Abstract: A device may analyze a first file for malware. The device may determine that the first file causes a second file to be downloaded. The device may store linkage information that identifies a relationship between the first file and the second file based on determining that the first file causes the second file to be downloaded. The device may analyze the second file for malware. The device may determine a first malware score for the first file based on analyzing the second file for malware and based on the linkage information. The device may determine a second malware score for the second file based on analyzing the first file for malware and based on the linkage information.

Abstract: In general, this disclosure describes a high-level forwarding path description language (FPDL) for describing internal forwarding paths within a network device. The FPDL enables developers to create a template that describes a section of an internal forwarding path within the forwarding plane of a network device. The FPDL provides syntactical elements for specifying the allocation of forwarding path structures as well as enabling the run-time construction of internal forwarding paths to interconnect the forwarding path structures in a manner specific to packet, packet flow, and/or interface properties, for example. In conjunction with late binding techniques, whereby the control plane of the network device provides arguments to template parameters that drive allocation by the packet forwarding engines of forwarding path structures specified by the FPDL, the techniques provide control plane processes a unified interface with which to manage the operation of the packet forwarding engines.

Abstract: A provider edge (PE) device may receive an indication to perform a designated forwarder (DF) election associated with a network segment that includes the PE device, one or more other PE devices, and a client edge (CE) device. The PE device, the one or more other PE devices, and the CE device may be associated with an Ethernet virtual private network (EVPN) that includes a group of EVPN instances (EVIs). The PE device may perform the DF election in order to determine election information associated with the PE device. The election information may include information associated with a particular EVI, of the group of EVIs, for which the PE device is to act as a DF. The PE device may provide the election information to the CE device to cause the CE device to provide traffic, associated with a particular VLAN included in the particular EVI, to the PE device.

Abstract: In general, this disclosure describes techniques for applying, with a network device, subscriber-specific packet processing using an internal processing path that includes service objects that are commonly applied to multiple packet flows associated with multiple subscribers. In one example, a network device control plane creates subscriber records that include, for respective subscribers, one or more variable values that specify service objects as well as an identifier for a packet processing template. A forwarding plane of the network device receives and maps subscriber packets to an associated subscriber record and then processes the packet by executing the packet processing template specified by the subscriber record. When the forwarding plane reaches a variable while executing the specified packet processing template, the forwarding plane reads the associated variable value from the subscriber record to identify and then apply the subscriber-specific service object specified by the variable.

Abstract: A device is configured to receive, from a network device, a first message associated with a network management activity performed by using an application of the network device. The device is further configured to determine whether the first message satisfies a criterion, and to classify the first message based on a type of the application when the first message satisfies the criterion. The device is also configured to receive, from the network device, a second message associated with the network management activity; to correlate the second message with the first message after classifying the first message; and to create a record for the network management activity based on the first message and the second message by using rules associated with the type of the application.

Abstract: A system may include a power module that includes a group of power supplies, particular ones of the group of power supplies being operable at a group of voltages ranging from a first voltage to a second voltage. The system may further include a controller coupled to the particular ones of the group of power supplies, the controller being to ramp up an output voltage, associated with the group of power supplies, from the first voltage to the second voltage in a group of discrete steps; where ramping up the output voltage by a particular one of the group of discrete steps is performed while a load is receiving power from the group of power supplies; and where ramping up the output voltage by a particular one of the group of discrete steps prevents over-current protection on the group of power supplies from being activated.

Abstract: In general, techniques are described for managing routing information in a hub-and-spoke network in a manner that reduces flooding of link information. A hub router of the hub-and-spoke network including a memory and a processor may perform the techniques. The memory may be configured to store a representation of a topology of the hub-and-spoke network. The processor may be configured to utilize a separate instance of a multi-instance version of a link state protocol to communicate with each of a plurality of spoke routers of the hub-and-spoke network. Each separate instance of the multi-instance version of the link state protocol may include the hub router and a different one of the plurality of spoke routers. The processor may process link state advertisements from the separate instances of the multi-instance version of the link state protocol to maintain the representation of the topology of the hub-and-spoke network.

Abstract: Techniques are described for specifying and constructing multi-protocol label switching (MPLS) rings. Routers may signal membership within MPLS rings and automatically establish ring-based label switch paths (LSPs) as components of the MPLS rings for packet transport within ring networks. In one example, a router includes a processor configured to establish an MPLS ring having a plurality of ring LSPs. Each of the ring LSPs is configured to transport MPLS packets around the ring network to a different one of the routers operating as an egress router for the respective ring LSP. Moreover, each of the ring LSPs comprises a bidirectional, multipoint-to-point (MP2P) LSP for which any of the routers can operate as an ingress to source packet traffic into the ring LSP for transport to the respective egress router for the ring LSP. Separate protection paths, bypass LSPs, detours or loop-free alternatives need not be signaled.

Abstract: A device may determine that a file of a client device is a malicious file. The device may obtain remote access to the client device using a connection tool. The connection tool may provide access and control of the client device. The remote access may include access to a file location of the malicious file. The device may determine file information associated with the malicious file using the remote access to the client device. The device may select one or more remediation actions based on the file information. The device may cause the one or more remediation actions to be executed using the remote access to the client device.

Abstract: A device may identify a set of features associated with the unknown object. The device may determine, based on inputting the set of features into a threat prediction model associated with a set of security functions, a set of predicted threat scores. The device may determine, based on the set of predicted threat scores, a set of predicted utility values. The device may determine a set of costs corresponding to the set of security functions. The device may determine a set of predicted efficiencies, associated with the set of security functions, based on the set of predicted utility values and the set of costs. The device may identify, based on the set of predicted efficiencies, a particular security function, and may cause the particular security function to be executed on the unknown object. The device may determine whether another security function is to be executed on the unknown object.

Abstract: A client device may provide, to a host device, a request to access a website associated with a host domain. The client device may receive, based on the request, verification code that identifies a verification domain and a resource, associated with the verification domain, to be requested to verify a public key certificate. The verification domain may be different from the host domain. The client device may execute the verification code, and may request the resource from the verification domain based on executing the verification code. The client device may determine whether the requested resource was received, and may selectively perform a first action or a second action based on determining whether the requested resource was received. The first action may indicate that the public key certificate is not valid, and the second action may indicate that the public key certificate is valid.

Abstract: A system may comprise a first group of switches, each switch including a first group of inputs and outputs, and a first group of controllers, each controller being independent from one another and corresponding to a switch of the first group of switches, to selectively control the switch to connect the switch's inputs with outputs. The first group of switches and controllers may be installed in a chassis. The system may comprise a second group of switches, each switch including a second group of inputs and outputs, and a second group of controllers, each controller corresponding to a switch of the second group of switches, to selectively control the switch to connect the switch's inputs with outputs. The second group of controllers may control and connect, via a group of control links, to the first group of controllers.

Abstract: In some embodiments, an apparatus includes a forwarding module that is configured to receive a group of first data packets. The forwarding module is configured to modify a data flow value in response to receiving each first data packet. The forwarding module is also configured to store each first data packet in a first output queue based on the data flow value not crossing a data flow threshold after being modified. Furthermore, the forwarding module is configured to receive a second data packet. The forwarding module is configured to modify the data flow value in response to receiving the second data packet, such that the data flow value crosses the data flow threshold. The forwarding module is configured to store the second data packet in a second output queue based on the data flow value having crossed the data flow threshold.

Abstract: An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.

Abstract: In general, the invention is directed to techniques for scheduling resource access within an intermediate network device. For example, as described herein, a device receives packets for a plurality of sessions that include application-layer data for the sessions. The device determines a weight for each of the plurality of sessions and, during periods of resource congestion, selects one or more sessions for additional resource allocation based on the respective weights of the sessions. The device allocates additional memory resources to selected sessions to enable further buffering of application-layer data such that the device may apply the service to multiple sessions concurrently despite the resource congestion.

Abstract: In general, techniques are described for dynamically modifying the extent of logging performed by logging information generators in response to events detected in logging information received by the collector. In some examples, a network device includes one or more processors and a collector executed by the processors to receive a log message that includes logging information from a generator. The network device also includes a rules engine to apply one or more rules that each specify a condition and a corresponding action to the logging information to identify a matching rule, wherein the rules engine, upon identifying a matching rule, executes the action of the matching rule to generate and send a logging modification message to increase an extent to which the generator generates logging information.

Abstract: In some examples, a controller for a network includes a path computation module configured for execution by one or more processors to obtain configuration information for at least one point-to-multipoint label switched path (P2MP LSP); obtain, from the network via at least one protocol, network topology information defining a network topology for the network; determine, based on the network topology, a first solution comprising first respective paths through the network for the at least one P2MP LSP; determine, after generating a modified network topology based on the network topology, a second solution comprising second respective paths through the network for the at least one P2MP LSP. The controller also includes a path provisioning module configured for execution by the one or more processors to configure the network with the solution of the first solution and the second solution having the lowest total cost.

Abstract: In some embodiments, an apparatus comprises of a first Control And Provisioning of Wireless Access Points (CAPWAP) module implemented in at least one of a memory or a processing device that is configured to be designated as a backup control module for a wireless access point during a first time period. The first CAPWAP control module is configured to receive state information associated with the wireless access point during the first time period from a second CAPWAP control module. The second CAPWAP control module is designated as a primary control module for the wireless access point during the first time period. The first CAPWAP control module is configured to be automatically designated as the primary control module during a second time period after the first time period and in response to the second CAPWAP control module not operating according to at least one predefined criterion.

Abstract: A system may comprise a first switch connected to an output of a first power source, a second switch connected to an output of a second power source, a first sensor connected to an output of the first switch, a second sensor connected to an output of the second switch, a third switch connected to the first sensor and the second sensor and connected to a load, and a control device connected to the first switch, the second switch, the first sensor, the second sensor, and the third switch.

Abstract: In general, techniques are described for representing services, network resources, and relationships between such services and resources in a graph database with which to validate, provision, and manage the services in near real-time. In one example, a controller device includes at least one processor; and at least one memory to store a graph database comprising a graph that represents network resources and relationships between network resources. The controller device receives, at an application programming interface, a data-interchange formatted message that indicates a service request to configure a network service; queries, at least a portion of the plurality of the graph, to determine whether a set of the plurality of network resources can satisfy the service request to provision the network service within the network; and configures the set of the plurality of network resources to provide the network service.