Abstract: Disclosed are methods and systems for determining combinations of system parameters that indicate a root cause of a system level experience deterioration (SLED). Some of the disclosed embodiments generate a decision tree from a first class of operational parameter datasets. Rules are derived from the decision tree. Filtered rule sets for feature parameters included in the system parameters are then determined. Pairs of features within a particular dataset that each satisfy their respective filtered rule sets are indicative of a root cause of the degradation, at least in some embodiments.

Abstract: A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.

Abstract: A network device may monitor a TCP session with another network device, and may identify ingress and/or egress packets, a TCP header, and a socket of the TCP session. The network device may inspect the ingress and/or egress packets, the TCP header, and the socket to identify a zero window advertisement, details of a last quantity of packets sent or received, synchronize, finish, or reset packets sent or received, negotiated TCP options, or buffer space utilization, and may temporarily record identified data based on the inspection. The network device may detect a TCP session flap when a finish packet or a reset packet is identified and recorded, and may store, in a dead TCP session list, the identified data based on the TCP session flap being detected.

Abstract: A first device may provide, periodically throughout a test session and to neighboring devices that are in a network with the first device, a message request for measuring network performance. The neighboring devices, upon receiving the request message, are to use a relay mechanism to determine network performance indicator (NPI) values. The first device may receive, from the neighboring devices and periodically throughout the test session, a response message that includes the NPI values. The first device may determine additional NPI values that measure the network performance between the first device and the neighboring devices. The first device may determine overall NPI values based on the NPI values and the additional NPI values. The first device may identify a preferred next-hop to one of the neighboring devices based on the overall NPI values, where the preferred next-hop is part of a preferred path through the network.

Abstract: A network device, associated with peer network devices, may receive policy information for a protocol; and compute a first update message based on information regarding a route associated with the policy information. The network device may determine that an upper utilization threshold for one or more of peer queues, associated with the peer network devices, is not satisfied; and write the first update message to the peer queues based on determining that the upper utilization threshold is not satisfied. The network device may compute a second update message based on the information regarding the route; determine that the upper utilization threshold for one or more of the peer queues is satisfied; and pause writing the second update message to the peer queues based on the upper utilization threshold being satisfied. The network device may permit the peer network devices to obtain data from corresponding ones of the peer queues.

Abstract: Techniques are disclosed for identifying a maximum segment size (MSS) for a path. For example, a first router includes a routing engine and a packet forwarding engine. The routing engine is configured to identify a path maximum transmission unit (MTU) corresponding to a path between the first router and a second router; and identify a maximum packet overhead size corresponding to a session between a first client device and a second client device over the path between the first router and the second router. Additionally, the routing engine is configured to calculate, based on the path MTU and the maximum packet overhead size, a path maximum segment size (MSS), wherein the path MSS represents a maximum packet payload size corresponding to the path; and control the packet forwarding engine to output information indicative of the path MSS.

Abstract: A network device may receive, from a source device, an option request that includes a source address of the source device and a destination address of a destination device, wherein the network device is associated with an Internet protocol version 6 (IPv6) network. The network device may identify a map code that is associated with an address translation for traffic associated with the destination device and may determine, based on identifying the map code, a source prefix code and a destination prefix code for the address translation. The network device may determine a source IPv6 prefix and a destination IPv6 prefix for the address translation based on the source prefix code and the destination prefix code and may provide, to the source device, an option response to the option request to permit the source device to use the source IPv6 prefix and the destination IPv6 prefix for the traffic.

Abstract: A network device obtains a data package associated with an ISSU procedure and determines, based on the data package, that a control plane of the network device is to be rebooted to facilitate performance of the ISSU procedure. The network device causes, based on determining that the control plane is to be rebooted, a plurality of applications of the network device to stop executing on the network device and a control plane state of the network device to be frozen. The network device then causes the ISSU procedure to be performed. The network causes, based on causing the ISSU procedure to be performed, the control plane state of the network device to be restored and the plurality of applications to resume executing on the network device.

Abstract: A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize the data identifying malicious behavior, the user identity data, and the endpoint device data to generate, based on an identity of the user, a security policy to isolate the malicious behavior. The device may cause the security policy to be provided to the network devices and the other endpoint devices based on the network device data and the endpoint device data.

Abstract: An example method includes receiving, by an SD-WAN system, WAN link characterization data for a plurality of WAN links of the SD-WAN system over a time period; and for each site of a plurality of sites of the SD-WAN system, generating, by the SD-WAN system, a local policy for the site, wherein generating the local policy is based on a machine learning model trained with the WAN link characterization data for the plurality of WAN links, and providing the local policy to an SD-WAN edge device of the site.

Abstract: An example network analysis system includes a memory storing telemetry data received from a plurality of network devices, the plurality of network devices includes extract entity information and connectivity information from the received telemetry data, wherein the entity information represents one or more network devices of the plurality of network devices and the connectivity information represents network connections between one or more devices of the plurality of network devices; and store the connectivity information and entity information as a network topology graph in a graph database, wherein the entity information is stored as nodes of the network topology graph and the connectivity information is stored as edges of network topology graph, and wherein the network topology graph represents an organization level topology of the organization network.

Abstract: A disclosed apparatus for accomplishing such a task may include (1) a circuit board incorporated into a module designed for insertion into slots of computing devices, (2) at least one conductive contact disposed on the circuit board, (3) a counter circuit disposed on the circuit board and communicatively coupled to the conductive contact, wherein the counter circuit comprises (A) a signal-change detector that detects signal changes as the module is inserted into one of the slots of the computing devices and (B) a counter device that maintains a dynamic count indicative of a number of times that the module has been inserted into one of the slots of the computing devices based at least in part on the signal changes, (4) a battery electrically coupled to the counter circuit, wherein the battery powers the counter device prior to the insertion. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A network device may detect an error associated with a packet based on error information being generated from processing the packet at a layer of a network stack. The network device may determine, based on detecting the error, metadata associated with the packet. The network device may generate telemetry data to include the metadata. The network device may provide the telemetry data to a network analyzer for policy enforcement.

Abstract: Network management techniques are described. A controller device of this disclosure manages a device group of a network. The controller device includes processing circuitry in communication with the memory, the processing circuitry being configured to receive, using a programmable diagnosis service executed by the processing circuitry, a programming input, to form, using the programmable diagnosis service, based on the programming input, a resource definition graph that models interdependencies between a plurality of resources supported by the device group, to detect, using the programmable diagnosis service, an event affecting a first resource of the plurality of resources, and to identify, using the programmable diagnosis service, based on the interdependencies modeled in the resource definition graph formed based on the programming input, a root cause event that caused the event affecting the first resource, the root cause event occurring at a second resource of the plurality of resources.

Abstract: A node may be an active node associated with a high-availability service and may route session traffic communicated via a first route path between a first endpoint and a second endpoint. The node may determine a first measurement of a traffic metric of the first route path and may receive, from another node associated with the high-availability service, a second measurement of the traffic metric of a second route path. The node may compare the first measurement and the second measurement and determine that the traffic metric is enhanced on the second route path relative to the first route path. The node may cause, via a high-availability link between the node and the other node, the other node to become the active node for routing the session traffic between the first endpoint and the second endpoint.

Abstract: A network device may receive packets and may calculate, during a time interval, an arrival rate and a departure rate, of the packets, at one of multiple virtual output queues. The network device may calculate a current oversubscription factor based on the arrival rate and the departure rate, and may calculate a target oversubscription factor based on an average of previous oversubscription factors associated with the multiple virtual output queues. The network device may determine whether a difference exists between the target oversubscription factor and the current oversubscription factor and may calculate, when the difference exists, a scale factor based on the current oversubscription factor and the target oversubscription factor. The network device may calculate new scheduling weights based on prior scheduling weights and the scale factor, and may process packets received by the multiple virtual output queues based on the new scheduling weights.

Abstract: A device may receive a malicious file associated with a network of network devices and may identify a file type and file characteristics associated with the malicious file. The device may determine one or more rules to apply to the malicious file based on the file type and the file characteristics associated with the malicious file and may apply the one or more rules to the malicious file to generate a partial file signature for the malicious file. The device may provide the partial file signature for the malicious file to one or more of the network devices of the network. The partial file signature may cause the one or more of the network devices to block the malicious file.

Abstract: In general, techniques are described for deploying virtualized cell site routers (vCSRs) capable of layer 2 (L2) forwarding to cell site servers to support management and orchestration of functional units for mobile networks executing on the cell site servers. In an example, a method comprises receiving, at a forwarding plane of a virtualized cell site router (vCSR) of a first Distributed Unit (DU) of a plurality of DU servers of a cell site for a 5G radio access network, the vCSR having a containerized routing protocol process and a forwarding plane configured to perform Layer 2 (L2) switching, L2 packets on a second interface for a second physical link connecting the first DU server to an L2 switch; and switching, by the forwarding plane of the vCSR of the first DU, the L2 packets on a first interface for a first physical link connecting the first DU server to a second DU server of the plurality of DU servers.

Abstract: A network device obtains information, associated with blacklisted domains, that includes blacklisted domain identifiers, and sinkhole server identifiers associated with the blacklisted domain identifiers. The network device obtains a set of rules that specify match criteria, associated with the blacklisted domains, that include source network addresses and/or destination network addresses for comparison to packet source network addresses and/or packet destination network addresses associated with incoming packets. The set of rules specify actions to perform based on a result of comparing the match criteria and the packet source network addresses and/or the packet destination network addresses for the incoming packets.

Abstract: A semiconductor package may include a substrate, an application-specific integrated circuit (ASIC) provided on a first portion of a surface of the substrate, a memory device provided on a second portion of the surface of the substrate, and a stiffener plate provided on a third portion of the surface of the substrate. The stiffener plate may be spaced from and may surround the ASIC and the memory device. The semiconductor package may include an electromagnetic interference (EMI) absorber provided on a fourth portion of the surface of the substrate. The EMI absorber may be provided between the stiffener plate and the ASIC and the memory device. The EMI absorber may surround the ASIC and the memory device and may block EMI radiation generated by the ASCI and the memory device.