Abstract: In a network system in which a server receives packets each including a source address, and in which the server ordinarily responds to each packet, Distributed Denial of Service attacks may be launched by malicious actors controlling a plurality of network devices. In such an attack, the attacking devices may spoof the IP address of a legitimate device, e.g., they may include, in each packet, the source address of the legitimate device. As such, systems and methods for increased security using client address manipulation are provided.

Abstract: Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic from the source of the attack. The threat intelligence information may include a confidence score indicating a calculated confidence in the identification of the malicious communications, which may be utilized by the system to determine the type of action taken on the security devices of the network in response to the information or data.

Abstract: Examples of the present disclosure describe systems and methods relating to adaptive virtual services. In an example, a user specifies a device configuration for a platform device. As a result, a service provider installs selected virtual-network functions and defines network connections as specified by the device configuration. Management software may also be installed, thereby enabling the service provider to communicate with and remotely manage the platform device. The installed virtual-network functions are activated on the platform device once it is delivered to the user. In some instances, the user changes the device configuration. For example, the user may install new virtual-network functions, reconfigure or remove existing virtual-network functions, or change defined network connections. As a result, the service provider reconfigures the platform device accordingly. Thus, the user need not purchase new specialized hardware in order to change the available functions of the computer network.

Abstract: Systems and methods for conference security based on user groups are disclosed. In examples, a set of attendees (e.g., in a collaboration group) may be allowed access to a meeting by a host user with a specified access permission. The collaboration group may be in the network hosting the meeting or outside of the network. An attendee requesting access to the meeting may be verified based on the attendee's identity and membership status of the collaboration group. If an attendee's identity is not identified or if the attendee is not a member of the collaboration group, the requesting attendee may be denied access to the meeting. If the requesting attendee's identity is verified and the attendee is a member of the collaboration group, the attendee is allowed access to the meeting with their specified access permission.

Abstract: Automatic testing/analysis of local loops of telecommunications networks includes obtaining bits-per-tone data for a local loop of a telecommunications network and generating a bit value string from the bits-per-tone data. The bit value string is then analyzed to determine whether it includes a bit pattern indicative of an impairment of the local loop. Further approaches for automatically testing local loops of telecommunications networks include obtaining attenuation data for multiple tones carried by the local loop and determining whether the attenuation data falls below thresholds for providing a service using the local loop.

Abstract: Aspects of the disclosure involve systems and methods for utilizing Virtual Local Area Network separation in a connection, which may be a single connection, between a customer to a telecommunications network and a cloud environment to allow the customer to access multiple instances within the cloud through the connection. A customer may purchase multiple cloud resource instances from a public cloud environment and, utilizing the telecommunications network, connect to the multiple instances through a communication port or connection to the cloud environment. To utilize the single connection or port, communication packets intended for the cloud environment may be tagged with a VLAN tag that indicates to which cloud instance the packet is intended. The telecommunications network may route the packet to the intended cloud environment and configure one or more aspects of the cloud environment to analyze the attached VLAN tag to transmit the packet to the intended instance.

Abstract: Novel tools and techniques are provided for implementing management of routing across multiple voice or data networks with separate routing masters. In various embodiments, in response to receiving a request to establish a call between a calling party in a first network and a called party in a second network, a computing system might receive a first set of network information from a first routing database(s) that is operated by a first service provider and a second set of network information from a second routing database(s) that is operated by a second service provider separate from the first service provider; might analyze the received first and second sets of network information to generate a unified routing model for optimizing routing of the call through the first and second networks; and might establish the call through a selected optimized route based on the generated unified routing model.

Abstract: Novel tools and techniques are provided for implementing monitoring and detection of fraudulent or unauthorized use in telephone conferencing systems or voice networks. In various embodiments, a computing system might monitor call activity through telephone conferencing system or voice network. In response to detecting use of the telephone conferencing system or voice network by at least one party based on the monitored call activity, the computing system might identify incoming and/or outgoing associated with a call initiated by the at least one party. The computing system might analyze the identified incoming and/or outgoing call data to determine whether the call initiated by the at least one party constitutes at least one of fraudulent use or unauthorized use of the telephone conferencing system or voice network. If so, the computing system might initiate one or more first actions.

Abstract: A data system is provided for analyzing and maintaining data obtained from one or more data sources on which the data system depends. The system includes a primary database including current values used by the system and a collection of executable algorithms used to generate the data maintained in the primary database. In response to receiving a notification regarding a change in one of the data sources, a dependency database is used to establish an execution order for algorithms of the algorithm collection that are directly or indirectly dependent on the changed data. The algorithms identified in the execution order are then executed in accordance with the execution order and the corresponding result is stored in the primary database. The system may include data harvesters adapted to recognize changes in the data sources and to generate and transmit corresponding change notifications when such changes occur.

Abstract: Dynamic and self-healing optimized traffic rerouting is provided. A system and method are described for determining and implementing optimized traffic routing decision. A route orchestration system monitors network resource performance characteristics information for identifying a traffic redirection triggering event and for determining an optimized traffic control decision based on the network resource performance characteristics information. The decision may include software defined networking (SDN) instructions that may be communicated to one or more network resources (e.g., PE devices, P devices, and/or routers) that may cause traffic to be rerouted the one or more targeted servers. For example, the optimized traffic control decision may be determined to improve load balancing amongst performing servers and other network resources in the network while reducing or minimizing administrative costs.

Abstract: Aspects of the present disclosure involve systems, methods, for encoding a firewall ruleset into one or more bit arrays for fast determination of processing of a received communication packet by a firewall device associated with a network. Through this bitmap, a number of computation operations needed to determine a processing rule for a received packet is significantly reduced compared to the traditional approach of using a hash or a longest prefix match technique. Rather, determining a processing rule for a received packet may include determining a bit value within one or more arrays. In one implementation, a firewall rule may be encoded into a 64-bit array of bit values in which each bit of the array corresponds to a particular processing rule for a particular network address. The firewall rule may be encoded into a bitmap array of bit values by asserting a particular bit within the array.

Abstract: Aspects of the present disclosure involve systems for providing multiple egress routes from a telecommunications network for a client of the network. In general, the system provides for a client of the network to receive intended packets of information through multiple connections to the network such that load balancing and failover services for traffic to the customer are provided. The process and system allow for telecommunications network to utilize a common next-hop value of announced border gateway protocol (BGP) routes to advertise multiple routes to reach a destination customer network or address. By utilizing a common next-hop value in the announced BGP information, the devices of the network may load balance communication packets to the destination customer or address among the multiple egress locations from the network, as well as providing fast failover to alternate routes when a failure at the network or customer occurs.

Abstract: Novel tools and techniques are provided for implementing dashboard for alert storage and history (“DASH”). In various embodiments, DASH provides for consolidated tracking and monitoring of two or more of current (or active) alerts, cleared alerts, and/or transactional information for alerts that are stored within corresponding alert live database that mirrors current alert instance data in a real-time fault management system, alert history database that contains a snapshot of an alert history of each alert or corresponding network device, and/or alert log database that contains a full transaction record of every copy of an alert either over a first duration or having a total data size within a first total data size. DASH also cleans received alert data and/or enriches the alert data, and provides a user interface (“UI”) that enables a user to view, absorb, filter, manage, and/or organize alert data to facilitate addressing of alerts in the network(s).

Abstract: A route viewing system includes a computing system that receives information associated with one or more routes through a network, and identifies the routes that are associated with at least one illicit user computer used by an illicit user. The computing system then obtains a source location of a source address of the routes and a destination location of a destination address of the routes, and displays the routes on a geographical display at the source location of the source address and the destination location of the destination address of each of the routes.

Abstract: Implementations described and claimed herein provide systems and methods for correlating one or more service areas of a network with one or more geolocation coordinates to determine available services for customers to the network. A service polygon may be generated that define an area in which a particular service offered by a communications network is available. The boundaries of the service polygons may be adjusted based on information corresponding to physical features of the initial area. The service polygons may aid a communications network in providing a list of available services to potential customers or devices connected to the network by determining one or more geolocation coordinate values of a potential connection site and comparing the values to the service polygons. A network management system may determine the available services, current or in the future, to offer such services to a customer to the network.

Abstract: Implementations described and claimed herein provide systems and methods for intelligent node type selection in a telecommunications network. In one implementation, a customer set is obtained for a communications node in the telecommunications network. The customer set includes an existing customer set and a new customer set. A set of customer events is generated for a node type of the communications node using a simulator. The set of customer events is generated by simulating the customer set over time through a discrete event simulation. An impact of the customer events is modeled for the node type of the communications node. The node type is identified from a plurality of node types for a telecommunications build based on the impact of the customer events for the node type.

Abstract: Novel tools and techniques are provided for implementing web-based monitoring and detection of fraudulent or unauthorized use of voice calling service. In various embodiments, a computing system might receive, from a user device associated with an originating party, a request to initiate a call session with a destination party, the request comprising user information associated with the originating party and a destination number associated with the destination party; might query a database with session data (including user information) to access permission data and configuration data; and might configure fraud logic using received configuration data from the database. The computing system might analyze the session data and permission data using the configured fraud logic to determine whether the originating party is permitted to establish the requested call session with the destination party; if so, might initiate one or more first actions; and, if not, might initiate one or more second actions.

Abstract: Implementations include providing security services to workloads deployed across various types of network environments, such as public networks, private networks, hybrid networks, customer premise network environments, and the like, by redirecting traffic intended for the service device through a security environment of the first network. After application of the security features to the incoming traffic, the “clean” traffic may be transmitted to the service device instantiated on the separate network via a tunnel. Redirection of incoming traffic to the security-providing first network may include correlating a network address of the service device to a reserved network address of a block of reserved addresses and updating a Domain Name Server (DNS) or other address resolving system with the reserved address. The return transmission tunnel may be established between the security environment and the network address of the service device.

Abstract: Apparatus, systems, methods, and the like, for autonomous scaling of security and other network services through initialization of a service from a network service device and/or migration of such services from one service device to another is provided. Such network scaling may allow for migration of services from existing service edges to other service edges. A security management system may coordinate the migration of services provided to a secondary network from one or more service edges to another, separate service edge while providing session synchronization during the migration. To migrate the services from the first service edge to a second service edge, a session table may be shared between the service edges and the first and second service edges may advertise service routes or endpoints with one or more priority values to control or otherwise determine which service edge is selected by a service-receiving device to receive the services.

Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.