Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.

Abstract: Novel tools and techniques are provided for implementing management of edge network protection service. In various embodiments, a computing system may receive a request from a customer to manage edge network protection services for at least one Internet circuit. Based on a determination that the customer has been provisioned one or more circuits that are capable of implementing edge network protection services, the computing system may present, or cause to be presented, options to select a circuit, from among the one or more circuits, for which edge network protection service should be provisioned or managed. When a selection of a first circuit is received from the customer, the computing system may automatically cause the selected first circuit to be configured to provision a new service instance of the edge network protection service or reconfigured to modify an existing service instance of the edge network protection service.

Abstract: Disclosed are systems and methods that provide a decision-intelligence (DI)-based, computerized framework for automatically and/or dynamically managing connectivity and/or operation of assets on/over an electronic network. The disclosed framework functions in relation to providing network management, inclusive of inventor and network reconciliation, via a network data quality management tool (NDQ). The NDQ framework is configured for advanced network data discovery, provisioning analysis, discrepancy resolution, monitoring processes, and the like. The disclosed NDQ framework serves as a comprehensive, automated solution for ensuring accurate network data and seamless network management by integrating advanced analytics, multi-platform compatibility, and automation capabilities.

Abstract: Disclosed herein are system, method, and computer program product embodiments for providing an API description of an external network service and using the API to integrate the external service into a network. An embodiment operates by receiving, from a service provider, a description of an application programming interface (API), transmitting a call to the service provider using the API for creating a new instance of a service and transmitting to the service provider a traffic flow upon which the service will be applied.

Abstract: In a network, Domain Name Service (DNS) queries may be handled by one or more resolvers and one or more authoritative name servers. If a DNS distributed denial of service attack is launched against the network, it may degrade the performance of the authoritative name servers. As such, systems and methods for protection of authoritative name servers are provided.

Abstract: Novel tools and techniques are provided for implementing network service ordering and provisioning of secure access service edge (“SASE”) software packages. In various embodiments, a computing system may provide a user experience (“UX”) platform for a customer portal, the UX platform being accessible by a user via a user device over a first network(s); may provide, via the UX platform, options to configure, via the customer portal, one or more SASE-based network services among a plurality of network services provided by a service provider; and may autonomously orchestrate deployment and configuration of the one or more SASE-based network services via one or more customer premises equipment (“CPE”) that are associated with the user or to an entity with which the user is associated, over a second network(s), based at least in part on user selection of at least one option to configure the one or more SASE-based network services.

Abstract: Novel tools and techniques are provided for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent) may receive, from a network filter orchestration conductor, a global filter-intent list including a first filter intent that references a corresponding filter-intent object. The computing system may determine whether the at least one first filter intent applies to the managed device. If so, the computing system may translate the at least one first filter intent into a first filter that is specific to a first configuration of the managed device, in some cases, by building the first filter based at least in part on the at least one first filter intent. The computing system may subsequently apply the first filter to one or more network communications handled by the managed device.

Abstract: In one implementation for the identification of connection areas in a telecommunications network, a customer set is obtained for a communications node in the telecommunications network. The customer set includes an existing connection type and a collection of network sites including the connection type is generated from the customer set. An overlay of customer sites without the connection type may be applied to the collection of network sites to generate an intersection of non-connected customer sites within the collection of network sites including the connection type. The intersection provides an indication of underserviced sites connection to the telecommunication network for potential network growth.

Abstract: Novel tools and techniques are provided for implementing route-based service chaining of applications. In various examples, after receiving a data packet, at least one router may determine a plurality of routes to a destination address associated with the data packet, based on route announcements advertised by a plurality of service applications. The at least one router may select each of the routes based on at least routing policies and local preference values associated with the plurality of routes. The at least one router may send the data packet to each service application in turn over routes among the plurality of routes from highest priority to lowest priority, with the data packet returning to the at least one router after traversing through a service application(s) along each route, until the data packet is sent over the final route to a customer device at the destination address.

Abstract: Novel tools and techniques are provided for implementing 911 or enhanced 911 (“E911”) address update. In various embodiments, in response to a trigger event, a computing system may determine whether E911 address data associated with a customer that is stored in an E911 database requires updating. If so, the computing system may update the E911 database with address data associated with the customer that has been validated or verified (if available). Where no validated or verified address associated with the customer is available, the computing system may send a message to the customer to provide updated 911 or E911 address data; may receive, from a user device associated with the customer via an API over a network(s) operated by the service provider, updated 911 or E911 address data from the customer; and may update the E911 database with the received updated 911 or E911 address data from the customer.

Abstract: Novel tools and techniques are provided for implementing exponentially weighted scoring of calculated resource availability for automated network element selection, augmentation, and service delivery. After receiving a request for network services and measurement data associated with a plurality of network elements capable of providing the requested network services, a computing system may calculate a weighted score for each of a plurality of resources that is available on each network element. Each weighted score for a corresponding resource may be based on an exponential decay function of a difference between a limit value corresponding to an allocatable amount of the corresponding resource and a measured usage value based on the measurement data. For each network element, the computing system may calculate an availability score based on the weighted scores, and may output either the availability score and/or a resource allocation decision for that network element.

Abstract: Systems and methods for ingesting, managing, and distributing configuration data in one or more computing networks are provided. In examples, a flexible configuration definition framework is provided to allow for simplified ingestion, management, and distribution of configuration data to various computing devices in complex networks. Rather than table data, the framework permits expression of configuration settings in a non-relational, text-based data format to allow easy searching and filtering of configuration data and targeted distribution of data to machines and applications within the network(s).

Abstract: Aspects of the present disclosure involve systems, methods, for encoding a firewall ruleset into one or more bit arrays for fast determination of processing of a received communication packet by a firewall device associated with a network. Through this bitmap, a number of computation operations needed to determine a processing rule for a received packet is significantly reduced compared to the traditional approach of using a hash or a longest prefix match technique. Rather, determining a processing rule for a received packet may include determining a bit value within one or more arrays. In one implementation, a firewall rule may be encoded into a 64-bit array of bit values in which each bit of the array corresponds to a particular processing rule for a particular network address. The firewall rule may be encoded into a bitmap array of bit values by asserting a particular bit within the array.

Abstract: In a network system in which a server receives packets each including a source address, and in which the server ordinarily responds to each packet, Distributed Denial of Service attacks may be launched by malicious actors controlling a plurality of network devices. In such an attack, the attacking devices may spoof the IP address of a legitimate device, e.g., they may include, in each packet, the source address of the legitimate device. As such, systems and methods for increased security using client address manipulation are provided.

Abstract: Disclosed are systems and methods that provide a decision-intelligence (DI)-based, computerized framework for automatically and dynamically managing fiber assets within a distributed ledger. The framework operates via predicted insights into how a fiber optic network, inclusive of the fiber assets as a whole and/or individualized, can be optimized to provide accurate, efficient and/or reliable network facilities for associated entities. OTDR data can be utilized by the framework to perform maintenance, troubleshooting and/or to ensure the network operates efficiently. Accordingly the framework can operate to manage, analyze and utilize such forms and/or types of data to curate computerized fiber optic solutions for the fiber optic networks and/or the entities that are operating therefrom, which can be effectuated via the implementation of the disclosed systems and methods within a fiber optics network infrastructure.

Abstract: Systems and methods for enforcing compliance-program conformity during authorization-token generation are presented. Applications may be registered with an identity and access management (IAM) system. The registration of the application may include whether the application is subject to one or more compliance program(s). When an authorization token is requested from the IAM system, the IAM system may (a) determine the set of authorization information needed in the token, and (b) determine whether the application is subject to a compliance program. The IAM system may then check an approval source of record to determine whether the user was legitimately approved for the required authorization prior to granting an authorization token. If there is a mismatch between the approval source of record and the authorization information associated with the user identity, then the mismatch may cause certain mitigation actions to be performed.

Abstract: Novel tools and techniques are provided for implementing data storage and search functionality using hot and cold embeddings. In examples, a first vector data storage device is implemented to store hot embeddings, which are vector representations of data that has been determined to likely be used within a succeeding timeframe and that is associated with a plurality of network services each of which is one of being provisioned, in a process of being provisioned, or being ordered for provisioning, by a service provider, at a plurality of locations associated with a corresponding plurality of entities. The first vector data storage device is kept up to date with updates to any of the plurality of data. Embeddings of data that has been determined to not likely be used within the succeeding timeframe are moved to a second vector data storage device as cold embeddings.

Abstract: Novel tools and techniques are provided for implementing intelligent alert automation (“IAA”). In various embodiments, IAA receives alert/event feeds from several different alerting and ticketing systems via input Redis queues, and uses a triage system to determine whether to process the alert/event or disregard it. If so, IAA may create a flow instance, assign a unique instance ID, and place the flow instance in one of a plurality of jobs queues based on alert/event type and/or or source. An abattoir system retrieves a flow instance from one of the jobs queues (in order of the queue's priority), and processes the next node or step in the flow instance. The flow instance is placed back into the jobs queue for subsequent processing by the same or different abattoir system until no additional nodes or steps remain in the flow, at which point the flow instance is considered complete.

Abstract: Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.

Abstract: This disclosure describes systems, methods, and devices related to using an application programming interface (API) gateway orchestration layer. A method may include identifying, by the API gateway orchestration layer, a first API request, received by an API gateway API, to access a first microservice of a first API gateway that uses a first API gateway model; identifying a second API request, received by the API gateway API, to access a second microservice of a second API gateway that uses a second API gateway model; determining, based on the first API request, a first route to the first API gateway; determining, based on the second API request, a second route to the second API gateway; routing the first API request to the first microservice based on the first route; and routing the second API request to the second microservice based on the second route.