Abstract: In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, the method determines whether a time bucket is complete or open based on the updated probability distribution model.

Abstract: FlowSpec is a mechanism for distributing rules to routers in a network. Such rules may be used, for example, to drop traffic associated with a distributed denial of service attack. However, a malformed or incorrect FlowSpec announcement may, if distributed in the network, cause legitimate traffic to be dropped, degrading the service experienced by legitimate users. As such, systems and methods for avoiding the distribution of malformed FlowSpec announcements are provided.

Abstract: Systems, methods, and storage media for detecting a security intrusion of a network device are disclosed. Exemplary implementations may include a method involving, in the network device including a processor, monitor a light signal associated with a security enabled port of the network device; and in response to detecting a change in the light signal, initiate a security alert.

Abstract: Systems and methods for enforcing compliance-program conformity during authorization-token generation are presented. Applications may be registered with an identity and access management (IAM) system. The registration of the application may include whether the application is subject to one or more compliance program(s). When an authorization token is requested from the IAM system, the IAM system may (a) determine the set of authorization information needed in the token, and (b) determine whether the application is subject to a compliance program. The IAM system may then check an approval source of record to determine whether the user was legitimately approved for the required authorization prior to granting an authorization token. If there is a mismatch between the approval source of record and the authorization information associated with the user identity, then the mismatch may cause certain mitigation actions to be performed.

Abstract: This disclosure describes systems, methods, and devices related to requesting use of a zero-copy operation. A method may include: generating, by a first channel of a hierarchy of channels in a user space, a request to retrieve a file descriptor before initiating a zero-copy operation; sending, by the first channel, to the hierarchy, the request; identifying, by a second channel of the hierarchy, a response accepting the request, the response including the file descriptor; adding, by the second channel, additional information to the response accepting the request, the additional information including at least one of a need notify request to be notified of an amount of data transferred using the zero-copy operation or parsed body data; identifying, by the first channel, the file descriptor and the additional information; and initiating, by the first channel, based on identifying the file descriptor, the zero-copy operation.

Abstract: The present application describes providing an attestation level to a received communication. The attestation level may be used to communicate a level of security to a network or a called party that receives the communication. The attestation level associated with the communication may indicate to a destination network and/or recipient that the phone number associated with the communication is secure and/or the telephone number has not been spoofed.

Abstract: Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.

Abstract: Implementations include providing security services to workloads deployed across various types of network environments, such as public networks, private networks, hybrid networks, customer premise network environments, and the like, by redirecting traffic intended for the service device through a security environment of the first network. After application of the security features to the incoming traffic, the “clean” traffic may be transmitted to the service device instantiated on the separate network via a tunnel. Redirection of incoming traffic to the security-providing first network may include correlating a network address of the service device to a reserved network address of a block of reserved addresses and updating a Domain Name Server (DNS) or other address resolving system with the reserved address. The return transmission tunnel may be established between the security environment and the network address of the service device.

Abstract: Novel tools and techniques are provided for implementing programmatical public switched telephone network (“PSTN”) trunking for cloud hosted applications. In various embodiments, a computing system may determine one or more first network interconnection characteristics associated with a first entity service provider within a call service network operated by a call network service provider. Based on the determined one or more first network interconnection characteristics associated with the first entity service provider, the computing system may cause a network provisioning application layer to establish one or more network interconnections between a first network associated with the first entity service provider and the call service network, in some cases, by establishing shared peering connections between the first network and the call service network.

Abstract: Disclosed herein are system, method, and computer program product embodiments for providing an API description of an external network service and using the API to integrate the external service into a network. An embodiment operates by receiving, from a service provider, a description of an application programming interface (API), transmitting a call to the service provider using the API for creating a new instance of a service and transmitting to the service provider a traffic flow upon which the service will be applied.

Abstract: Novel tools and techniques are provided for implementing intent-based orchestration using network parsimony trees. In various embodiments, in response to receiving a request for network services that comprises desired characteristics and performance parameters for the requested network services without information regarding specific hardware, hardware type, location, or network, a computing system might generate a request-based parsimony tree based on the desired characteristics and performance parameters. The computing system might access, from a datastore, a plurality of network-based parsimony trees that are each generated based on measured network metrics, might compare the request-based parsimony tree with each of one or more network-based parsimony trees to determine a fitness score for each network-based parsimony tree, and might identify a best-fit network-based parsimony tree based on the fitness scores.

Abstract: Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.

Abstract: Novel tools and techniques are provided for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent) may receive, from a network filter orchestration conductor, a global filter-intent list including a first filter intent that references a corresponding filter-intent object. The computing system may determine whether the at least one first filter intent applies to the managed device. If so, the computing system may translate the at least one first filter intent into a first filter that is specific to a first configuration of the managed device, in some cases, by building the first filter based at least in part on the at least one first filter intent. The computing system may subsequently apply the first filter to one or more network communications handled by the managed device.

Abstract: Novel tools and techniques are provided for implementing application programming interface (“API”)-based concurrent call path (“CCP”) provisioning. In various embodiments, in response to receiving a CCP provisioning request, a computing system may determine whether such a request would affect a set of trunk groups assigned to a customer based at least in part on network utilization data. If not, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in at least one trunk group assigned to the customer based on the CCP provisioning request. If so, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of trunk groups assigned to the customer and may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in the updated number of trunk groups.

Abstract: The present application describes a system and method for utilizing a tunnel in a networking routing protocol to provide a network segment access to additional servers when certain load balancing trigger events are detected.

Abstract: This disclosure describes systems, methods, and devices related to using an application programming interface (API) gateway orchestration layer. A method may include identifying, by the API gateway orchestration layer, a first API request, received by an API gateway API, to access a first microservice of a first API gateway that uses a first API gateway model; identifying a second API request, received by the API gateway API, to access a second microservice of a second API gateway that uses a second API gateway model; determining, based on the first API request, a first route to the first API gateway; determining, based on the second API request, a second route to the second API gateway; routing the first API request to the first microservice based on the first route; and routing the second API request to the second microservice based on the second route.

Abstract: Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.

Abstract: Apparatuses and methods are disclosed for managing network connections. A computing device accesses a request to provision a network connection associated with a first device. The request includes a plurality of connection parameters defining desired specifications for a network connection from the first device to a second device. The connection parameters are validated against information from a database and other predetermined rules. A network connection path is generated to connect the first device with the second device. The network connection path is generated by selecting network elements for the network connection that satisfy the connection parameters. Configuration information for the network elements of the network connection path is aggregated for a configuration system. The configuration information is used to provision the network connection.

Abstract: Novel tools and techniques are provided for implementing network service ordering and provisioning of secure access service edge (“SASE”) scriptlets for providing SASE-based network. In various embodiments, a computing system may provide a user experience (“UX”) platform for a customer portal, the UX platform being accessible by a user via a user device over a first network(s); may provide, via the UX platform, options to configure, via the customer portal, one or more SASE scriptlets for providing SASE-based network services provided by a service provider; and may autonomously orchestrate deployment and configuration of the one or more SASE scriptlets on one or more network devices that are associated with the user or to an entity with which the user is associated, over a second network(s), based at least in part on user selection of options to configure the one or more SASE scriptlets and/or the corresponding SASE-based network services.

Abstract: Novel tools and techniques are provided for implementing dynamic border gateway protocol (“BGP”) host route generation based on domain name system (“DNS”) resolution. In various embodiments, a computing system may receive, from a user device via a first network, a request to establish a communications link with an external device via a second network that is separate from the first network, based on a first uniform resource identifier (“URI”) indicative of a network location of the external device. The computing system may query a DNS resolver for an Internet Protocol (“IP”) address corresponding to a valid current IP address, based on the first URI, and may advertise the IP address and/or a route based on the IP address. A communications link may be established between the user device and the external device based on the IP address and/or the route.