Abstract: IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of least one of device and operating system. The identity determination is stored for applying network policies (e.g., network security policies) during transactions with the station.

Abstract: Firewall rules and policies are automatically managed in accordance with relevancy to network traffic on a wireless network. A specific firewall rule is applied to the network packet being examined based on the identified application based on a ranking of a relevancy score. Responsive to the specific firewall rule application, the relevancy score associated with the specific firewall rule are increased, and relevancy scores for other firewall rules of the predetermined firewall rule category that are not applied to the network packet decreased. Firewall rules of the category, for order of application, are ranked based on the relevancy scores. Firewall rules having relevancy scores below a predetermined relevancy threshold are disabled and the administrator is notified.

Abstract: RF (radio frequency) charging access points charge IoT (Internet of things) devices. RF charging service is advertised through periodically broadcast beacons. A MU-MIMO group or other group is formed from a plurality of stations connected to the access point for RF charging. RF packets are transmitted to stations in the MU-MIMO group, each station including RF charging circuitry to harvest reusable energy from the RF packets.

Abstract: Methods, systems and computer readable media for protecting networks and devices from network security attack using physical communication layer characteristics are described.

Abstract: An analytics containment system store RSSI values of connected stations and corresponding time stamps. If two or more stations have RSSI values within a certain proximity within a certain time period, a first condition for identifying analytics poisoning has been satisfied. Additionally, if RSSI values for the two or more stations changes at similar rate, the stations have satisfied a second optional condition.

Abstract: Methods, systems and computer readable media for rogue access point detection are described.

Abstract: Methods, systems and computer readable media for location-based endpoint security are described.

Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked-up utilizing the pseudo source address, and a specific location for the RF tag is looked-up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station. For example, a location-based offer or service can be provided in real-time with a consumer's presence to relevant products or services.

Abstract: A technique for emulating virtual port control of airtime fairness for wireless stations using per station Enhanced Distributed Channel Access (EDCA) parameters. Specific parameters are received for each of a plurality of stations connected to the access point. An EDCA field of a beacon that stores a general EDCA parameter is set to an empty state. The beacon is broadcast to a plurality stations on the wireless communication network and within range of an access point. The beacon comprises a BSSID (Basic Service Set Identifier) for use by the plurality of stations to connect with the access point for access to the wireless communication network. The beacon also comprises an empty EDCA field. In response to broadcasting the empty EDCA parameter, receiving a direct inquiry from each of the plurality of stations for the general EDCA parameter. Each of the plurality of stations is responded to with a direct communication of a specific parameter corresponding to each station.

Abstract: A battery saving controller toggles between a normal mode and a battery saving mode which selectively processing location beacons using mobile inbuilt sensors. Bluetooth location beacons are periodically sent by nearby Bluetooth location devices for updating a current location of mobile devices. Battery power within the mobile devices is selectively used for processing the location beacon. The processing exposes the unique tag id from Bluetooth LE data packets, and determines the RSSI value of the data packets received from Bluetooth devices. The battery saving controller deactivates location beacon processing to save power usage from the battery, responsive to detecting identical packets over a time interval. Additionally, the battery saving controller reactivates location beacon responsive to at least one of the sensors inbuilt to the mobile device detecting movement of the mobile device.

Abstract: A technique for providing per station control of multiple stations in a wireless network across multiple access points. A look-up table that assigns a station connected to the access point and at least one communication parameter to each of a plurality of persistent, uniquely-assigned BSSIDs (Basic Service Set Identifiers) is stored. An access point responds to messages addressed one of the plurality of persistent, uniquely-assigned BSSIDs and ignores messages addressed to other BSSIDs. Persistence of the BSSID allows the controller to maintain individual control over each station after moving to a second access point of the plurality of access points. A frame comprising the plurality of BSSIDs corresponding to each connected station aggregated into the frame is generated. The frame is transmitted to the plurality of stations.

Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked-up utilizing the pseudo source address, and a specific location for the RF tag is looked-up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station.

Abstract: An access packet group is formed for packet capture of MU-MIMO capable access points. A neighbor list for a plurality of access points discovered by an access point is received. The access point has MU-MIMO capability for multiple concurrent streams of data with multiple clients. A frame report is received from the access point of RSSI values for the plurality of access points on the neighbor list. A group of access points is selected from the plurality of access points to switch into packet capture mode, based on RSSI values. The group of access points is configured into packet capture mode.

Abstract: Spoof attacks on location based beacons are detected. A stream of beacons (e.g., IBEACONS) comprising at least a unique source identifier is generated. The stream of beacons is broadcast over a wireless communication channel to mobile devices within range. A list of broadcasted beacons is stored in a table along with a time and location of broadcast. Subsequent to broadcasting, a stream of beacons is detected. The detected beacon stream comprises a unique source identifier along with a time and a location of broadcast. The unique source identifier, the time and the location of at least one beacon of the detected beacon stream can be compared to the unique source identifier, the time and the location of at least one beacon of the broadcast beacon stream. Responsive to a match between the unique source identifiers and a mismatch of at least one of the time and locations, it is determined that the broadcast beacon stream has been spoofed by the detected beacon stream.

Abstract: An analytics containment system store RSSI values of connected stations and corresponding time stamps. If two or more stations have RSSI values within a certain proximity within a certain time period, a first condition for identifying analytics poisoning has been satisfied. Additionally, if RSSI values for the two or more stations changes at similar rate, the stations have satisfied a second optional condition.

Abstract: Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input form the cloud-based Wi-Fi controller. One of the two or more of the plurality of access points is selected for handing-off the station based on the RSSI values received from the interrogation. Responsive to the selection, a message is sent to the selected access point instructing the one of the at least one of the plurality of access points to respond to messages from the station.

Abstract: A wireless communication network is self-provisioned using coordination of data plane behavior to steer stations to preferred access points. To do so, a policy concerning traffic flow for the wireless communication network is received. Data plane traffic flow is monitored at each of the plurality of access points distributed around the wireless communication network. At some point, it may be determined the data plane traffic flow at a first access point from needs to be reduced based on the data plane traffic flow relative to the policy. In response, a station is steered to a preferred access point using OpenFlow rules to affect data plane routing decisions at the access point (e.g., drop, delay, or reprioritize packets).

Abstract: IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of least one of device and operating system. The identity determination is stored for applying network policies (e.g., network security policies) during transactions with the station.

Abstract: Application bandwidth is dynamically throttled and/or stations are steered to different access points to maintain optimal QoE for stations on a wireless network. Responsive to a determination that the available bandwidth for the one or more applications is below a threshold for station QoE application minimum bandwidth, the current QoE station index is updated. Responsive to a determination that the current QoE station index is below a system determined QoE level, throttling the one or more applications of the station which were below a threshold for station QoE application bandwidth allocation or steering the station to a new access point.

Abstract: A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response includes a channel switching element. The channel switching prevents the client from completing the SA process before a time out.