Abstract: An SDN controller to provision network resources at a data plane to keep progressive downloads of multimedia files proportional to encoding rates is disclosed. Packets from a new or unknown flow being downloaded at a default rate are forwarded from an access point, or other device, to an SDN controller for analysis. If a progressive download of a multimedia file (e.g., a video file) in progress is detected, an encoding rate of frames for the multimedia file is determined. A target download rate for the multimedia file at the access point is determined based on the encoding rate, in an embodiment. Other optional factors also take into account network-wide data plane information gathered by the SDN controller from various points on the network. Additionally, a playback history for a particular multimedia file can affect the target download rate, based on whether, for example, a file is likely to be quickly halted.

Abstract: Attacks from IoT (Internet of Things) devices (or other statins) on a Wi-Fi network are identified using heuristics. Frames are detected from an IoT device (or conventional station) over a window of time. The frame is processed to expose IoT application data from the frame over the time window. Deviations are identified in the IoT application data to detect malicious activity from the IoT device by comparing the IoT application data from at least a first time and a second time within the time. Responsive to the IoT data comparison detecting a malicious activity from the IoT device, a network security action is performed in reference to the IoT device, the network security action to prevent the malicious activity.

Abstract: An access packet group is formed for packet capture of MU-MIMO capable access points. A neighbor list for a plurality of access points discovered by an access point is received. The access point has MU-MIMO capability for multiple concurrent streams of data with multiple clients. A frame report is received from the access point of RSSI values for the plurality of access points on the neighbor list. A group of access points is selected from the plurality of access points to switch into packet capture mode, based on RSSI values.

Abstract: Firewall rules and policies are automatically managed in accordance with relevancy to network traffic on a wireless network. A specific firewall rule is applied to the network packet being examined based on the identified application based on a ranking of a relevancy score. Responsive to the specific firewall rule application, the relevancy score associated with the specific firewall rule are increased, and relevancy scores for other firewall rules of the predetermined firewall rule category that are not applied to the network packet decreased. Firewall rules of the category, for order of application, are ranked based on the relevancy scores.

Abstract: Application bandwidth is dynamically throttled and/or stations are steered to different access points to maintain optimal QoE for stations on a wireless network. Responsive to a determination that the available bandwidth for the one or more applications is below a threshold for station QoE application minimum bandwidth, the current QoE station index is updated. Responsive to a determination that the current QoE station index is below a system determined QoE level, throttling the one or more applications of the station which were below a threshold for station QoE application bandwidth allocation or steering the station to a new access point.

Abstract: Per-application micro-firewall container images execute in containers on a data communication network. A micro-firewall controller detects that a specific application has been activated. In response, a micro-firewall image corresponding to the specific application is configured and executed in a container.

Abstract: A technique for self-testing of services in an access point of a communication network includes providing a table that has a mapping between a service test, packets to be sent for testing, and packets that should be received in response to the testing, emulating and marking the test packets to be sent, placing the marked test packets in an Rx queue, processing the test packets normally by the access point to provide response packets and marking these response packets, delivering the marked response packets to a Rx queue, retrieving the marked response packets from the Rx queue, and comparing the service test response packets to the list of packets that should have been received in the response to the testing in order to validate that service on the access point.

Abstract: Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input form the cloud-based Wi-Fi controller. One of the two or more of the plurality of access points is selected for handing-off the station based on the RSSI values received from the interrogation. Responsive to the selection, a message is sent to the selected access point instructing the one of the at least one of the plurality of access points to respond to messages from the station.

Abstract: A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response includes a channel switching element. The channel switching prevents the client from completing the SA process before a time out.

Abstract: Per-station realm lists are dynamically generating per-station for hot spot connections to access points by roaming stations. A query for a list of realms is received from a roaming station when connecting to a hot spot. Using an MAC address or other station identity, a list of available realms narrowed to a subset of per-station realms sent to the station. Narrowing is performed on-the-fly with respect to at least one aspects. A last N realms are retrieved from a database record searched by MAC address. The list is further narrowed by removing realms that are inaccessible or otherwise recently shown to have bad link quality. Additional ranking factors can narrow or rearrange the realm list based on financial agreements, popularity, trends, and the like. A selection from the list of realms is received from the station. The access point then authenticates the station with the selected realm.

Abstract: Poisoning attacks are detected and resulting location data is excluded from location-based services. Rogue devices can use a MAC address in a source field of network data packet in order to appear as a trusted station to the access point in order to inject poisonous location data. Responsive to detecting that a change in location is suspicious, the change in location is excluded from the location-based service. Otherwise, the location change can be relied upon for providing the location-based service, as a default operation. Subsequent location-based service is provided by a locationing server using location information from connected stations while excluding suspicious changes in location.

Abstract: A navigation security module of an unmanned aerial vehicle (UAV) receives a combination of signals from a location technology, each signal comprising at least a signal identification and location data. The combination of signal identifications is processed against known identifications. If the identification is not found, or if the combination of signal identification is not possible, the signal may be a rogue signal, resulting in a quarantine protocol.

Abstract: An analytics containment system store RSSI values of connected stations and corresponding time stamps. If two or more stations have RSSI values within a certain proximity within a certain time period, a first condition for identifying analytics poisoning has been satisfied. Additionally, if RSSI values for the two or more stations changes at similar rate, the stations have satisfied a second optional condition.

Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked-up utilizing the pseudo source address, and a specific location for the RF tag is looked-up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station. For example, a location-based offer or service can be provided in real-time with a consumer's presence to relevant products or services.

Abstract: IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of least one of device and operating system. The identity determination is stored for applying network policies (e.g., network security policies) during transactions with the station.

Abstract: IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of least one of device and operating system. The identity determination is stored for applying network policies (e.g., network security policies) during transactions with the station.

Abstract: RF (radio frequency) charging access points charge IoT (Internet of things) devices. RF charging service is advertised through periodically broadcast beacons. A MU-MIMO group or other group is formed from a plurality of stations connected to the access point for RF charging. RF packets are transmitted to stations in the MU-MIMO group, each station including RF charging circuitry to harvest reusable energy from the RF packets.

Abstract: Attacks from IoT (Internet of Things) devices (or other statins) on a Wi-Fi network are identified using heuristics. Frames are detected from an IoT device (or conventional station) over a window of time. The frame is processed to expose IoT application data from the frame over the time window. Deviations are identified in the IoT application data to detect malicious activity from the IoT device by comparing the IoT application data from at least a first time and a second time within the time. Responsive to the IoT data comparison detecting a malicious activity from the IoT device, a network security action is performed in reference to the IoT device, the network security action to prevent the malicious activity.

Abstract: A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response includes a channel switching element. The channel switching prevents the client from completing the SA process before a time out.

Abstract: Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input form the cloud-based Wi-Fi controller. One of the two or more of the plurality of access points is selected for handing-off the station based on the RSSI values received from the interrogation. Responsive to the selection, a message is sent to the selected access point instructing the one of the at least one of the plurality of access points to respond to messages from the station.