Abstract: An access point provisions of network resources at a data plane to optimize progressive downloads in WLANs. To do so, link information concerning at least one routing path of the access point is periodically sent to an SDN controller. As needed, download parameters are determined for a file transfer from the access point to a station from a resource external to the communication network. Responsive to the file transfer being a progressive download, one or more OpenFlow rules are received from the SDN controller. The one or more OpenFlow rules determine download parameters for the file transfer to the station based on link conditions visible to the SDN controller from the data plane of the communication network, including at least the access point link information periodically sent to the SDN controller. The file transfer to the station is then executed according to at least the one or more OpenFlow rules.

Abstract: Spoof attacks on location based beacons are detected. A stream of beacons (e.g., IBEACONS) comprising at least a unique source identifier is generated. The stream of beacons is broadcast over a wireless communication channel to mobile devices within range. A list of broadcasted beacons is stored in a table along with a time and location of broadcast. Subsequent to broadcasting, a stream of beacons is detected. The detected beacon stream comprises a unique source identifier along with a time and a location of broadcast. The unique source identifier, the time and the location of at least one beacon of the detected beacon stream can be compared to the unique source identifier, the time and the location of at least one beacon of the broadcast beacon stream. Responsive to a match between the unique source identifiers and a mismatch of at least one of the time and locations, it is determined that the broadcast beacon stream has been spoofed by the detected beacon stream.

Abstract: An access point associated on Wi-Fi portion of the communication network selectively groups stations according to a mobility profile. The mobility profile includes factors that characterize at least an amount of movement and current location for a station. Each station is assigned to a beamforming group of similar mobility profiles. A type of beamforming transmission is selected for each beamforming group based on mobility profiles of associated stations. The type of beamforming transmissions including at least MU-MIMO and SU-MIMO. Data is then transmitted to the stations of each beamforming group according to the selected type of beamforming transmissions. A Wi-Fi controller, having a network-wide view of conditions and being able to collect historical information about stations during connections to other access points, is able to provide data unique data to group selections.

Abstract: A computer-implemented method for detecting cache-poisoning attacks in networks using SDPs may include maintaining a cache of service information that identifies services provided by client devices connected to a network using an SDP. The method may also include detecting a cache-poisoning attack by (1) receiving, from a client device connected to the network, an SDP message related to a service allegedly provided via the network, (2) identifying, within the SDP message, an attribute of the service allegedly provided via the network, and then (3) determining that the client device is attempting to corrupt the cache of service information by determining that the identified attribute of the service suggests that the service is illegitimate. Finally, the method may include performing a security action to mitigate the cache-poisoning attack in response to detecting the cache-poisoning attack. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Poisoning attacks by spoofing location beacons in a WLAN are detected using silence periods. A location beacon identifier is received from a mobile device allegedly within range of a location device transmitting location beacons, along with a timestamp of transmission for each of the location beacons. Also silence periods associated with the location device, during which transmissions of location beacons are temporarily discontinued, and which are unknown to the public, are determined or retrieved. The location beacon transmission time is compared to the silence periods. Responsive to the location beacon transmission time corresponding to at least one of the silence periods, the location device flagged as poisoned.

Abstract: A navigation security module of an unmanned aerial vehicle (UAV) receives a combination of signals from a location technology, each signal comprising at least a signal identification and location data. The combination of signal identifications is processed against known identifications. If the identification is not found, or if the combination of signal identification is not possible, the signal may be a rogue signal, resulting in a quarantine protocol.

Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked-up utilizing the pseudo source address, and a specific location for the RF tag is looked-up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station.

Abstract: Spoof attacks on location based beacons are detected. A stream of beacons (e.g., IBEACONS) comprising at least a unique source identifier is generated. The stream of beacons is broadcast over a wireless communication channel to mobile devices within range. A list of broadcasted beacons is stored in a table along with a time and location of broadcast. Subsequent to broadcasting, a stream of beacons is detected. The detected beacon stream comprises a unique source identifier along with a time and a location of broadcast. The unique source identifier, the time and the location of at least one beacon of the detected beacon stream can be compared to the unique source identifier, the time and the location of at least one beacon of the broadcast beacon stream. Responsive to a match between the unique source identifiers and a mismatch of at least one of the time and locations, it is determined that the broadcast beacon stream has been spoofed by the detected beacon stream.

Abstract: A technique for providing per station control of multiple stations in a wireless network across multiple access points. A look-up table that assigns a station connected to the access point and at least one communication parameter to each of a plurality of persistent, uniquely-assigned BSSIDs (Basic Service Set Identifiers) is stored. An access point responds to messages addressed one of the plurality of persistent, uniquely-assigned BSSIDs and ignores messages addressed to other BSSIDs. Persistence of the BSSID allows the controller to maintain individual control over each station after moving to a second access point of the plurality of access points. A frame comprising the plurality of BSSIDs corresponding to each connected station aggregated into the frame is generated. The frame is transmitted to the plurality of stations.

Abstract: A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response includes a channel switching element. The channel switching prevents the client from completing the SA process before a time out.

Abstract: A network device detects a multicast video stream being from an upstream resource being sent to downstream multicast members. If the number of multicast members are below a threshold (e.g., 5 stations), multicast network packets can be converted to unicast network packets. On the other hand, if the number of multicast members are above the threshold, the multicast members are divided into groupings based on capabilities of the multicast members, such as data rate capability. Data rates of transmissions are set according to the group data rate capabilities. As a result, the higher data rate members are able to operate at a higher speed rather than at the lowest common denominator. Further, because there are several multicast streams being sent, packets missed from the higher data rate stream can be picked up on the lower data rate stream.

Abstract: An analytics containment system store RSSI values of connected stations and corresponding time stamps. If two or more stations have RSSI values within a certain proximity within a certain time period, a first condition for identifying analytics poisoning has been satisfied. Additionally, if RSSI values for the two or more stations changes at similar rate, the stations have satisfied a second optional condition.

Abstract: Reliable call hand-offs from a cellular network to a Wi-Fi network. A hand-off controller detects a hand-off condition (e.g., hand-off request, potential/predicted hand-off request) and, in response, initiates a test call. For example, a telephone call made through a smart phone, using a cellular network (e.g., Verizon, AT&T or Sprint) can be handed over to a hot spot at a Starbucks. In response to detecting an available data network, transmission quality for VOIP conditions is automatically tested. If the network conditions meet a certain predetermined threshold, the VOIP hand-off is executed. If the predetermined threshold is not met, the VOIP hand-off may not be executed, or may be delayed.

Abstract: Directing station roaming in a cloud-managed Wi-Fi network. Management messages are received from a controller that is located remotely from the Wi-Fi communication network by an access point. When an RSSI (received signal strength indication) value between the station and the access point falls below a threshold, the access point (i.e., controller access point) determines which neighboring access point would be a best fit for a hand-off, with limited real-time input form the cloud-based Wi-Fi controller. One of the two or more of the plurality of access points is selected for handing-off the station based on the RSSI values received from the interrogation. Responsive to the selection, a message is sent to the selected access point instructing the one of the at least one of the plurality of access points to respond to messages from the station.

Abstract: An access point associated on Wi-Fi portion of the communication network selectively groups stations according to a mobility profile. The mobility profile includes factors that characterize at least an amount of movement and current location for a station. Each station is assigned to a beamforming group of similar mobility profiles. A type of beamforming transmission is selected for each beamforming group based on mobility profiles of associated stations. The type of beamforming transmissions including at least MU-MIMO and SU-MIMO. Data is then transmitted to the stations of each beamforming group according to the selected type of beamforming transmissions. A Wi-Fi controller, having a network-wide view of conditions and being able to collect historical information about stations during connections to other access points, is able to provide data unique data to group selections.

Abstract: A technique for providing per station control of multiple stations in a wireless network across multiple access points. A look-up table that assigns a station connected to the access point and at least one communication parameter to each of a plurality of persistent, uniquely-assigned BSSIDs (Basic Service Set Identifiers) is stored. An access point responds to messages addressed one of the plurality of persistent, uniquely-assigned BSSIDs and ignores messages addressed to other BSSIDs. Persistence of the BSSID allows the controller to maintain individual control over each station after moving to a second access point of the plurality of access points. A frame comprising the plurality of BSSIDs corresponding to each connected station aggregated into the frame is generated. The frame is transmitted to the plurality of stations.

Abstract: An SDN controller to provision network resources at a data plane to keep progressive downloads of multimedia files proportional to encoding rates is disclosed. Packets from a new or unknown flow being downloaded at a default rate are forwarded from an access point, or other device, to an SDN controller for analysis. If a progressive download of a multimedia file (e.g., a video file) in progress is detected, an encoding rate of frames for the multimedia file is determined. A target download rate for the multimedia file at the access point is determined based on the encoding rate, in an embodiment. Other optional factors also take into account network-wide data plane information gathered by the SDN controller from various points on the network. Additionally, a playback history for a particular multimedia file can affect the target download rate, based on whether, for example, a file is likely to be quickly halted.

Abstract: A technique for emulating virtual port control of airtime fairness for wireless stations using per station Enhanced Distributed Channel Access (EDCA) parameters. Specific parameters are received for each of a plurality of stations connected to the access point. An EDCA field of a beacon that stores a general EDCA parameter is set to an empty state. The beacon is broadcast to a plurality stations on the wireless communication network and within range of an access point. The beacon comprises a BSSID (Basic Service Set Identifier) for use by the plurality of stations to connect with the access point for access to the wireless communication network. The beacon also comprises an empty EDCA field. In response to broadcasting the empty EDCA parameter, receiving a direct inquiry from each of the plurality of stations for the general EDCA parameter. Each of the plurality of stations is responded to with a direct communication of a specific parameter corresponding to each station.

Abstract: A spoofed management frame is sent to an unauthorized access point (AP) on behalf of a station from an authorized AP, using a media access control (MAC) address of the station. The spoofed frame triggers a security association (SA) query from an unauthorized AP to reestablish valid communications. An acknowledgment (ACK) frame sent from the client to the unauthorized AP responsive to the SA query request is detected by the AP. A probe response is sent to the client. The probe response includes a channel switching element. The channel switching prevents the client from completing the SA process before a time out.

Abstract: RF tags using source addresses to locate stations on a Wi-Fi network are secured. An RF location server receives a pseudo source address of an RF (radio frequency) tag from a station. The station obtains the pseudo source address while being within radio range of the RF tag and the station receiving a beacon frame from the RF tag. A source address for the RF tag is looked-up utilizing the pseudo source address, and a specific location for the RF tag is looked-up utilizing the source address. Some embodiments store the locations in association with the pseudo address. Either way, the specific location of the station is identified based on the source address of the RF tag. An action is determined in response to at least the specific location of the station. Information related to the action is sent to the station for output to a user of the station. For example, a location-based offer or service can be provided in real-time with a consumer's presence to relevant products or services.