Abstract: The present invention is directed to compounds of formula (I) and (II), wherein all substituents are defined herein, as well as pharmaceutically acceptable compositions comprising compounds of the invention and methods of using said compositions in the treatment of various disorders.

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

Abstract: In one embodiment, a classification device in a computer network analyzes data from a given device in the computer network, and classifies the given device as a particular type of device based on the data. The classification device may then determine whether a manufacturer usage description (MUD) policy exists for the particular type of device. In response to there being no existing MUD policy for the particular type of device, the classification device may then determine patterns of the analyzed data, classify the patterns into context-based policies, and generate a derived MUD policy for the particular type of device based on the context-based policies. The classification device may then apply one of either the existing or derived MUD policy for the given device within the computer network.

Abstract: In one embodiment, a device in a network receives node information regarding a plurality of nodes that are to join the network. The device determines network formation parameters based on the received node information. The network formation parameters are indicative of a network join schedule and join location for a particular node from the plurality of nodes. The device generates, according to the network join schedule, a join invitation for the particular node based on the network formation parameters. The join invitation allows the particular node to attempt joining the network at the join location via a specified access point. The device causes the sending of one or more beacons via the network that include the join invitation to the particular node. The particular node attempts to join the network via the specified access point based on the one or more beacons.

Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router implementing an high level policy that has been dynamically resolved into a state of the mapping database.

Abstract: In one embodiment, a network controller for a computer network receives details of a provisioned device and policy requirements for the provisioned device. The network controller may then determine, based on the details and policy requirements for the provisioned device, a plurality of network devices that the provisioned device is configured to communicate through, and may then translate the details and policy requirements for the provisioned device into a plurality of network-device-specific policies, each respective network-device-specific policy corresponding to one of the plurality of network devices that the provisioned device is configured to communicate through. As such, the network controller may then transmit a respective network-device-specific policy of the plurality of network-device-specific policies to the plurality of network devices that the provisioned device is configured to communicate through.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: In one embodiment, a classification device in a computer network analyzes data from a given device in the computer network, and classifies the given device as a particular type of device based on the data. The classification device may then determine whether a manufacturer usage description (MUD) policy exists for the particular type of device. In response to there being no existing MUD policy for the particular type of device, the classification device may then determine patterns of the analyzed data, classify the patterns into context-based policies, and generate a derived MUD policy for the particular type of device based on the context-based policies. The classification device may then apply one of either the existing or derived MUD policy for the given device within the computer network.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: In one embodiment, an authorized signing authority server receives an authenticity request from a security registrar to vouch for authenticity of a particular device. Based on receiving the authenticity request, the authorized signing authority server may then determine an authenticity state of the particular device, and may also request a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device. Upon receiving the device provisioning file from the device provisioning server, the authorized signing authority server may then return the authenticity state and the device provisioning file for the particular device to the security registrar, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file.

Abstract: Various techniques that allow group members to detect the use of stale encryption policy by other group members are disclosed. One method involves receiving a message from a first group member via a network. The message is received by a second group member. The method then detects that the first group member is not using a most recent policy update supplied by a key server, in response to information in the message. In response, a notification message can be sent from the second group member. The notification message indicates that at least one group member is not using the most recently policy update. The notification message can be sent to the key server or towards the first group member.

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

Abstract: In one embodiment, an authorized signing authority server receives an authenticity request from a security registrar to vouch for authenticity of a particular device. Based on receiving the authenticity request, the authorized signing authority server may then determine an authenticity state of the particular device, and may also request a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device. Upon receiving the device provisioning file from the device provisioning server, the authorized signing authority server may then return the authenticity state and the device provisioning file for the particular device to the security registrar, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file.

Abstract: In one embodiment, a network controller for a computer network receives details of a provisioned device and policy requirements for the provisioned device. The network controller may then determine, based on the details and policy requirements for the provisioned device, a plurality of network devices that the provisioned device is configured to communicate through, and may then translate the details and policy requirements for the provisioned device into a plurality of network-device-specific policies, each respective network-device-specific policy corresponding to one of the plurality of network devices that the provisioned device is configured to communicate through. As such, the network controller may then transmit a respective network-device-specific policy of the plurality of network-device-specific policies to the plurality of network devices that the provisioned device is configured to communicate through.

Abstract: A method is provided in one example embodiment and includes receiving at a node of a transitive IP network a data packet including a Network Services Header (“NSH”); accessing by the transitive IP network node context contained in the NSH, wherein the context may be used by the transitive IP network node to perform an enhanced network service in connection with the received data packet; performing by the transitive IP network node the enhanced network service in connection with the received data packet using the accessed context; and, subsequent to the performing, forwarding the received packet to a next node.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: A method is provided in one example embodiment and includes receiving at a node of a transitive IP network a data packet including a Network Services Header (“NSH”); accessing by the transitive IP network node context contained in the NSH, wherein the context may be used by the transitive IP network node to perform an enhanced network service in connection with the received data packet; performing by the transitive IP network node the enhanced network service in connection with the received data packet using the accessed context; and, subsequent to the performing, forwarding the received packet to a next node.