Patents by Inventor Carlos M. Pignataro

Carlos M. Pignataro has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11811784
    Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod in a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to an NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.
    Type: Grant
    Filed: June 3, 2022
    Date of Patent: November 7, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Akram Ismail Sheriff
  • Patent number: 11811622
    Abstract: Aggregation of cross domain service level indications provides an estimate of available end to end error budget within a service chain of a network system. In some embodiments, service level indications are obtained from a plurality of sub-domains, and aggregated to determine an end to end reliability score. The end to end reliability score is then distributed to one or more of the sub-domains. The sub-domains then consider whether to implement a change based on local service level indications as well as the end to end reliability score. In other embodiments, a sub-domain requests approval to implement a change from an error manager. The error manager consults the end to end reliability score to determine whether adequate margin exists in the service chain to allow the change to occur, while still meeting service level objectives of the service chain. The error manager conditionally approves the request based on the determination.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: November 7, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, David John Zacks
  • Patent number: 11805112
    Abstract: This disclosure describes techniques for performing enhanced authentication of a device based on physical and logical proximity of the device to one or more other authenticated devices. An example method includes performing, at a first time, a first authentication of a first device or a first user of the first device and determining that the first device is connected to at least one second device in a communication session. The at least one second device or at least one second user of the at least one second device are authenticated. The example method further includes determining a reauthentication interval based on the first device being connected to the at least one second device in the communication session and initiating, at a second time that is after the first time by the reauthentication interval, a second authentication of the first device or the first user of the first device.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: October 31, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: David J Zacks, Carlos M. Pignataro, Thomas Szigeti
  • Patent number: 11805029
    Abstract: A method is performed at one or more entities configured to configure and provide assurance for a service enabled on a network. The service is configured as a collection of subservices on network devices of the network. A definition of the service is decomposed into a subservice dependency graph that indicates the subservices and dependencies between the subservices that collectively implement the service. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of subservice health states of the subservices. The subservice metrics are obtained from the subservices, and the subservice health states of the subservices are determined based on the subservice metrics. A health state of the service is determined based on the subservice health states. One or more of the subservices are reconfigured based on the health state of the service.
    Type: Grant
    Filed: October 18, 2022
    Date of Patent: October 31, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Benoit Claise, Carlos M. Pignataro, Eric Vyncke, Joseph M. Clarke, Mioljub Jovanovic, Harjinder Singh
  • Publication number: 20230336402
    Abstract: Data related to operational performance of a plurality of nodes in a system is obtained and a first metric anomaly associated with a node of the plurality of nodes in the system is identified. The first metric anomaly indicates that data associated with a first metric is outside a threshold range. Second metrics related to the first metric are identified and it is determined that one of the second metrics is an anomaly. Third metrics related to the second metric are identified and it is determined whether any third metric is an anomaly. The second metric is identified as a probable cause of the first metric anomaly when it is determined that no third metric is an anomaly. A report including information associated with the probable cause of the first metric anomaly is transmitted to a user device.
    Type: Application
    Filed: April 18, 2022
    Publication date: October 19, 2023
    Inventors: Walter Hulick, Jr., Carlos M. Pignataro, David Zacks, Thomas Szigeti, Hans F. Ashlock
  • Publication number: 20230334478
    Abstract: In one embodiment, a device obtains data regarding a transaction attempted by a user account within an online application that is captured by instrumentation code that is inserted into the online application at runtime, wherein the user account has sufficient privileges within the online application to perform the transaction. The device makes an inference about the data regarding the transaction using a behavioral model. The device determines, based on the inference, a mitigation action for performance within the online application according to an enforcement policy. The device enforces the mitigation action within the online application.
    Type: Application
    Filed: April 19, 2022
    Publication date: October 19, 2023
    Inventors: Thomas Szigeti, David John Zacks, Walter Theodore Hulick, Jr., Nagendra Kumar Nainar, Carlos M. Pignataro
  • Patent number: 11792065
    Abstract: Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services, by providing examples of a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.
    Type: Grant
    Filed: February 17, 2022
    Date of Patent: October 17, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Jaganbabu Rajamanickam, David John Zacks, Carlos M. Pignataro, Madhan Sankaranarayanan, Cesar Obediente, Craig Thomas Hill
  • Publication number: 20230328553
    Abstract: Failure prediction signaling and cognitive user migration may be provided. A client device may receive at least a portion of failure prediction data. The client device may then analyze the at least the portion of the failure prediction data. The client device may then roam from a first computing device to a second computing device in response to analyzing the at least the portion of the failure prediction data.
    Type: Application
    Filed: June 12, 2023
    Publication date: October 12, 2023
    Applicant: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Jerome Henry, Robert E. Barton
  • Publication number: 20230325478
    Abstract: In one embodiment, a device obtains data regarding a transaction attempted by a user within an online application that is captured by instrumentation code that is inserted into the online application at runtime, wherein the user has sufficient privileges within the online application to perform the transaction. The device sends, based on the data regarding the transaction, one or more approval requests to one or more authorizers. The device receives one or more responses to the one or more approval requests. The device blocks, based on the one or more responses, the transaction attempted by the user within the online application via the instrumentation code.
    Type: Application
    Filed: April 12, 2022
    Publication date: October 12, 2023
    Inventors: Thomas Szigeti, David John Zacks, Walter Theodore Hulick, Jr., Nagendra Kumar Nainar, Carlos M. Pignataro
  • Patent number: 11784928
    Abstract: Presented herein are methods and systems that facilitate data plane signaling of a packet as a candidate for capture at various network nodes within an IPv6 network. The signaling occurs in-band, via the data plane; that is, a capture or interrogation signal is embedded within the respective packet (e.g., in the packet header) that carries user traffic. The signaling is inserted, preferably when the packet is classified, e.g., at the ingress node of the network, so that subsequent network nodes within the IPv6 network are signaled to capture or further inspect the packet for capture.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: October 10, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Carlos M. Pignataro, Richard Furr, Nagendra Kumar Nainar, Joseph Michael Clarke
  • Patent number: 11770251
    Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubernetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.
    Type: Grant
    Filed: September 9, 2020
    Date of Patent: September 26, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Akram Ismail Sheriff
  • Patent number: 11770334
    Abstract: Techniques for utilizing a cloud service to compute an end-to-end SLA-aware path using dynamic software-defined cloud interconnect (SDCI) tunnels between a user device and an access point-of-presence (POP) node and inter-POP tunnels of the SDCI. The cloud service may include a performance aware path instantiation (PAPI) component including a POP database for storing performance metrics associated with the POPs of the SDCI, an enterprise policy database for storing user specific policies, and/or a path computation component. The path computation component may compute the path, based on the user specific policies, performance metrics associated with the POP nodes, and/or real-time contextual data associated with the user device and/or destination device. The path may include a first tunnel between the user device and the most optimal access POP node of the SDCI and a second tunnel between the access POP node, through the internal POP nodes, and to the destination device.
    Type: Grant
    Filed: July 1, 2022
    Date of Patent: September 26, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Robert Edgar Barton, Carlos M. Pignataro, Jerome Henry, Olivier Pelerin, Shankar Vemulapalli
  • Publication number: 20230300138
    Abstract: Methods are provided in which a network device hosts distinct network access resources that are managed by different entities. The method includes obtaining a request for partitioning one or more network resources of an on-premise network device for connecting one or more endpoints to a first network managed by a first entity. The on-premise network device connects one or more endpoints to a second network managed by a different entity. The method further involves partitioning, based on the request, the one or more network resources and connecting the one or more endpoints to the first network using the one or more network resources. The one or more network resources are managed by the first entity while at least one other network resource of the on-premise network device is managed by the different entity and is associated with connecting the one or more endpoints to the second network.
    Type: Application
    Filed: March 15, 2022
    Publication date: September 21, 2023
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, John Matthew Swartz, Paul Brian Giralt, David John Zacks, Gonzalo Salgueiro
  • Publication number: 20230300037
    Abstract: A device associated with an enterprise receives, from a user device, a message indicating that a user of the user device has requested a service level for accessing a service while performing teleworking activities for the enterprise. The user device accesses the service via a network that includes a portion controlled by an Internet Service Provider (ISP). The enterprise has established an agreement with the ISP indicating that the ISP is to provide service levels for users who are performing teleworking activities for the enterprise via the ISP. The ISP associated with the user device is identified based on the message. A request is transmitted to the ISP to provide the service level for the portion of the network that is controlled by the ISP and the ISP provides the service level for accessing the service based on the request.
    Type: Application
    Filed: March 15, 2022
    Publication date: September 21, 2023
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Paul Brian Giralt, Gonzalo Salgueiro, David John Zacks
  • Patent number: 11763194
    Abstract: Systems, methods, and computer-readable media for cognitive sensor fusion management include obtaining one or more data streams from one or more sensors. Learning algorithms are used for determining whether a combination of the one or more data streams includes sufficient information for achieving a desired outcome, based on context, business verticals, or other considerations. One or more modifications are determined to at least the one or more data streams or one or more sensors based on whether the combination of the one or more data streams includes sufficient information for achieving the desired outcome. In a closed-loop system, feedback from implementing the one or more modifications can be used to update the desired outcome.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: September 19, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Marcelo Yannuzzi Sanchez, Carlos M. Pignataro, Simon Dyke, David Delano Ward
  • Patent number: 11765050
    Abstract: A device associated with an enterprise receives, from a user device, a message indicating that a user of the user device has requested a service level for accessing a service while performing teleworking activities for the enterprise. The user device accesses the service via a network that includes a portion controlled by an Internet Service Provider (ISP). The enterprise has established an agreement with the ISP indicating that the ISP is to provide service levels for users who are performing teleworking activities for the enterprise via the ISP. The ISP associated with the user device is identified based on the message. A request is transmitted to the ISP to provide the service level for the portion of the network that is controlled by the ISP and the ISP provides the service level for accessing the service based on the request.
    Type: Grant
    Filed: March 15, 2022
    Date of Patent: September 19, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Paul Brian Giralt, Gonzalo Salgueiro, David John Zacks
  • Publication number: 20230269219
    Abstract: An authorization device obtains a registration request associated with an end device, the registration request including a new randomized media access control (MAC) address associated with the end device; determines whether the end device is authorized to use the new randomized MAC address; transmits a message to the end device with a first randomly generated number when it is determined that the end device is authorized to use the new randomized MAC address; obtains first integrity information associated with the end device, the first integrity information being computed based on the first randomly generated number; transmits a request to a validation system to validate the end device based on the first integrity information; obtains an indication that the end device is validated; determines policies associated with the end device when it is determined that the end device is validated; and applies the policies to the end device.
    Type: Application
    Filed: February 22, 2022
    Publication date: August 24, 2023
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Robert E. Barton, Jerome Henry
  • Publication number: 20230268650
    Abstract: A system and methods by which a reconfigurable intelligent surface device is dynamically configured to control the reflection of transmissions made between an access point and one or more client devices so as to protect the transmissions from being properly received by an unauthorized device. These methods may be used to maintain data confidentiality, particularly for remote workers. The positions of the access point and client devices are used to configure the reconfigurable intelligent surface device to reflect the transmissions inward and avoid/minimize leakage outside a physical space.
    Type: Application
    Filed: February 23, 2022
    Publication date: August 24, 2023
    Inventors: John Matthew Swartz, Nagendra Kumar Nainar, Carlos M. Pignataro, Matthew Aaron Silverman, Ardalan Alizadeh
  • Publication number: 20230261928
    Abstract: Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services, by providing examples of a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.
    Type: Application
    Filed: February 17, 2022
    Publication date: August 17, 2023
    Inventors: Nagendra Kumar Nainar, Jaganbabu Rajamanickam, David John Zacks, Carlos M. Pignataro, Madhan Sankaranarayanan, Cesar Obediente, Craig Thomas Hill
  • Patent number: 11729220
    Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: August 15, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Robert E. Barton, Bart A. Brinckman, Jerome Henry, Carlos M. Pignataro, Nagendra Kumar Nainar, Matthew MacPherson