Abstract: This disclosure describes techniques for performing enhanced authentication of a device based on physical and logical proximity of the device to one or more other authenticated devices. An example method includes performing, at a first time, a first authentication of a first device or a first user of the first device and determining that the first device is connected to at least one second device in a communication session. The at least one second device or at least one second user of the at least one second device are authenticated. The example method further includes determining a reauthentication interval based on the first device being connected to the at least one second device in the communication session and initiating, at a second time that is after the first time by the reauthentication interval, a second authentication of the first device or the first user of the first device.

Abstract: In one embodiment, a device obtains data regarding a transaction attempted by a user account within an online application that is captured by instrumentation code that is inserted into the online application at runtime, wherein the user account has sufficient privileges within the online application to perform the transaction. The device makes an inference about the data regarding the transaction using a behavioral model. The device determines, based on the inference, a mitigation action for performance within the online application according to an enforcement policy. The device enforces the mitigation action within the online application.

Abstract: Data related to operational performance of a plurality of nodes in a system is obtained and a first metric anomaly associated with a node of the plurality of nodes in the system is identified. The first metric anomaly indicates that data associated with a first metric is outside a threshold range. Second metrics related to the first metric are identified and it is determined that one of the second metrics is an anomaly. Third metrics related to the second metric are identified and it is determined whether any third metric is an anomaly. The second metric is identified as a probable cause of the first metric anomaly when it is determined that no third metric is an anomaly. A report including information associated with the probable cause of the first metric anomaly is transmitted to a user device.

Abstract: Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services, by providing examples of a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.

Abstract: Failure prediction signaling and cognitive user migration may be provided. A client device may receive at least a portion of failure prediction data. The client device may then analyze the at least the portion of the failure prediction data. The client device may then roam from a first computing device to a second computing device in response to analyzing the at least the portion of the failure prediction data.

Abstract: In one embodiment, a device obtains data regarding a transaction attempted by a user within an online application that is captured by instrumentation code that is inserted into the online application at runtime, wherein the user has sufficient privileges within the online application to perform the transaction; The device sends, based on the data regarding the transaction, one or more approval requests to one or more authorizers. The device receives one or more responses to the one or more approval requests. The device blocks, and based on the one or more responses, the transaction attempted by the user within the online application via the instrumentation code.

Abstract: Presented herein are methods and systems that facilitate data plane signaling of a packet as a candidate for capture at various network nodes within an IPv6 network. The signaling occurs in-band, via the data plane—that is, a capture or interrogation signal is embedded within the respective packet (e.g., in the packet header) that carries a user traffic. The signaling is inserted, preferably when the packet is classified, e.g., at the ingress node of the network, to which subsequent network nodes with the IPv6 network are signaled to capture or further inspect the packet for capture.

Abstract: Techniques and mechanisms for providing continuous integrity validation-based control plane communication in a container-orchestration system, e.g., the Kubernetes platform. A worker node generates a nonce and forwards the nonce to a master node while requesting an attestation token. Using the nonce, the master node generates the attestation token and replies back to the worker node with the attestation token. The worker node validates the attestation token with a CA server to ensure that the master node is not compromised. The worker node sends its authentication credentials to the master node. The master node generates a nonce and forwards the nonce to the worker node while requesting an attestation token. Using the nonce, the worker node generates the attestation token and replies back to the master node with the attestation token. The master node validates the attestation token with the CA server to ensure that the worker node is not compromised.

Abstract: Techniques for utilizing a cloud service to compute an end-to-end SLA-aware path using dynamic software-defined cloud interconnect (SDCI) tunnels between a user device and an access point-of-presence (POP) node and inter-POP tunnels of the SDCI. The cloud service may include a performance aware path instantiation (PAPI) component including a POP database for storing performance metrics associated with the POPs of the SDCI, an enterprise policy database for storing user specific policies, and/or a path computation component. The path computation component may compute the path, based on the user specific policies, performance metrics associated with the POP nodes, and/or real-time contextual data associated with the user device and/or destination device. The path may include a first tunnel between the user device and the most optimal access POP node of the SDCI and a second tunnel between the access POP node, through the internal POP nodes, and to the destination device.

Abstract: A device associated with an enterprise receives, from a user device, a message indicating that a user of the user device has requested a service level for accessing a service while performing teleworking activities for the enterprise. The user device accesses the service via a network that includes a portion controlled by an Internet Service Provider (ISP). The enterprise has established an agreement with the ISP indicating that the ISP is to provide service levels for users who are performing teleworking activities for the enterprise via the ISP. The ISP associated with the user device is identified based on the message. A request is transmitted to the ISP to provide the service level for the portion of the network that is controlled by the ISP and the ISP provides the service level for accessing the service based on the request.

Abstract: Methods are provided in which a network device hosts distinct network access resources that are managed by different entities. The method includes obtaining a request for partitioning one or more network resources of an on-premise network device for connecting one or more endpoints to a first network managed by a first entity. The on-premise network device connects one or more endpoints to a second network managed by a different entity. The method further involves partitioning, based on the request, the one or more network resources and connecting the one or more endpoints to the first network using the one or more network resources. The one or more network resources are managed by the first entity while at least one other network resource of the on-premise network device is managed by the different entity and is associated with connecting the one or more endpoints to the second network.

Abstract: A device associated with an enterprise receives, from a user device, a message indicating that a user of the user device has requested a service level for accessing a service while performing teleworking activities for the enterprise. The user device accesses the service via a network that includes a portion controlled by an Internet Service Provider (ISP). The enterprise has established an agreement with the ISP indicating that the ISP is to provide service levels for users who are performing teleworking activities for the enterprise via the ISP. The ISP associated with the user device is identified based on the message. A request is transmitted to the ISP to provide the service level for the portion of the network that is controlled by the ISP and the ISP provides the service level for accessing the service based on the request.

Abstract: Systems, methods, and computer-readable for cognitive sensor fusion management include obtaining one or more data streams from one or more sensors. Learning algorithms are used for determining whether a combination of the one or more data streams includes sufficient information for achieving a desired outcome, based on context, business verticals, or other considerations. One or more modifications are determined to at least the one or more data streams or one or more sensors based on whether the combination of the one or more data streams includes sufficient information for achieving the desired outcome. In a closed-loop system, feedback from implementing the one or more modifications can be used to update the desired outcome.

Abstract: A system and methods by which a reconfigurable intelligent surface device is dynamically configured to control the reflection of transmissions made between an access point and one or more client devices so as to protect the transmissions from being properly received by an unauthorized device. These methods may be used to maintain data confidentiality, particular for remote workers. The positions of the access point and client devices are used to configure the reconfigurable intelligent surface device to reflect the transmissions inward and avoid/minimize leakage outside a physical space.

Abstract: An authorization device obtains a registration request associated with an end device, the registration request including a new randomized media access control (MAC) address associated with the end device; determines whether the end device is authorized to use the new randomized MAC address; transmits a message to the end device with a first randomly generated number when it is determined that the end device is authorized to use the new randomized MAC address; obtains integrity information associated with the end device, the first integrity information being computed based on the first randomly generated number; transmits a request to a validation system to validate the end device based on the first integrity information; obtains an indication that the end device is validated; determines policies associated with the end device when it is determined that the end device is validated; and applies the policies to the end device.

Abstract: Methods and devices provide fault injection testing techniques in a production network environment without risking service outages for hosted computing services, by providing examples of a remote network controller configured to communicate with network devices of a network; a remote fault injection communication protocol configuring a remote network controller in communication with a network device to signal a failure injection; and a failure injection module configuring a network device to configure a network device processor to implement a failure injection signaled according to the remote failure injection communication protocol. The method includes a network controller transmitting a failure injection signal in a control plane packet over a network connection to a network device, and the network device creating a child process by executing, in a dedicated runtime environment, a copy of one or more processes impacted by a parsed failure type.

Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.

Abstract: Presented herein are techniques to facilitate infrastructure and policy orchestration in a shared workspace network environment. In one example, a method may include obtaining, by a service broker, a reservation request from a consumer network for a consumer, wherein the reservation request seeks a reservation to reserve, at least in part, at least one workspace device for the consumer for a workspace for a particular day and a particular time period; based on determining that the at least one workspace device is available, providing a response to the consumer network that includes a first indicator for identifying the reservation of the workspace and at least one second indicator identifying the at least one workspace device; and upon receiving a session request from the consumer network that includes the second indicator, establishing a management tunnel to interconnect the consumer network and the at least one workspace device via the service broker.

Abstract: This disclosure describes techniques for performing application-based tagging. An example method includes receiving, at a virtual socket, non-packetized data from an application and generating, by the virtual socket, a label based on the application. One or more data packets are generated by packetizing at least a portion of the non-packetized data. A header field of the one or more data packets includes a tag based on the label.

Abstract: A method, computer system, and computer program product are provided for detecting drift in predictive models for network devices and traffic. A plurality of streams of time-series telemetry data are obtained, the time-series telemetry data generated by network devices of a data network. The plurality of streams are analyzed to identify a subset of streams, wherein each stream of the subset of streams includes telemetry data that is substantially empirically distributed. The subset of streams of time-series data are analyzed to identify a change point. In response to identifying the change point, additional time-series data is obtained from one or more streams of the plurality of streams of time-series telemetry data. A predictive model is trained using the additional time-series data to update the predictive model and provide a trained predictive model.