Patents by Inventor David Hanes

David Hanes has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11929984
    Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: March 12, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Hanes, Gonzalo Salgueiro, Sebastian Jeuk, Robert Edgar Barton
  • Patent number: 11893849
    Abstract: This disclosure describes techniques for selectively providing access to a physical space. An example method includes identifying a location of a device associated with an authorized user based on an electromagnetic signal received by at least one sensor from the device. The electromagnetic signal has a frequency that is greater than or equal to 24 gigahertz (GHz). The example method further includes determining that the location of the device is within a threshold distance of a location of a threshold to a secured space and determining that an authentication score indicating that an individual carrying the device is the authorized user is greater than a threshold score. The authentication score is associated with multiple authentication factors identified by the device. Based on determining that the authentication score is greater than the threshold score, the threshold is unlocked and/or opened.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: February 6, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Thomas Szigeti, David Hanes, Gonzalo Salgueiro, Sebastian Jeuk
  • Patent number: 11829849
    Abstract: Techniques for orchestrating a machine learning (ML) system on a distributed network. Determined performance levels for a ML system, determined from performance data received from the distributed network, are compared to performance requirements from the ML system. An orchestration module for the ML system then determines adjustments for the ML system that will improve the performance of the ML system and executes the adjustments for the ML system.
    Type: Grant
    Filed: January 9, 2019
    Date of Patent: November 28, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Charles Calvin Byers, Joseph M. Clarke, Gonzalo A. Salgueiro, M. David Hanes
  • Publication number: 20230216860
    Abstract: In one embodiment, a device including a processor, and a memory to store data used by the processor, wherein the processor is operative to run a manufacturer usage description (MUD) controller operative to obtain a MUD profile of an Internet of Things (IoT) device from a MUD server, the MUD profile of the IoT device including: access rights of the IoT device, and any one or more of the following: a default device username and/or a default device password of the IoT device, a recommended/required device password complexity of the IoT device, at least one service that should be enabled/disabled on the IoT device, and/or allowed security protocols and/or ciphers for communication to and/or from the IoT device, enforce security of the IoT device according to the MUD profile of the IoT device. Related apparatus and methods are also described.
    Type: Application
    Filed: March 14, 2023
    Publication date: July 6, 2023
    Inventors: Nikhil Sainath Kale, M. David Hanes, Ana Peric, Gonzalo Salgueiro
  • Patent number: 11658977
    Abstract: In one embodiment, a device including a processor, and a memory to store data used by the processor, wherein the processor is operative to run a manufacturer usage description (MUD) controller operative to obtain a MUD profile of an Internet of Things (IoT) device from a MUD server, the MUD profile of the IoT device including: access rights of the IoT device, and any one or more of the following: a default device username and/or a default device password of the IoT device, a recommended/required device password complexity of the IoT device, at least one service that should be enabled/disabled on the IoT device, and/or allowed security protocols and/or ciphers for communication to and/or from the IoT device, enforce security of the IoT device according to the MUD profile of the IoT device. Related apparatus and methods are also described.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: May 23, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Nikhil Sainath Kale, M. David Hanes, Ana Peric, Gonzalo Salgueiro
  • Publication number: 20230083426
    Abstract: This disclosure describes techniques for selectively providing access to a physical space. An example method includes identifying a location of a device associated with an authorized user based on an electromagnetic signal received by at least one sensor from the device. The electromagnetic signal has a frequency that is greater than or equal to 24 gigahertz (GHz). The example method further includes determining that the location of the device is within a threshold distance of a location of a threshold to a secured space and determining that an authentication score indicating that an individual carrying the device is the authorized user is greater than a threshold score. The authentication score is associated with multiple authentication factors identified by the device. Based on determining that the authentication score is greater than the threshold score, the threshold is unlocked and/or opened.
    Type: Application
    Filed: September 13, 2021
    Publication date: March 16, 2023
    Inventors: Thomas Szigeti, David Hanes, Gonzalo Salgueiro, Sebastian Jeuk
  • Publication number: 20230042610
    Abstract: Techniques for a network controller associated with a firewall service to determine a network policy based on operational tolerances associated with a device, and cause the network policy to be provisioned at the firewall service where control commands, such as, for example, supervisory control and data acquisition (SCADA) commands, may be allowed or denied transmission to the device based on the operational tolerance(s) associated with the device. In some examples, the network controller may be configured as a manufacturer usage description (MUD) controller configured to transmit a MUD uniform resource identifier (URI), emitted by the device, to a MUD file server associated with the manufacturer of the device. The MUD file may be enhanced to include the operational tolerances associated with the device and transmitted back to the MUD controller where it may be parsed to determine a corresponding network policy.
    Type: Application
    Filed: August 9, 2021
    Publication date: February 9, 2023
    Inventors: Robert Edgar Barton, David Hanes, Gonzalo Salgueiro, Sebastian Jeuk
  • Patent number: 11562176
    Abstract: Systems, methods, and computer-readable mediums for distributing machine learning model training to network edge devices, while centrally monitoring training of the models and controlling deployment of the models. A machine learning model architecture can be generated at a machine learning structure controller. The machine learning model architecture can be deployed to network edge devices in a network environment to instantiate and train a machine learning model at the network edge devices. Performance reports indicating performance of the machine learning model at the network edge devices can be received by the machine learning structure controller from the network edge devices.
    Type: Grant
    Filed: February 22, 2019
    Date of Patent: January 24, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Volodymyr Iashyn, Gonzalo Salgueiro, M. David Hanes
  • Patent number: 11558927
    Abstract: In one embodiment, a supervisory service for a wireless network obtains frequency-time Doppler profile information for an endpoint node attached to a first access point in the wireless network. The supervisory service uses the frequency-time Doppler profile information for the endpoint node as input to a machine learning model. The machine learning model is trained to output an action for the endpoint node with respect to the wireless network. The supervisory service causes the action for the endpoint node with respect to the wireless network to be performed.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: January 17, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Shankar Ramanathan, M. David Hanes, Muhilan Natarajan, Gonzalo Salgueiro, Robert Edgar Barton, Jerome Henry, Akram Ismail Sheriff
  • Patent number: 11546262
    Abstract: Systems and methods provide for Selective Tracking of Acknowledgments (STACKing) to improve buffer utilization and traffic shaping for one or more network devices. A network device can identify a first flow that corresponds to a predetermined traffic class and a predetermined congestion state. The device can determine a current window size and congestion threshold of the first flow. In response to a determination to selectively track a portion of acknowledgments of the first flow, the device can track, in main memory, information of a first portion of acknowledgments of the first flow. The device can exclude, from one or more buffers, a second portion of acknowledgments of the first flow. The device can re-generate and transmit segments corresponding to the second portion of acknowledgments at a target transmission rate based on traffic shaping policies for the predetermined traffic class and congestion state.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: January 3, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: M. David Hanes, Santosh Ramrao Patil, Gonzalo Salgueiro, Akramsheriff Ismailsheriff
  • Patent number: 11516139
    Abstract: Systems and methods provide for generating traffic class-specific congestion signatures and other machine learning models for improving network performance. In some embodiments, a network controller can receive historical traffic data captured by a plurality of network devices within a first period of time that the network devices apply one or more traffic shaping policies for a predetermined traffic class and a predetermined congestion state. The controller can generate training data sets including flows of the historical traffic data labeled as corresponding to the predetermined traffic class and predetermined congestion state. The controller can generate, based on the training data sets, traffic class-specific congestion signatures that receive input traffic data determined to correspond to the predetermined traffic class and output an indication whether the input traffic data corresponds to the predetermined congestion state.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: November 29, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Akramsheriff Ismailsheriff, Santosh Ramrao Patil, Gonzalo Salgueiro, M. David Hanes
  • Publication number: 20220360562
    Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.
    Type: Application
    Filed: May 5, 2021
    Publication date: November 10, 2022
    Inventors: David Hanes, Gonzalo Salgueiro, Sebastian Jeuk, Robert Edgar Barton
  • Publication number: 20220329488
    Abstract: Techniques described herein relate to automatically generating standard network device configurations. In one example, one or more groups of network device configuration blocks may be obtained. An analysis of the one or more groups of network device configuration blocks may be performed, including identifying respective frequencies associated with respective network device configuration blocks of the one or more groups of network device configuration blocks. Based on the respective frequencies, one or more network device configuration blocks of the one or more groups of network device configuration blocks may be automatically aggregated into a standard network device configuration.
    Type: Application
    Filed: June 27, 2022
    Publication date: October 13, 2022
    Inventors: Derek William Engi, Gonzalo Salgueiro, M. David Hanes, Bradley Wise, Md Atiqur Rahman
  • Publication number: 20220321534
    Abstract: Techniques for a context-aware secure access service edge (SASE) engine for generating security profile(s) associated with endpoint device(s) accessing the network and using the security profile(s) to evaluate a traffic flow from the endpoint device(s). The SASE engine may execute on an edge device of a computing resource network and may be configured to maintain a security profile database including an endpoint security profile mapping. Endpoint device(s) accessing the network may share endpoint, application, and/or user specific information with the SASE engine so that the SASE engine may generate a security profile specific to the endpoint, application, and/or user. Additionally, an enterprise network, associated with endpoint device(s) accessing the network, may provide default SASE security profile templates to the SASE engine.
    Type: Application
    Filed: March 31, 2021
    Publication date: October 6, 2022
    Inventors: Sebastian Jeuk, David Hanes, Gonzalo Salgueiro
  • Patent number: 11438226
    Abstract: In one example, a logical representation of a first graph is generated. The first graph indicates a configuration of a network device in a network at a first time. The first graph includes a first node representative of a first configuration block of the network device, a second node representative of a second configuration block of the network device, and a first link that indicates, by connecting the first node and the second node, that the first configuration block is associated with the second configuration block. The logical representation of the first graph is compared to a logical representation of a second graph that indicates an actual or planned configuration of the network device at a second time subsequent to the first time. In response, one or more changes in the configuration of the network device from the first time to the second time are identified.
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: September 6, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Derek William Engi, Gonzalo Salgueiro, M. David Hanes, Bradley Wise, Md Atiqur Rahman
  • Patent number: 11418397
    Abstract: Techniques described herein relate to automatically generating standard network device configurations. In one example, one or more groups of network device configuration blocks may be obtained. An analysis of the one or more groups of network device configuration blocks may be performed, including identifying respective frequencies associated with respective network device configuration blocks of the one or more groups of network device configuration blocks. Based on the respective frequencies, one or more network device configuration blocks of the one or more groups of network device configuration blocks may be automatically aggregated into a standard network device configuration.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: August 16, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Derek William Engi, Gonzalo Salgueiro, M. David Hanes, Bradley Wise, Md Atiqur Rahman
  • Patent number: 11418401
    Abstract: A method includes obtaining performance characterization values from endpoints managed by a first fog node at a first hierarchical level in a hierarchy of fog nodes. The method includes changing a first operating characteristic of the wireless network based on the performance characterization values. The first operating characteristic affects the operation of one or more of the endpoints. The method includes transmitting a portion of the performance characterization values to a second fog node at a second hierarchical level in the hierarchy of fog nodes. The method includes changing a second operating characteristic of the wireless network based on an instruction from the second fog node. The second operating characteristic affects the operation of the first fog node and/or other fog nodes at the first hierarchical level. Changing one or more of the first operating characteristic and the second operating characteristic satisfies an operating threshold for the wireless network.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: August 16, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: M. David Hanes, Charles Calvin Byers, Joseph Michael Clarke, Gonzalo Salgueiro, Jerome Henry, Robert Edgar Barton
  • Publication number: 20220247630
    Abstract: In one example, a logical representation of a first graph is generated. The first graph indicates a configuration of a network device in a network at a first time. The first graph includes a first node representative of a first configuration block of the network device, a second node representative of a second configuration block of the network device, and a first link that indicates, by connecting the first node and the second node, that the first configuration block is associated with the second configuration block. The logical representation of the first graph is compared to a logical representation of a second graph that indicates an actual or planned configuration of the network device at a second time subsequent to the first time. In response, one or more changes in the configuration of the network device from the first time to the second time are identified.
    Type: Application
    Filed: February 2, 2021
    Publication date: August 4, 2022
    Inventors: Derek William Engi, Gonzalo Salgueiro, M. David Hanes, Bradley Wise, Md Atiqur Rahman
  • Publication number: 20220247638
    Abstract: Techniques described herein relate to automatically generating standard network device configurations. In one example, one or more groups of network device configuration blocks may be obtained. An analysis of the one or more groups of network device configuration blocks may be performed, including identifying respective frequencies associated with respective network device configuration blocks of the one or more groups of network device configuration blocks. Based on the respective frequencies, one or more network device configuration blocks of the one or more groups of network device configuration blocks may be automatically aggregated into a standard network device configuration.
    Type: Application
    Filed: February 1, 2021
    Publication date: August 4, 2022
    Inventors: Derek William Engi, Gonzalo Salgueiro, M. David Hanes, Bradley Wise, Md Atiqur Rahman
  • Publication number: 20220231837
    Abstract: A packet capture operation is configured via a first computing device. The packet capture operation is configured to capture packets provided by a second computing device. The first computing device obtains an indication that a user is within a predetermined location proximity to the second computing device. The packet capture operation is initiated in response to obtaining the indication at the first computing device.
    Type: Application
    Filed: January 20, 2021
    Publication date: July 21, 2022
    Inventors: Mateusz Olszowy, M. David Hanes, Oliver W. Fagan