Patents by Inventor Flemming Stig Andreasen

Flemming Stig Andreasen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240155474
    Abstract: In one illustrative example, a controller for use in a private mobile network may determine network service requirements for an industrial device. The controller may select, from a set of network slices, a subset of network slices having network service requirement configurations that most closely support the network service requirements. Each network slice of the set may be associated with an affinity ranking value that is indicative of a service performance of the network slice for industrial device operation in a cell or a zone associated with a zone or security level value assigned to the industrial device. The controller may identify, from the subset of network slices, a selected network slice associated with a best affinity ranking value for the zone or security level value assigned to the industrial device. The controller may assign the selected network slice and associated service parameters for the communications of the industrial device.
    Type: Application
    Filed: November 9, 2022
    Publication date: May 9, 2024
    Inventors: Flemming Stig Andreasen, Robert Edgar Barton, Timothy Peter Stammers
  • Publication number: 20240147226
    Abstract: In one illustrative example, a controller may operate to send a request message towards a user equipment (UE) which operates to communicate traffic in a session in a mobile network. In response, the controller may receive, from a user plane function which anchors the session of the UE, a response message which includes an identifier of the user plane function. The controller may verify whether a zone or security level value that is assigned to the user plane function matches a zone or security level value that is assigned to the UE. If the controller identifies a discrepancy between the zone or security level values, the controller may provide a notification indication to indicate the discrepancy. The UE may be an industrial Internet of Things (IIoT) device and the zone or security level values may be based on International Electrotechnical Commission (IEC) 62443.
    Type: Application
    Filed: November 2, 2022
    Publication date: May 2, 2024
    Inventors: Flemming Stig Andreasen, Robert Edgar Barton
  • Publication number: 20240137344
    Abstract: In one embodiment, a device receives discovery data generated by a plurality of networking devices in a network. The device determines, based on the discovery data, a hierarchy of layers of the network. The device receives a request by a client that is external to the network to access remotely a particular endpoint in the network. The device configures, and in response to the request, a proxy chain of remote access agents executed by a subset of networking devices from the plurality of networking devices to allow the client to access remotely the particular endpoint, each of those networking devices proxying traffic between different layers of the network.
    Type: Application
    Filed: October 20, 2022
    Publication date: April 25, 2024
    Inventors: Robert E. Barton, Flemming Stig Andreasen, Jerome Henry, Elango Ganesan
  • Patent number: 11909739
    Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: February 20, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Jerome Henry, Robert Edgar Barton, Elango Ganesan, Flemming Stig Andreasen
  • Publication number: 20230412603
    Abstract: In one embodiment, an illustrative method herein may comprise: detecting, by a device, a new asset in a network with a media access control address; monitoring, by the device, the new asset to learn one or more contextual attributes of the new asset in the network; generating, by the device, a profile of the new asset based on the media access control address and the one or more contextual attributes; and using, by the device, the profile to define access and control over the new asset in the network.
    Type: Application
    Filed: May 20, 2022
    Publication date: December 21, 2023
    Inventors: Swapna Anandan, Flemming Stig Andreasen, Robert E. Barton
  • Publication number: 20230403609
    Abstract: A system and method of performing multi-layer client assurance in a private cellular network includes a plurality of assurance points within the network. The method includes receiving, by a network entity, a plurality of parameter sets from the plurality of assurance points. Each of the plurality of assurance points can be configured to obtain measurements from a portion of the private cellular network corresponding to a client assurance layer in a client assurance stack. The method can include combining a first parameter set from the plurality of parameter sets with a second parameter set from the plurality of parameter sets. The first parameter set can be associated with a first client assurance layer and the second parameter set is associated with a second client assurance layer. The method can include determining, based on the combined parameter set, a network service level corresponding to the client device.
    Type: Application
    Filed: June 10, 2022
    Publication date: December 14, 2023
    Inventors: Timothy P. Stammers, Dusko Zgonjanin, Flemming Stig Andreasen
  • Publication number: 20230379350
    Abstract: In one embodiment, an illustrative method herein may comprise: determining, by a device, a profile of an asset in a network, the profile identifying a type of the asset and a particular activity of the asset; determining, by the device, a specific context of the asset within the network; assigning, by the device, a risk score for the profile based on one or more risk factors associated with the profile and a comparison of the profile to an expected behavior of the type of the asset within the specific context; and performing, by the device, one or more mitigation actions based on the risk score.
    Type: Application
    Filed: May 20, 2022
    Publication date: November 23, 2023
    Inventors: Robert E. Barton, Nancy Cam-Winget, Thomas Szigeti, Jerome Henry, Flemming Stig Andreasen
  • Publication number: 20230040607
    Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
    Type: Application
    Filed: August 6, 2021
    Publication date: February 9, 2023
    Inventors: Jerome Henry, Robert Edgar Barton, Elango Ganesan, Flemming Stig Andreasen
  • Patent number: 10305931
    Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: May 28, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: K Tirumaleswar Reddy, Daniel G. Wing, Flemming Stig Andreasen, Michael David Geller
  • Publication number: 20180109555
    Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.
    Type: Application
    Filed: October 19, 2016
    Publication date: April 19, 2018
    Inventors: K Tirumaleswar Reddy, Daniel G. Wing, Flemming Stig Andreasen, Michael David Geller
  • Patent number: 8214879
    Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network resources in the communication network. In addition, the network resource manager is functional to allocate network resource amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.
    Type: Grant
    Filed: August 31, 2011
    Date of Patent: July 3, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Flemming Stig Andreasen, Jonathan D. Rosenberg
  • Publication number: 20110314161
    Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network resources in the communication network. In addition, the network resource manager is functional to allocate network resource amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.
    Type: Application
    Filed: August 31, 2011
    Publication date: December 22, 2011
    Applicant: Cisco Technology, Inc.
    Inventors: Flemming Stig Andreasen, Jonathan D. Rosenberg
  • Patent number: 8042148
    Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network resources in the communication network. In addition, the network resource manager is functional to allocate network resource amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: October 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Flemming Stig Andreasen, Jonathan D. Rosenberg
  • Patent number: 7978599
    Abstract: A method and system to identify an overload state in a remote network device within a communications network in which a local network device can send at least one message to the remote network device. The method comprises detecting at least one message transmission timeout for the message sent from the local network device to the remote network device, the message transmission timeout corresponding to a retransmission of the message from the local network device to the remote network device. The number of message transmission timeouts for the message or several messages is counted, with the method further comprising comparing the number of message transmission timeouts to a predetermined timeout threshold so that an overload state for the remote network device can be inferred when the number of message transmission timeouts exceeds the predetermined timeout threshold.
    Type: Grant
    Filed: November 17, 2006
    Date of Patent: July 12, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph Roy Stone, Flemming Stig Andreasen
  • Patent number: 7953867
    Abstract: In an example embodiment a method is provided which comprises initiating at an offerer endpoint an offer message in Session Description Protocol (SDP) format. Included in the offer message is an indication of a plurality of potential configurations which the offerer endpoint is capable of supporting. The offer message is sent to an answerer endpoint to allow capability negotiation between the offerer endpoint and the answerer endpoint in a manner that is backwards compatible with existing endpoints. In an example embodiment, the indication of the plurality of potential configurations comprises assigning a new attribute or value to an existing type of SDP identifier.
    Type: Grant
    Filed: January 29, 2007
    Date of Patent: May 31, 2011
    Assignee: Cisco Technology, Inc.
    Inventor: Flemming Stig Andreasen
  • Patent number: 7930386
    Abstract: In one embodiment, a method is illustrated as including receiving a data packet at a network device, and upshifting a Quality of Service (QoS) reservation, wherein the upshifting is based upon an observed increase type selected from the group consisting of an observed increase in network traffic, data packet size, and data packet frequency. In a further embodiment, a network device is illustrated as possessing a receiver to receive data packets, and an upshifter to upshift a Quality of Service (QoS) reservation, wherein the upshifter observes an increase type selected from the group consisting of an observed increase in network traffic, data packet size, and data packet frequency.
    Type: Grant
    Filed: February 9, 2007
    Date of Patent: April 19, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Alan Davis, Joseph Roy Stone, Flemming Stig Andreasen, Michael Anthony Ramalho
  • Patent number: 7738383
    Abstract: In one embodiment, an endpoint sends messages containing Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) requests to traceroute a path to the remote endpoint. The traceroute may be completed through security devices such as NATs and firewalls. Receipt of a STUN response from the remote endpoint signals that one of the traceroute packets reached the remote endpoint whereas the other traceroute packets have elicited error responses from intermediary, on-path routers, allowing these routers to be identified.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: June 15, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Daniel G. Wing, Flemming Stig Andreasen, David R. Oran
  • Publication number: 20080192763
    Abstract: In one embodiment, a method is illustrated as including receiving a data packet at a network device, and upshifting a Quality of Service (QoS) reservation, wherein the upshifting is based upon an observed increase type selected from the group consisting of an observed increase in network traffic, data packet size, and data packet frequency. In a further embodiment, a network device is illustrated as possessing a receiver to receive data packets, and an upshifter to upshift a Quality of Service (QoS) reservation, wherein the upshifter observes an increase type selected from the group consisting of an observed increase in network traffic, data packet size, and data packet frequency.
    Type: Application
    Filed: February 9, 2007
    Publication date: August 14, 2008
    Applicant: Cisco Technology, Inc.
    Inventors: Brian Alan Davis, Joseph Roy Stone, Flemming Stig Andreasen, Michael Anthony Ramalho
  • Publication number: 20080151764
    Abstract: In one embodiment, an endpoint sends messages containing Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) requests to traceroute a path to the remote endpoint. The traceroute may be completed through security devices such as NATs and firewalls. Receipt of a STUN response from the remote endpoint signals that one of the traceroute packets reached the remote endpoint whereas the other traceroute packets have elicited error responses from intermediary, on-path routers, allowing these routers to be identified.
    Type: Application
    Filed: December 21, 2006
    Publication date: June 26, 2008
    Applicant: Cisco Technology, Inc.
    Inventors: Daniel G. Wing, Flemming Stig Andreasen, David R. Oran
  • Publication number: 20080117816
    Abstract: A method and system to identify an overload state in a remote network device within a communications network in which a local network device can send at least one message to the remote network device. The method comprises detecting at least one message transmission timeout for the message sent from the local network device to the remote network device, the message transmission timeout corresponding to a retransmission of the message from the local network device to the remote network device. The number of message transmission timeouts for the message or several messages is counted, with the method further comprising comparing the number of message transmission timeouts to a predetermined timeout threshold so that an overload state for the remote network device can be inferred when the number of message transmission timeouts exceeds the predetermined timeout threshold.
    Type: Application
    Filed: November 17, 2006
    Publication date: May 22, 2008
    Inventors: Joseph Roy Stone, Flemming Stig Andreasen