Abstract: The disclosed technology relates to a process for metered training of fog nodes within the fog layer. The metered training allows the fog nodes to be continually trained within the fog layer without the need for the cloud. Furthermore, the metered training allows the fog node to operate normally as the training is performed only when spare resources are available at the fog node. The disclosed technology also relates to a process of sharing better trained machine learning models of a fog node with other similar fog nodes thereby speeding up the training process for other fog nodes within the fog layer.

Abstract: Various implementations disclosed herein enable controlling access to networks. In various implementations, a method of controlling access to a network is performed by a computing device including one or more processors, and a non-transitory memory. In various implementations, the method includes obtaining an indication that a mobile device having access to a first network utilizing a first radio access technology (RAT) has requested access to a second network utilizing a second RAT. In some implementations, the method includes determining whether the access to the first network satisfies an authentication criterion associated with the second network. In some implementations, the method includes granting the mobile device access to the second network in response to determining that the access to the first network satisfies the authentication criterion associated with the second network.

Abstract: In one embodiment, a method comprises: determining, by a constrained network device in a low power and lossy network (LLN), a self-estimated density value of neighboring LLN devices based on wirelessly receiving an identified number of beacon message transmissions within an identified time interval from neighboring transmitting LLN devices in the LLN; setting, by the constrained network device, a first wireless transmit power value based on the self-estimated density value; and transmitting a beacon message at the first wireless transmit power value, the beacon message specifying the self-estimated density value, a corresponding trust metric for the self-estimated density value, and the first wireless transmit power value used by the constrained network device for transmitting the beacon message.

Abstract: Automating and extending path tracing through wireless links is provided by receiving request to perform a network trace over a wireless link provided by an Access Point (AP) configured as a transparent forwarder between a trace source and a trace target; monitoring a trace packet from a first time of arrival at the AP, a first time of departure from the AP, a second time of arrival at the AP, and a second time of departure from the AP; monitoring a buffer status of the AP at the first time of arrival and the second time of arrival; and in response to identifying a network anomaly based on the trace packet and the buffer status, adjusting a network setting at the AP.

Abstract: An authorization device obtains a registration request associated with an end device, the registration request including a new randomized media access control (MAC) address associated with the end device; determines whether the end device is authorized to use the new randomized MAC address; transmits a message to the end device with a first randomly generated number when it is determined that the end device is authorized to use the new randomized MAC address; obtains integrity information associated with the end device, the first integrity information being computed based on the first randomly generated number; transmits a request to a validation system to validate the end device based on the first integrity information; obtains an indication that the end device is validated; determines policies associated with the end device when it is determined that the end device is validated; and applies the policies to the end device.

Abstract: A method includes estimating distances between a user device and an access point based on a series of FTM ranging bursts exchanged between the user device and the access point. The method also includes calculating a variance of the estimated distances and in response to determining that the variance exceeds a threshold, instructing the user device to perform an action that reduces the variance. Other embodiments include a device that performs this method.

Abstract: A method, computer system, and computer program product are provided for applying a dynamic security policy to shared content in collaborative applications. A selection of one or more content items is received for sharing in a communication session. A security policy is queried using a key that is associated with each of the one or more content items to determine a security policy for each of the one or more content items. A plurality of users participating in the communication session are identified. Each content item of the one or more content items is selectively presented to a subset of the plurality of users based on an identity of a respective user and the security policy of each content item.

Abstract: A first access point of a wireless network minimizes Media Access Control (MAC) address collisions in the wireless network. The first access point receives an association request from a first wireless device. The association request identifies a first MAC address of the first wireless device. The first access point determines whether a second wireless device is associated with the wireless network using the first MAC address. Responsive to a determination that the second wireless device is associated with a second access point of the wireless network, the first access point obtains a virtual MAC address for the first wireless device. The first access point translates between the first MAC address and the virtual MAC address for network traffic of the first wireless device.

Abstract: Techniques are provided for client-driven Randomized and Changing Media Access Control (MAC) address (RCM) mechanisms. In one example, a wireless client is configured to wirelessly communicate with a wireless network. The wireless client obtains data relating to a level of security for one or more MAC addresses of the wireless client. Based on the data, the wireless client computes a score that represents the level of security for the one or more MAC addresses. Using the score, the wireless client determines when or how frequently to rotate the one or more MAC addresses. Based on determining when or how frequently to rotate the one or more MAC addresses, the wireless client rotates the one or more MAC addresses.

Abstract: Methods are provided to determine validity of a MAC address. The methods involve obtaining a media access control (MAC) address validity message that indicates a plurality of valid MAC addresses in the wireless network using a fully-exploded format or a probabilistic data structure and determining whether a MAC address is valid based on the MAC address validity message. Other methods involve obtaining a query regarding a validity of a media access control (MAC) address, determining whether the MAC address is a value included in a data set of expected values of a probabilistic data structure. The data set represents a list of MAC addresses. The other methods involve determining whether the MAC address is valid in the wireless network based on determining whether the MAC address is the value included in the data set and providing a response indicating whether the MAC address is valid.

Abstract: A user device connected to a wireless network maintains session persistence through a MAC address change of a user device. The user device establishes a multi-path communication session including a first subflow associated with a first MAC address for the user device. When the user device changes from the first MAC address to a second MAC address. the user device establishes a second subflow of the multi-path communication session. The second subflow is associated with the second MAC address. After establishing the second subflow associated with the second MAC address, the user device ends the first subflow associated with the first MAC address.

Abstract: A method is performed at a mesh access point (MAP) of a mesh network in which MAPs are configured to communicate with each other over wireless backhaul links. The method includes: receiving, from a first wireless client having a first client address, client traffic destined for a second wireless client having a second client address, the client traffic including a first source address that represents the first client address, and a first destination address that represents the second client address; generating a first obfuscated source address that differs from the first client address; replacing the first source address in the client traffic with the first obfuscated source address; and transmitting the client traffic with the first obfuscated source address in place of the first source address to a next MAP of the MAPs over a wireless backhaul link for subsequent forwarding to the second wireless client.

Abstract: A method includes receiving, from a plurality of user devices, a plurality of requests to transmit over a wireless fidelity (WiFi) network and in response to determining that the WiFi network cannot support the plurality of requests, determining that a first request of the plurality of requests should be supported by a cellular network. The method also includes instructing a first user device of the plurality of user devices that communicated the first request to perform transmissions corresponding to the first request over the cellular network.

Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.

Abstract: Techniques and systems described herein relate to network system queue management and dynamic real-time re-allocation of resources to prevent oversubscription and packet loss due to oversubscription. The techniques and systems enable monitoring of traffic and initial identification of queues at risk for oversubscription based on a rate of change of traffic load on the queue in advance of oversubscription occurring. After identifying a queue at risk for oversubscription, an Extended Berkeley Packet Filter or other similar component performs a likelihood determination using predictive algorithm techniques to identify a likelihood of oversubscription in the near future and re-allocates to parallel queues for efficient and loss-free use of the queues.

Abstract: Embodiments for securing fine timing measurement (FTM) communications are described. FTM communications include FTM frames sent and received from an initiating station (ISTA) and a responding station (RSTA). The RSTA records a plurality of parameters associated with the FTM frames and uses the plurality of parameters to learn and identify a device profile for the ISTA. The device profile is used to determine a behavior filter for the FTM from the ISTA and the RSTA filters FTM traffic according to the behavior filter to prevent malicious attacks in the FTM communications.

Abstract: Correlating devices and clients across addresses may be provided. A first address associated with a client device may be received. When the client device is not connected to a network, first location data associated with the first address may be obtained using a passive technique. A second address and second location data associated with the second address may then be obtained using an active technique. It may then be determined that the first location data and the second location data correlate. In response to determining that the first location data and the second location data correlate, it may be determined that the client device has changed from the first address to the second address.

Abstract: Techniques for trusted roaming between identity federation based networks. A first wireless access point (AP) receives a roaming request from a wireless station (STA), to roam from the first AP to a second AP. The first AP is associated with a first access network provider (ANP), the second AP is associated with a second ANP, and the first ANP is different from the second ANP. Authentication information relating to the STA is transmitted from the first ANP to the second ANP using a trusted connection. The trusted connection was previously established between the first ANP and the second ANP based on a query to an identity federation to which both the first and second ANP belong. The STA is de-associated from the first AP. The STA is re-associated at the second AP using the transmitted authentication information.

Abstract: This disclosure describes dynamically placing workloads using cloud service energy efficiency. The techniques include obtaining energy efficiency metrics (EEMs) that indicate the carbon footprint for different data centers of cloud service providers. In some configurations, an Energy Efficiency Quotient (EEQ) may be generated by an Energy Telemetry Engine (ETE) that indicates the energy efficiency for each data center/Point of Presence (POP) where a workload may be migrated/hosted. The ETE can be used to rank the different host locations (e.g., different data according to their EEQ. In some examples, one or more other metrics (e.g., latency, bandwidth, . . . ) may be used to identify any POPs that do not meet specified conditions (e.g., latency constraints, bandwidth constraints, . . . ). When a suitable host location is determined (e.g. a POP meets both the performance and EEQ specifications), the workload may be placed onto one or more resources of the selected data center.

Abstract: A protective sleeve for a urinary catheter includes a sleeve configured to extend over an outer surface of the urinary catheter shaft from a proximal insertion end of the catheter shaft to a distal end of the catheter shaft. The protective sleeve includes a protective sleeve tip defining the proximal end portion of the sleeve. The sleeve and the protective sleeve tip are of a single unitary construction and the sleeve and protective sleeve tip are formed of the same thin, flexible film.