Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.

Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.

Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.

Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.

Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.

Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.

Abstract: A method is provided in one example embodiment and includes communicating a message from a network element to a remote data plane element in order to request a data plane resource for hosting a session for a particular subscriber. The remote data plane element is designated to host a data plane function for a particular mobile network subscriber and the data plane resource comprises at least one of memory space and processor allocation. The method further includes discovering nodes capable of supporting the control plane functions; discovering nodes capable of supporting the data plane functions for the session; and performing a system-specific internal configuration to support separation of the data plane functions and the control plane functions.

Abstract: A system is disclosed for measuring data utilization attributable to use by an application being executed on a mobile device. The system has a server operable to register the application and transmit information to establish a connection between the application and a proxy server. The system also has a proxy server operable to establish a first connection with the application, receive direction to establish a second connection with a target endpoint, establish the second connection between the proxy server and the target endpoint, pass data between the target endpoint and the application using the established connections, and measure the amount of data passed between the target endpoint and the application.

Abstract: A method is provided in one example embodiment and includes receiving at a network element a packet including a Network Services Header (“NSH”), in which the NSH includes an Infrastructure (“I”) flag and a service path header comprising a Service Index (“SI”), and a Service Path ID (“SPI”) and determining whether the I flag is set to a first value. The method further includes, if the I flag is set to the first value, setting the I flag to a second value and forwarding the packet to the service function that corresponds to the SI for processing. The method still further includes, if the I flag is not set to the first value, decrementing the SI and making a forwarding decision based on a new value of the SI and the SPI.

Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.

Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.

Abstract: A method is provided and may include receiving a request for a network content delivery service from an access device; directing the access device to a network service provider for authentication for the network content delivery service; receiving a network authorization token from the access device, where the network authorization token is associated with the access device; obtaining a network access token from the network service provider; and binding the network access token to a content access token.

Abstract: Embodiments are directed to a virtual mobility anchor network element to receive, from a packet gateway (PGW) node, a request for an internet protocol (IP) address for a mobile device, establish an IP address for the mobile device; and provide the IP address to the PGW node in response to the request for the IP address for the mobile device. The virtual mobility anchor network element is configured to receive IP traffic from a network location; determine a target destination for the IP traffic based on a destination IP address, the destination IP address comprising the second IP address; and forward the IP traffic to the PGW node associated with the destination IP address. The virtual mobility anchor network element is also configured to receive IP traffic from the PGW node; determine a target destination for the IP traffic; and route the IP traffic to the target destination.

Abstract: A method is provided in one example embodiment and includes receiving a data packet transported on a backhaul link at a first network element; de-capsulating the data packet; identifying whether the data packet is an upstream data packet; identifying whether the data packet matches an internet protocol (IP) access control list (ACL) or a tunnel endpoint identifier; and offloading the data packet from the backhaul link. In more specific embodiment, the method can include identifying that the data packet does not match the IP ACL or the tunnel endpoint identifier; and communicating the data packet to a second network element. In other examples, the method can include identifying that the data packet is a downstream data packet; identifying a service to be performed for the data packet that cannot be performed at the first network element; and communicating the data packet to a second network element.

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Abstract: In one embodiment, a method includes identifying unusual behavior with respect to a handshake between a first endpoint and a second endpoint that are included in a network, and determining whether the unusual behavior with respect to the handshake indicates presence of malicious software. The method also includes identifying at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of malicious software.

Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.