Abstract: In various embodiments, a server stores a set of cryptographic keys associated with a client that includes a server-stored bootstrap key, a server-stored authentication key, and a server-stored proposed key. The server receives an authentication request from the client that includes a client-indicated bootstrap key, a client-indicated authentication key, and a client-indicated proposed key. The server makes a determination that the client is authenticated based in part on whether there is a match between the client-indicated authentication key and either the server-stored authentication key or the server-stored proposed key. The server provides, based on the determination, an authentication response to the client indicating that the client has been authenticated.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: A zero-touch deployment (ZTD) manager receives a first request to issue a first cryptographic token to a constrained device for establishing a communications session between the constrained device and a secured resource. The ZTD manager evaluates identity information corresponding to the constrained device and determines whether the identity information is valid. If so, the ZTD manager returns the first cryptographic token to the constrained device, where it is stored in cache memory. The ZTD manager receives a second request to obtain a second cryptographic token from the secured resource. When the second cryptographic token is provided to the secured resource, the secured resource uses this second cryptographic token to validate the first cryptographic token and to facilitate the communications session with the constrained device.

Abstract: According to one or more embodiments of the disclosure, a device associated with a first cluster of data sources may identify an amount of data from the first cluster of data sources to be sent by the device to a satellite. The device may send, to the satellite, a request for a transmission window that indicates the amount of data to be sent by the device to the satellite. The device may receive, from the satellite, an indication of an assigned transmission window during which the device may transmit data to the satellite. The satellite may compute the assigned transmission window based on the amount of data and such that the assigned transmission window does not overlap an assigned transmission window of a neighboring device associated with a second cluster of data sources. The device may send, during the assigned transmission window, the data towards the satellite.

Abstract: According to one or more embodiments of the disclosure, a first device in a network may obtain a satellite communication schedule indicative of when a satellite will be in communication range of the first device. The first device may communicate with the satellite according to the satellite communication schedule. The first device may receive a request for the satellite communication schedule from a second device in the network. The first device may send the satellite communication schedule to the second device, wherein the second device uses the satellite communication schedule to configure a wake schedule of the second device.

Abstract: Disclosed are techniques for dynamically creating policy-based intermediate certificates to sign device certificates of devices deployed in an enterprise network using ZTD. In one aspect, a method includes receiving network policy information to be used for creating policy-based intermediate certificates, each one of the policy-based intermediate certificates being used by a network controller for signing devices certificates of a different cluster of connected IoT devices; receiving, from an IoT device, a request for registration with the network controller; based on identifying information of the IoT device included in the request, determining one of the policy-based intermediate certificates to sign a device certificate of the loT device; and transmitting, to the IoT device, the device certificate signed using the one of the policy-based intermediate certificates.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, a remote access manager receives an access request from a client to remotely access a device on a local network. The remote access manager generates a universally unique identifier for the access request. The remote access manager sends a response to the client having a one-time use domain name system name that is based on the universally unique identifier. The remote access manager communicates with a web proxy to authorize the client to remotely access the device.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, a device in a network receives a machine learning encoder and decoder trained by a supervisory service. The service trains the encoder and decoder using vibration measurement data sent to the service by a plurality of devices. The device trains, based on the received encoder, a classifier to determine whether vibration measurement data is indicative of a behavioral anomaly. The device receives vibration measurement data captured by a particular set of one or more vibration sensors of a monitored system. The device evaluates, using the trained decoder, the received vibration measurement data to determine whether the data is indicative of a structural anomaly in the monitored system. The device evaluates, using the trained classifier, the received vibration measurement data to determine whether the data is indicative of a behavioral anomaly in the monitored system.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, a sender device in a network sends a plurality of uncompressed messages to a receiver device in the network. The sender device generates a sender-side compression dictionary based on the plurality of uncompressed messages. The receiver device also generates a receiver-side compression dictionary based on the uncompressed message. The sender device obtains an approval of the sender-side compression dictionary from the receiver device by sending a checksum of the sender-side compression dictionary to the receiver device, whereby the receiver device generates the approval by comparing the checksum of the sender-side compression dictionary to a checksum of the receiver-side compression dictionary. The sender device sends a compressed message to the receiver device that is compressed using the sender-side compression dictionary, after obtaining the approval of the sender-side compression dictionary from the receiver device.

Abstract: In one embodiment, a device in a network receives a machine learning encoder and decoder trained by a supervisory service. The service trains the encoder and decoder using vibration measurement data sent to the service by a plurality of devices. The device trains, based on the received encoder, a classifier to determine whether vibration measurement data is indicative of a behavioral anomaly. The device receives vibration measurement data captured by a particular set of one or more vibration sensors of a monitored system. The device evaluates, using the trained decoder, the received vibration measurement data to determine whether the data is indicative of a structural anomaly in the monitored system. The device evaluates, using the trained classifier, the received vibration measurement data to determine whether the data is indicative of a behavioral anomaly in the monitored system.

Abstract: In one embodiment, a sender device in a network sends a plurality of uncompressed messages to a receiver device in the network. The sender device generates a sender-side compression dictionary based on the plurality of uncompressed messages. The receiver device also generates a receiver-side compression dictionary based on the uncompressed message. The sender device obtains an approval of the sender-side compression dictionary from the receiver device by sending a checksum of the sender-side compression dictionary to the receiver device, whereby the receiver device generates the approval by comparing the checksum of the sender-side compression dictionary to a checksum of the receiver-side compression dictionary. The sender device sends a compressed message to the receiver device that is compressed using the sender-side compression dictionary, after obtaining the approval of the sender-side compression dictionary from the receiver device.

Abstract: In one embodiment, the system may identify a virtual network, the virtual network including a plurality of virtual entities and connections among the plurality of virtual entities. The system may automatically map each of the plurality of virtual entities to one or more resources or resource pools such that the virtual network is mapped to a physical network, wherein mapping includes allocating one or more resources or resource pools to a corresponding one of the plurality of virtual entities.

Abstract: In one embodiment, an addressing agent determines a logical static IP addressing scheme for a computer network, the addressing scheme shared with an application server and defining a static mapping of IP addresses to particular types of application-based devices that are managed by the application server in particular physical locations within the computer network. The addressing agent determines a topology of the computer network indicative of application-based devices, their type, and their physical location. The addressing agent calculates a dynamic IP address for the devices based on their type and physical location as defined by the addressing scheme, and collaboratively assigns their corresponding calculated dynamic IP address.

Abstract: In one embodiment, an addressing agent determines a logical static IP addressing scheme for a computer network, the addressing scheme shared with an application server and defining a static mapping of IP addresses to particular types of application-based devices that are managed by the application server in particular physical locations within the computer network. The addressing agent determines a topology of the computer network indicative of application-based devices, their type, and their physical location. The addressing agent calculates a dynamic IP address for the devices based on their type and physical location as defined by the addressing scheme, and collaboratively assigns their corresponding calculated dynamic IP address.

Abstract: In one embodiment, the system may identify a virtual network, the virtual network including a plurality of virtual entities and connections among the plurality of virtual entities. The system may automatically map each of the plurality of virtual entities to one or more resources or resource pools such that the virtual network is mapped to a physical network, wherein mapping includes allocating one or more resources or resource pools to a corresponding one of the plurality of virtual entities.

Abstract: In one embodiment, the system may identify a virtual network, the virtual network including a plurality of virtual entities and connections among the plurality of virtual entities. The system may automatically map each of the plurality of virtual entities to one or more resources or resource pools such that the virtual network is mapped to a physical network, wherein mapping includes allocating one or more resources or resource pools to a corresponding one of the plurality of virtual entities.

Abstract: A method is provided in one example embodiment and includes generating a first document and a second document associated with video data that includes a group of pictures (GOPs). The method also includes hashing a plurality of video frames associated with the video data. Additionally, the method includes appending each of the video frames' respective hash and respective display times to the first document, and appending each of a plurality of I-frames' respective hash and respective display times to the second document. The method further includes communicating the first document and the second document in a reliable manner over a network to a next destination.