Abstract: A system for electronically automating reduction component selection, conversion, disaggregation, and assignment is provided. The system generates graphical user interfaces that accept data relating to a reduction component to be analyzed and assigned to a qualified facility. The system identifies a segment associated with each reduction component and identifies all reduction components within a segment. A reduction concentration is determined in near real time for each segment by totaling the concentrations for each reduction component within a segment. The reduction concentration is compared to an Available Reduction Threshold to determine if facility capacity has been exceeded for new reduction components and for previously assigned reduction components.

Abstract: In one embodiment, a method is disclosed comprising: measuring, by a process, a baseline of port and protocol usage of an accessing device while forwarding to a particular remote device is disabled; measuring, by the process, usage by an accessing application of specific ports and protocols while attempting to connect to the particular remote device while forwarding to the particular remote device is disabled; and causing, by the process, opening of the specific ports and protocols for operation of the accessing application with forwarding enabled to the particular remote device.

Abstract: In one embodiment, a process discovers network topology information of a particular computer network and creates a plurality of zones of devices in the particular computer network based on the network topology information. The process also discovers network communication activity patterns and endpoints of the particular computer network and creates a plurality of conduits between devices of the particular computer network based on the network communication activity patterns and endpoints of the particular computer network and association of the devices within the plurality of zones as described above.

Abstract: In one embodiment, a method is disclosed comprising: detecting, by a processor, a remote access session from an accessing device to an accessed device; determining, by the processor, an access session screen-sharing security policy for the accessed device; and preventing, by the processor, the remote access session in response to a violation of the access session screen-sharing security policy.

Abstract: A zero-touch deployment (ZTD) manager receives a first request to issue a first cryptographic token to a constrained device for establishing a communications session between the constrained device and a secured resource. The ZTD manager evaluates identity information corresponding to the constrained device and determines whether the identity information is valid. If so, the ZTD manager returns the first cryptographic token to the constrained device, where it is stored in cache memory. The ZTD manager receives a second request to obtain a second cryptographic token from the secured resource. When the second cryptographic token is provided to the secured resource, the secured resource uses this second cryptographic token to validate the first cryptographic token and to facilitate the communications session with the constrained device.

Abstract: In some implementations, a device receives a login request from a web browser executed by a client endpoint in a first network. The device provides a one-time password to the web browser that causes the client endpoint to invoke a local handler process associated with an access service executed by the client endpoint or invoke access by the web browser to a particular uniform resource locator on the device. The device receives a remote connection request from the access service that includes the one-time password to access a target endpoint in a second network. The device configures, based on the remote connection request, a remote access connection between the client endpoint in the first network and the target endpoint in the second network.

Abstract: In various embodiments, a server stores a set of cryptographic keys associated with a client that includes a server-stored bootstrap key, a server-stored authentication key, and a server-stored proposed key. The server receives an authentication request from the client that includes a client-indicated bootstrap key, a client-indicated authentication key, and a client-indicated proposed key. The server makes a determination that the client is authenticated based in part on whether there is a match between the client-indicated authentication key and either the server-stored authentication key or the server-stored proposed key. The server provides, based on the determination, an authentication response to the client indicating that the client has been authenticated.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: A zero-touch deployment (ZTD) manager receives a first request to issue a first cryptographic token to a constrained device for establishing a communications session between the constrained device and a secured resource. The ZTD manager evaluates identity information corresponding to the constrained device and determines whether the identity information is valid. If so, the ZTD manager returns the first cryptographic token to the constrained device, where it is stored in cache memory. The ZTD manager receives a second request to obtain a second cryptographic token from the secured resource. When the second cryptographic token is provided to the secured resource, the secured resource uses this second cryptographic token to validate the first cryptographic token and to facilitate the communications session with the constrained device.

Abstract: According to one or more embodiments of the disclosure, a device associated with a first cluster of data sources may identify an amount of data from the first cluster of data sources to be sent by the device to a satellite. The device may send, to the satellite, a request for a transmission window that indicates the amount of data to be sent by the device to the satellite. The device may receive, from the satellite, an indication of an assigned transmission window during which the device may transmit data to the satellite. The satellite may compute the assigned transmission window based on the amount of data and such that the assigned transmission window does not overlap an assigned transmission window of a neighboring device associated with a second cluster of data sources. The device may send, during the assigned transmission window, the data towards the satellite.

Abstract: According to one or more embodiments of the disclosure, a first device in a network may obtain a satellite communication schedule indicative of when a satellite will be in communication range of the first device. The first device may communicate with the satellite according to the satellite communication schedule. The first device may receive a request for the satellite communication schedule from a second device in the network. The first device may send the satellite communication schedule to the second device, wherein the second device uses the satellite communication schedule to configure a wake schedule of the second device.

Abstract: Disclosed are techniques for dynamically creating policy-based intermediate certificates to sign device certificates of devices deployed in an enterprise network using ZTD. In one aspect, a method includes receiving network policy information to be used for creating policy-based intermediate certificates, each one of the policy-based intermediate certificates being used by a network controller for signing devices certificates of a different cluster of connected IoT devices; receiving, from an IoT device, a request for registration with the network controller; based on identifying information of the IoT device included in the request, determining one of the policy-based intermediate certificates to sign a device certificate of the loT device; and transmitting, to the IoT device, the device certificate signed using the one of the policy-based intermediate certificates.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, a remote access manager receives an access request from a client to remotely access a device on a local network. The remote access manager generates a universally unique identifier for the access request. The remote access manager sends a response to the client having a one-time use domain name system name that is based on the universally unique identifier. The remote access manager communicates with a web proxy to authorize the client to remotely access the device.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, a device in a network receives a machine learning encoder and decoder trained by a supervisory service. The service trains the encoder and decoder using vibration measurement data sent to the service by a plurality of devices. The device trains, based on the received encoder, a classifier to determine whether vibration measurement data is indicative of a behavioral anomaly. The device receives vibration measurement data captured by a particular set of one or more vibration sensors of a monitored system. The device evaluates, using the trained decoder, the received vibration measurement data to determine whether the data is indicative of a structural anomaly in the monitored system. The device evaluates, using the trained classifier, the received vibration measurement data to determine whether the data is indicative of a behavioral anomaly in the monitored system.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, a sender device in a network sends a plurality of uncompressed messages to a receiver device in the network. The sender device generates a sender-side compression dictionary based on the plurality of uncompressed messages. The receiver device also generates a receiver-side compression dictionary based on the uncompressed message. The sender device obtains an approval of the sender-side compression dictionary from the receiver device by sending a checksum of the sender-side compression dictionary to the receiver device, whereby the receiver device generates the approval by comparing the checksum of the sender-side compression dictionary to a checksum of the receiver-side compression dictionary. The sender device sends a compressed message to the receiver device that is compressed using the sender-side compression dictionary, after obtaining the approval of the sender-side compression dictionary from the receiver device.

Abstract: In one embodiment, a device in a network receives a machine learning encoder and decoder trained by a supervisory service. The service trains the encoder and decoder using vibration measurement data sent to the service by a plurality of devices. The device trains, based on the received encoder, a classifier to determine whether vibration measurement data is indicative of a behavioral anomaly. The device receives vibration measurement data captured by a particular set of one or more vibration sensors of a monitored system. The device evaluates, using the trained decoder, the received vibration measurement data to determine whether the data is indicative of a structural anomaly in the monitored system. The device evaluates, using the trained classifier, the received vibration measurement data to determine whether the data is indicative of a behavioral anomaly in the monitored system.

Abstract: In one embodiment, a sender device in a network sends a plurality of uncompressed messages to a receiver device in the network. The sender device generates a sender-side compression dictionary based on the plurality of uncompressed messages. The receiver device also generates a receiver-side compression dictionary based on the uncompressed message. The sender device obtains an approval of the sender-side compression dictionary from the receiver device by sending a checksum of the sender-side compression dictionary to the receiver device, whereby the receiver device generates the approval by comparing the checksum of the sender-side compression dictionary to a checksum of the receiver-side compression dictionary. The sender device sends a compressed message to the receiver device that is compressed using the sender-side compression dictionary, after obtaining the approval of the sender-side compression dictionary from the receiver device.