Abstract: Embodiments herein describe techniques for conveying performance parameters to client devices using BSS coloring. IEEE 802.11ax introduced BSS color to help with interference between BSSs operating in the same channel or partially overlapping channels in a frequency band. The BSS colors are typically assigned at random. However, in the embodiments herein, the BSS colors can still be relied to help with co-channel interference as intended by IEEE 802.11ax but also can convey performance parameters to the client devices. The AP can leverage the BSS color to convey (or encode) a performance parameter such as radio frequency (RF) conditions, quality of service (QoS) conditions, or a policy of the network in response to expected (or future) conditions to receiving client devices.

Abstract: In one embodiment, an illustrative method herein may comprise: determining, by a device, a profile of an asset in a network, the profile identifying a type of the asset and a particular activity of the asset; determining, by the device, a specific context of the asset within the network; assigning, by the device, a risk score for the profile based on one or more risk factors associated with the profile and a comparison of the profile to an expected behavior of the type of the asset within the specific context; and performing, by the device, one or more mitigation actions based on the risk score.

Abstract: According to one or more embodiments of the disclosure, intelligent closed-loop device profiling for proactive behavioral expectations is described herein. In particular, in one embodiment, a device controller determines a deliberate change to be made within a network, and generates a profile of a behavioral update that an analytics engine should expect to see based on the deliberate change. The device controller then transmits, to the analytics engine, the profile of the behavioral update to cause the analytics engine to proactively expect the behavioral update in response to the deliberate change.

Abstract: Best links for wireless clients may be provided. A computing device may receive, from a client device, a request to join a network. Then, in response to receiving the request to join the network, initial characteristics of the client device may be evaluated. Next, an initial plurality of links list may be provided to the client device in response to evaluating the initial characteristics of the client device. Subsequent characteristics of the client device may then be evaluated. An updated plurality of links list may be provided to the client device in response to evaluating the subsequent characteristics of the client device.

Abstract: Improved mesh performance using Overlapping Basic Service Set (OBSS) coloring and transmission scheduling may be provided. A controller may determine that a plurality of Access Points (APs) in a mesh network each have a Received Signal Strength Indicator (RSSI) that is in a predetermined range. Next, the controller may assign, in response to determining that the plurality of APs each have the RSSI that is in the predetermined range, OBSS colors to links between the plurality of APs to limit packet collision in the mesh network between the plurality of APs. The controller may then create a transmission schedule for transmissions between the plurality of APs in the mesh network based on the assigned OBSS colors.

Abstract: In one embodiment, an edge device of a network maintains intermediate certificates derived from root certificates of different cloud services that identify the edge device to those different cloud services. The edge device receives identity information for a particular device in the network. The edge device generates, using at least one of its intermediate certificates and the identity information for the particular device, one or more local digital identity certificates for the particular device. The edge device causes the particular device to be onboarded to a target cloud service from among the different cloud services, in part by providing the one or more local digital identity certificates to the particular device and to the target cloud service.

Abstract: Failure prediction signaling and cognitive user migration may be provided. A client device may receive at least a portion of failure prediction data. The client device may then analyze the at least the portion of the failure prediction data. The client device may then roam from a first computing device to a second computing device in response to analyzing the at least the portion of the failure prediction data.

Abstract: A method comprising: at an access point configured with a first basic service set identifier (BSSID): performing an association process by which one or more wireless stations wirelessly associate to the access point using the first BSSID; and while the one or more wireless stations remain associated to the access point: sending, to the one or more wireless stations, a protected management frame configured to indicate that the access point will rotate from the first BSSID to a second BSSID; after sending, rotating from the first BSSID to the second BSSID while maintaining continuity of association to the one or more wireless stations; and after rotating, communicating with the one or more wireless stations using the second BSSID.

Abstract: Techniques for dynamically negotiating a service legal agreement (SLA) between a roaming device and a visited network (VN) in an identity federation. An identity profile provided to a user device by an identity provider (IDP) is accessed by the user device. The identity profile includes a first SLA criteria. An advertisement from the VN indicating one or more SLAs supported by the VN is received at the user device. The advertisement is received before the user device has associated with the VN. The IDP and the VN are part of a same identity federation. It is determined that the SLA supported by the VN satisfies the first SLA criteria. Upon that determination, an acceptance is transmitted by the user device to the VN, and the user device is associated with the VN.

Abstract: A method, computer system, and computer program product are provided for managing content items, including tracking and/or updating content items. A content item is received from an author. A key is associated with the content item. Based on the key, a user is identified who is presenting the content item in a communication session. In response to determining that the author has updated the content item, the user is notified that an updated version of the content item is available for presentation in the communication session.

Abstract: Automating and extending path tracing through wireless links is provided by receiving request to perform a network trace over a wireless link provided by an Access Point (AP) configured as a transparent forwarder between a trace source and a trace target; monitoring a trace packet from a first time of arrival at the AP, a first time of departure from the AP, a second time of arrival at the AP, and a second time of departure from the AP; monitoring a buffer status of the AP at the first time of arrival and the second time of arrival; and in response to identifying a network anomaly based on the trace packet and the buffer status, adjusting a network setting at the AP.

Abstract: An authorization device obtains a registration request associated with an end device, the registration request including a new randomized media access control (MAC) address associated with the end device; determines whether the end device is authorized to use the new randomized MAC address; transmits a message to the end device with a first randomly generated number when it is determined that the end device is authorized to use the new randomized MAC address; obtains integrity information associated with the end device, the first integrity information being computed based on the first randomly generated number; transmits a request to a validation system to validate the end device based on the first integrity information; obtains an indication that the end device is validated; determines policies associated with the end device when it is determined that the end device is validated; and applies the policies to the end device.

Abstract: A method includes estimating distances between a user device and an access point based on a series of FTM ranging bursts exchanged between the user device and the access point. The method also includes calculating a variance of the estimated distances and in response to determining that the variance exceeds a threshold, instructing the user device to perform an action that reduces the variance. Other embodiments include a device that performs this method.

Abstract: A method is performed at a mesh access point (MAP) of a mesh network in which MAPs are configured to communicate with each other over wireless backhaul links. The method includes: receiving, from a first wireless client having a first client address, client traffic destined for a second wireless client having a second client address, the client traffic including a first source address that represents the first client address, and a first destination address that represents the second client address; generating a first obfuscated source address that differs from the first client address; replacing the first source address in the client traffic with the first obfuscated source address; and transmitting the client traffic with the first obfuscated source address in place of the first source address to a next MAP of the MAPs over a wireless backhaul link for subsequent forwarding to the second wireless client.

Abstract: Techniques are provided for client-driven Randomized and Changing Media Access Control (MAC) address (RCM) mechanisms. In one example, a wireless client is configured to wirelessly communicate with a wireless network. The wireless client obtains data relating to a level of security for one or more MAC addresses of the wireless client. Based on the data, the wireless client computes a score that represents the level of security for the one or more MAC addresses. Using the score, the wireless client determines when or how frequently to rotate the one or more MAC addresses. Based on determining when or how frequently to rotate the one or more MAC addresses, the wireless client rotates the one or more MAC addresses.

Abstract: A method, computer system, and computer program product are provided for applying a dynamic security policy to shared content in collaborative applications. A selection of one or more content items is received for sharing in a communication session. A security policy is queried using a key that is associated with each of the one or more content items to determine a security policy for each of the one or more content items. A plurality of users participating in the communication session are identified. Each content item of the one or more content items is selectively presented to a subset of the plurality of users based on an identity of a respective user and the security policy of each content item.

Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.

Abstract: A method includes receiving, from a plurality of user devices, a plurality of requests to transmit over a wireless fidelity (WiFi) network and in response to determining that the WiFi network cannot support the plurality of requests, determining that a first request of the plurality of requests should be supported by a cellular network. The method also includes instructing a first user device of the plurality of user devices that communicated the first request to perform transmissions corresponding to the first request over the cellular network.

Abstract: Embodiments for securing fine timing measurement (FTM) communications are described. FTM communications include FTM frames sent and received from an initiating station (ISTA) and a responding station (RSTA). The RSTA records a plurality of parameters associated with the FTM frames and uses the plurality of parameters to learn and identify a device profile for the ISTA. The device profile is used to determine a behavior filter for the FTM from the ISTA and the RSTA filters FTM traffic according to the behavior filter to prevent malicious attacks in the FTM communications.

Abstract: Techniques for trusted roaming between identity federation based networks. A first wireless access point (AP) receives a roaming request from a wireless station (STA), to roam from the first AP to a second AP. The first AP is associated with a first access network provider (ANP), the second AP is associated with a second ANP, and the first ANP is different from the second ANP. Authentication information relating to the STA is transmitted from the first ANP to the second ANP using a trusted connection. The trusted connection was previously established between the first ANP and the second ANP based on a query to an identity federation to which both the first and second ANP belong. The STA is de-associated from the first AP. The STA is re-associated at the second AP using the transmitted authentication information.