Abstract: For providing an efficient network use and resource allocation within the network a method for operating a network is provided, wherein user network traffic is controlled by an operator, comprising the following steps: a) monitoring user network traffic data on a per user basis, b) using said network traffic data in a learning process for providing a prediction of user network traffic on a per user basis, and c) controlling user network traffic under consideration of said prediction, including allocating network resources under consideration of said prediction to one or more users, preferably for providing a definable Quality of Service, QoS, per at least ne of said one or more users and/or per at least one other user. Further, a corresponding network is claimed.

Abstract: For providing an efficient network use and resource allocation within the network a method for operating a network is provided, wherein user network traffic is controlled by an operator, comprising the following steps: a) monitoring user network traffic data on a per user basis, b) using said network traffic data in a learning process for providing a prediction of user network traffic on a per user basis, and c) controlling user network traffic under consideration of said prediction, including allocating network resources under consideration of said prediction to one or more users, preferably for providing a definable Quality of Service, QoS, per at least ne of said one or more users and/or per at least one other user. Further, a corresponding network is claimed.

Abstract: A stateful packet processing system includes: a first stateful stage including a first state table and a first finite state machine (“FSM”) table; and a second stateful stage including a second state table and a second FSM table. The system performs a distribution operation defining when a flow is processed by the first and/or the second stateful stage. The first and/or second FSM table is extended with states and transitions that support the distribution operation. The first and/or second stateful stage executes an evaluation operation that executes the distribution operation. The evaluation operation provides a criterion for moving a particular flow from one of the first or second stateful stage to the other stateful stage. The first and second stateful stages are included in a software-defined networking (“SDN”) switch. The distribution operation operates within defined capabilities of a software and/or hardware pipeline of the SDN switch.

Abstract: A method searches and tests for performance optima in an operating system (OS) configuration space. The method includes generating a plurality of OS configurations. For at least a first OS configuration, of the generated OS configurations, the method further includes: fetching a plurality of OS modules based on the first OS configuration; building a first OS image from the fetched OS modules; and testing the first OS image to determine a first value of a performance metric.

Abstract: A method for executing a binarized neural network (BNN) using a switching chip includes describing an artificial neural network application in a binarized form to provide the BNN; configuring a parser of the switching chip to encode an input vector of the BNN in a packet header; configuring a plurality of match-action tables (MATs) of the switching chip to execute, on the input vector encoded in the packet header, one or more of the operations including XNOR, bit counting, and sign operations such that the plurality of MATs are configured to: implement a bitwise XNOR operation between the input vector and a weights matrix to produce a plurality of first stage vectors, implement an algorithm for counting a number of bits set to 1 in the plurality of first stage vectors to produce a plurality of second stage vectors, and implement a sign operation on the second stage vectors.

Abstract: A method adapts network intrusion detection. The method includes: a) deploying a network traffic capture system and collecting network packet traces; b) using a network audit tool, extracting features from the collected network packet traces; c) feeding the extracted features as unlabeled data into a representation function, and, utilizing the representation function as an unsupervised feature learning algorithm, learning a new representation of the unlabeled data; d) providing a labeled training set capturing examples of malicious network traffic, and, using the learned new representation of the unlabeled data, modifying the labeled training set to obtain a new training set; and e) using the new training set, training a traffic classification machine learning model.

Abstract: A method for service function chaining in a network includes defining, for a flow of packets, a chain of selected network service functions (NSFs) to be traversed by the flow. Each of the selected NSFs is associated with a programmable switch. The method also includes generating a chain establishment packet (CEP) that contains network identifier information (NII) about the selected NSFs and that is configured as a regular network packet to be delivered to the destination node along a network path that includes the programmable switches to which the selected NSFs is associated. Each programmable switch, upon receipt of the CEP and based on the NII about the selected NSFs contained in the CEP, performs installation of packet forwarding rules for the flow together with network address and port translation operations, and selects, on behalf of the respective NSF, socket parameters for use by the NSF for processing the flow.

Abstract: A method for controlling a network. The network includes a plurality of forwarding elements (FE) connected with each other, one or more end hosts (EH) connected to one or more of the FE, and a controller for controlling the FE. The method includes installing packet processing rules for end-host control protocols (ECP) on the FE. When an ECP Request (ECPRQ) is received by an FE and the ECPRQ was not processed by the controller, the ECPRQ is provided to the controller and an ECP response is computed by the receiving FE based on extracted information from the ECPRQ mapped onto forwarding information based on mapping information if provided, otherwise if the ECPRQ was processed by the controller, the ECPRQ is forwarded according to forwarding information of the ECPRQ. When an ECP response (ECPR) is received by an FE, the ECPR is forwarded according to forwarding information.

Abstract: A method for learning vector representations of network traffic data offline includes: receiving historical network traffic data and a domain classification list; generating a unique domain names list based on the historical network traffic data; generating a bad domains list based on the unique domain names list and the domain classification list; modifying the unique domain names list by replacing each entry of the unique domain names list that appears in the bad domains list by a common classification label; and learning a respective vector representation for each entry of the modified unique domain names list.

Abstract: A method for service function chaining within an end-to-end path of a network connection between a source and destination node includes: executing, for a defined service function chain including an ordered sequence of network service functions, an address resolution process that translates names of the network service functions of the defined service function chain into their corresponding IP addresses. The address resolution process is performed at a name server of the destination node by a sequence of name server queries sent in succession to respective name servers of each of the selected network service functions of the defined service function chain in accordance with their order. Each of the name server queries is answered by a response from a name server of the respective network service function that includes IP addresses of selected instances of a respective network service function chosen by the respective name server according to predefined criteria.

Abstract: A method for classifying network traffic data includes: selecting a subset of network destinations from the network traffic data to be evaluated to determine whether to classify the subset of network destinations with a common classification label, the common classification label corresponding to a common classification class; determining a list of vector representations for the subset of the network destinations contained in the network traffic data and a vector representation for the common classification label; computing a distance between a vector representation for a network domain and the vector representation of the classification label, the vector representation for the network domain being determined from the list of vector representations; classifying the subset of the network destinations as belonging to the common classification class based on the distance being less than a predefined threshold.

Abstract: A method for flow rule installation in a flow-based programmable network device, includes obtaining packet flow information that includes information about times and intervals of packet flow transmissions from data transmitting devices, programming, by a controller entity, forwarding rules into a flow table based on the packet flow information, and triggering activation of a forwarding rule programmed for a particular packet flow just-in-time before actual transmission of the particular packet flow. The flow-based programmable network device comprises input/output ports, a flow table including forwarding rules that map packet flows from data transmitting devices in the network, received on an input port, to an output port based on a packet flow matching a rule in the forwarding rules, and a state table including state entries that specify states of the packet flows.

Abstract: A stateful packet processing system includes: a first stateful stage including a first state table and a first finite state machine (“FSM”) table; and a second stateful stage including a second state table and a second FSM table. The system performs a distribution operation defining when a flow is processed by the first and/or the second stateful stage. The first and/or second FSM table is extended with states and transitions that support the distribution operation. The first and/or second stateful stage executes an evaluation operation that executes the distribution operation. The evaluation operation provides a criterion for moving a particular flow from one of the first or second stateful stage to the other stateful stage. The first and second stateful stages are included in a software-defined networking (“SDN”) switch. The distribution operation operates within defined capabilities of a software and/or hardware pipeline of the SDN switch.

Abstract: A stateful network packet processing system includes first and second stateful stages and a distribution mechanism. The first stateful stage includes a first state table and a first FSM table. The second stateful stage includes a second state table and a second FSM table. The distribution mechanism defines when a flow should be processed by either the first stateful stage or the second stateful stage or by a combination of the first stateful stage and the second stateful stage. At least one of the first or second FSM tables is extended with states and transitions that support the distribution mechanism.

Abstract: A method for load balancing in a computer network includes receiving application information for an application and information relating to an artificial neural network (NN) computation to be executed by the application. A configuration is derived for one or more network devices based on the application information and the information relating to the NN computation. The configuration is installed in the one or more network devices such that at least one of the network devices on a path of a network packet performs a subset of the NN computation and encodes a result of the subset of the NN computation into a header of the network packet.

Abstract: A method for establishing a TCP connection between a first end-point and a second end-point includes: establishing a first TCP connection between the first end-point and the second end-point; the second end-point dynamically deciding on redirecting the first TCP connection via a chain of proxies that interconnects the first end-point and the second end-point; based upon a case of a redirection decision by the second end-point occurring, the first end-point establishing a new TCP connection with the first proxy of the chain of proxies; and establishing a segmented TCP connection between the first end-point and the second end-point via the chain of proxies and transferring data between the first end-point and the second end-point through the chain of proxies.

Abstract: A method for flow rule installation in a flow-based programmable network device, includes obtaining packet flow information that includes information about times and intervals of packet flow transmissions from data transmitting devices, programming, by a controller entity, forwarding rules into a flow table based on the packet flow information, and triggering activation of a forwarding rule programmed for a particular packet flow just-in-time before actual transmission of the particular packet flow. The flow-based programmable network device comprises input/output ports, a flow table including forwarding rules that map packet flows from data transmitting devices in the network, received on an input port, to an output port based on a packet flow matching a rule in the forwarding rules, and a state table including state entries that specify states of the packet flows.

Abstract: A method for acceleration of TCP connection establishment between a client and a server in a network includes deploying at least one stateful switch with packet generation capabilities in the network, and configuring the at least one stateful switch to receive a TCP SYN segment from the client, generate a sequence number in a manner coordinated with the server, answer, on behalf of the server, the TCP SYN segment received from the client with a corresponding SYN ACK segment containing the sequence number, forward the TCP SYN segment received from the client to the server, and act as a forwarding element for segments exchanged between the client and the server once a TCP connection is established such that no state relating to the TCP connection is held by the at least one stateful switch.

Abstract: A method for classifying network traffic data includes: selecting a subset of network destinations from the network traffic data to be evaluated to determine whether to classify the subset of network destinations with a common classification label, the common classification label corresponding to a common classification class; determining a list of vector representations for the subset of the network destinations contained in the network traffic data and a vector representation for the common classification label; computing a distance between a vector representation for a network domain and the vector representation of the classification label, the vector representation for the network domain being determined from the list of vector representations; classifying the subset of the network destinations as belonging to the common classification class based on the distance being less than a predefined threshold.

Abstract: A method of forwarding packet flows in a network includes originating the packet flows from a plurality of end hosts in the network; and transmitting the packet flows from a respective end host of the plurality of end hosts to a sink node via a predefined routing path that includes one or more SDN switches that are under control of an SDN controller. The one or more SDN switches include an edge switch having at least one port connected to the end host. Forwarding of a packet flow from the respective end host by the edge switch is enabled by a dedicated door-opener packet that, when being processed at the one or more SDN switches, effectuates activation or installation of a forwarding rule within the one or more SDN switches for forwarding the packet flow to a next switch along the predefined routing path.