Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: A method determines whether another party has information about a person without disclosing personal identification information of the person. The method includes receiving, at a third computer system, a first set of data comprising personal identification information of a first person and encrypting the first set of data to generate a third set of data. The method also includes transmitting, to a second computer system, the third set of data. The method further includes receiving, at the third computer system from the second computer system, a message indicating the third set of data matches a fourth set of data encrypted from a second set of data comprising personal identification information of a second person. The method still further includes transmitting, from the third computer system, a message indicating the second person matches the first person when the fourth and third set of data matches.

Abstract: Systems, methods and computer readable media are provided to control anycast traffic using a software defined network controller. Telemetry and event data is gathered from a plurality of service nodes in the network. The telemetry and event data sent by an event broker to an analytic application with a resource conditions at each of the plurality of service nodes is determined based on the telemetry and event data. Traffic routing change recommendations are provided to a software defined network controller based on resource conditions at each of the plurality of service nodes and a set of predetermined policies.

Abstract: The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.

Abstract: Aspects described herein are directed to the live updating of user interface elements through multi-select state replication. A resource management server may receive domain and search query information from a user computing device and may execute a database request based on the search query. The results of the search query may be generated by the resource management server in a dropdown user interface element. Through the dropdown element, the resource management server may receive one or more selections of the results of the search query generated in the dropdown element. Based on the one or more selections, the resource management server may add entities corresponding to the one or more selections to the domain and update the dropdown user interface element.

Abstract: The present specification relates to an access control device, an access control system and an access control method using the same.

Abstract: To provide a method of communication control and the like based on a multi-access PDN connection establishment request from a terminal device. Provided is communication control accompanied with establishment of a multi-access PDN connection or with rejection of establishment of a multi-access PDN connection, based on a response to a PDN connectivity establishment request from a terminal device.

Abstract: Methods, non-transitory computer readable media, access policy management apparatuses, and network traffic management systems that send a request received from a client to an application server along with an access token. A determination is made when a received response to the request comprises an unauthorized HyperText Transfer Protocol (HTTP) response status code. The access token is refreshed using a stored refresh token, when the determining indicates that the response is an unauthorized HTTP response status code. The request is resent to the application server along with the refreshed access token. With this technology, an intermediary access policy management apparatus can refresh access tokens automatically and without sending any unauthorized HTTP response status codes received from application servers to client devices, or requiring user re-authorization at the client devices thereby improving the user experience in single sign-on (SSO) federated identity environments.

Abstract: Secure management of an enterprise network is improved by creating a network adapter fingerprint for an endpoint that identifies all of the network adapters for that endpoint. With this information, the location and connectivity of the endpoint can be tracked and managed independent of the manner in which the endpoint is connecting to the enterprise network.

Abstract: Systems and methods are disclosed, including a host interface circuit configured to control communication between a set of virtual functions (VFs) and a media management system (MMS). The host interface circuit can consolidate commands from the set of VFs, dynamically allocate write buffers (WBs) from a set of available WBs to the set of VFs using the commands, and manage WB access for the set of VFs and provide write data to the MMS using the allocated WBs. For each VF in the set of VFs, the host interface circuit can manage a submission queue (SQ) for a respective VF from the set of VFs, receive a command from the respective VF, including one or more submission queue entries (SQEs), and coordinate the one or more received SQEs with allocated WBs.

Abstract: A system and computer-implemented method to test end-to-end performance of a server, wherein the method includes transmitting from a processing device of a remote test system, to at least one monitor device, a proxy-based test for execution by the at least one monitor device to emulate end-user communication using a protocol via one or more networks with a web-based server coupled to the at least one monitor device. The method further includes receiving by the processing device, from the at least one monitor device, responses by the web-based server to the proxy-based test, and performing by the processing device automated web application testing to measure characteristics of communication between the at least one monitor device and the web-based server, the communication including user-emulated messages from the at least one monitor device executing the proxy-based test to the web-based server and corresponding responses from the web-based server.

Abstract: A method for providing lawful interception information for an Internet of Things network (IoT Network) is provided. The method is performed by a topology of probes and comprises: receiving, through an interface, a request for information about a lawful interception target, the request including a specification for the information to be tracked and reported; generating a hierarchy of information elements based on the specification; determining a set of data sources for providing the requested information according to the hierarchy of information elements; determining a hierarchy of probes based on the set of the data sources; configuring the topology of probes based on a set of configurations; activating LI operation in the topology of probes; performing LI operation by the topology of probes; verifying effectiveness of reporting conforming to reporting requirements and taking corrective action; and updating learning data in the historical database at the end of LI operation.

Abstract: A control apparatus includes a synchronization state transmission/reception unit configured to transmit and receive a synchronization state to and from another control apparatus via a network, and a state data transmission/reception unit configured to transmit and receive state data to and from the another control apparatus via the network. Thus, the control apparatus can grasp the synchronization state of the another control apparatus. Further, even when the control apparatus is restarted due to a failure, the control apparatus receives state data from another control apparatus that has been synchronized with the control apparatus and is in operation so that the control apparatus can recover without stopping the entire system.

Abstract: A communication system, comprising: a communication apparatus controlling transmission and reception of data in a network connecting a server and a user terminal; and a management apparatus, the network including an edge apparatus, the communication apparatus including a relay unit which has a queue for each communication flow, and controls the transmission and reception of data using the queue, the management apparatus including a monitoring unit which identifies a communication flow where data loss has occurred, calculates modifications for settings for communication control used for a queue corresponding to the identified communication flow, and transmits to the communication apparatus a modification command including the modifications, and the relay unit modifies settings for communication control using the queue corresponding to the identified communication flow on the basis of the modifications included in the modification command.

Abstract: Embodiments described include systems and methods for providing a preview for a link in a network application. A client application operating on a client device provides access to a network application. The client application includes an embedded browser for accessing the network application. The embedded browser displays a link within a user interface for the network application. When a user provides a user action on the link, a preview engine for the embedded browser detects the user action. The preview engine provides a preview of the link by rendering a preview in a preview region of the embedded browser.

Abstract: Systems, apparatuses and methods may provide for locating operating system (OS) kernel information and user mode code in physical memory, wherein the kernel information includes kernel code and kernel read only data, and specifying permissions for the kernel information and the user code in an extended page table (EPT). Additionally, systems, apparatuses and methods may provide for switching, in accordance with the permissions, between view instances of the EPT in response to one or more hardware virtualization exceptions.

Abstract: A method and device for classifying uniform resource locators based on content in corresponding websites includes extracting, by a network device, a plurality of website contents from a website associated with a URL based on Optical Character Recognition (OCR). Each of the plurality of website contents are classified into a plurality of webpage categories based on machine learning. User actions for the plurality of website contents are simulated based on a webpage category associated with each of the plurality of website contents. An access classification is determined for the URL based on results of simulating the user actions and machine learning.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller configures a first middlebox instance to obtain status of a set of servers and disseminate the obtained status to a second middlebox instance. The controller configures the second middlebox instance to use the status to select a server from the set of servers.

Abstract: A method includes receiving, at a first device from a server via a first network associated with a wireless service, an offer for a content item that is deliverable via a multimedia service to a second device distinct from the first device. The offer is based on a characteristic of use of the second device. The method includes receiving, at the first device, input indicating acceptance of the offer. The method also includes sending, from the first device to the server via the wireless service, information indicating acceptance of the offer responsive to the input. Based on the information, the server is configured to send the content item to the second device.

Abstract: An example of an apparatus including a network interface to receive enrollment data from a device, wherein the device is identified by a device identifier. The apparatus further includes a memory storage unit connected to the network interface. The memory storage unit receives device history data associated with the device identifier while the device is enrolled. The memory storage unit is also to maintain a database to store the device history data associated with the device identifier. The apparatus also includes a processor to receive a de-enrollment command associated with the device via the network interface. The de-enrollment command causes the processor to modify the device identifier stored in the database.

Abstract: In one embodiment, a network security device configured to monitor a communication session between a first device and a second device generates a first empty acknowledgment packet specifying a first sequence number and sends the first empty acknowledgment packet to the first device. The network security device may thereafter determine that a response from the first device has not been received within a threshold amount of time and generate, at least partly in response, a second empty acknowledgment packet specifying a second sequence number. The network security device may send the second empty acknowledgment packet to the first device and receive, from the first device, a third empty acknowledgment packet specifying a third sequence number. The network security device may then store the third sequence number in association with the communication session between the first device and the second device.

Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

Abstract: Certain aspects of the disclosure are directed to context aggregation in a data communications network. According to a specific example, user-data communications between a client-specific endpoint device and the other participating endpoint device during a first time period can be retrieved from a plurality of interconnected data communications systems. The client station can be configured and arranged to interface with a data communications server providing data communications services on a subscription basis. Context information for each respective user-data communication between the client station and the participating station during the first time period can be aggregated, such that subsequent user-data communications received from the participating station and intended for the client entity, can be routed based on the aggregated context information.

Abstract: Disclosed are various embodiments for controlling a distribution of resources on a network. In one embodiment, among others, a processor is configured to transmit a request to access resources at a distribution service and receives location rules associated with the resources. The location rules specify an authorized location and an authorized perimeter area. The authorized location and the authorized perimeter area specify different access rights to the resources. The processor can determine a location of a computing device and determine that the computing device is compliant with at least one of the location rules based on the location of the computing device. The processor is configured to transmit a compliance indication to the distribution service for the location rules and receive access to at least some of the resources from the distribution service.

Abstract: A Wi-Fi device includes a controller coupled to a writeable memory implementing a MAC and PHY layer and to a transceiver. Connection data stored in the writeable memory includes Wi-Fi connection parameters including ?1 router MAC level information or a most recently utilized (MRU) channel used, and IP addresses including ?1 of an IP address of the Wi-Fi device, IP address of the MRU router, an IP address of a MRU target server, and an IP address of a network connected device. An accelerated reconnecting to a Wi-Fi network algorithm is implemented by the processor is for starting from being in a network disconnected state, establishing current connection parameters for a current Wi-Fi network connection using the Wi-Fi connection parameters for at least one MAC layer parameter for the MAC layer.

Abstract: A method, a computer system, and a computer program product for authenticating a transaction are provided. An authentication system receives the transaction over a particular channel of a plurality of support channels. A risk score is determined for the transaction based on a number of contextual risk factors. An authentication scheme is determined from a number of authentication schemes for authenticating an identity of the user within an authentication context. The authentication scheme is determined based on the particular channel and the risk score. In response to successfully authenticating the identity of the user within the authentication context, the authentication system determines whether the transaction is a permitted transaction based on an assurance level associated with the authentication context. In response to determining that the transaction is the permitted transaction, the transaction is authenticated.

Abstract: A method, computer-readable medium, and apparatus for classifying mobile traffic for securing a network or a mobile user endpoint device are disclosed. For example, a method may include a processor for classifying mobile network traffic using a probabilistic model for a plurality of mobile software applications based on a distribution of domain names, detecting an anomaly associated with a mobile software application of the plurality of mobile software applications, and performing a remedial action to address the anomaly.

Abstract: A method and system include compatibly interfacing a suitably adapted central switch in a computer network virtualization environment to one or more user-end peripheral device(s) to dispense with a need for a user-end thin client. The method and system also include appropriately routing a data associated with a direct and exclusive communication between a virtual machine on a host server including a number of virtual machines and the one or more user-end peripheral device(s) using the central switch.

Abstract: The disclosed computer-implemented method for protecting users may include (i) intercepting an attempt to login to a user account of an application using a login credential, (ii) preventing a user corresponding to the user account from revealing personally identifiable information by populating a field for the login credential with a value for an identity-masking persona as a substitute for the personally identifiable information, and (iii) enabling a completion of the attempt to login to the user account of the application using the value for the identity-masking persona, rather than the personally identifiable information, to provide the user with access to an online resource through the application. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Multi-party consent to performance of an action is securely registered by receiving from at least one consent requesting entity (CRE) a consent action request (CAR), which is matched with a consent policy. The policy may specify a plurality of consent voting entities (CVE), and direct confirmation of registration of an identity of each CVE in a blockchain. A consent request (CR) may then be issued to the CVEs. Consent request responses (CRRs) from the CVEs are then compared with at least one condition in the consent policy. A representation of a state of the CRRs is relative to the consent policy is registered in the blockchain. If the policy condition(s) is satisfied, a subject entity may be signaled to perform the action corresponding to the CAR, and a state indication of performance of the action may also be registered in the blockchain.

Abstract: A method of delivering a webpage is disclosed. It is determined that delivery of at least a portion of third-party content associated with a webpage is to be accelerated. One or more pre-conditions to be met prior to the delivery of the accelerated third-party content are determined. A loading order configuration for the webpage is determined based at least in part on the one or more pre-conditions. At least a portion of the webpage that modifies a loading order of content portions of the webpage is determined based on the loading order configuration.

Abstract: An information handling system comprising a wireless interface for transmitting a data frame via a wireless link in a wireless neighborhood having a plurality of wireless base transceiver stations (BTSs), a plurality of antenna systems operating via the wireless interface executing code instructions for a carrier sense multiple access (CSMA) media access control protocol employing back-off time periods to avoid packet collision, a radio scanning modem for scanning a plurality of radio channels for the BTSs operating in the wireless neighborhood during a tune out time upon detection of carrier frequency operation by a carrier sense mechanism indicating transmission on the wireless link from another device and ending at a next distributed inter-frame space period of the CSMA protocol, a processor implementing a network evaluation scheduling system for detecting a BTS load for each detected BTS system operating in the wireless neighborhood and determining alternative wireless links with alternative BTSs based on

Abstract: A technique for rendering web content includes downloading a framework page from a framework server, the framework page including framework code which, when executed by a browser of a client machine, dynamically downloads a set of plugins from respective service providers. Each plugin includes its own plugin code configured to communicate with the respective service provider and with the framework code, to dynamically render web content specific to the service provider in the framework page running in the browser.

Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.

Abstract: Methods, systems, and computer readable media can be operable to facilitate the intercept and manipulation of content requested by a client device. The methods, systems, and apparatuses described herein enable the interception and redirection of packets based upon a set of rules. Intercepted packets may be redirected away from an origin server and may be forwarded to a splicing device. The splicing device may establish a session with a corresponding origin server, and retrieve content that is requested by the intercepted packet. In embodiments, the splicing device may identify alternate content that is associated with the intercepted packet and/or content that is further associated with a device or subscriber associated with the packet. One or more segments of the requested content, or the entirety of the requested content may be replaced with the alternate content, and the modified content may be output to the client device requesting the content.

Abstract: A wireless thermostat may be associated with a user account of an external web service that may facilitate remote access and/or control of the wireless thermostat. A remote device may be used to access a user's account hosted by the external web service. The wireless thermostat may be identified to the external web service and associated with the user's account by one or more unique identifiers previously delivered to the remote device from the wireless thermostat.

Abstract: Systems and methods for mapping IP addresses to an entity include receiving at least one domain name associated with the entity. Embodiments may further include determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. Some embodiments may also include identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. Additional embodiments include assigning weights to each of the identified one or more IP addresses and creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.

Abstract: In one embodiment, a method includes creating a catalog of service function (“SF”) profiles, wherein each of the profiles is associated with an SF and indicates a type of the associated SF; storing the catalog of SF profiles in a memory device of a service controller associated with the DVS; creating a service profile group template (“SPGT”) that includes at least one SF profile from the catalog of SF profiles, wherein the SPGT includes a service chain definition identifying at least one service chain comprising the SF associated with the at least one SF profile to be executed in connection with a service path and at least one policy for classifying traffic to the at least one service chain; deploying a first SPG instance based on the SPGT; and deploying an additional SPG instance based on the SPGT in accordance with a scaling policy included in the SPGT.

Abstract: Embodiments disclosed herein address the need to more efficiently backup a network-based storage environment that may be remote from a primary storage environment. For example, embodiments herein can provide a more efficient backup of a storage managed by a third-party entity. To improve the backup process, embodiments herein may optimize the number of scanning threads that are used to identify files that are to be backed up by, for example, analyzing the characteristics of the network and/or the network storage system to determine a number of scanning threads that will enable faster scanning of the network storage system while at the same time not overburden or be slowed down by a network between the network-based storage environment and the primary storage environment.

Abstract: Techniques are disclosed for auditing an IP address prefix that has been assigned to an entity as part of an administrator policy, to determine whether the assignment was implemented on the network. In an embodiment, associations between IP addresses and their assignment are stored in a database. IP addresses are read and semi-authoritative sources (e.g., DNS servers) are queried for information about the IP addresses. Information received in response to the query may be used to validate the IP address (e.g., in a network, all IP addresses used for VM instances will have a corresponding URL in a specific format).

Abstract: Embodiments of the present invention disclose a network function instance management method, including: receiving a management request for a target network function instance, where the management request for the target network function instance carries an identifier of a target virtualized network function descriptor and an identifier of a first network function instance, and the identifier of the first network function instance is used to determine a connection between the target network function instance and the first network function instance; managing the target network function instance based on the management request for the target network function instance; and establishing the connection between the target network function instance and the first network function instance based on the identifier of the first network function instance. In addition, the embodiments of the present invention further disclose a network function instance management apparatus and device.

Abstract: A distributed system allocates capacity in response to client requests. The system monitors a rate of capacity allocation. Based on the monitored rate and on a set of parameters, the system generates a forecast of capacity available for allocation and determines a time when available capacity will fall below a threshold level. The system adjusts the parameters to cause the predicted time to align with a target time, and then causes the system to be reconfigured according to the adjusted parameters.

Abstract: A computer-implemented method for processing serverless functions includes mapping a received event to an event state of a plurality of event states in a function graph according to a mapping rule, the function graph including one or more actions for the event state. A data package of a previous event state of the plurality of event states is filtered to generate a filtered data package, using a payload filter associated with the event state. The actions of the event state are executed, where the one or more actions satisfy the mapping rule. A modified data package is sent to a computer system to trigger executing one or more serverless functions associated with the executed one or more actions. The modified data package is based on a data package of the event and the filtered data package. One or more responses are received based on execution of the serverless functions.

Abstract: A method includes determining a location of a device based on wireless communication of the device with one or more line-of-sight dependent communication devices that allow data transmission between the device and a base station, determining content to be provided to the device based in part on the location of the device, performing computing operations that correspond to the content at the base station using inputs transmitted to the base station from the device, and transmitting outputs of the computing operations from the base station to the device for display at the device.

Abstract: A system and method to auto-determine and install missing components to a to a to-be-managed device by a single execution of unique device setup command has been described. Initially based on a received request, a unique device setup command is generated to on board a device on cloud device management system. Next the unique device setup command is executed that executes several operations including: auto-determining whether the device has required Operating System (OS), system architecture, and one or more software components including a control panel slave to allow retrieval of device monitoring data from the device. The execution of unique device address also execute the operation of installing a control plane slave on the device in communication with a control plane master at the cloud device management system to manage the plurality of devices, when the device has the required OS, architecture, and the one or more software components.

Abstract: A filesystem can be shared between containers. For example, a computing device having a host filesystem can launch a first container from an image file. Launching the first container can include creating an initialization directory for the first container on the host filesystem. The initialization directory can include a filesystem to be shared between containers. Launching the first container can also include creating a first filesystem directory for the first container on the host filesystem and mounting the initialization directory to the first filesystem directory. The computing device can also launch a second container from the image file. Launching the second container can include creating a second filesystem directory for the second container on the host filesystem and mounting the initialization directory to the second filesystem directory to enable the second container to access the filesystem.

Abstract: Systems and techniques for personalized assessment and/or learning are provided. The system may select tasks and task content for a user consistent with an administrator's suggested learning regimen for the user, while also adapting the selection of tasks and task content based on the user's performance and/or context when the user is not being supervised by an administrator.

Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

Abstract: A method performed by a wireless device for deciding whether or not to reselect to a neighbor cell is provided. The wireless device is associated with a first cell. The wireless device is further associated with an area, which area is related to any one or more out of: a Tracking Area, TA, multiple TAs, a Radio Access Network, RAN, area. The area comprises one or more cells including the first cell. The wireless device obtains an indication of an area offset related to neighbor cell channel quality. The area offset is associated with said area. The wireless device applies the area offset when the neighbor cell is outside said area. The wireless device then decides whether or not to reselect to the neighbor cell based on the applied area offset.

Abstract: An intelligent and versatile information exchange platform provides a delivery service operable to perform, in a network environment, processing a document in a first process context according to a first itinerary associated with a sender, including determining whether any receiver policy rule is applicable to the document. If so, the delivery service can determine a second itinerary in view of the receiver policy rule and automatically transition to act as a receive service for the receiver such that the document is processed is a second process context according to the second itinerary associated with the receiver. When no receiver policy rule is found or applicable to the document based on the document type of the document, the delivery service can deliver the document to the receiver under the first process context.