Novel tools and techniques are provided for implementing optical frequency spectral optimization in dense wavelength division multiplexing (“DWDM”) flex grid systems. In various embodiments, based on a determination that one or more gaps of optical spectrum exist in a range of optical spectrum that contains one or more media channels that support transmission of corresponding one or more first signals, a computing system may determine a network wavelength service frequency assignment for shifting frequency of at least one media channel among the one or more media channels to optimize one or more spacings among the one or more media channels in the range of optical spectrum for supporting transmission of one or more second signals; and may cause one or more optical signal devices to shift a center frequency of each of the at least one media channel, based on the determined network wavelength service frequency assignment.
Dynamic and self-healing optimized traffic rerouting is provided. A system and method are described for determining and implementing optimized traffic routing decision. A route orchestration system monitors network resource performance characteristics information for identifying a traffic redirection triggering event and for determining an optimized traffic control decision based on the network resource performance characteristics information. The decision may include software defined networking (SDN) instructions that may be communicated to one or more network resources (e.g., PE devices, P devices, and/or routers) that may cause traffic to be rerouted the one or more targeted servers. For example, the optimized traffic control decision may be determined to improve load balancing amongst performing servers and other network resources in the network while reducing or minimizing administrative costs. Network resources may include a programmatic component that allows the optimized traffic control decision determined by the route orchestration system to be implemented by the resource.
Novel tools and techniques are provided for implementing optical switching network and portal. In various examples, a computing system of a service provider network may receive, from a first participant entity via an interface system, a request to establish or modify a network connection between a first participant network and a second participant network. The request may include a request to reserve a line port on a network device of the second participant network and/or a request for network connection at a fraction of a set bandwidth corresponding to bandwidth of cross-connections between participant networks. After confirming system capability to perform the requested establishment or modification and confirming authorization of the first participant entity to perform the requested operations, the computing system may establish or modify the network connection using an optical switching device (and in some cases, an aggregation switch) in the service provider network based on the request.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 41/28 - Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
H04Q 11/00 - Selecting arrangements for multiplex systems
Novel tools and techniques are provided for implementing optical switching network and portal. In various examples, a computing system of a service provider network may receive, from a first participant entity via an interface system, a request to establish or modify a network connection between a first participant network and a second participant network. The request may include a request to reserve a line port on a network device of the second participant network and/or a request for network connection at a fraction of a set bandwidth corresponding to bandwidth of cross-connections between participant networks. After confirming system capability to perform the requested establishment or modification and confirming authorization of the first participant entity to perform the requested operations, the computing system may establish or modify the network connection using an optical switching device (and in some cases, an aggregation switch) in the service provider network based on the request.
An identity and access management system including: a processor; and memory including instructions that, when executed by the processor, cause the processor to: receive an API token request for an authorization token to authorize an application function associated with a target API of an application; determine identity information from the API token request; retrieve attributes associated with the identity information; identify the target API and an API function profile associated with the target API for the application function; filter the attributes associated with the identity information based on the API function profile; generate the authorization token according to the filtered attributes; and transmit the authorization token in response to the API token request.
Systems and methods for improved intelligent manipulation of distributed-denial-of-service (DDoS) attack traffic are provided. In implementations, a method may include receiving, at a traffic management system, a mirrored first stream of packets from a router on a first link and a mirrored second stream of packets from the router on a second link. The method may further include determining flow information about the first stream. In examples, the flow information may indicate that a challenge to a particular source IP address has been issued to test the legitimacy of the source IP address. The method may further include sending, by the traffic management system, a routing policy update based on the flow information.
Examples of the present disclosure describe systems and methods for providing enhanced security in edge computing environments. A first aspect describes a method for moving security features dynamically applied to an application at a first deployment location to an application at a second deployment location. A second aspect describes a method for locally expanding/contracting an instance of a deployed application. A third aspect describes a method for redirected network traffic associated with detected malicious conduct from a first application deployment environment to a secured second application deployment environment. A fourth aspect describes a method for performing multi-stage network traffic filtering.
Novel tools and techniques are provided for implementing application programming interface (“API”)-based concurrent call path (“CCP”) provisioning. In various embodiments, in response to receiving a CCP provisioning request, a computing system may determine whether such a request would affect a set of trunk groups assigned to a customer based at least in part on network utilization data. If not, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in at least one trunk group assigned to the customer based on the CCP provisioning request. If so, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of trunk groups assigned to the customer and may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in the updated number of trunk groups.
A field device, including: a processor; and memory including instructions that, when executed by the processor, cause the processor to: login to a local node device physically connected to the field device; enable a common command protocol on the local node device; solicit information to configure the local node device; generate a command set in the enabled common command protocol according to the solicited information; and execute the command set to automatically commission the local node device to communicate with one or more other node devices commissioned in a first network.
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
10.
SECURITY FABRIC PLATFORM NETWORK SERVICES ARCHITECTURE AND FUNCTIONALITIES
Novel tools and techniques are provided for implementing security fabric platform network services architecture and functionalities. In various embodiments, at least one VM among a plurality of virtual machines (“VMs”) that is hosted on a security fabric platform includes dual network interface controllers (“NICs”) or virtual NICs (“VNICs”). A request to perform a set of tasks may be routed to a VM of the plurality of VMs via one of the NICs or VNICs. Two or more VMs and/or one or more containers hosted on the security fabric platform and/or on one or more worker nodes may be service chained from one to another of the NICs or VNICs of the VMs and/or containers. Results of the set of tasks as processed by virtual or cloud-native network functions may be routed via a firewall, via network address translation, from and to a destination network address associated with a destination device.
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
The present application describes a system and method for utilizing a tunnel in a networking routing protocol to provide a network segment access to additional servers when certain load balancing trigger events are detected.
Novel tools and techniques are provided for implementing security fabric platform network services architecture and functionalities. In various embodiments, at least one VM among a plurality of virtual machines ("VMs") that is hosted on a security fabric platform includes dual network interface controllers ("NICs") or virtual NICs ("VNICs"). A request to perform a set of tasks may be routed to a VM of the plurality of VMs via one of the NICs or VNICs. Two or more VMs and/or one or more containers hosted on the security fabric platform and/or on one or more worker nodes may be service chained from one to another of the NICs or VNICs of the VMs and/or containers. Results of the set of tasks as processed by virtual or cloud-native network functions may be routed via a firewall, via network address translation, from and to a destination network address associated with a destination device.
Novel tools and techniques are provided for implementing visualization for network services and their relationships with end-users, service locations, and other network services. In various examples, a computing system may collect, from one or more databases, information regarding one or more network services provided by a service provider. The information may include at least one of end-user information, service-specific information, service location information, or contact information, and/or the like. The computing system may identify information objects and their relationships by analyzing the collected information. The computing system may generate a graphical representation of the information objects and their relationships, and may generate a user interface (“UI”) for presenting the generated graphical representation, and may display, on a display screen of a user device, the UI to a user.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
G06F 3/04842 - Selection of displayed objects or displayed text elements
G06F 3/04845 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range for image manipulation, e.g. dragging, rotation, expansion or change of colour
G06T 11/20 - Drawing from basic elements, e.g. lines or circles
Novel tools and techniques are provided for implementing visualization for network services and their relationships with end-users, service locations, and other network services. In various examples, a computing system may collect, from one or more databases, information regarding one or more network services provided by a service provider. The information may include at least one of end-user information, service-specific information, service location information, or contact information, and/or the like. The computing system may identify information objects and their relationships by analyzing the collected information. The computing system may generate a graphical representation of the information objects and their relationships, and may generate a user interface ("UI") for presenting the generated graphical representation, and may display, on a display screen of a user device, the UI to a user.
G06F 3/04817 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance using icons
G06T 11/20 - Drawing from basic elements, e.g. lines or circles
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
15.
CONSOLIDATION OF EXISTING SIGNAL TRANSFER POINTS IN A TELECOMMUNICATION NETWORK
The present disclosure is directed to consolidation of STP pairs without deploying new STP pairs and without making changes at a Service Switching Point to reflect the consolidation. In one aspect, a method includes identifying a first pair of signal transfer point devices to be decommissioned from a telecommunication network; identifying a second pair of signal transfer point devices to assume, in part, functionalities of the first pair of signal transfer point devices, each signal transfer point device of the first pair and the second pair having at least one primary point code and at least one secondary point code assigning a temporary secondary point code to each signal transfer point device of the first pair; and modifying at least one secondary point code of each signal transfer point device of the second pair with a primary point code of at least one signal transfer point device of the first pair.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
H04L 41/0826 - Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability for reduction of network costs
H04W 24/02 - Arrangements for optimising operational condition
H04W 76/11 - Allocation or use of connection identifiers
16.
EDGE COMPUTE ENVIRONMENT AUTOMATIC SERVER CONFIGURATION TOOL
A server configuration tool is presented for autonomously configuring servers located in a network. The tool may autonomously configure multiple servers in parallel based on individual states of the servers, which may be periodically and simultaneously determined. For example, the tool may determine which action to take to begin or continue configuring the server based on the present state of each server. Server states (and corresponding actions) can be edited through a user interface to alter the server configuration process without code changes. At any one time, multiple servers may be in different states requiring different configuration operations to configure the servers to be ready for use. The present systems and methods can be used to move multiple servers iteratively through different configuration actions based on the individual state of each server and to perform non-conflicting configuration operations for multiple servers in parallel.
Aspects of the present disclosure involve systems, methods, for encoding a firewall ruleset into one or more bit arrays for fast determination of processing of a received communication packet by a firewall device associated with a network. Through this bitmap, a number of computation operations needed to determine a processing rule for a received packet is significantly reduced compared to the traditional approach of using a hash or a longest prefix match technique. Rather, determining a processing rule for a received packet may include determining a bit value within one or more arrays. In one implementation, a firewall rule may be encoded into a 64-bit array of bit values in which each bit of the array corresponds to a particular processing rule for a particular network address. The firewall rule may be encoded into a bitmap array of bit values by asserting a particular bit within the array.
Authorization for a user may be dynamically tailored per application or per application function, rather than globally managed by an administrator. For example, in some embodiments, an identity access management system may generate a suitable authorization token (or authorization token information) to enable a user to login to an application or perform a particular function. The authorization token may be dynamically generated and tailored based on filtering various identity information otherwise available from an identity system, access boundaries of applicable application functions, or other factors.
Novel tools and techniques are provided for implementing software-based network probes for monitoring network devices for fault management. In various embodiments, a computing system may receive, from at least one software-based network probe, a first alert associated with a first device among layer 4 devices disposed in a plurality of networks; may parse and store first alert data from the received first alert in a database, in a standardized format; may perform, using an enrichment system, enrichment of the first alert data, by retrieving first enrichment data from one or more second databases and adding the first enrichment data to the parsed and formatted first alert data in the first database to form first consolidated alert data; and may send the first consolidated alert data to a fault management system for display to a user to facilitate addressing of the first alert by the user.
Novel tools and techniques are provided for implementing predictive or preemptive machine learning ("ML") -driven optimization of Internet protocol ("IP") -based communications services. In various embodiments, a computing system may predict future provisioning demands for an IP-based communications system based on at least one of analysis of past IP-based communications patterns, analysis of current network condition data and current event data, and/or one or more trigger events, in some cases using a first ML model. The computing system may identify first (e.g., optimized) resource allocation based on the predicted future provisioning demands for the IP-based communications system, in some cases using a second ML model. The computing system may initiate changes in allocation of network resources for the IP-based communications system based on the identified first resource allocation, by performing at least one of routing or re-routing network traffic, load balancing, and/or adding, reassigning, and/or removing network resources.
H04L 41/147 - Network analysis or design for predicting network behaviour
H04L 41/149 - Network analysis or design for prediction of maintenance
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
21.
PREDICTIVE OR PREEMPTIVE MACHINE LEARNING (ML) -DRIVEN OPTIMIZATION OF INTERNET PROTOCOL (IP) -BASED COMMUNICATIONS SERVICE
Novel tools and techniques are provided for implementing predictive or preemptive machine learning (“ML”)-driven optimization of Internet protocol (“IP”)-based communications services. In various embodiments, a computing system may predict future provisioning demands for an IP-based communications system based on at least one of analysis of past IP-based communications patterns, analysis of current network condition data and current event data, and/or one or more trigger events, in some cases using a first ML model. The computing system may identify first (e.g., optimized) resource allocation based on the predicted future provisioning demands for the IP-based communications system, in some cases using a second ML model. The computing system may initiate changes in allocation of network resources for the IP-based communications system based on the identified first resource allocation, by performing at least one of routing or re-routing network traffic, load balancing, and/or adding, reassigning, and/or removing network resources.
This disclosure describes systems, methods, and devices related to estimating a provisioning of resources in a telecommunications network. A method may include receiving, at a first time, a user request for a service facilitated by a telecommunications network; identifying, based on the service, a device or port to which the user connects to access the telecommunications network; retrieving, using discovery commands, information from one or more additional devices in the telecommunications network; identifying, based on the information, a second device to which the device or port may connect to generate a path to an endpoint of the telecommunications network; identifying, based on the device or port and the second device, a path from the location of the user to the endpoint in the telecommunications network; generating an estimated time to provision the service using the path; and presenting, at the first time, the estimated time to provision the service.
Novel tools and techniques are provided for implementing fraud or distributed denial of service (“DDoS”) protection for session initiation protocol (“SIP”)-based communication. In various embodiments, a computing system may receive, from a first router, first SIP data indicating a request to initiate a SIP-based media communication session between a calling party at a source address and a called party at a destination address. The computing system may analyze the received first SIP data to determine whether the received first SIP data comprises any abnormalities indicative of potential fraudulent or malicious actions. If so, the computing system may reroute the first SIP data to a security deep packet inspection (“DPI”) engine, which may perform a deep scan of the received first SIP data to identify any known fraudulent or malicious attack vectors contained within the received first SIP data. If so, the security DPI engine may initiate mitigation actions.
A dynamic SRMS (DSRMS) in a MPLS network generates unique segment identifiers for nodes of the network lacking segment identifiers (SIDs). The DSRMS receives network information from other nodes of the network that may include, for example, Internal Gateway Protocol (IGP) routing information, advertised prefix values for the nodes, and label values used in MPLS routing. The DSRMS analyzes the information and identifies nodes of the network that are not associated with a SID. For each identified node, the DSRMS generates a unique SID and then announces the SID to other nodes within the network. Generating the unique SID may include executing a hashing function using the IP address of the identified node as an input.
A security platform of a data network is provided that includes security services for computing devices in communication with the data network. The security platform may apply a security policy to the computing devices when accessing the Internet via a home network (or other customer network) and when accessing the Internet via a public or third party network. To provide security services to computing devices via the home network, the security platform may communicate with a security agent application executed on the router (or other gateway device) of the home network. In addition, each of the devices identified by the security profile for the home network may be instructed or otherwise be provided a security agent application for execution on the computing devices. The security agent application may communicate with the security platform when the computing device connects to the Internet over a third party or public access point.
This disclosure describes systems, methods, and devices related to analyzing data stored in a relational database. A method may include installing a structured query language (SQL) server on a host server; installing statistical analysis modules on the host server; executing the statistical analysis modules within a relational database of the SQL server to analyze data stored in the relational database; and generating outputs based on the execution of the statistical analysis modules within the relational database.
The present application describes a system that uses endpoint data and network data to detect an anomaly. Once an anomaly is detected, the system may determine a severity of the anomaly by comparing the anomaly to a global database of known anomalies. The system may then initiate preventative measures to address the anomaly.
A method is disclosed for testing network devices for networks with a large traffic load utilizing one or more traffic load amplifiers to amplify the traffic load. The load amplifiers connected to the device may receive packets of an initial traffic load, multiply or copy the received packet, alter the destination address information in the header of the copied packets to generate packets with different destination addresses, and transmit the altered packets back to the device for further routing. The altered or copied packets may then be routed via the device back to the load amplifier for further amplification. Through this amplification process, a small initial load of packets may be amplified over and over by the load amplifiers until a target traffic load is achieved at the device to test the device performance at a large traffic load.
G06F 9/455 - EmulationInterpretationSoftware simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
This disclosure describes systems, methods, and devices related to activating services and devices in a telecommunications network. A method may include receiving a user request for a service facilitated by a telecommunications network; identifying, based on the service, a device or port to which the user connects to access the telecommunications network; sending, based on the device or port, discovery commands to retrieve information from one or more additional devices in the telecommunications network; retrieving, based on the discovery commands, the information from the one or more additional devices; identifying, based on the information, a second device to which the device or port may connect to generate a path to an endpoint of the telecommunications network; generating, based on the device or port and the second device, a path from a location of the user to the endpoint; and provisioning the service for the user based on the path.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 41/12 - Discovery or management of network topologies
This disclosure describes systems, methods, and devices related to automating and testing communication network topologies. A method may include identifying templates of respective communication network topologies defining network devices, connections between the network devices, roles for the network devices, and performance tests for the communication network topologies; selecting a first template; instantiating an instance to generate a first communication network topology by establishing first connections between first network devices based on the first communication network topology and first roles of first network devices of the first communication network topology; generating performance test results for the first communication network topology based on performance of first performance tests defined by the first template, wherein first test thresholds of the first performance tests are based on a machine learning model trained based on the communication network topologies and the performance tests; and modifying the first test thresholds based on the performance test results.
H04L 41/12 - Discovery or management of network topologies
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
31.
WEB SERVICE-BASED MONITORING AND DETECTION OF FRAUDULENT OR UNAUTHORIZED USE OF CALLING SERVICE
Novel tools and techniques are provided for implementing web-based monitoring and detection of fraudulent or unauthorized use of voice calling service. In various embodiments, a computing system might receive, from a user device associated with an originating party, a request to initiate a call session with a destination party, the request comprising user information associated with the originating party and a destination number associated with the destination party; might query a database with session data (including user information) to access permission data and configuration data; and might configure fraud logic using received configuration data from the database. The computing system might analyze the session data and permission data using the configured fraud logic to determine whether the originating party is permitted to establish the requested call session with the destination party; if so, might initiate one or more first actions; and, if not, might initiate one or more second actions.
The present disclosure describes providing an attestation level to a received communication. The attestation level may be used to communicate a level of security to a network or a called party that receives the communication. The attestation level associated with the communication may indicate to a destination network and/or recipient that the phone number associated with the communication is secure and/or the telephone number has not been spoofed. Determining the attestation level comprises comparing information associated with the communication with stored information and assigning a code based on the comparison. The code may be translated to a tag value that is used to direct the communication to a signing server for attesting the communication at the determined attestation level.
The present application describes systems and methods for secured network information transmission. A network tunnel may be established from a customer premises equipment (CPE) to a routing device at a provider site. The network tunnel may traverse over one or more networks while maintaining a secure path for data. A customer may indicate a chosen configuration for a CPE, and a device at a provider site, a customer device, and/or the CPE itself may automatically, or manually, configure the CPE based on the chosen configuration to allow and/or disallow certain customer network information from being received and/or transmitted through the network tunnel.
The present application describes systems and methods for filtering of malicious domain name system (DNS) queries. A DNS filter inspects a DNS query and drops the DNS query if the DNS query is deemed invalid. The DNS filter allows or drops the DNS query based on a set of rules. The set of rules includes one or more criteria for the validity or invalidity one or more DNS query attributes. The DNS filter logs the dropped DNS queries and provides them to the security analysis service for further investigation. In some examples, the DNS filter runs in a container or a virtual machine (VM) on the same system as the DNS server, or on a separate system in-line with the DNS servers.
H04L 61/4511 - Network directoriesName-to-address mapping using standardised directoriesNetwork directoriesName-to-address mapping using standardised directory access protocols using domain name system [DNS]
35.
SYSTEMS AND METHODS FOR FILTERING OF MALICIOUS DNS QUERIES
The present application describes systems and methods for filtering of malicious domain name system (DNS) queries. A DNS filter inspects a DNS query and drops the DNS query if the DNS query is deemed invalid. The DNS filter allows or drops the DNS query based on a set of rules. The set of rules includes one or more criteria for the validity or invalidity one or more DNS query attributes. The DNS filter logs the dropped DNS queries and provides them to the security analysis service for further investigation. In some examples, the DNS filter runs in a container or a virtual machine (VM) on the same system as the DNS server, or on a separate system in-line with the DNS servers.
H04L 61/4511 - Network directoriesName-to-address mapping using standardised directoriesNetwork directoriesName-to-address mapping using standardised directory access protocols using domain name system [DNS]
A network filter request arbiter is provided. An interface (e.g., user interface and/or programmatic interface, such as an application programming interface (API)), is for configuring and automatically implementing one or more filters in an internal and/or external network. The filters may be used to stop distributed denial of service (DDOS) attacks and/or prevent malicious network traffic from reaching a target network or target device(s) within the target network. Filters implemented in a target network may also be distributed to other (e.g., upstream) networks. The distributed filters may similarly be used to stop DDOS attacks and/or prevent malicious network traffic from being carried by the networks and from reaching a target network or target device(s) within the target network.
The present application describes systems and methods for secured network information transmission. A network tunnel may be established from a customer premises equipment (CPE) to a routing device at a provider site. The network tunnel may traverse over one or more networks while maintaining a secure path for data. A customer may indicate a chosen configuration for a CPE, and a device at a provider site, a customer device, and/or the CPE itself may automatically, or manually, configure the CPE based on the chosen configuration to allow and/or disallow certain customer network information from being received and/or transmitted through the network tunnel.
The present application describes systems and methods for network-based blocking threat intelligence. An access control list (ACL) generator may modify ACLs and provide modified ACLs to provider edge routers based on the capabilities of the provider edge routers. In some cases, an additional provider edge router that is more capable of implementing longer ACLs may be used. In some cases, a collector may identify when threat communications are bypassing provider edge routers with limited ACL lengths and provide the customer an opportunity to buy a better router or access to an additional router that supports longer or additional ACLs. A threat intelligence system may update (e.g., continuously update) the ACL provided to the ACL generator, and the ACL generator may accordingly update the modified ACLs provided to the provider edge routers.
This disclosure describes systems, methods, and devices related to managing egress traffic from a network to one or more peer networks. A method may include generating, using a load balancer of a network, a dynamic logical egress traffic threshold for a peer network; determining, using the load balancer, that first traffic from the network to the peer network is below the logical egress traffic threshold; directing second traffic from the network to the peer network based on the determination that the first traffic is below the logical egress traffic threshold; determining, using the load balancer, that the second traffic from the network to the peer network has reached the logical egress traffic threshold; and directing third traffic from the network away from the peer network based on the determination that the second traffic has reached the logical egress traffic threshold.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
This disclosure describes systems, methods, and devices related to managing network capacity using cloud edge providers. A method may include identifying, by an edge device of a network, a request for network capacity received via an application programming interface (API), from a user of the network; identifying offers received via the API by cloud edge providers; determining that the network capacity is available at at least one of the cloud edge providers based on the offers; deploying an edge server at the at least one of the cloud edge providers based on the network capacity being available at the at least one of the cloud edge providers; and directing traffic between the user and the edge server based on the deployment.
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
The present application describes systems and methods for network-based blocking threat intelligence. An access control list (ACL) generator may modify ACLs and provide modified ACLs to provider edge routers based on the capabilities of the provider edge routers. In some cases, an additional provider edge router that is more capable of implementing longer ACLs may be used. In some cases, a collector may identify when threat communications are bypassing provider edge routers with limited ACL lengths and provide the customer an opportunity to buy a better router or access to an additional router that supports longer or additional ACLs. A threat intelligence system may update (e.g., continuously update) the ACL provided to the ACL generator, and the ACL generator may accordingly update the modified ACLs provided to the provider edge routers.
Novel tools and techniques are provided for implementing cloud-based voice calling service, video calling service, and/or over-the-top (“OTT”) services. In various embodiments, with a unified communications and collaboration interconnection (“UCCI”) interconnection established between separate hyperscalers or communication service providers that have separate administrative domains, Internet Protocol (“IP”) based communications services may be instantiated between a first user device or a first telephone number (or call identifier (“ID”)) via a first hyperscaler and a second user device or a second telephone number (or call ID) via a second hyperscaler, without touching or traversing the public switched telephone network (“PSTN”). By bypassing the PSTN, not only can cloud-based voice calling services be implemented or established over the UCCI, but cloud-based video calling services and OTT services may also be instantiated, with the OTT services being instantiated during either the cloud-based voice calling services or the cloud-based video calling services.
Implementations described and claimed herein provide systems and methods for custom-defined network routing. In one implementation, a set of custom defined network flow rules is received at an edge router of a primary network, which is in communication with a customer network. The set of custom defined network flow rules correspond to network traffic associated with the customer network. The set of custom defined network flow rules is stored in a forwarding table on the edge router. A packet of data is received at the edge router. The packet of data is attributed to the customer network. The set of custom defined network flow rules is applied to the pack of data using the forwarding table.
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
H04L 41/18 - Delegation of network management function, e.g. customer network management [CNM]
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
Novel tools and techniques are provided for implementing emergency call record and address validation. In various embodiments, a computing system may simultaneously initiate two or more test calls among a plurality of test calls to an emergency service provider system. Each test call may simulate an emergency services validation call initiated from a telephone number among a plurality of telephone numbers associated with a corresponding plurality of users to request a determination as to whether a 911 or enhanced 911 (“E911”) address associated with the telephone number is an accurate 911 or E911 address. In response to receiving a corresponding plurality of call responses from the emergency service provider system, the computing system may analyze each call response to determine a result of each corresponding simulated emergency services validation call; and may send each determined result to a corresponding requesting party.
A data network analysis system includes a computer-executable set of instructions that obtain service account information associated with a route provided to a customer through a data communication network having network elements. Using the service account information, the instructions identify a termination port that terminates the route to a customer premises equipment of the customer, and at least one target port of the route and those network elements that are assigned to convey the route through one or more of the network elements. The instructions then obtain the routing information for the route from each of the network elements that are assigned to convey the route.
FlowSpec is a mechanism for distributing rules to routers in a network. Such rules may be used, for example, to drop traffic associated with a distributed denial of service attack. However, a malformed or incorrect FlowSpec announcement may, if distributed in the network, cause legitimate traffic to be dropped, degrading the service experienced by legitimate users. As such, systems and methods for avoiding the distribution of malformed FlowSpec announcements are provided.
The present application describes providing an attestation level to a received communication. The attestation level may be used to communicate a level of security to a network or a called party that receives the communication. The attestation level associated with the communication may indicate to a destination network and/or recipient that the phone number associated with the communication is secure and/or the telephone number has not been spoofed.
A system and method for providing on-demand edge compute. The system may include an orchestrator that provides a UI and controls an abstraction layer for implementing a workflow for providing on-demand edge compute. The abstraction layer may include a network configuration orchestration (NCO) system (e.g., a Network-as-a-Service (NaaS) system) and an API that may provide an interface between the orchestrator and the NCO. The API may enable the orchestrator to communicate with the NCO for receiving requests that enable the NCO to integrate with existing network controllers, orchestrators, and other systems and perform various network provisioning tasks (e.g., to build and provision a communication path between server instances). The various tasks, when executed, may provide end-to-end automated network provisioning services as part of providing on-demand edge compute service to users. The API may further enable the ECS orchestrator to receive information from the NCO, (e.g., network resource information, status messages).
Novel tools and techniques are provided for implementing programmatical public switched telephone network (“PSTN”) trunking for cloud hosted applications. In various embodiments, a computing system may determine one or more first network interconnection characteristics associated with a first entity service provider within a call service network operated by a call network service provider. Based on the determined one or more first network interconnection characteristics associated with the first entity service provider, the computing system may cause a network provisioning application layer to establish one or more network interconnections between a first network associated with the first entity service provider and the call service network, in some cases, by establishing shared peering connections between the first network and the call service network. The shared peering connections may enable a plurality of customers of the first entity service provider to establish call service connections that are shared over the shared peering connections.
Aspects of the present disclosure involve systems, methods, for encoding a firewall ruleset into one or more bit arrays for fast determination of processing of a received communication packet by a firewall device associated with a network. Through this bitmap, a number of computation operations needed to determine a processing rule for a received packet is significantly reduced compared to the traditional approach of using a hash or a longest prefix match technique. Rather, determining a processing rule for a received packet may include determining a bit value within one or more arrays. In one implementation, a firewall rule may be encoded into a 64-bit array of bit values in which each bit of the array corresponds to a particular processing rule for a particular network address. The firewall rule may be encoded into a bitmap array of bit values by asserting a particular bit within the array.
Apparatuses and methods are disclosed for managing network connections. A computing device accesses a request to provision a network connection associated with a first device. The request includes a plurality of connection parameters defining desired specifications for a network connection from the first device to a second device. The connection parameters are validated against information from a database and other predetermined rules. A network connection path is generated to connect the first device with the second device. The network connection path is generated by selecting network elements for the network connection that satisfy the connection parameters. Configuration information for the network elements of the network connection path is aggregated for a configuration system. The configuration information is used to provision the network connection.
Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.
H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysisManagement of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 45/00 - Routing or path finding of packets in data switching networks
Novel tools and techniques are provided for implementing monitoring and detection of fraudulent or unauthorized use in telephone conferencing systems or voice networks. In various embodiments, a computing system might monitor call activity through telephone conferencing system or voice network. In response to detecting use of the telephone conferencing system or voice network by at least one party based on the monitored call activity, the computing system might identify incoming and/or outgoing associated with a call initiated by the at least one party. The computing system might analyze the identified incoming and/or outgoing call data to determine whether the call initiated by the at least one party constitutes at least one of fraudulent use or unauthorized use of the telephone conferencing system or voice network. If so, the computing system might initiate one or more first actions.
Novel tools and techniques are provided for implementing wireless functionality, and, more particularly, to methods, systems, and apparatuses for implementing faceplate-based wireless device functionality and wireless extension functionality. In various embodiments, one or more antennas, a power adapter, and at least one processor may be attached to an inner surface of a faceplate configured to be attached to a wall. The one or more antennas may be electrically coupled to the power adapter and communicatively coupled to the at least one processor. Alternatively, a wireless functionality device might include one or more antennas, a power adapter, and at least one processor. The wireless functionality device may be attached to an inner surface of a faceplate configured to be attached to a wall. The one or more antennas of the wireless functionality device may be electrically coupled to the power adapter and communicatively coupled to the at least one processor.
Examples of the present disclosure relate to the optical identification of telecommunications equipment. In examples, a user interacts with an application to capture image data relating to a device according to instructions presented to the user. The application may further generate metadata, such as user responses to one or more questions. The image data and/or metadata are evaluated using a machine learning model to generate an equipment classification for devices pictured therein. The data may also be used to generate an equipment configuration for the device, as well as an operational state (e.g., based on one or more indicators present on the device, log data, etc.). Accordingly, such information may be used to update a pre-existing inventory record for the device, or generate a new inventory record. In other examples, such information is used to generate one or more predicted issues and associated actions to troubleshoot the device.
G06F 18/21 - Design or setup of recognition systems or techniquesExtraction of features in feature spaceBlind source separation
G06K 7/10 - Methods or arrangements for sensing record carriers by electromagnetic radiation, e.g. optical sensingMethods or arrangements for sensing record carriers by corpuscular radiation
G06K 19/07 - Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards with integrated circuit chips
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysisManagement of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 41/069 - Management of faults, events, alarms or notifications using logs of notificationsPost-processing of notifications
56.
ENHANCED SYSTEMS AND METHODS FOR PERSISTENT NETWORK PATHS
This disclosure describes systems, methods, and devices related to determining persistent service paths between provider edge devices and customer edge devices. A device may identify a service identifier associated with a service provided by a communication network; identify, based on the service identifier and traffic data of the communication network, one or more first adjacencies between provider edge devices, of the communication network, using a service indicated by the service identifier; identify, based on the service identifier and traffic data of the communication network, one or more second adjacencies between the provider edge devices and customer edge devices using the service; and map, based on the one or more first adjacencies and the one or more second adjacencies, a persistent service path between a customer edge device of the customer edge devices and a provider edge device of the provider edge devices.
Novel tools and techniques are provided for implementing management of routing across multiple voice or data networks with separate routing masters. In various embodiments, in response to receiving a request to establish a call between a calling party in a first network and a called party in a second network, a computing system might receive a first set of network information from a first routing database(s) that is operated by a first service provider and a second set of network information from a second routing database(s) that is operated by a second service provider separate from the first service provider; might analyze the received first and second sets of network information to generate a unified routing model for optimizing routing of the call through the first and second networks; and might establish the call through a selected optimized route based on the generated unified routing model.
H04L 45/302 - Route determination based on requested QoS
H04M 7/12 - Arrangements for interconnection between switching centres for working between exchanges having different types of switching equipment, e.g. power-driven and step by step or decimal and non-decimal
58.
SYSTEMS AND METHODS FOR REDUCING ENERGY CONSUMPTION
Methods and systems for reducing energy consumption. A method may include aggregating, for a prior time period, prior usage data from a plurality of computing nodes. Based on the aggregated prior usage data from the plurality of computing nodes, a usage threshold for decreasing cooling system output for the plurality of computing nodes and a local-time threshold for decreasing the cooling system output for the plurality of computing nodes are determined. Current usage data for the plurality of computing nodes is then received. When the current usage data reaches the usage threshold and the local time is after the local-time threshold, output of the cooling systems of the plurality of computing nodes is decreased.
In an alien wave system, one or more transponders connected to a line system may be owned and operated by a different entity from the entity that owns and operates the line system. In such a situation, diagnosing and correcting faults, and achieving good performance, may be challenging. As such, a system and methods for interoperability in an alien wave system are provided.
H04B 10/079 - Arrangements for monitoring or testing transmission systemsArrangements for fault measurement of transmission systems using an in-service signal using measurements of the data signal
60.
ENHANCED SYSTEMS AND METHODS FOR PERSISTENT NETWORK PATHS
This disclosure describes systems, methods, and devices related to determining persistent service paths between provider edge devices and customer edge devices. A device may identify a service identifier associated with a service provided by a communication network; identify, based on the service identifier and traffic data of the communication network, one or more first adjacencies between provider edge devices, of the communication network, using a service indicated by the service identifier; identify, based on the service identifier and traffic data of the communication network, one or more second adjacencies between the provider edge devices and customer edge devices using the service; and map, based on the one or more first adjacencies and the one or more second adjacencies, a persistent service path between a customer edge device of the customer edge devices and a provider edge device of the provider edge devices.
H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
H04L 101/622 - Layer-2 addresses, e.g. medium access control [MAC] addresses
61.
QUALITY OF SERVICE MANAGEMENT SYSTEM FOR A COMMUNICATION NETWORK
A quality of service management system includes a rules engine that receives information associated with a communication path having an assigned quality of service (QoS) to be provided for a customer communication device, and identifies one or more network elements assigned to provide the communication path. Each network element having a plurality of queues configured to provide varying QoS levels relative to one another. For each of the network elements, the rules engine determines at least one queue that is configured to provide the communication path at the assigned quality of service, and transmits queue information associated with the determined queue to its respective network element, the network element conveying the communication path through the determined queue.
H04L 47/24 - Traffic characterised by specific attributes, e.g. priority or QoS
H04L 45/302 - Route determination based on requested QoS
H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
H04L 47/62 - Queue scheduling characterised by scheduling criteria
Novel tools and techniques are provided for implementing real-time fault management or real-time fault management system (“RFM”). In various embodiments, RFM may receive alerts from or associated with network devices (e.g., layer 2, 3, and/or 4 devices, or the like) that are disposed in a plurality of disparate networks that may utilize different alert management protocols and/or different fault management protocols. RFM may collect, enrich, normalize, aggregate, and display the alerts in a user interface to facilitate addressing of the alerts by a user. To enable continuous and real-time functionality, RFM may be implemented in a plurality of siloed platforms in a primary data center, with processing of alerts being load balanced across the siloed platforms, with mirrored group of siloed platforms in a secondary data center located geographically distant from the primary data center and configured to be on “hot standby” and to completely take over RFM processing operations.
Novel tools and techniques are provided for implementing intelligent alert automation (“IAA”). In various embodiments, IAA receives alert/event feeds from several different alerting and ticketing systems via input Redis queues, and uses a triage system to determine whether to process the alert/event or disregard it. If so, IAA may create a flow instance, assign a unique instance ID, and place the flow instance in one of a plurality of jobs queues based on alert/event type and/or or source. An abattoir system retrieves a flow instance from one of the jobs queues (in order of the queue's priority), and processes the next node or step in the flow instance. The flow instance is placed back into the jobs queue for subsequent processing by the same or different abattoir system until no additional nodes or steps remain in the flow, at which point the flow instance is considered complete.
This disclosure describes systems, methods, and devices related to software-defined wide area network (SD-WAN) overlays for evaluating services provided by a communications network. A device may identify a SD-WAN overlaying a virtual private network (VPN) of a communications network, the VPN including multiprotocol label switching (MPLS) and the Internet, the MPLS and the Internet associated with connecting a one or devices to a datacenter; retrieve, using an application programming interface (API), analytical data from the SD-WAN; identify devices and interfaces of the SD-WAN; receive performance metrics of the devices and interfaces; detect, based on comparisons of the performance metrics to event criteria, an occurrence of an event in the VPN; and present, based on the occurrence of the event, of a notification of the event to a customer of the VPN.
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
This disclosure describes systems, methods, and devices related to automated Ethernet testing for a communications network. A device may identify a service identifier of a service provided by the communications network to a customer; identify, based on the service identifier, a circuit comprising devices and interfaces used to provide the service; determine that the devices include a first device including an Ethernet transport line; present an Ethernet test panel showing an indication of the first device; receive, from the Ethernet test panel, a user request from a customer of the circuit to test the circuit; initiate a live Ethernet diagnostic on the circuit in response to the user request; receive, based on the live Ethernet diagnostic, performance metrics of the circuit; detect an occurrence of an event in the circuit; and present, based on the occurrence of the event, a notification of the event to the customer.
Implementations described and claimed herein provide systems and methods for intelligent node type selection in a telecommunications network. In one implementation, a customer set is obtained for a communications node in the telecommunications network. The customer set includes an existing customer set and a new customer set. A set of customer events is generated for a node type of the communications node using a simulator. The set of customer events is generated by simulating the customer set over time through a discrete event simulation. An impact of the customer events is modeled for the node type of the communications node. The node type is identified from a plurality of node types for a telecommunications build based on the impact of the customer events for the node type.
G06Q 10/04 - Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
This disclosure describes systems, methods, and devices related to performing event-driven diagnostics for a communications network. A device may identify a service identifier of a service provided by the communications network to a customer; identify, based on the service identifier, a persisted path for the service, the persisted path generated prior to any user request to perform a diagnostic on the service, and the persisted path including devices and interfaces used to provide the service; receive performance metrics of the devices and interfaces of the persisted path; detect, without receiving any user request to perform a diagnostic on the service, based on comparisons of the performance metrics to event criteria, an occurrence of an event in the persisted path; and present, based on the occurrence of the event, a notification of the event to the customer.
Novel tools and techniques are provided for implementing dashboard for alert storage and history (“DASH”). In various embodiments, DASH provides for consolidated tracking and monitoring of two or more of current (or active) alerts, cleared alerts, and/or transactional information for alerts that are stored within corresponding alert live database that mirrors current alert instance data in a real-time fault management system, alert history database that contains a snapshot of an alert history of each alert or corresponding network device, and/or alert log database that contains a full transaction record of every copy of an alert either over a first duration or having a total data size within a first total data size. DASH also cleans received alert data and/or enriches the alert data, and provides a user interface (“UI”) that enables a user to view, absorb, filter, manage, and/or organize alert data to facilitate addressing of alerts in the network(s).
Aspects of the present disclosure involve systems, methods, computer program products for consolidating toll-free and/or tolled features of two or more telecommunications networks. The networks may be consolidated via an Enhanced Feature Server (EFS) deployed in a telecommunications network. The EFS may be configured to receive a toll-free and/or tolled communication and route the communication based on the dialed toll-free number and a carrier identification code (CIC) associated with the communication, or based on the dialing number and a CIC. Routing the communication based at least on the CIC associated with the communication allows the telecommunications network to consolidate a redundant network from the telecommunications network. In circumstances where a CIC is not associated with a communication, the EFS may request a data schema from a toll-free database, or from an automatic number identification (ANI) database, and determine a CIC based on an analysis of the data schema.
Novel tools and techniques are provided for implementing web-based monitoring and detection of fraudulent or unauthorized use of voice calling service. In various embodiments, a computing system might receive, from a user device associated with an originating party, a request to initiate a call session with a destination party, the request comprising user information associated with the originating party and a destination number associated with the destination party; might query a database with session data (including user information) to access permission data and configuration data; and might configure fraud logic using received configuration data from the database. The computing system might analyze the session data and permission data using the configured fraud logic to determine whether the originating party is permitted to establish the requested call session with the destination party; if so, might initiate one or more first actions; and, if not, might initiate one or more second actions.
The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
H04L 61/4511 - Network directoriesName-to-address mapping using standardised directoriesNetwork directoriesName-to-address mapping using standardised directory access protocols using domain name system [DNS]
Apparatus, systems, methods, and the like, for autonomous scaling of security and other network services through initialization of a service from a network service device and/or migration of such services from one service device to another is provided. Such network scaling may allow for migration of services from existing service edges to other service edges. A security management system may coordinate the migration of services provided to a secondary network from one or more service edges to another, separate service edge while providing session synchronization during the migration. To migrate the services from the first service edge to a second service edge, a session table may be shared between the service edges and the first and second service edges may advertise service routes or endpoints with one or more priority values to control or otherwise determine which service edge is selected by a service-receiving device to receive the services.
In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, the method determines whether a time bucket is complete or open based on the updated probability distribution model.
This disclosure describes systems, methods, and devices related to requesting use of a zero-copy operation. A method may include: generating, by a first channel of a hierarchy of channels in a user space, a request to retrieve a file descriptor before initiating a zero-copy operation; sending, by the first channel, to the hierarchy, the request; identifying, by a second channel of the hierarchy, a response accepting the request, the response including the file descriptor; adding, by the second channel, additional information to the response accepting the request, the additional information including at least one of a need notify request to be notified of an amount of data transferred using the zero-copy operation or parsed body data; identifying, by the first channel, the file descriptor and the additional information; and initiating, by the first channel, based on identifying the file descriptor, the zero-copy operation.
Systems and methods for enforcing compliance-program conformity during authorization-token generation are presented. Applications may be registered with an identity and access management (IAM) system. The registration of the application may include whether the application is subject to one or more compliance program(s). When an authorization token is requested from the IAM system, the IAM system may (a) determine the set of authorization information needed in the token, and (b) determine whether the application is subject to a compliance program. The IAM system may then check an approval source of record to determine whether the user was legitimately approved for the required authorization prior to granting an authorization token. If there is a mismatch between the approval source of record and the authorization information associated with the user identity, then the mismatch may cause certain mitigation actions to be performed.
Systems and methods for enforcing compliance-program conformity during authorization-token generation are presented. Applications may be registered with an identity and access management (IAM) system. The registration of the application may include whether the application is subject to one or more compliance program(s). When an authorization token is requested from the IAM system, the IAM system may (a) determine the set of authorization information needed in the token, and (b) determine whether the application is subject to a compliance program. The IAM system may then check an approval source of record to determine whether the user was legitimately approved for the required authorization prior to granting an authorization token. If there is a mismatch between the approval source of record and the authorization information associated with the user identity, then the mismatch may cause certain mitigation actions to be performed.
Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.
H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysisManagement of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 45/00 - Routing or path finding of packets in data switching networks
Implementations include providing security services to workloads deployed across various types of network environments, such as public networks, private networks, hybrid networks, customer premise network environments, and the like, by redirecting traffic intended for the service device through a security environment of the first network. After application of the security features to the incoming traffic, the “clean” traffic may be transmitted to the service device instantiated on the separate network via a tunnel. Redirection of incoming traffic to the security-providing first network may include correlating a network address of the service device to a reserved network address of a block of reserved addresses and updating a Domain Name Server (DNS) or other address resolving system with the reserved address. The return transmission tunnel may be established between the security environment and the network address of the service device.
H04L 61/4511 - Network directoriesName-to-address mapping using standardised directoriesNetwork directoriesName-to-address mapping using standardised directory access protocols using domain name system [DNS]
Disclosed herein are system, method, and computer program product embodiments for providing an API description of an external network service and using the API to integrate the external service into a network. An embodiment operates by receiving, from a service provider, a description of an application programming interface (API), transmitting a call to the service provider using the API for creating a new instance of a service and transmitting to the service provider a traffic flow upon which the service will be applied.
Novel tools and techniques are provided for implementing application programming interface (“API”)-based concurrent call path (“CCP”) provisioning. In various embodiments, in response to receiving a CCP provisioning request, a computing system may determine whether such a request would affect a set of trunk groups assigned to a customer based at least in part on network utilization data. If not, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in at least one trunk group assigned to the customer based on the CCP provisioning request. If so, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of trunk groups assigned to the customer and may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in the updated number of trunk groups.
Novel tools and techniques are provided for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent) may receive, from a network filter orchestration conductor, a global filter-intent list including a first filter intent that references a corresponding filter-intent object. The computing system may determine whether the at least one first filter intent applies to the managed device. If so, the computing system may translate the at least one first filter intent into a first filter that is specific to a first configuration of the managed device, in some cases, by building the first filter based at least in part on the at least one first filter intent. The computing system may subsequently apply the first filter to one or more network communications handled by the managed device.
Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.
H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysisManagement of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 45/00 - Routing or path finding of packets in data switching networks
This disclosure describes systems, methods, and devices related to using an application programming interface (API) gateway orchestration layer. A method may include identifying, by the API gateway orchestration layer, a first API request, received by an API gateway API, to access a first microservice of a first API gateway that uses a first API gateway model; identifying a second API request, received by the API gateway API, to access a second microservice of a second API gateway that uses a second API gateway model; determining, based on the first API request, a first route to the first API gateway; determining, based on the second API request, a second route to the second API gateway; routing the first API request to the first microservice based on the first route; and routing the second API request to the second microservice based on the second route.
The present application describes a system and method for utilizing a tunnel in a networking routing protocol to provide a network segment access to additional servers when certain load balancing trigger events are detected.
Systems and methods for receiving information on network firewall policy configurations are disclosed. Based on the received firewall configuration information, a configuration of a firewall and/or subnet of network devices is automatically provisioned and/or configured to control network traffic to and from the subnet.
Novel tools and techniques are provided for implementing dynamic border gateway protocol (“BGP”) host route generation based on domain name system (“DNS”) resolution. In various embodiments, a computing system may receive, from a user device via a first network, a request to establish a communications link with an external device via a second network that is separate from the first network, based on a first uniform resource identifier (“URI”) indicative of a network location of the external device. The computing system may query a DNS resolver for an Internet Protocol (“IP”) address corresponding to a valid current IP address, based on the first URI, and may advertise the IP address and/or a route based on the IP address. A communications link may be established between the user device and the external device based on the IP address and/or the route.
G06F 16/955 - Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
H04L 61/4511 - Network directoriesName-to-address mapping using standardised directoriesNetwork directoriesName-to-address mapping using standardised directory access protocols using domain name system [DNS]
H04L 61/5046 - Resolving address allocation conflictsTesting of addresses
87.
Secure access service edge (SASE) scriptlets for providing SASE-based network services
Novel tools and techniques are provided for implementing network service ordering and provisioning of secure access service edge (“SASE”) scriptlets for providing SASE-based network. In various embodiments, a computing system may provide a user experience (“UX”) platform for a customer portal, the UX platform being accessible by a user via a user device over a first network(s); may provide, via the UX platform, options to configure, via the customer portal, one or more SASE scriptlets for providing SASE-based network services provided by a service provider; and may autonomously orchestrate deployment and configuration of the one or more SASE scriptlets on one or more network devices that are associated with the user or to an entity with which the user is associated, over a second network(s), based at least in part on user selection of options to configure the one or more SASE scriptlets and/or the corresponding SASE-based network services.
Examples of the present disclosure describe systems and methods for providing enhanced security in edge computing environments. A first aspect describes a method for moving security features dynamically applied to an application at a first deployment location to an application at a second deployment location. A second aspect describes a method for locally expanding/contracting an instance of a deployed application. A third aspect describes a method for redirected network traffic associated with detected malicious conduct from a first application deployment environment to a secured second application deployment environment. A fourth aspect describes a method for performing multi-stage network traffic filtering.
Novel tools and techniques are provided for implementing network service ordering and provisioning of secure access service edge ("SASE") scriptlets for providing SASE-based network. In various embodiments, a computing system may provide a user experience ("UX") platform for a customer portal, the UX platform being accessible by a user via a user device over a first network(s); may provide, via the UX platform, options to configure, via the customer portal, one or more SASE scriptlets for providing SASE-based network services provided by a service provider; and may autonomously orchestrate deployment and configuration of the one or more SASE scriptlets on one or more network devices that are associated with the user or to an entity with which the user is associated, over a second network(s), based at least in part on user selection of options to configure the one or more SASE scriptlets and/or the corresponding SASE-based network services.
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
A security platform of a data network is provided that includes security services for computing devices in communication with the data network. The security platform may apply a security policy to the computing devices when accessing the Internet via a home network (or other customer network) and when accessing the Internet via a public or third party network. To provide security services to computing devices via the home network, the security platform may communicate with a security agent application executed on the router (or other gateway device) of the home network. In addition, each of the devices identified by the security profile for the home network may be instructed or otherwise be provided a security agent application for execution on the computing devices. The security agent application may communicate with the security platform when the computing device connects to the Internet over a third party or public access point.
A traffic controller device for distributing or otherwise controlling the distribution of routing information may be included in a telecommunications network. The traffic controller may receive routing tables from a plurality of network devices, such as one or more provider edge devices of the network. The traffic controller, upon receiving the routing information from the provider edge devices, may generate a routing table associated with each device providing the routing information. The traffic controller may also provide updates to one or more of the networking devices associated with the controller. The traffic controller may alter or update, at the traffic controller, the routing table associated with the target provider edge device based on the network policy. The routing information in the routing table for that device and maintained by the traffic controller may be updated with a new route or new local preferred parameter value.
Automatic testing/analysis of local loops of telecommunications networks includes obtaining bits-per-tone data for a local loop of a telecommunications network and generating a bit value string from the bits-per-tone data. The bit value string is then analyzed to determine whether it includes a bit pattern indicative of an impairment of the local loop. Further approaches for automatically testing local loops of telecommunications networks include obtaining attenuation data for multiple tones carried by the local loop and determining whether the attenuation data falls below thresholds for providing a service using the local loop.
In a network system in which a server receives packets each including a source address, and in which the server ordinarily responds to each packet, Distributed Denial of Service attacks may be launched by malicious actors controlling a plurality of network devices. In such an attack, the attacking devices may spoof the IP address of a legitimate device, e.g., they may include, in each packet, the source address of the legitimate device. As such, systems and methods for increased security using client address manipulation are provided.
In a network system in which a server receives packets each including a source address, and in which the server ordinarily responds to each packet, Distributed Denial of Service attacks may be launched by malicious actors controlling a plurality of network devices. In such an attack, the attacking devices may spoof the IP address of a legitimate device, e.g., they may include, in each packet, the source address of the legitimate device. As such, systems and methods for increased security using client address manipulation are provided.
Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic from the source of the attack. The threat intelligence information may include a confidence score indicating a calculated confidence in the identification of the malicious communications, which may be utilized by the system to determine the type of action taken on the security devices of the network in response to the information or data.
Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 43/028 - Capturing of monitoring data by filtering
H04L 61/4511 - Network directoriesName-to-address mapping using standardised directoriesNetwork directoriesName-to-address mapping using standardised directory access protocols using domain name system [DNS]
Examples of the present disclosure describe systems and methods relating to adaptive virtual services. In an example, a user specifies a device configuration for a platform device. As a result, a service provider installs selected virtual-network functions and defines network connections as specified by the device configuration. Management software may also be installed, thereby enabling the service provider to communicate with and remotely manage the platform device. The installed virtual-network functions are activated on the platform device once it is delivered to the user. In some instances, the user changes the device configuration. For example, the user may install new virtual-network functions, reconfigure or remove existing virtual-network functions, or change defined network connections. As a result, the service provider reconfigures the platform device accordingly. Thus, the user need not purchase new specialized hardware in order to change the available functions of the computer network.
Automatic testing/analysis of local loops of telecommunications networks includes obtaining bits-per-tone data for a local loop of a telecommunications network and generating a bit value string from the bits-per-tone data. The bit value string is then analyzed to determine whether it includes a bit pattern indicative of an impairment of the local loop. Further approaches for automatically testing local loops of telecommunications networks include obtaining attenuation data for multiple tones carried by the local loop and determining whether the attenuation data falls below thresholds for providing a service using the local loop.
Systems and methods for conference security based on user groups are disclosed. In examples, a set of attendees (e.g., in a collaboration group) may be allowed access to a meeting by a host user with a specified access permission. The collaboration group may be in the network hosting the meeting or outside of the network. An attendee requesting access to the meeting may be verified based on the attendee's identity and membership status of the collaboration group. If an attendee's identity is not identified or if the attendee is not a member of the collaboration group, the requesting attendee may be denied access to the meeting. If the requesting attendee's identity is verified and the attendee is a member of the collaboration group, the attendee is allowed access to the meeting with their specified access permission.
Aspects of the disclosure involve systems and methods for utilizing Virtual Local Area Network separation in a connection, which may be a single connection, between a customer to a telecommunications network and a cloud environment to allow the customer to access multiple instances within the cloud through the connection. A customer may purchase multiple cloud resource instances from a public cloud environment and, utilizing the telecommunications network, connect to the multiple instances through a communication port or connection to the cloud environment. To utilize the single connection or port, communication packets intended for the cloud environment may be tagged with a VLAN tag that indicates to which cloud instance the packet is intended. The telecommunications network may route the packet to the intended cloud environment and configure one or more aspects of the cloud environment to analyze the attached VLAN tag to transmit the packet to the intended instance.
