The present application describes systems and methods for filtering malicious domain name system (DNS) queries. A DNS filter inspects each DNS query and drops it if the query is deemed invalid. The DNS filter allows or drops a query based on a set of rules, which includes one or more criteria for the validity or invalidity of one or more DNS query attributes. The DNS filter logs the dropped queries and provides them to a security analysis service for further investigation. In some examples, the DNS filter runs in a container or a virtual machine (VM) on the same system as the DNS server, or on a separate system in-line with the DNS servers.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols; using domain name system [DNS]
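As an added illustration of the filter described above (this is example code written for this page, not code from the application), the following Python parses the question section of a raw DNS query, scores its attributes against a rule set, and logs every dropped query for the analysis service. The rule names, thresholds, and the `example-c2.test` suffix are assumptions; malformed wire data is treated as a drop rather than forwarded to the server.

```python
import math
import struct
from collections import Counter
from dataclasses import dataclass

# Hypothetical rule set; rule names and thresholds are assumptions for this example.
RULES = {
    "max_qname_length": 100, "max_labels": 8,
    "min_len_for_entropy": 16, "max_label_entropy": 3.5,        # bits/char, scored on long labels only
    "allowed_qtypes": {1, 2, 5, 6, 12, 15, 16, 28, 33},          # A NS CNAME SOA PTR MX TXT AAAA SRV; no ANY(255)
    "blocked_suffixes": ("example-c2.test",),                    # constructed, not a real indicator
}

@dataclass
class Question:
    qname: str
    qtype: int
    qclass: int

def parse_question(msg: bytes) -> Question:
    """Parse the header and single question of a DNS query; raise ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: not a query")
    if qdcount != 1:
        raise ValueError(f"unexpected qdcount {qdcount}")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        n, pos = msg[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question")
        if pos + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + n].decode("ascii"))   # UnicodeDecodeError is a ValueError
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return Question(".".join(labels), qtype, qclass)

def label_entropy(label: str) -> float:
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def evaluate(q: Question, rules=RULES) -> list:
    """Return the rule names the question violates; an empty list means allow."""
    hits = []
    if q.qclass != 1:
        hits.append("qclass_not_internet")
    if q.qtype not in rules["allowed_qtypes"]:
        hits.append("qtype_not_allowed")
    if len(q.qname) > rules["max_qname_length"]:
        hits.append("qname_too_long")
    labels = q.qname.split(".") if q.qname else []
    if len(labels) > rules["max_labels"]:
        hits.append("too_many_labels")
    if any(len(l) >= rules["min_len_for_entropy"] and label_entropy(l) > rules["max_label_entropy"]
           for l in labels):
        hits.append("high_entropy_label")
    if any(q.qname.lower().endswith(s) for s in rules["blocked_suffixes"]):
        hits.append("blocked_suffix")
    return hits

class DnsFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.dropped = []          # drop log handed to the analysis service

    def decide(self, msg: bytes) -> tuple:
        try:
            q = parse_question(msg)
        except ValueError as e:    # malformed queries are dropped and logged, never forwarded
            self.dropped.append({"qname": None, "reasons": ["malformed"], "detail": str(e), "raw": msg.hex()})
            return ("drop", ["malformed"])
        hits = evaluate(q, self.rules)
        if hits:
            self.dropped.append({"qname": q.qname, "qtype": q.qtype, "reasons": hits, "raw": msg.hex()})
            return ("drop", hits)
        return ("allow", [])

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed test input: a standard recursive query with one question."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    f = DnsFilter()
    for msg in (build_query("www.example.com"), build_query("www.example.com", 255),
                build_query("abcdefghijklmnopqrstuvwxyz012345.tunnel.example.net", 16), b"\x12\x34"):
        print(f.decide(msg))
    print(len(f.dropped), "dropped")
```

The entropy check is only applied to labels of 16 characters or more so that short ordinary labels such as `mail` or `www` never trip it; the 32-character label with 32 distinct characters scores exactly 5.0 bits per character and is dropped.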
2.
SYSTEMS AND METHODS FOR SECURED NETWORK INFORMATION TRANSMISSION
The present application describes systems and methods for secured network information transmission. A network tunnel may be established from a customer premises equipment (CPE) to a routing device at a provider site. The network tunnel may traverse one or more networks while maintaining a secure path for data. A customer may indicate a chosen configuration for a CPE, and a device at a provider site, a customer device, and/or the CPE itself may automatically, or manually, configure the CPE based on the chosen configuration to allow and/or disallow certain customer network information from being received and/or transmitted through the network tunnel.
A network filter request arbiter is provided. An interface (e.g., a user interface and/or a programmatic interface, such as an application programming interface (API)) is used for configuring and automatically implementing one or more filters in an internal and/or external network. The filters may be used to stop distributed denial of service (DDoS) attacks and/or prevent malicious network traffic from reaching a target network or target device(s) within the target network. Filters implemented in a target network may also be distributed to other (e.g., upstream) networks. The distributed filters may similarly be used to stop DDoS attacks and/or prevent malicious network traffic from being carried by the networks and from reaching a target network or target device(s) within the target network.
The present application describes systems and methods for network-based blocking threat intelligence. An access control list (ACL) generator may modify ACLs and provide modified ACLs to provider edge routers based on the capabilities of the provider edge routers. In some cases, an additional provider edge router that is more capable of implementing longer ACLs may be used. In some cases, a collector may identify when threat communications are bypassing provider edge routers with limited ACL lengths and provide the customer an opportunity to buy a better router or access to an additional router that supports longer or additional ACLs. A threat intelligence system may update (e.g., continuously update) the ACL provided to the ACL generator, and the ACL generator may accordingly update the modified ACLs provided to the provider edge routers.
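The following Python is an added example (not code from the application) of the ACL generator idea above: it collapses a threat-intelligence prefix list, fits it into each provider edge router's entry budget highest severity first, and reports which indicators a small router cannot block, which is the "bypassing" condition the collector would flag to the customer. The `Router.max_acl_entries` field, the severity scores, and the deny-list syntax are assumptions; the prefixes are RFC 5737/3849 documentation ranges, not real indicators.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    network: str     # prefix from the threat feed
    score: int       # assumed severity, higher is worse

@dataclass(frozen=True)
class Router:
    name: str
    max_acl_entries: int   # assumed capability limit for this platform

def collapse(nets):
    """Collapse adjacent/overlapping prefixes per address family (collapse_addresses refuses mixed families)."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out

def build_acl(indicators, router):
    """Fit the feed into the router's entry budget, highest severity first.
    Returns (collapsed_prefixes, uncovered_indicators)."""
    chosen, acl = [], []
    for ind in sorted(indicators, key=lambda i: (-i.score, i.network)):
        candidate = collapse([ipaddress.ip_network(i.network, strict=False) for i in chosen + [ind]])
        if len(candidate) > router.max_acl_entries:
            continue   # skip, but keep going: a later prefix may collapse into one already chosen
        chosen.append(ind)
        acl = candidate
    uncovered = []
    for ind in indicators:
        net = ipaddress.ip_network(ind.network, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in acl):
            uncovered.append(ind)
    return acl, uncovered

def render(acl, router):
    """Illustrative deny-list syntax (generic, not any vendor's exact grammar)."""
    lines = [f"! {router.name}: {len(acl)}/{router.max_acl_entries} entries"]
    lines += [f"deny {n.with_prefixlen}" for n in acl]
    lines.append("permit any")
    return lines

FEED = [  # constructed sample feed over documentation prefixes
    Indicator("203.0.113.0/25", 90), Indicator("203.0.113.128/25", 80),
    Indicator("198.51.100.7/32", 95), Indicator("198.51.100.8/32", 60),
    Indicator("192.0.2.0/24", 40), Indicator("2001:db8::/32", 70),
]

if __name__ == "__main__":
    for r in (Router("pe-big", 8), Router("pe-small", 3)):
        acl, uncovered = build_acl(FEED, r)
        print("\n".join(render(acl, r)))
        for ind in uncovered:
            print(f"! WARNING {r.name} cannot block {ind.network} (score {ind.score}); needs a larger ACL budget")
```

Collapsing first matters: the two /25s become a single /24 entry, so a router with only three slots still blocks the three highest-scoring indicators, while the two it cannot fit are surfaced rather than silently dropped.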
This disclosure describes systems, methods, and devices related to managing egress traffic from a network to one or more peer networks. A method may include generating, using a load balancer of a network, a dynamic logical egress traffic threshold for a peer network; determining, using the load balancer, that first traffic from the network to the peer network is below the logical egress traffic threshold; directing second traffic from the network to the peer network based on the determination that the first traffic is below the logical egress traffic threshold; determining, using the load balancer, that the second traffic from the network to the peer network has reached the logical egress traffic threshold; and directing third traffic from the network away from the peer network based on the determination that the second traffic has reached the logical egress traffic threshold.
This disclosure describes systems, methods, and devices related to managing network capacity using cloud edge providers. A method may include identifying, by an edge device of a network, a request for network capacity received via an application programming interface (API), from a user of the network; identifying offers received via the API by cloud edge providers; determining that the network capacity is available at at least one of the cloud edge providers based on the offers; deploying an edge server at the at least one of the cloud edge providers based on the network capacity being available at the at least one of the cloud edge providers; and directing traffic between the user and the edge server based on the deployment.
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
Novel tools and techniques are provided for implementing cloud-based voice calling service, video calling service, and/or over-the-top ("OTT") services. In various embodiments, with a unified communications and collaboration interconnection ("UCCI") established between separate hyperscalers or communication service providers that have separate administrative domains, Internet Protocol ("IP") based communications services may be instantiated between a first user device or a first telephone number (or call identifier ("ID")) via a first hyperscaler and a second user device or a second telephone number (or call ID) via a second hyperscaler, without touching or traversing the public switched telephone network ("PSTN"). By bypassing the PSTN, not only can cloud-based voice calling services be implemented or established over the UCCI, but cloud-based video calling services and OTT services may also be instantiated, with the OTT services being instantiated during either the cloud-based voice calling services or the cloud-based video calling services.
Implementations described and claimed herein provide systems and methods for custom-defined network routing. In one implementation, a set of custom defined network flow rules is received at an edge router of a primary network, which is in communication with a customer network. The set of custom defined network flow rules corresponds to network traffic associated with the customer network. The set of custom defined network flow rules is stored in a forwarding table on the edge router. A packet of data is received at the edge router. The packet of data is attributed to the customer network. The set of custom defined network flow rules is applied to the packet of data using the forwarding table.
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
H04L 41/18 - Delegation of network management function, e.g. customer network management [CNM]
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
Novel tools and techniques are provided for implementing emergency call record and address validation. In various embodiments, a computing system may simultaneously initiate two or more test calls among a plurality of test calls to an emergency service provider system. Each test call may simulate an emergency services validation call initiated from a telephone number among a plurality of telephone numbers associated with a corresponding plurality of users to request a determination as to whether a 911 or enhanced 911 (“E911”) address associated with the telephone number is an accurate 911 or E911 address. In response to receiving a corresponding plurality of call responses from the emergency service provider system, the computing system may analyze each call response to determine a result of each corresponding simulated emergency services validation call; and may send each determined result to a corresponding requesting party.
A data network analysis system includes a computer-executable set of instructions that obtain service account information associated with a route provided to a customer through a data communication network having network elements. Using the service account information, the instructions identify a termination port that terminates the route to a customer premises equipment of the customer, and at least one target port of the route and those network elements that are assigned to convey the route through one or more of the network elements. The instructions then obtain the routing information for the route from each of the network elements that are assigned to convey the route.
FlowSpec is a mechanism for distributing rules to routers in a network. Such rules may be used, for example, to drop traffic associated with a distributed denial of service attack. However, a malformed or incorrect FlowSpec announcement may, if distributed in the network, cause legitimate traffic to be dropped, degrading the service experienced by legitimate users. As such, systems and methods for avoiding the distribution of malformed FlowSpec announcements are provided.
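To show what "avoiding the distribution of malformed FlowSpec announcements" can look like in practice, here is an added example (not the application's code) that validates each rule of an announcement before it is handed to the route distribution path: it rejects prefixes with host bits set, destination prefixes broader than a policy floor, rules that would match every packet, port ranges that are inverted or lack a TCP/UDP protocol match, and any destination overlapping infrastructure space that must never be filtered. The policy values, the `PROTECTED` list, and the rule model are assumptions; the prefixes are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed local policy for what an announcement may carry; values are this example's choices.
ACTIONS = {"discard", "rate-limit"}
PROTOCOLS = {"tcp", "udp", "icmp", "gre"}
MIN_DST_PREFIXLEN = {4: 24, 6: 48}                    # anything broader is almost certainly a typo
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]    # constructed: infrastructure that must never be filtered

@dataclass
class FlowSpecRule:
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: list = field(default_factory=list)     # list of (low, high)
    action: str = "discard"
    rate_bps: Optional[int] = None

def _parse_prefix(text, errors, name):
    try:
        return ipaddress.ip_network(text, strict=True)   # strict: host bits set means a malformed prefix
    except ValueError:
        errors.append(f"{name}_malformed")
        return None

def validate(rule: FlowSpecRule) -> list:
    """Return a list of error codes; an empty list means the rule is safe to announce."""
    errors = []
    if rule.action not in ACTIONS:
        errors.append("action_unknown")
    if rule.action == "rate-limit" and (rule.rate_bps is None or rule.rate_bps < 0):
        errors.append("rate_limit_missing_rate")
    if not (rule.dst_prefix or rule.src_prefix or rule.protocol or rule.dst_ports):
        errors.append("no_match_component")          # would match every packet
    if rule.protocol is not None and rule.protocol not in PROTOCOLS:
        errors.append("protocol_unknown")
    if rule.dst_ports and rule.protocol not in ("tcp", "udp"):
        errors.append("ports_require_tcp_or_udp")
    for lo, hi in rule.dst_ports:
        if not (0 <= lo <= hi <= 65535):
            errors.append("dst_port_range_invalid")
            break
    if rule.src_prefix is not None:
        _parse_prefix(rule.src_prefix, errors, "src_prefix")
    if rule.dst_prefix is not None:
        dst = _parse_prefix(rule.dst_prefix, errors, "dst_prefix")
        if dst is not None:
            if dst.prefixlen < MIN_DST_PREFIXLEN[dst.version]:
                errors.append("dst_prefix_too_broad")
            if any(dst.version == p.version and dst.overlaps(p) for p in PROTECTED):
                errors.append("dst_prefix_protected")
    return errors

def arbitrate(rules):
    """Split an announcement into rules to distribute and rules to hold back, with reasons."""
    accepted, rejected = [], []
    for r in rules:
        errs = validate(r)
        (rejected if errs else accepted).append((r, errs))
    return accepted, rejected

ANNOUNCEMENT = [  # constructed sample announcement using documentation prefixes
    FlowSpecRule(dst_prefix="203.0.113.10/32", protocol="udp", dst_ports=[(53, 53)], action="discard"),
    FlowSpecRule(dst_prefix="0.0.0.0/0", action="discard"),                       # fat-fingered blackhole
    FlowSpecRule(dst_prefix="203.0.113.10/24", dst_ports=[(80, 70)], action="discard"),
    FlowSpecRule(dst_prefix="192.0.2.5/32", protocol="tcp", action="rate-limit"),
    FlowSpecRule(),
]

if __name__ == "__main__":
    ok, bad = arbitrate(ANNOUNCEMENT)
    print(f"{len(ok)} rule(s) to distribute, {len(bad)} held:")
    for r, errs in bad:
        print(" ", r.dst_prefix, errs)
```

Only the first rule (drop UDP/53 toward a single victim address) passes; the other four are held with a reason each, so an operator sees exactly why a rule never reached the routers instead of discovering it through a customer outage.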
The present application describes providing an attestation level to a received communication. The attestation level may be used to communicate a level of security to a network or a called party that receives the communication. The attestation level associated with the communication may indicate to a destination network and/or recipient that the phone number associated with the communication is secure and/or the telephone number has not been spoofed.
A system and method for providing on-demand edge compute. The system may include an orchestrator that provides a UI and controls an abstraction layer for implementing a workflow for providing on-demand edge compute. The abstraction layer may include a network configuration orchestration (NCO) system (e.g., a Network-as-a-Service (NaaS) system) and an API that may provide an interface between the orchestrator and the NCO. The API may enable the orchestrator to communicate with the NCO for receiving requests that enable the NCO to integrate with existing network controllers, orchestrators, and other systems and perform various network provisioning tasks (e.g., to build and provision a communication path between server instances). The various tasks, when executed, may provide end-to-end automated network provisioning services as part of providing on-demand edge compute service to users. The API may further enable the orchestrator to receive information from the NCO (e.g., network resource information, status messages).
Novel tools and techniques are provided for implementing programmatical public switched telephone network (“PSTN”) trunking for cloud hosted applications. In various embodiments, a computing system may determine one or more first network interconnection characteristics associated with a first entity service provider within a call service network operated by a call network service provider. Based on the determined one or more first network interconnection characteristics associated with the first entity service provider, the computing system may cause a network provisioning application layer to establish one or more network interconnections between a first network associated with the first entity service provider and the call service network, in some cases, by establishing shared peering connections between the first network and the call service network. The shared peering connections may enable a plurality of customers of the first entity service provider to establish call service connections that are shared over the shared peering connections.
Aspects of the present disclosure involve systems and methods for encoding a firewall ruleset into one or more bit arrays for fast determination of how a received communication packet is to be processed by a firewall device associated with a network. Through this bitmap, the number of computation operations needed to determine a processing rule for a received packet is significantly reduced compared to the traditional approach of using a hash or a longest prefix match technique. Rather, determining a processing rule for a received packet may include determining a bit value within one or more arrays. In one implementation, a firewall rule may be encoded into a 64-bit array of bit values in which each bit of the array corresponds to a particular processing rule for a particular network address. The firewall rule may be encoded into a bitmap array of bit values by asserting a particular bit within the array.
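The following Python is an added example (not the application's code) of the bit-array encoding just described: each 64-bit word covers one aligned block of 64 IPv4 addresses, word index is `addr >> 6` and bit position is `addr & 63`, so a lookup is one dictionary fetch and one bit test regardless of how many rules were loaded. Two sparse arrays are kept, one for deny rules and one for allow exceptions, and a linear reference implementation over the same rule list is included to cross-check that the bitmap gives identical answers for every address in a prefix. The two-array layout, the IPv4-only restriction, and the rule set are assumptions.

```python
import ipaddress

class BitmapFirewall:
    """IPv4 decisions packed 64 per word: word index = addr >> 6, bit = addr & 63.
    Two sparse arrays: 'deny' rules and 'allow' exceptions; an allow bit overrides a deny bit."""

    def __init__(self, default="allow"):
        self.default = default
        self.words = {"deny": {}, "allow": {}}       # block index -> 64-bit int

    def add_rule(self, action, prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 4:
            raise ValueError("this example encodes IPv4 only")
        table = self.words[action]
        addr, last = int(net.network_address), int(net.broadcast_address)
        while addr <= last:
            block, bit = addr >> 6, addr & 63
            span = min(64 - bit, last - addr + 1)     # how many bits of this word the prefix covers
            table[block] = table.get(block, 0) | (((1 << span) - 1) << bit)
            addr += span

    def _bit(self, action, addr):
        return (self.words[action].get(addr >> 6, 0) >> (addr & 63)) & 1

    def decide(self, ip):
        addr = int(ipaddress.IPv4Address(ip))
        if self._bit("allow", addr):
            return "allow"
        return "deny" if self._bit("deny", addr) else self.default

def linear_decide(rules, ip, default="allow"):
    """Reference implementation that walks the rule list, used to cross-check the bitmap."""
    a = ipaddress.IPv4Address(ip)
    actions = {action for action, prefix in rules if a in ipaddress.ip_network(prefix, strict=False)}
    if "allow" in actions:
        return "allow"
    return "deny" if "deny" in actions else default

def build(rules, default="allow"):
    fw = BitmapFirewall(default)
    for action, prefix in rules:
        fw.add_rule(action, prefix)
    return fw

def cross_check(fw, rules, prefix):
    """True if bitmap and linear lookups agree for every address in prefix."""
    return all(fw.decide(str(a)) == linear_decide(rules, str(a), fw.default)
               for a in ipaddress.ip_network(prefix))

# Constructed rule set over documentation prefixes (RFC 5737).
RULES = [("deny", "203.0.113.0/25"), ("allow", "203.0.113.64/30"), ("deny", "198.51.100.200/29")]

if __name__ == "__main__":
    fw = build(RULES)
    for ip in ("203.0.113.5", "203.0.113.65", "203.0.113.200", "198.51.100.203"):
        print(ip, fw.decide(ip))
    print("deny words:", {hex(k): hex(v) for k, v in fw.words["deny"].items()})
    print("consistent:", cross_check(fw, RULES, "203.0.113.0/24") and cross_check(fw, RULES, "198.51.100.0/24"))
```

A /25 deny lands as two all-ones words, a /29 that starts mid-word becomes `0xFF00` in a single word, and the /30 allow exception is a 4-bit nibble in the second deny word's block. The cross-check over both /24s is the test a practitioner should run whenever the encoder is changed.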
Apparatuses and methods are disclosed for managing network connections. A computing device accesses a request to provision a network connection associated with a first device. The request includes a plurality of connection parameters defining desired specifications for a network connection from the first device to a second device. The connection parameters are validated against information from a database and other predetermined rules. A network connection path is generated to connect the first device with the second device. The network connection path is generated by selecting network elements for the network connection that satisfy the connection parameters. Configuration information for the network elements of the network connection path is aggregated for a configuration system. The configuration information is used to provision the network connection.
Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.
H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 45/00 - Routing or path finding of packets in data switching networks
Novel tools and techniques are provided for implementing wireless functionality, and, more particularly, to methods, systems, and apparatuses for implementing faceplate-based wireless device functionality and wireless extension functionality. In various embodiments, one or more antennas, a power adapter, and at least one processor may be attached to an inner surface of a faceplate configured to be attached to a wall. The one or more antennas may be electrically coupled to the power adapter and communicatively coupled to the at least one processor. Alternatively, a wireless functionality device might include one or more antennas, a power adapter, and at least one processor. The wireless functionality device may be attached to an inner surface of a faceplate configured to be attached to a wall. The one or more antennas of the wireless functionality device may be electrically coupled to the power adapter and communicatively coupled to the at least one processor.
Examples of the present disclosure relate to the optical identification of telecommunications equipment. In examples, a user interacts with an application to capture image data relating to a device according to instructions presented to the user. The application may further generate metadata, such as user responses to one or more questions. The image data and/or metadata are evaluated using a machine learning model to generate an equipment classification for devices pictured therein. The data may also be used to generate an equipment configuration for the device, as well as an operational state (e.g., based on one or more indicators present on the device, log data, etc.). Accordingly, such information may be used to update a pre-existing inventory record for the device, or generate a new inventory record. In other examples, such information is used to generate one or more predicted issues and associated actions to troubleshoot the device.
G06F 18/21 - Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
G06K 7/10 - Methods or arrangements for sensing record carriers by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
G06K 19/07 - Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards with integrated circuit chips
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 41/069 - Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
23.
MONITORING AND DETECTION OF FRAUDULENT OR UNAUTHORIZED USE IN TELEPHONE CONFERENCING SYSTEMS OR VOICE NETWORKS
Novel tools and techniques are provided for implementing monitoring and detection of fraudulent or unauthorized use in telephone conferencing systems or voice networks. In various embodiments, a computing system might monitor call activity through a telephone conferencing system or voice network. In response to detecting use of the telephone conferencing system or voice network by at least one party based on the monitored call activity, the computing system might identify incoming and/or outgoing call data associated with a call initiated by the at least one party. The computing system might analyze the identified incoming and/or outgoing call data to determine whether the call initiated by the at least one party constitutes at least one of fraudulent use or unauthorized use of the telephone conferencing system or voice network. If so, the computing system might initiate one or more first actions.
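As an added example of analyzing call data for the fraud and abuse patterns the abstract refers to (this is illustrative code written for this page, not the application's), the Python below runs four detections over a constructed set of conference-bridge call records: repeated PIN failures from one caller inside a short window (access-code brute force), dial-out legs to high-cost destinations (the classic revenue-share fraud pattern), unusually long calls outside business hours, and a conference whose accepted leg count spikes. The record fields, thresholds, and the `HIGH_COST_PREFIXES` list are assumptions; all numbers are fictitious.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CallRecord:
    start: datetime
    conference_id: str
    caller: str
    dialed: str          # "" for an inbound leg, else the number the bridge dialed out to
    duration_s: int
    pin_ok: bool

# Thresholds and prefixes are assumptions for this example, not values from the application.
MAX_PIN_FAILURES, PIN_WINDOW = 5, timedelta(minutes=10)
HIGH_COST_PREFIXES = ("+979", "+999")    # assumed high-cost destinations (premium-rate / unassigned ranges)
BUSINESS_HOURS, LONG_CALL_S = range(7, 20), 2 * 3600
MAX_LEGS_PER_CONFERENCE = 20

def detect(records):
    """Return sorted (rule, subject) findings: PIN brute force, high-cost dial-out, off-hours long calls, leg spikes."""
    findings = set()
    failures, legs = defaultdict(list), defaultdict(int)
    for r in records:
        if r.dialed.startswith(HIGH_COST_PREFIXES):
            findings.add(("high_cost_dialout", f"{r.conference_id}->{r.dialed}"))
        if r.duration_s > LONG_CALL_S and r.start.hour not in BUSINESS_HOURS:
            findings.add(("off_hours_long_call", r.caller))
        if r.pin_ok:
            legs[r.conference_id] += 1
        else:
            failures[r.caller].append(r.start)
    for caller, times in failures.items():
        times.sort()
        for i in range(len(times)):                 # sliding window over failure timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= PIN_WINDOW:
                j += 1
            if j - i + 1 >= MAX_PIN_FAILURES:
                findings.add(("pin_bruteforce", caller))
                break
    for conf, n in legs.items():
        if n > MAX_LEGS_PER_CONFERENCE:
            findings.add(("conference_leg_spike", conf))
    return sorted(findings)

def sample_records():
    """Constructed CDRs: one normal meeting plus one instance of each abuse pattern."""
    t0 = datetime(2024, 3, 4, 9, 0)
    recs = [CallRecord(t0, "CONF-100", f"+1555011{i}", "", 1800, True) for i in range(3)]
    recs += [CallRecord(t0 + timedelta(seconds=30 * i), "CONF-200", "+15550100", "", 20, False) for i in range(6)]
    recs.append(CallRecord(t0, "CONF-300", "+15550150", "+979123456", 3600, True))
    recs.append(CallRecord(datetime(2024, 3, 4, 2, 15), "CONF-400", "+15550199", "", 9000, True))
    recs += [CallRecord(t0, "CONF-500", f"+1555020{i:02d}", "", 600, True) for i in range(25)]
    return recs

if __name__ == "__main__":
    for rule, subject in detect(sample_records()):
        print(f"{rule:22} {subject}")
```

The findings are the input to the "first actions" the abstract mentions (tearing down the bridge, locking the access code, blocking dial-out); the detector itself only decides, so it can be replayed over historical records to tune thresholds before anything is enforced.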
Novel tools and techniques are provided for implementing management of routing across multiple voice or data networks with separate routing masters. In various embodiments, in response to receiving a request to establish a call between a calling party in a first network and a called party in a second network, a computing system might receive a first set of network information from a first routing database(s) that is operated by a first service provider and a second set of network information from a second routing database(s) that is operated by a second service provider separate from the first service provider; might analyze the received first and second sets of network information to generate a unified routing model for optimizing routing of the call through the first and second networks; and might establish the call through a selected optimized route based on the generated unified routing model.
H04L 45/302 - Route determination based on requested QoS
H04M 7/12 - Arrangements for interconnection between switching centres for working between exchanges having different types of switching equipment, e.g. power-driven and step by step or decimal and non-decimal
26.
SYSTEMS AND METHODS FOR REDUCING ENERGY CONSUMPTION
Methods and systems for reducing energy consumption. A method may include aggregating, for a prior time period, prior usage data from a plurality of computing nodes. Based on the aggregated prior usage data from the plurality of computing nodes, a usage threshold for decreasing cooling system output for the plurality of computing nodes and a local-time threshold for decreasing the cooling system output for the plurality of computing nodes are determined. Current usage data for the plurality of computing nodes is then received. When the current usage data reaches the usage threshold and the local time is after the local-time threshold, output of the cooling systems of the plurality of computing nodes is decreased.
In an alien wave system, one or more transponders connected to a line system may be owned and operated by a different entity from the entity that owns and operates the line system. In such a situation, diagnosing and correcting faults, and achieving good performance, may be challenging. As such, a system and methods for interoperability in an alien wave system are provided.
H04B 10/079 - Arrangements for monitoring or testing transmission systems; Arrangements for fault measurement of transmission systems using an in-service signal using measurements of the data signal
28.
ENHANCED SYSTEMS AND METHODS FOR PERSISTENT NETWORK PATHS
This disclosure describes systems, methods, and devices related to determining persistent service paths between provider edge devices and customer edge devices. A device may identify a service identifier associated with a service provided by a communication network; identify, based on the service identifier and traffic data of the communication network, one or more first adjacencies between provider edge devices, of the communication network, using a service indicated by the service identifier; identify, based on the service identifier and traffic data of the communication network, one or more second adjacencies between the provider edge devices and customer edge devices using the service; and map, based on the one or more first adjacencies and the one or more second adjacencies, a persistent service path between a customer edge device of the customer edge devices and a provider edge device of the provider edge devices.
H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
H04L 61/103 - Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
H04L 101/622 - Layer-2 addresses, e.g. medium access control [MAC] addresses
29.
QUALITY OF SERVICE MANAGEMENT SYSTEM FOR A COMMUNICATION NETWORK
A quality of service management system includes a rules engine that receives information associated with a communication path having an assigned quality of service (QoS) to be provided for a customer communication device, and identifies one or more network elements assigned to provide the communication path. Each network element has a plurality of queues configured to provide varying QoS levels relative to one another. For each of the network elements, the rules engine determines at least one queue that is configured to provide the communication path at the assigned quality of service, and transmits queue information associated with the determined queue to its respective network element, which conveys the communication path through the determined queue.
H04L 47/24 - Traffic characterised by specific attributes, e.g. priority or QoS
H04L 45/302 - Route determination based on requested QoS
H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
H04L 47/62 - Queue scheduling characterised by scheduling criteria
Novel tools and techniques are provided for implementing real-time fault management or a real-time fault management system ("RFM"). In various embodiments, RFM may receive alerts from or associated with network devices (e.g., layer 2, 3, and/or 4 devices, or the like) that are disposed in a plurality of disparate networks that may utilize different alert management protocols and/or different fault management protocols. RFM may collect, enrich, normalize, aggregate, and display the alerts in a user interface to facilitate addressing of the alerts by a user. To enable continuous and real-time functionality, RFM may be implemented in a plurality of siloed platforms in a primary data center, with processing of alerts being load balanced across the siloed platforms, and with a mirrored group of siloed platforms in a secondary data center located geographically distant from the primary data center and configured to be on "hot standby" and to completely take over RFM processing operations.
Novel tools and techniques are provided for implementing intelligent alert automation ("IAA"). In various embodiments, IAA receives alert/event feeds from several different alerting and ticketing systems via input Redis queues, and uses a triage system to determine whether to process the alert/event or disregard it. If so, IAA may create a flow instance, assign a unique instance ID, and place the flow instance in one of a plurality of jobs queues based on alert/event type and/or source. An abattoir system retrieves a flow instance from one of the jobs queues (in order of the queue's priority), and processes the next node or step in the flow instance. The flow instance is placed back into the jobs queue for subsequent processing by the same or a different abattoir system until no additional nodes or steps remain in the flow, at which point the flow instance is considered complete.
This disclosure describes systems, methods, and devices related to software-defined wide area network (SD-WAN) overlays for evaluating services provided by a communications network. A device may identify an SD-WAN overlaying a virtual private network (VPN) of a communications network, the VPN including multiprotocol label switching (MPLS) and the Internet, the MPLS and the Internet associated with connecting one or more devices to a datacenter; retrieve, using an application programming interface (API), analytical data from the SD-WAN; identify devices and interfaces of the SD-WAN; receive performance metrics of the devices and interfaces; detect, based on comparisons of the performance metrics to event criteria, an occurrence of an event in the VPN; and present, based on the occurrence of the event, a notification of the event to a customer of the VPN.
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
This disclosure describes systems, methods, and devices related to automated Ethernet testing for a communications network. A device may identify a service identifier of a service provided by the communications network to a customer; identify, based on the service identifier, a circuit comprising devices and interfaces used to provide the service; determine that the devices include a first device including an Ethernet transport line; present an Ethernet test panel showing an indication of the first device; receive, from the Ethernet test panel, a user request from a customer of the circuit to test the circuit; initiate a live Ethernet diagnostic on the circuit in response to the user request; receive, based on the live Ethernet diagnostic, performance metrics of the circuit; detect an occurrence of an event in the circuit; and present, based on the occurrence of the event, a notification of the event to the customer.
Implementations described and claimed herein provide systems and methods for intelligent node type selection in a telecommunications network. In one implementation, a customer set is obtained for a communications node in the telecommunications network. The customer set includes an existing customer set and a new customer set. A set of customer events is generated for a node type of the communications node using a simulator. The set of customer events is generated by simulating the customer set over time through a discrete event simulation. An impact of the customer events is modeled for the node type of the communications node. The node type is identified from a plurality of node types for a telecommunications build based on the impact of the customer events for the node type.
G06Q 10/04 - Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
This disclosure describes systems, methods, and devices related to performing event-driven diagnostics for a communications network. A device may identify a service identifier of a service provided by the communications network to a customer; identify, based on the service identifier, a persisted path for the service, the persisted path generated prior to any user request to perform a diagnostic on the service, and the persisted path including devices and interfaces used to provide the service; receive performance metrics of the devices and interfaces of the persisted path; detect, without receiving any user request to perform a diagnostic on the service, based on comparisons of the performance metrics to event criteria, an occurrence of an event in the persisted path; and present, based on the occurrence of the event, a notification of the event to the customer.
Novel tools and techniques are provided for implementing dashboard for alert storage and history (“DASH”). In various embodiments, DASH provides for consolidated tracking and monitoring of two or more of current (or active) alerts, cleared alerts, and/or transactional information for alerts that are stored within corresponding alert live database that mirrors current alert instance data in a real-time fault management system, alert history database that contains a snapshot of an alert history of each alert or corresponding network device, and/or alert log database that contains a full transaction record of every copy of an alert either over a first duration or having a total data size within a first total data size. DASH also cleans received alert data and/or enriches the alert data, and provides a user interface (“UI”) that enables a user to view, absorb, filter, manage, and/or organize alert data to facilitate addressing of alerts in the network(s).
Aspects of the present disclosure involve systems, methods, and computer program products for consolidating toll-free and/or tolled features of two or more telecommunications networks. The networks may be consolidated via an Enhanced Feature Server (EFS) deployed in a telecommunications network. The EFS may be configured to receive a toll-free and/or tolled communication and route the communication based on the dialed toll-free number and a carrier identification code (CIC) associated with the communication, or based on the dialing number and a CIC. Routing the communication based at least on the CIC associated with the communication allows the telecommunications network to consolidate a redundant network from the telecommunications network. In circumstances where a CIC is not associated with a communication, the EFS may request a data schema from a toll-free database, or from an automatic number identification (ANI) database, and determine a CIC based on an analysis of the data schema.
Novel tools and techniques are provided for implementing web-based monitoring and detection of fraudulent or unauthorized use of voice calling service. In various embodiments, a computing system might receive, from a user device associated with an originating party, a request to initiate a call session with a destination party, the request comprising user information associated with the originating party and a destination number associated with the destination party; might query a database with session data (including user information) to access permission data and configuration data; and might configure fraud logic using received configuration data from the database. The computing system might analyze the session data and permission data using the configured fraud logic to determine whether the originating party is permitted to establish the requested call session with the destination party; if so, might initiate one or more first actions; and, if not, might initiate one or more second actions.
The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Apparatus, systems, methods, and the like, for autonomous scaling of security and other network services through initialization of a service from a network service device and/or migration of such services from one service device to another is provided. Such network scaling may allow for migration of services from existing service edges to other service edges. A security management system may coordinate the migration of services provided to a secondary network from one or more service edges to another, separate service edge while providing session synchronization during the migration. To migrate the services from the first service edge to a second service edge, a session table may be shared between the service edges and the first and second service edges may advertise service routes or endpoints with one or more priority values to control or otherwise determine which service edge is selected by a service-receiving device to receive the services.
In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, the method determines whether a time bucket is complete or open based on the updated probability distribution model.
This disclosure describes systems, methods, and devices related to requesting use of a zero-copy operation. A method may include: generating, by a first channel of a hierarchy of channels in a user space, a request to retrieve a file descriptor before initiating a zero-copy operation; sending, by the first channel, to the hierarchy, the request; identifying, by a second channel of the hierarchy, a response accepting the request, the response including the file descriptor; adding, by the second channel, additional information to the response accepting the request, the additional information including at least one of a need notify request to be notified of an amount of data transferred using the zero-copy operation or parsed body data; identifying, by the first channel, the file descriptor and the additional information; and initiating, by the first channel, based on identifying the file descriptor, the zero-copy operation.
Systems and methods for enforcing compliance-program conformity during authorization-token generation are presented. Applications may be registered with an identity and access management (IAM) system. The registration of the application may include whether the application is subject to one or more compliance program(s). When an authorization token is requested from the IAM system, the IAM system may (a) determine the set of authorization information needed in the token, and (b) determine whether the application is subject to a compliance program. The IAM system may then check an approval source of record to determine whether the user was legitimately approved for the required authorization prior to granting an authorization token. If there is a mismatch between the approval source of record and the authorization information associated with the user identity, then the mismatch may cause certain mitigation actions to be performed.
Novel tools and techniques are provided for implementing name-based routing through networks. In various embodiments, a broker manager in each of a plurality of networks may receive a subscription request for a network device from a client device, each device being locally accessible or disposed in an upstream or downstream network. The broker manager uses its client broker to communicate with a locally accessible client device, and uses its mediator broker (and, sometimes, an intermediate device(s)) to communicate with a locally accessible network device. The broker manager otherwise uses its messaging brokers to communicate with control channels of one or more networks. Once subscription with the network device has been established, any commands and responses between the client device and the network device may be routed over pub/sub channels via the broker managers and their brokers using name-based routing, without routing based on IP address of the network device.
H04L 41/0604 - Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 45/00 - Routing or path finding of packets in data switching networks
Implementations include providing security services to workloads deployed across various types of network environments, such as public networks, private networks, hybrid networks, customer premise network environments, and the like, by redirecting traffic intended for the service device through a security environment of the first network. After application of the security features to the incoming traffic, the “clean” traffic may be transmitted to the service device instantiated on the separate network via a tunnel. Redirection of incoming traffic to the security-providing first network may include correlating a network address of the service device to a reserved network address of a block of reserved addresses and updating a Domain Name Server (DNS) or other address resolving system with the reserved address. The return transmission tunnel may be established between the security environment and the network address of the service device.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Disclosed herein are system, method, and computer program product embodiments for providing an API description of an external network service and using the API to integrate the external service into a network. An embodiment operates by receiving, from a service provider, a description of an application programming interface (API), transmitting a call to the service provider using the API for creating a new instance of a service and transmitting to the service provider a traffic flow upon which the service will be applied.
Novel tools and techniques are provided for implementing application programming interface (“API”)-based concurrent call path (“CCP”) provisioning. In various embodiments, in response to receiving a CCP provisioning request, a computing system may determine whether such a request would affect a set of trunk groups assigned to a customer based at least in part on network utilization data. If not, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in at least one trunk group assigned to the customer based on the CCP provisioning request. If so, the computing system may cause the nodes in the network to increase or decrease, in near-real-time, the number of trunk groups assigned to the customer and may cause the nodes in the network to increase or decrease, in near-real-time, the number of CCPs in the updated number of trunk groups.
Novel tools and techniques are provided for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent) may receive, from a network filter orchestration conductor, a global filter-intent list including a first filter intent that references a corresponding filter-intent object. The computing system may determine whether the at least one first filter intent applies to the managed device. If so, the computing system may translate the at least one first filter intent into a first filter that is specific to a first configuration of the managed device, in some cases, by building the first filter based at least in part on the at least one first filter intent. The computing system may subsequently apply the first filter to one or more network communications handled by the managed device.
This disclosure describes systems, methods, and devices related to using an application programming interface (API) gateway orchestration layer. A method may include identifying, by the API gateway orchestration layer, a first API request, received by an API gateway API, to access a first microservice of a first API gateway that uses a first API gateway model; identifying a second API request, received by the API gateway API, to access a second microservice of a second API gateway that uses a second API gateway model; determining, based on the first API request, a first route to the first API gateway; determining, based on the second API request, a second route to the second API gateway; routing the first API request to the first microservice based on the first route; and routing the second API request to the second microservice based on the second route.
The present application describes a system and method for utilizing a tunnel in a networking routing protocol to provide a network segment access to additional servers when certain load balancing trigger events are detected.
Novel tools and techniques are provided for implementing network service ordering and provisioning of secure access service edge (“SASE”) scriptlets for providing SASE-based network services. In various embodiments, a computing system may provide a user experience (“UX”) platform for a customer portal, the UX platform being accessible by a user via a user device over a first network(s); may provide, via the UX platform, options to configure, via the customer portal, one or more SASE scriptlets for providing SASE-based network services provided by a service provider; and may autonomously orchestrate deployment and configuration of the one or more SASE scriptlets on one or more network devices that are associated with the user or with an entity with which the user is associated, over a second network(s), based at least in part on user selection of options to configure the one or more SASE scriptlets and/or the corresponding SASE-based network services.
Systems and methods for receiving information on network firewall policy configurations are disclosed. Based on the received firewall configuration information, a configuration of a firewall and/or subnet of network devices is automatically provisioned and/or configured to control network traffic to and from the subnet.
Novel tools and techniques are provided for implementing dynamic border gateway protocol (“BGP”) host route generation based on domain name system (“DNS”) resolution. In various embodiments, a computing system may receive, from a user device via a first network, a request to establish a communications link with an external device via a second network that is separate from the first network, based on a first uniform resource identifier (“URI”) indicative of a network location of the external device. The computing system may query a DNS resolver for an Internet Protocol (“IP”) address corresponding to a valid current IP address, based on the first URI, and may advertise the IP address and/or a route based on the IP address. A communications link may be established between the user device and the external device based on the IP address and/or the route.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
H04L 61/5046 - Resolving address allocation conflicts; Testing of addresses
56.
SYSTEMS AND METHODS FOR PROVIDING ENHANCED SECURITY IN EDGE COMPUTING ENVIRONMENTS
Examples of the present disclosure describe systems and methods for providing enhanced security in edge computing environments. A first aspect describes a method for moving security features dynamically applied to an application at a first deployment location to an application at a second deployment location. A second aspect describes a method for locally expanding/contracting an instance of a deployed application. A third aspect describes a method for redirecting network traffic associated with detected malicious conduct from a first application deployment environment to a secured second application deployment environment. A fourth aspect describes a method for performing multi-stage network traffic filtering.
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
A security platform of a data network is provided that includes security services for computing devices in communication with the data network. The security platform may apply a security policy to the computing devices when accessing the Internet via a home network (or other customer network) and when accessing the Internet via a public or third party network. To provide security services to computing devices via the home network, the security platform may communicate with a security agent application executed on the router (or other gateway device) of the home network. In addition, each of the devices identified by the security profile for the home network may be instructed or otherwise be provided a security agent application for execution on the computing devices. The security agent application may communicate with the security platform when the computing device connects to the Internet over a third party or public access point.
A traffic controller device for distributing or otherwise controlling the distribution of routing information may be included in a telecommunications network. The traffic controller may receive routing tables from a plurality of network devices, such as one or more provider edge devices of the network. The traffic controller, upon receiving the routing information from the provider edge devices, may generate a routing table associated with each device providing the routing information. The traffic controller may also provide updates to one or more of the networking devices associated with the controller. The traffic controller may alter or update, at the traffic controller, the routing table associated with the target provider edge device based on the network policy. The routing information in the routing table for that device and maintained by the traffic controller may be updated with a new route or new local preferred parameter value.
Automatic testing/analysis of local loops of telecommunications networks includes obtaining bits-per-tone data for a local loop of a telecommunications network and generating a bit value string from the bits-per-tone data. The bit value string is then analyzed to determine whether it includes a bit pattern indicative of an impairment of the local loop. Further approaches for automatically testing local loops of telecommunications networks include obtaining attenuation data for multiple tones carried by the local loop and determining whether the attenuation data falls below thresholds for providing a service using the local loop.
In a network system in which a server receives packets each including a source address, and in which the server ordinarily responds to each packet, Distributed Denial of Service attacks may be launched by malicious actors controlling a plurality of network devices. In such an attack, the attacking devices may spoof the IP address of a legitimate device, e.g., they may include, in each packet, the source address of the legitimate device. As such, systems and methods for increased security using client address manipulation are provided.
Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic from the source of the attack. The threat intelligence information may include a confidence score indicating a calculated confidence in the identification of the malicious communications, which may be utilized by the system to determine the type of action taken on the security devices of the network in response to the information or data.
Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 43/028 - Capturing of monitoring data by filtering
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Examples of the present disclosure describe systems and methods relating to adaptive virtual services. In an example, a user specifies a device configuration for a platform device. As a result, a service provider installs selected virtual-network functions and defines network connections as specified by the device configuration. Management software may also be installed, thereby enabling the service provider to communicate with and remotely manage the platform device. The installed virtual-network functions are activated on the platform device once it is delivered to the user. In some instances, the user changes the device configuration. For example, the user may install new virtual-network functions, reconfigure or remove existing virtual-network functions, or change defined network connections. As a result, the service provider reconfigures the platform device accordingly. Thus, the user need not purchase new specialized hardware in order to change the available functions of the computer network.
Systems and methods for conference security based on user groups are disclosed. In examples, a set of attendees (e.g., in a collaboration group) may be allowed access to a meeting by a host user with a specified access permission. The collaboration group may be in the network hosting the meeting or outside of the network. An attendee requesting access to the meeting may be verified based on the attendee's identity and membership status of the collaboration group. If an attendee's identity is not identified or if the attendee is not a member of the collaboration group, the requesting attendee may be denied access to the meeting. If the requesting attendee's identity is verified and the attendee is a member of the collaboration group, the attendee is allowed access to the meeting with their specified access permission.
Aspects of the disclosure involve systems and methods for utilizing Virtual Local Area Network separation in a connection, which may be a single connection, between a customer to a telecommunications network and a cloud environment to allow the customer to access multiple instances within the cloud through the connection. A customer may purchase multiple cloud resource instances from a public cloud environment and, utilizing the telecommunications network, connect to the multiple instances through a communication port or connection to the cloud environment. To utilize the single connection or port, communication packets intended for the cloud environment may be tagged with a VLAN tag that indicates to which cloud instance the packet is intended. The telecommunications network may route the packet to the intended cloud environment and configure one or more aspects of the cloud environment to analyze the attached VLAN tag to transmit the packet to the intended instance.
A data system is provided for analyzing and maintaining data obtained from one or more data sources on which the data system depends. The system includes a primary database including current values used by the system and a collection of executable algorithms used to generate the data maintained in the primary database. In response to receiving a notification regarding a change in one of the data sources, a dependency database is used to establish an execution order for algorithms of the algorithm collection that are directly or indirectly dependent on the changed data. The algorithms identified in the execution order are then executed in accordance with the execution order and the corresponding result is stored in the primary database. The system may include data harvesters adapted to recognize changes in the data sources and to generate and transmit corresponding change notifications when such changes occur.
Dynamic and self-healing optimized traffic rerouting is provided. A system and method are described for determining and implementing optimized traffic routing decisions. A route orchestration system monitors network resource performance characteristics information for identifying a traffic redirection triggering event and for determining an optimized traffic control decision based on the network resource performance characteristics information. The decision may include software defined networking (SDN) instructions that may be communicated to one or more network resources (e.g., PE devices, P devices, and/or routers) and that may cause traffic to be rerouted to the one or more targeted servers. For example, the optimized traffic control decision may be determined to improve load balancing amongst performing servers and other network resources in the network while reducing or minimizing administrative costs. Network resources may include a programmatic component that allows the optimized traffic control decision determined by the route orchestration system to be implemented by the resource.
An improved autonegotiation approach includes determining that a negotiated rate between a first network device and a second network device exceeds data transfer capacity over a network path downstream of the second network device. In response, a configuration message is generated and transmitted to the first network device. When received by the first network device, the configuration message causes the first network device to limit data transfer between the first network device and the second network device to no more than the downstream data transfer capacity.
H04L 47/21 - Flow control; Congestion control using leaky-bucket
H04J 3/16 - Time-division multiplex systems in which the time allocation to individual channels within a transmission cycle is variable, e.g. to accommodate varying complexity of signals, to vary number of channels transmitted
H04L 47/2425 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting services specification, e.g. SLA
H04L 47/263 - Rate modification at the source after receiving feedback
Implementations described and claimed herein provide systems and methods for correlating one or more service areas of a network with one or more geolocation coordinates to determine the services available to customers of the network. A service polygon may be generated that defines an area in which a particular service offered by a communications network is available. The boundaries of the service polygons may be adjusted based on information corresponding to physical features of the initial area. The service polygons may aid a communications network in providing a list of available services to potential customers or devices connected to the network by determining one or more geolocation coordinate values of a potential connection site and comparing the values to the service polygons. A network management system may determine the services available, currently or in the future, in order to offer such services to a customer of the network.
A route viewing system includes a computing system that receives information associated with one or more routes through a network, and identifies the routes that are associated with at least one illicit user computer used by an illicit user. The computing system then obtains a source location of a source address of the routes and a destination location of a destination address of the routes, and displays the routes on a geographical display at the source location of the source address and the destination location of the destination address of each of the routes.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
Novel tools and techniques are provided for implementing a telecommunications equipment shelf with integrated power and cooling. In various embodiments, a shelf for a telecommunications equipment mounting structure may be provided that includes one or more power outlets integrated within a body of the shelf, either on a front surface or a rear surface thereof, or both. Each power outlet may include a plurality of receptacles, each of which may be configured, when connected to an authenticated user device via network connectors that are integrated in the body of the shelf and via network cables, to send status information associated with the receptacle and/or its power outlet. In some cases, each shelf may further include a plurality of fans that are also integrated within the body of the shelf to provide air ventilation to cool one or more devices that may be held, supported, and/or mounted on the shelf.
Novel tools and techniques are provided for implementing improvement to domain name system ("DNS") security. In various embodiments, a computing system may receive a user datagram protocol ("UDP") -based DNS request, and may send a UDP-based response message, which may include an empty payload portion and a header portion containing a truncate flag that is set, which indicates to resend the request as a transmission control protocol ("TCP") -based DNS request. When the TCP-based DNS request is received within a first period, the computing system may send, to the source address, a TCP-based response message comprising an answer to a query (in the TCP-based DNS request) for a destination DNS record associated with a destination device. If no TCP-based DNS request is received from the source address within the first period, the computing system may block all UDP-based DNS requests from the source address for at least a second period.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
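The abstract above describes a source-validation scheme: answer a UDP query with a header-only reply whose TC bit is set, which any RFC 1035 client treats as "retry over TCP"; a source that completes the TCP retry within the first period gets a real answer, a source that never does is blocked on UDP for the second period. A TCP retry proves the source address was not spoofed, because the three-way handshake cannot complete to a forged address. The following is an added example written for this page, not code from the patent or its assignee, showing the wire-format truncated reply and the per-source state machine. The period lengths, the class and function names, and the sample query are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# Constructed example: header-level DNS handling plus the per-source state
# machine the abstract describes. Period lengths are assumed values.
DNS_HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR = 0x8000       # message is a response
FLAG_TC = 0x0200       # truncated: tells the client to retry over TCP (RFC 1035)
FLAG_RD = 0x0100       # recursion desired
OPCODE_MASK = 0x7800


def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal wire-format query (QTYPE 1 = A, QCLASS 1 = IN) used as sample input."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return DNS_HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_truncated_reply(udp_request: bytes) -> bytes:
    """Header-only reply: same ID, QR and TC set, no question/answer sections (empty payload)."""
    if len(udp_request) < DNS_HEADER.size:
        raise ValueError("DNS message shorter than its header")
    qid, flags = DNS_HEADER.unpack_from(udp_request)[:2]
    keep = flags & (OPCODE_MASK | FLAG_RD)  # echo OPCODE and RD as a normal responder would
    return DNS_HEADER.pack(qid, FLAG_QR | FLAG_TC | keep, 0, 0, 0, 0)


@dataclass
class TcFallbackGate:
    """Forces UDP clients to prove their source address by retrying over TCP."""
    retry_window: float = 2.0     # "first period": time allowed for the TCP retry (assumed)
    block_period: float = 300.0   # "second period": UDP block after a missed retry (assumed)
    pending: dict = field(default_factory=dict)  # src -> deadline for the TCP retry
    blocked: dict = field(default_factory=dict)  # src -> time at which UDP is accepted again

    def on_udp_query(self, src: str, msg: bytes, now: float):
        """Returns ("drop", None) for a blocked source, else ("truncate", reply_bytes)."""
        self._expire(now)
        if src in self.blocked:
            return "drop", None
        self.pending.setdefault(src, now + self.retry_window)
        return "truncate", build_truncated_reply(msg)

    def on_tcp_query(self, src: str, msg: bytes, now: float, resolve):
        """A completed TCP handshake means src is reachable, so the address was not spoofed."""
        self._expire(now)
        self.pending.pop(src, None)
        return "answer", resolve(msg)

    def _expire(self, now: float):
        for src, deadline in list(self.pending.items()):
            if now > deadline:                 # no TCP retry arrived within the first period
                del self.pending[src]
                self.blocked[src] = now + self.block_period
        for src, until in list(self.blocked.items()):
            if now >= until:                   # second period over; UDP accepted again
                del self.blocked[src]
```

The truncated reply is 12 bytes, so there is no amplification toward a spoofed victim. One design point to weigh with any per-address block of this kind: a sender that spoofs a legitimate resolver's address produces exactly the "no TCP retry" pattern for that address, so the block state keyed on source address is itself something an attacker can try to trigger.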
Aspects of the present disclosure involve consolidating toll-free features of telecommunications networks. In one implementation, the network services may be consolidated through utilization of an Enhanced Feature Server (EFS) or other type of application server deployed in a telecommunications network. The EFS may be configured to receive a toll-free communication and route the communication based on the dialed toll-free number and a carrier identification code (CIC) associated with the communication. Routing the communication based at least on the CIC associated with the communication allows the telecommunications network to consolidate (and ultimately remove) a redundant network or network components from the telecommunications network to improve the operation of the network. In circumstances where a CIC is not associated with a communication, the EFS may request a data schema from a national toll-free number database and determine a CIC for the communication based on an analysis of the data schema.
Aspects of the present disclosure involve systems and methods for a collaboration conferencing system to track a total number of concurrently utilized ports across any number of conferencing bridges of the network for a particular customer and one or more billing actions may occur based on this tracking. This may result in an alternate billing option for the customer's use of the system. Further, a telecommunications network administrator may provide access to the collaboration conferencing system based on a total number of concurrently utilized ports rather than on a per conference or per minute basis. With the information of the number of purchased ports by the customer, the administrator may more accurately predict an available capacity for the collaboration conferencing system needed to support all of the users of the system and the potential collaboration conferences.
Aspects of the present disclosure describe a network site validation and remediation system and method that provides validation and remediation of serviceable site locations in a network. The network site validation and remediation system may determine possible inaccurate site location data and cause one or more mitigation actions to be performed based on the determination of the inaccurate location data. Accuracy of site location is determined based on a combination of rules, where an accuracy score is used to provide a measure of confidence that a site's location data (e.g., address and/or geocoordinates) accurately reflects the physical location where a network connection is provided and thus, where service exists or potentially can be deployed. The one or more mitigation actions may cause inaccurate site location data to be corrected with accurate location data determined by the system.
Systems and methods for blocking spoofed traffic within communications networks include obtaining, at a computing system, routing information for an autonomous system of a communications network, the routing information identifying Internet Protocol (IP) addresses associated with the autonomous system. In response to receiving the routing information, the computing system generates a prefix list based on the routing information, the prefix list including one or more prefixes encompassing the IP addresses identified by the routing information. The computing system then transmits instructions to a network device of the communications network configured to cause the network device to update a filter function of the network device based on the prefix list such that the network device permits network traffic that originates from IP addresses within the prefixes of the prefix list.
H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25
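The anti-spoofing abstract above is ingress filtering built from routing data: take the addresses an autonomous system is known to originate, collapse them into a minimal prefix list, and push that list to a device whose filter then permits only traffic sourced from inside those prefixes. The following is an added example for this page, not the patent's or any vendor's code, showing the prefix-list construction (including the collapse of adjacent and subsumed prefixes) and the resulting permit check. The routing information, the packet tuples, and the rendered "prefix-list ... permit" line format are constructed assumptions.

```python
import ipaddress

# Constructed routing information for one autonomous system: the prefixes it
# originates. The addresses are documentation ranges, not a real AS.
ROUTING_INFO = [
    "192.0.2.0/25",
    "192.0.2.128/25",     # adjacent to the /25 above: collapses into 192.0.2.0/24
    "198.51.100.0/24",
    "198.51.100.64/26",   # already covered by the /24 above: dropped
    "2001:db8::/32",
]


def build_prefix_list(routing_info):
    """Minimal set of prefixes that encompasses every address the routing info names."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in routing_info]
    # collapse_addresses() only accepts one address family at a time.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted([*v4, *v6], key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_filter_update(name, prefixes):
    """Instruction lines to send to the device; the line syntax is an assumed generic format."""
    return [f"prefix-list {name} permit {p}" for p in prefixes]


class SourceFilter:
    """Filter function of a network device: permit only sources inside the prefix list."""

    def __init__(self, prefixes):
        self.prefixes = list(prefixes)

    def permits(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in p for p in self.prefixes if p.version == ip.version)

    def apply(self, packets):
        """packets: iterable of (src, dst); returns only the packets whose source is permitted."""
        return [(src, dst) for src, dst in packets if self.permits(src)]
```

The prefix list must be regenerated whenever the routing information changes; a stale list turns a newly announced legitimate prefix into dropped traffic, which is the usual operational failure of this kind of filter.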
Novel tools and techniques are provided for implementing management of edge network protection service. In various embodiments, a computing system may receive a request from a customer to manage edge network protection services for at least one Internet circuit. Based on a determination that the customer has been provisioned one or more circuits that are capable of implementing edge network protection services, the computing system may present, or cause to be presented, options to select a circuit, from among the one or more circuits, for which edge network protection service should be provisioned or managed. When a selection of a first circuit is received from the customer, the computing system may automatically cause the selected first circuit to be configured to provision a new service instance of the edge network protection service or reconfigured to modify an existing service instance of the edge network protection service.
Novel tools and techniques are provided for implementing fraud or distributed denial of service (“DDoS”) protection for session initiation protocol (“SIP”)-based communication. In various embodiments, a computing system may receive, from a first router, first SIP data indicating a request to initiate a SIP-based media communication session between a calling party at a source address and a called party at a destination address. The computing system may analyze the received first SIP data to determine whether the received first SIP data comprises any abnormalities indicative of potential fraudulent or malicious actions. If so, the computing system may reroute the first SIP data to a security deep packet inspection (“DPI”) engine, which may perform a deep scan of the received first SIP data to identify any known fraudulent or malicious attack vectors contained within the received first SIP data. If so, the security DPI engine may initiate mitigation actions.
Novel tools and techniques are provided for implementing 911 or enhanced 911 (“E911”) address update. In various embodiments, in response to a trigger event, a computing system may determine whether E911 address data associated with a customer that is stored in an E911 database requires updating. If so, the computing system may update the E911 database with address data associated with the customer that has been validated or verified (if available). Where no validated or verified address associated with the customer is available, the computing system may send a message to the customer to provide updated 911 or E911 address data; may receive, from a user device associated with the customer via an API over a network(s) operated by the service provider, updated 911 or E911 address data from the customer; and may update the E911 database with the received updated 911 or E911 address data from the customer.
The present application describes providing an attestation level to a received communication. The attestation level may be used to communicate a level of security to a network or a called party that receives the communication. The attestation level associated with the communication may indicate to a destination network and/or recipient that the phone number associated with the communication is secure and/or the telephone number has not been spoofed.
This disclosure describes systems, methods, and devices related to testing servers provisioned in an edge computing device. An edge computing device may detect that a server has been provisioned to access a public network cloud using backbone routers of the edge computing device; provide a neural network for evaluating a probability that a performance of the server will satisfy performance criteria, the neural network trained based on training data comprising labeled settings data and feature weights; input settings and configurations associated with the provisioning of the server as inputs to the neural network; and generate, using the neural network, based on the inputs and the training data, a confidence score indicative of the probability.
This disclosure describes systems, methods, and devices related to analyzing data stored in a relational database. A method may include installing a structured query language (SQL) server on a host server; installing statistical analysis modules on the host server; executing the statistical analysis modules within a relational database of the SQL server to analyze data stored in the relational database; and generating outputs based on the execution of the statistical analysis modules within the relational database.
A system and method for providing on-demand edge compute. The system may include an orchestrator that provides a UI and that controls an abstraction layer for implementing a workflow for providing on-demand edge compute. The abstraction layer may include a server configuration orchestration (SCO) system (e.g., a Metal-as-a-Service (MaaS) system) and an API that may provide an interface between the orchestrator and the SCO. The API may enable the orchestrator to communicate with the SCO for receiving requests that enable the SCO to integrate with existing compute resources to perform various compute provisioning tasks (e.g., to build and provision a server instance). The various tasks, when executed, may provide on-demand edge compute service to users. The SCO API may further enable the orchestrator to receive information from the SCO (e.g., compute resource information, status messages).
Novel tools and techniques are provided for implementing optical frequency spectral optimization in dense wavelength division multiplexing (“DWDM”) flex grid systems. In various embodiments, based on a determination that one or more gaps of optical spectrum exist in a range of optical spectrum that contains one or more media channels that support transmission of corresponding one or more first signals, a computing system may determine a network wavelength service frequency assignment for shifting frequency of at least one media channel among the one or more media channels to optimize one or more spacings among the one or more media channels in the range of optical spectrum for supporting transmission of one or more second signals; and may cause one or more optical signal devices to shift a center frequency of each of the at least one media channel, based on the determined network wavelength service frequency assignment.
A routing system can provide a Dynamic-Hybrid Forwarding Information Base (DHFIB). A control component of the routing system can build a routing table that includes routing information (e.g., prefixes, addresses, etc.) for use by a first routing component. The routing table can be ordered or ranked based on traffic information from the first routing component. Then, the control component can create the DHFIB from the routing table, wherein the DHFIB is a portion of the routing table and related to the first routing component. As such, the portion of the routing table selected for the DHFIB can be the set of prefixes in the routing table that represent the most frequently routed or most important prefixes in the routing table. Finally, the control component can forward the DHFIB to the first routing component to allow the routing component to route communications.
Directed to systems and methods for a service activation system in a telecommunications network that utilizes one or more generic container files for building the configuration file to instantiate the service on the network. A request for service from a network may be received from an order entry system that includes specific information about the requested service. A collection of generic configuration files may be selected based on the information included in the service order and arranged to build a configuration file to be executed on the network. The service activation system may also include a component or group of components to verify a received service order and alter the service order with default information or data where applicable. The configuration file may also be executed on the network through one or more drivers communicating with the affected devices to configure the one or more network devices.
H04L 41/5051 - Service on demand, e.g. definition and deployment of services in real time
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
H04L 43/0805 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
92.
Carrier identification code delivery to an egress network of a telecommunications network
Aspects of the present disclosure involve systems, methods, computer program products, and the like, for utilizing a CIC value field in signaling information of a communication to provide an identification of the ingress network to an egress or receiving network of a long distance telecommunications network. The system and method provide for the provisioning of a signaling CIC for an ingress trunk group or network to a telecommunications network for downstream signaling purposes by overriding a received CIC value with a provisioned CIC value specific to the ingress network. This provisioned CIC value identifies the ingress network into the long distance network to the egress network, for use by the egress network.
H04L 12/709 - Route fault prevention or recovery, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP] using path redundancy using M+N parallel active paths
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal
Implementations described and claimed herein provide systems and methods for an optical domain controller for managing and maintaining a record of network component configuration and interconnections. The optical domain controller detects changes in a configuration of optical network elements in response to a requested service from the network, coordinates additional changes in configurations to optical network elements that may be affected by the detected change, communicates with the optical network elements to incorporate the changes to the configurations of the network element, and stores the configurations and states of the network elements. The use of the optical domain controller may thus replace or supplement a database storing network configuration information by automatically managing changes to the network as new services are instantiated directly on the optical network elements.
H04B 10/00 - Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
H04B 10/25 - Arrangements specific to fibre transmission
94.
SYSTEMS AND METHODS FOR PROTECTION OF AUTHORITATIVE NAME SERVERS
In a network, Domain Name Service (DNS) queries may be handled by one or more resolvers and one or more authoritative name servers. If a DNS distributed denial of service attack is launched against the network, it may degrade the performance of the authoritative name servers. As such, systems and methods for protection of authoritative name servers are provided.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
A network interface system defines standardized network service requests and related abstracted tasks. In examples, commands needed to configure particular network elements are dependent on the network being utilized and/or the network element(s) being utilized. The network interface system may include a standardization layer, an abstraction layer, and an application programming interface for each of a variety of available networks. Upon a request for a network service, the related abstracted tasks may be translated into network-specific commands to configure network elements of disparate networks to provide the requested service.
A DNS resolution request for a hostname of a CDN is received. An edge server of the CDN may be identified, which may be associated with a subnet. The subnet is used to generate a response IP address, where the remaining bits of the response IP address may be used to store requestor information (e.g., a requestor IP address). When a client computing device uses the response IP address to access the edge server, requestor information is extracted and associated with client computing device information (e.g., an IP address and/or location, etc.) in an association record. Association records may be used to determine predicted characteristics for devices served by a requestor. When the authoritative DNS server resolves a request from the requestor, such predicted characteristics may be used rather than relying solely on information about a requestor. Thus, an edge server proximate to the predicted location may be returned instead.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
H04L 61/4552 - Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
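The CDN resolution abstract above encodes the requestor (the resolver that sent the DNS query) into the host bits of the address returned for an edge server: the prefix bits select the edge subnet, the remaining bits carry the requestor's address, and when a client later connects to that address the edge server recovers the requestor and records the pairing. The following is an added example written for this page, not code from the patent or the CDN it describes. It assumes an IPv6 edge subnet (a /64 has 64 host bits, so a 32-bit IPv4 requestor address fits; a 128-bit IPv6 requestor would not, and the encoder rejects anything that does not fit), assumes requestors are IPv4, and uses "most frequently seen client /24 behind a requestor" as an illustrative prediction rule that the abstract itself does not specify.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed values: an edge server's IPv6 subnet (documentation prefix) and
# IPv4 requestor addresses. Requestors are assumed to be IPv4 so that the
# 32-bit address fits in the host bits of the subnet.
EDGE_SUBNET = "2001:db8:100::/64"


def encode_requestor(subnet: str, requestor_ip: str):
    """Response IP = subnet prefix bits + requestor address stored in the host bits."""
    net = ipaddress.ip_network(subnet)
    req = ipaddress.ip_address(requestor_ip)
    host_bits = net.max_prefixlen - net.prefixlen
    if int(req) >= 1 << host_bits:
        raise ValueError(f"{req} does not fit in the {host_bits} host bits of {net}")
    return net.network_address + int(req)


def decode_requestor(subnet: str, response_ip: str):
    """Recover the requestor address from the host bits of the address a client connected to."""
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(response_ip)
    if addr not in net:
        raise ValueError(f"{addr} is not in edge subnet {net}")
    # Assumption of this example: the encoded requestor is always an IPv4 address.
    return ipaddress.IPv4Address(int(addr) - int(net.network_address))


class AssociationStore:
    """Association records: requestor (resolver) -> client addresses that used its answers."""

    def __init__(self, subnet: str):
        self.subnet = subnet
        self.records = defaultdict(list)

    def on_edge_access(self, connected_to: str, client_ip: str) -> str:
        """Called when a client connects to the edge server at address connected_to."""
        requestor = str(decode_requestor(self.subnet, connected_to))
        self.records[requestor].append(client_ip)
        return requestor

    def predicted_client_prefix(self, requestor: str, prefixlen: int = 24):
        """Assumed prediction rule: the client prefix seen most often behind this requestor."""
        counts = Counter(
            str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
            for ip in self.records.get(requestor, [])
        )
        return counts.most_common(1)[0][0] if counts else None
```

Because the requestor address becomes part of the address the client connects to, it is visible to anyone on the path; whether that is acceptable depends on the deployment, and the abstract does not address it.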
Systems and methods for ingesting, managing, and distributing configuration data in one or more computing networks are provided. In examples, a flexible configuration definition framework is provided to allow for simplified ingestion, management, and distribution of configuration data to various computing devices in complex networks. Rather than table data, the framework permits expression of configuration settings in a non-relational, text-based data format to allow easy searching and filtering of configuration data and targeted distribution of data to machines and applications within the network(s).
H04L 41/084 - Configuration by using pre-existing information, e.g. using templates or copying from other elements
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 43/028 - Capturing of monitoring data by filtering
99.
Systems and Methods for Storing and Transporting Configuration Data to Edge Servers
Systems and methods for ingesting, managing, and distributing configuration data in one or more computing networks are provided. In examples, a flexible configuration definition framework is provided to allow for simplified ingestion, management, and distribution of configuration data to various computing devices in complex networks. Rather than table data, the framework permits expression of configuration settings in a non-relational, text-based data format to allow easy searching and filtering of configuration data and targeted distribution of data to machines and applications within the network(s).
H04L 41/08 - Configuration management of networks or network elements
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
Implementations described and claimed herein provide systems and methods for identification of connection areas in a telecommunications network. In one implementation, a customer set is obtained for a communications node in the telecommunications network. The customer set includes an existing connection type, and a collection of network sites having the connection type is generated from the customer set. An overlay of customer sites without the connection type may be applied to the collection of network sites to generate an intersection of non-connected customer sites within the collection of network sites having the connection type. The intersection provides an indication of underserviced sites for connection to the telecommunications network and thus of potential network growth.
G06Q 10/04 - Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence