Liveness detection for an authenticated client session
Granted: February 13, 2024
Patent Number:
11902380
A network node may determine parameters of an authenticated client session for a client device, wherein the parameters comprise a network address of the client device. The network node may determine inactivity of the client device in the authenticated client session. The network node may generate, based on determining the inactivity of the client device, an address resolution protocol (ARP) message or a neighbor solicitation (NS) message to send to the client device, wherein the ARP…
Generating a network security policy based on a user identity associated with malicious behavior
Granted: February 13, 2024
Patent Number:
11902330
A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize…
System and method for detecting lateral movement and data exfiltration
Granted: February 13, 2024
Patent Number:
11902303
A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.
Media access control security (MACsec) enabled links of a link aggregation group (LAG)
Granted: February 13, 2024
Patent Number:
11902256
A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated…
EVPN host routed bridging (HRB) and EVPN cloud native data center
Granted: February 13, 2024
Patent Number:
11902160
Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level…
Dynamic internet protocol translation for port-control-protocol communication
Granted: February 13, 2024
Patent Number:
11902159
A network device may receive, from a source device, an option request that includes a source address of the source device and a destination address of a destination device, wherein the network device is associated with an Internet protocol version 6 (IPv6) network. The network device may identify a map code that is associated with an address translation for traffic associated with the destination device and may determine, based on identifying the map code, a source prefix code and a…
High-availability switchover based on traffic metrics
Granted: February 13, 2024
Patent Number:
11902157
A node may be an active node associated with a high-availability service and may route session traffic communicated via a first route path between a first endpoint and a second endpoint. The node may determine a first measurement of a traffic metric of the first route path and may receive, from another node associated with the high-availability service, a second measurement of the traffic metric of a second route path. The node may compare the first measurement and the second measurement…
Compressed routing header
Granted: February 13, 2024
Patent Number:
11902153
A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP…
Determining rate differential weighted fair output queue scheduling for a network device
Granted: February 13, 2024
Patent Number:
11902827
A network device may receive packets and may calculate, during a time interval, an arrival rate and a departure rate, of the packets, at one of multiple virtual output queues. The network device may calculate a current oversubscription factor based on the arrival rate and the departure rate, and may calculate a target oversubscription factor based on an average of previous oversubscription factors associated with the multiple virtual output queues. The network device may determine…
Retaining key parameters after a transmission control protocol (TCP) session flap
Granted: February 13, 2024
Patent Number:
11902404
A network device may monitor a TCP session with another network device, and may identify ingress and/or egress packets, a TCP header, and a socket of the TCP session. The network device may inspect the ingress and/or egress packets, the TCP header, and the socket to identify a zero window advertisement, details of a last quantity of packets sent or received, synchronize, finish, or reset packets sent or received, negotiated TCP options, or buffer space utilization, and may temporarily…
Identifying a maximum segment size (MSS) corresponding to a network path
Granted: February 13, 2024
Patent Number:
11902146
Techniques are disclosed for identifying a maximum segment size (MSS) for a path. For example, a first router includes a routing engine and a packet forwarding engine. The routing engine is configured to identify a path maximum transmission unit (MTU) corresponding to a path between the first router and a second router; and identify a maximum packet overhead size corresponding to a session between a first client device and a second client device over the path between the first router and…
Regulating enqueueing and dequeuing border gateway protocol (BGP) update messages
Granted: February 13, 2024
Patent Number:
11902365
A network device, associated with peer network devices, may receive policy information for a protocol; and compute a first update message based on information regarding a route associated with the policy information. The network device may determine that an upper utilization threshold for one or more of peer queues, associated with the peer network devices, is not satisfied; and write the first update message to the peer queues based on determining that the upper utilization threshold is…
Generating a network security policy based on a user identity associated with malicious behavior
Granted: February 13, 2024
Patent Number:
11902330
A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize…
System and method for detecting lateral movement and data exfiltration
Granted: February 13, 2024
Patent Number:
11902303
A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.
Media access control security (MACsec) enabled links of a link aggregation group (LAG)
Granted: February 13, 2024
Patent Number:
11902256
A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated…
EVPN host routed bridging (HRB) and EVPN cloud native data center
Granted: February 13, 2024
Patent Number:
11902160
Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level…
Dynamic internet protocol translation for port-control-protocol communication
Granted: February 13, 2024
Patent Number:
11902159
A network device may receive, from a source device, an option request that includes a source address of the source device and a destination address of a destination device, wherein the network device is associated with an Internet protocol version 6 (IPv6) network. The network device may identify a map code that is associated with an address translation for traffic associated with the destination device and may determine, based on identifying the map code, a source prefix code and a…
High-availability switchover based on traffic metrics
Granted: February 13, 2024
Patent Number:
11902157
A node may be an active node associated with a high-availability service and may route session traffic communicated via a first route path between a first endpoint and a second endpoint. The node may determine a first measurement of a traffic metric of the first route path and may receive, from another node associated with the high-availability service, a second measurement of the traffic metric of a second route path. The node may compare the first measurement and the second measurement…
Compressed routing header
Granted: February 13, 2024
Patent Number:
11902153
A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP…
Weighted multicast join load balance
Granted: February 13, 2024
Patent Number:
11902148
In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages,…
