H04L41/142

Open-source architecture for remote physical or remote physical-media access control device

A remote node device includes a hardware layer, a hardware abstraction layer, and a software stack operating on the hardware abstraction layer. The software stack includes an open-source cloud-based operating system integrated with a service-provider-defined abstraction layer configured to coordinate functionality of the software stack, and virtualized software components such as a virtualized Converged Cable Access Platform (vCCAP) implemented in Docker containers, where the vCCAP is configured to command and control the remote node device with respect to customer premise equipment. The software layer of the remote node device includes different types of YANG data models for model-driven management and model-driven telemetry from the remote node device and the customer premise equipment to a service provider back-office system.

Automated Estimation of Network Security Policy Risk
20230056212 · 2023-02-23

A computer system automatically tests a network communication model by predicting whether particular traffic (whether actual or simulated) should be allowed on the network, and then estimating the accuracy of the network communication model based on the prediction. Such an estimate may be generated even before the model has been applied to traffic on the network. For example, steps can include observing positive data associated with a network; generating a network communication model based on the positive data; generating negative data based on the network communication model; calculating a precision of the network communication model based on the network communication model and the negative data; and calculating an accuracy of the network communication model based on one or more of the precision of the network communication model, or the network communication model and the positive data.

COLLECTING AND ANALYZING DATA REGARDING FLOWS ASSOCIATED WITH DPI PARAMETERS
20230054961 · 2023-02-23

Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software-defined wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a first set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways. In some such embodiments, the method forwards the copy of the set of packets to the controller cluster, which then uses the remote deep packet inspector to perform the remote DPI operation. The method receives the result of the second DPI operation, and when the first and second sets of DPI parameters differ, generates a record regarding the difference.

METHODS AND DEVICES OF DETECTION OF MISBEHAVING UES USING DATA ANALYSIS
20220369110 · 2022-11-17

New methods are proposed to detect misbehaving UEs based on 5GS. The methods allow the network to react accurately and efficiently to deal with misbehaving UE(s).

Fault Detection Model Training Method, Apparatus, and System
20220368606 · 2022-11-17

A forwarding device receives at least one service flow; the forwarding device obtains service information of the at least one service flow, where the service information of the service flow includes identification information of a network object to which the service flow belongs and M key performance indicators (KPIs) of the service flow, M is an integer greater than 0, and the network object includes one or more devices; and the forwarding device sends training information to a first device, where the training information includes the service information of the at least one service flow or a feature set obtained based on the service information of the at least one service flow, the training information is used to train a fault detection model, and the fault detection model is used to detect whether the network object is in a faulty state.

Fault Detection Method, Apparatus, and System
20220368590 · 2022-11-17

In certain embodiments, a forwarding device receives at least one service flow. The forwarding device obtains service information of the at least one service flow, where the service information of the service flow includes identification information of a network object to which the service flow belongs and M key performance indicators (KPIs) of the service flow. M is an integer greater than 0, and the network object includes one or more devices. The forwarding device sends detection information to a first device, where the detection information includes the service information of the at least one service flow or a feature set obtained based on the service information of the at least one service flow. The detection information is used to detect whether the network object is in a faulty state.

Internet address structure analysis, and applications thereof
20220368603 · 2022-11-17

An analysis system automates IP address structure discovery by deep analysis of sample IPv6 addresses using a set of computational methods, namely information-theoretic analysis, machine learning, and statistical modeling. The system receives a sample set of IP addresses, computes entropies, discovers and mines address segments, builds a network model of address segment inter-dependencies, and provides a graphical display with various plots and tools to enable a network analyst to navigate and explore the exposed IPv6 address structure. The structural information is then applied as input to applications that include: (a) identifying homogeneous groups of client addresses, e.g., to assist in mapping clients to content in a CDN; (b) supporting network situational awareness efforts, e.g., in cyber defense; (c) selecting candidate targets for active measurements, e.g., traceroute campaigns, vulnerability assessments, or reachability surveys; and (d) remotely assessing a network's addressing plan and address assignment policy.
