H04L47/2441

Access network collective admission control

A method for congestion mitigation via admission control in a shared-backhaul telecommunications network is disclosed, comprising: assessing a congestion state in a multi-node radio access network having a shared backhaul connection, the congestion state based on congestion of the shared backhaul connection; retrieving an admission control policy based on the congestion state of the shared backhaul connection; performing a policy action of the admission control policy at a first base station acting as a gateway for the multi-node radio access network with respect to the shared backhaul connection; and sending the admission control policy to other nodes in the multi-node radio access network, thereby causing the other nodes to perform the policy action, wherein the policy action is denying a request from a user equipment to attach to the radio access network.

AUTOMATIC APPLICATION-BASED MULTIPATH ROUTING FOR AN SD-WAN SERVICE

Example network devices, systems, and methods are disclosed. In an example, a network device includes memory configured to store information associated with one or more service level agreements (SLAs) for applications in a software-defined wide area network (SD-WAN) and an application-based multipath routing (AMR) module including processing circuitry. The AMR module is configured to identify, based on criteria, one or more of the applications for AMR, wherein each criterion of the criteria is associated with a corresponding property of an application. The AMR module is configured to determine a breach of one of the SLAs on each WAN link associated with a first application of the identified one or more applications. The AMR module is configured to apply, in response to determining the breach, AMR for the first application.

GENERIC TREE POLICY SEARCH OPTIMIZATION FOR HIGH-SPEED NETWORK PROCESSOR CONFIGURATION
20230214388 · 2023-07-06

A raw policy set is received for the network processor and a dimension bitmap corresponding to the raw policy set. From the raw policy set, a policy tree builder generates a policy tree image from a set of recursive operations on the raw policy set including selecting boundaries of the raw policy set from cuts on a given dimension of the raw policy set, the dimension cut based on a dimension selection and a partition number selection for the raw policy set. Network processor hardware is configured according to the policy tree image including at least one set of registers, at least one set of tables, and at least one sequence of instructions. At runtime, the network processor applies the optimized policy set to processing of the packet session from the data communication network by the network processor hardware.

System and method of processing packet classification with range sets

A method and apparatus of a network element that processes network data using a transformed packet classification list in a network element is described. A network element receives a packet classification list and transforms a first set of the plurality of range sets corresponding to a first one of the two or more types of packet characteristics into a first set of range labels. In addition, the network element transforms a second set of the plurality of range sets corresponding to a second one of the two or more types of packet characteristics into a second set of range labels. The network element may create a set of combination labels. The network element further processes network data by performing a first lookup to derive a first combination packet label, performing a second lookup of at least the first combination packet label, and applying a rule resulting from the second lookup to the network data.

Filtering network traffic from automated scanners
11552896 · 2023-01-10

Methods, systems, and devices for filtering network traffic from automated scanners are described. A device (e.g., an application server) may receive an activity message associated with an interaction with an electronic communication message and identify, from the activity message, at least a source identifier of the activity message and one or more attributes associated with the electronic communication message. The device may then add the activity message to a mapping of source identifiers and attributes associated with previously received activity messages and classify the activity message as being associated with an automated scanner based on a comparison of the received activity message to the mapping over a previous time window. Upon classifying the activity message, the device may transmit a classification result to an external server.

Unique ID generation for sensors

Systems, methods, and computer-readable media are provided for generating a unique ID for a sensor in a network. Once the sensor is installed on a component of the network, the sensor can send attributes of the sensor to a control server of the network. The attributes of the sensor can include at least one unique identifier of the sensor or the host component of the sensor. The control server can determine a hash value using a one-way hash function and a secret key, send the hash value to the sensor, and designate the hash value as a sensor ID of the sensor. In response to receiving the sensor ID, the sensor can incorporate the sensor ID in subsequent communication messages. Other components of the network can verify the validity of the sensor using a hash of the at least one unique identifier of the sensor and the secret key.
