Patent classifications
H04L61/2571
Hybrid and efficient method to sync NAT sessions
The method synchronizes network address translation (NAT) records between an active gateway and a standby gateway. The method of some embodiments synchronizes NAT records of long-term data flows more frequently than those of short-term flows. Multiple data flows pass between a device at an internal source address and a device at an external destination address through the active NAT gateway. For each flow, the method generates a NAT record. The method then determines whether the data flow is a short-term flow or a long-term flow and synchronizes the NAT records of the long-term flows, but not the NAT records of the short-term flows, with the standby gateway. The method of some embodiments synchronizes NAT records more frequently when NAT records are being generated quickly relative to prior generation rates and less frequently when NAT records are being generated slowly relative to the prior generation rates.
MOBILE EDGE COMPUTING WITH LOW LATENCY TRAFFIC SEGREGATION WITHIN A PDN USING DEDICATED BEARERS
Presented herein are embodiments that provide mobile edge computing (MEC) with low latency traffic segregation within a packet data network (PDN) using dedicated bearers. Techniques are provided that are performed at an edge user plane entity and a control plane entity to coordinate the directing of low latency traffic over a dedicated bearer broken out at the edge, and to communicate normal latency traffic over a default bearer that is centrally broken out.
Detection of threats based on responses to name resolution requests
Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.
APPARATUS AND METHOD TO FACILITATE NETWORK ADDRESS TRANSLATION SERVICE
An apparatus comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to: send (800) a registration request comprising a range of addresses and/or ports managed by a network address and/or port translation service and an identifier of the network address and/or port translation service; and receive (804) an address and/or port translation information request comprising an address and/or port used by an application to communicate with a terminal, wherein the address and/or port used by the application to communicate with the terminal is within the range of addresses and/or ports managed by the network address and/or port translation service.
Systems and Methods for Generating Contextual Labels
In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a user credential from a remote access client within a network and communicating the user credential to an authentication, authorization and accounting (AAA) server within the network. The operations also include receiving a user attribute from the AAA server and generating a contextual label based on the user attribute. The contextual label includes routing instructions associated with traffic behavior within the network. The operations further include advertising a control message, which includes the contextual label, to the remote access client.
Methods and systems for distributed cryptographically secured data validation
Methods and systems for cryptographically secured data validation. The system includes a first validator. The first validator is designed and configured to receive a first instance of an immutable sequential data structure containing at least a first digitally signed textual element containing at least a first physical asset transfer field populated with at least a first physical asset transfer datum and at least a second digitally signed textual element generated by a second validator. The first validator authenticates the first instance of the immutable sequential data structure. The first validator generates at least a second validity flag indicating a determination by the first validator as to the accuracy of the at least a first physical asset transfer field. The first validator detects a conflict between the first validity flag and the second validity flag. The first validator transmits to the at least a second validator an indication of the conflict.
System and method for matching and collecting user data and/or user device data
Systems and methods for matching and collecting user data and/or user device data within a current Internet access session of a user, for use by user notification systems that generate, distribute and display informational messages over the Internet. The system includes a source data reception unit configured to receive, from the NAT service, a source IP address and a source user device port matched with the translated IP address and the translated port of the operator or the provider. A data matching unit matches user data and/or user device data from all available sources, including but not limited to operator or provider databases, using the received source IP address and the received user device port. The systems and methods provide delivery of informational messages based on the collected/matched user data and/or user device data to the maximum number of real identified users.
METHODS AND SYSTEMS FOR DISTRIBUTED CRYPTOGRAPHICALLY SECURED DATA VALIDATION
Methods and systems for cryptographically secured data validation. The system includes a first validator. The first validator is designed and configured to receive a first instance of an immutable sequential data structure containing at least a first digitally signed textual element containing at least a first physical asset transfer field populated with at least a first physical asset transfer datum and at least a second digitally signed textual element generated by a second validator. The first validator authenticates the first instance of the immutable sequential data structure. The first validator generates at least a second validity flag indicating a determination by the first validator as to the accuracy of the at least a first physical asset transfer field. The first validator detects a conflict between the first validity flag and the second validity flag. The first validator transmits to the at least a second validator an indication of the conflict.
INTERNET-FACING DEVICE IDENTIFICATION
Technology described herein determines whether a device is Internet-facing. An Internet-facing device is a device to which traffic coming from the Internet is routable. The technology described herein may comprise two components that work together to identify Internet-facing devices. The first component is a monitoring agent installed on organizational devices. The second component is an Internet-facing management service, which may be cloud based. The monitoring agent communicates connection-event notices to the Internet-facing management service. The source IP address in the connection-event notice is compared to a list of organizational IP addresses. If the source IP address is not on the list, then the computing device associated with the notice is added to a list of Internet-facing devices, because the connection originated from the Internet. Software listed in the connection-event notice may be added to a list of Internet-facing software instances.
IDENTIFYING DEVICES AND DEVICE INTENTS IN AN IOT NETWORK
According to one or more embodiments of the disclosure, an asset inventory service executed by one or more devices receives telemetry data collected passively by a sensor application regarding a node in a network. The asset inventory service requests, after receiving the telemetry data, that the sensor application perform active discovery of nodes in the network. The asset inventory service receives active discovery data collected by the sensor application via active discovery of nodes in the network. The asset inventory service generates, based on the telemetry data and the active discovery data, an identity profile for the node.