Abstract: In some implementations, a network device may determine, based on a routing table, a plurality of routing paths from the network device to another network device, wherein the plurality of routing paths are respectively associated with a plurality of security classifications. The network device may receive network traffic that is destined for the other network device and that is associated with a particular security classification of the plurality of security classifications. The network device may forward the network traffic based on a particular routing path, of the plurality of routing paths, that is associated with the other network device and the particular security classification.

Abstract: The presently claimed disclosure is directed to methods that may be implemented at a computer. Methods and systems consistent with the present disclosure may include extending protocols associated with authenticating client (i.e. supplicant) devices and with authorizing those supplicant devices to access a wireless network. These methods may include sending data relating to the failure of an authentication and/or an authorization process to a supplicant device attempting to access a wireless network. Methods discussed within may include securely sending failure codes or reasons to a supplicant device that identify why an authentication or authorization process failed. These methods may include sending messages between a supplicant device, an authenticator device, and an authentication and authorization server. After a first failure, the supplicant device may be able to access the wireless network after a reason or code of that failure has been reported to the supplicant device.

Abstract: Systems, devices, and methods are provided for determining whether security assurances are satisfied by security policies that are used to control access to resources used by a mainframe application. A system may use a database to store a plurality of security policies that may comprise security polices of various resources used by mainframes, including resources managed by operating systems and database systems. A reference policy that corresponds to the security assurance being sought may be determined. The security policies may be evaluated using a satisfiability modulo theories (SMT) solver to determine whether the security policies are equally or less permissive than the reference policy.

Abstract: An encoding method for enabling privacy-preserving aggregation of private data can include obtaining private data including a private value, determining a probabilistic status defining one of a first condition and a second condition, producing a multiset including a plurality of multiset values, and providing the multiset for aggregation with a plurality of additional multisets respectively generated for a plurality of additional private values. In response to the probabilistic status having the first condition, the plurality of multiset values is based at least in part on the private value, and in response to the probabilistic status having the second condition, the plurality of multiset values is a noise message. The noise message is produced based at least in part on a noise distribution that comprises a discretization of a continuous unimodal distribution supported on a range from zero to a number of multiset values included in the plurality of multiset values.

Abstract: A carrier network may detect and prevent completion of SIM swap frauds. For example, a carrier network may, based at least in part on a SIM swap request to replace a first SIM associated with a subscriber with a second SIM, store first information associated with the first SIM. Subsequent to the execution of a SIM swap to replace the first SIM with the second SIM, the carrier network may perform fraud detection on the SIM swap based at least in part on the first information associated with the first SIM stored based at least in part on the SIM swap request and based at least in part on second information associated with the second SIM and based at least in part on the SIM swap being detected as fraudulent by the fraud detection, cause the second SIM to be prohibited from operating with respect to the subscriber.

Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, and provide results of the automated analysis in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria or rules so as to generate a compact, human-readable analysis of the data clusters. The human-readable analyses (also referred to herein as “summaries” or “conclusions”) of the data clusters may be organized into an interactive user interface so as to enable an analyst to quickly navigate among information associated with various data clusters and efficiently evaluate those data clusters in the context of, for example, a fraud investigation. Embodiments of the present disclosure also relate to automated scoring of the clustered data structures.

Abstract: A method for automatic key management of network access token public keys for 5GC authorization to mitigate security attacks includes providing, at the NRF, a network access token public key status update notification subscription interface that allows producer NFs to subscribe to receive notifications of updates in status of service access token public keys issued by the NRF. When the NRF determines that an update in status of a service access token public key is required, the NRF updates the status of the public key in its local database and notifies producer NFs that have subscribed to receive the updates. The producer NFs use the public keys to validate service requests from consumer NFs. In one variation, the NRF maintains and updates the status of service access token public keys associated with different service access levels.

Abstract: A computerized system and method to allow patient to control and provide a safe, secure and efficient real-time access to the patient's private health records (PHR) stored in the encrypted uniform format in a Private Health Vault (PHV) database. The system utilizes patient's private encryption key for encrypting and decrypting PHR stored in the PHV. The patient (or patient's appointed agent) controls access to the PHR and authorizes by electronic communications with the PHV server to allow doctors to have access to the centrally maintained and structured medical data in the PHV. The access can be limited in duration. The patient's private keys may be stored in a remote Key Bank database, separately form the PHV database, and the location of the patient's PHV data may also require transmission of the location id from a separate Mapping server.

Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: Examples include service authentication for a principal. A request to access a first service of a plurality of services of a network may be received from a principal by an identity intermediary. An identifier of the first service may be stored at the identity intermediary, and an unsigned credential of the principal and a principal identifier may be transferred from the identity intermediary to a credential provider. The principal identifier and the credential signed by the credential provider may be received, and the signed credential may be transmitted to the first service for authentication.

Abstract: An event analysis system is provided. During operation, the system can determine an event description associated with the switch from an event log of the switch. The event description can correspond to an entry in a table in a switch configuration database of the switch. A respective database in the switch can be a relational database. The system can then obtain an event log segment, which is a portion of the event log, comprising the event description based on a range of entries. Subsequently, the system can apply a pattern recognition technique on the event log segment based on the entry in the switch configuration database to determine one or more patterns corresponding to an event associated with the event description. The switch can then apply a machine learning technique using the one or more patterns to determine a recovery action for mitigating the event.

Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.

Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory having instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to determine establishment of setup criteria to operate in a passive mode, operate in the passive mode to communicate data without initiation of a media access control security key agreement (MKA) protocol in response to determination of the establishment of the setup criteria, receive activation data during operation in the passive mode, the activation data being indicative that a media access control security (MACsec) communication link is to be established, and operate in an active mode in response to receipt of the activation data to initiate the MKA protocol to establish the MACsec communication link.

Abstract: Various systems and methods for user-authorized onboarding of a device using a public authorization service are described herein. In an example, a 3-way authorization protocol is used to coordinate device onboarding among several Internet of Things (IoT) Fog users (e.g., devices in a common network topology or domain) with principles of least privilege. For instance, respective onboarding steps may be assigned for performance by different Fog ‘owners’ such as respective users and clients. Each owner may rely on a separate authorization protocol or user interaction to be notified of and to give approval for the specific onboarding actions(s) assigned. Further techniques for implementation and tracking such onboarding actions as part of an IoT network service are also disclosed.

Abstract: A threat detection system for detecting malware can automatically decide, without manual expert-level interaction, the best set of features on which to train a classifier, which can result in the automatic creation of a signature-less malware detection engine. The system can use a combination of execution graphs, anomaly detection and automatic feature pruning. Execution graphs can provide a much richer structure of runtime execution behavior than conventional flat execution trace files, allowing the capture of interdependencies while preserving attribution (e.g., D happened because of A followed by B followed by C). Performing anomaly detection on this runtime execution behavior can provide higher order knowledge as to what behaviors are anomalous or not among the sample files. During training the system can automatically prune the features on which a classifier is trained based on this higher order knowledge without any manual intervention until a desired level of accuracy is achieved.

Abstract: Systems and methods for combining input data and machine learning models that remain secret to each entity are described. This disclosure can allow groups of entities to compute predictions based on datasets that are larger and more detailed collectively than individually, without revealing their data to other parties. This is of particular use in artificial intelligence (AI) tasks in domains which deal with sensitive data, such as medical, financial, or cybersecurity.

Abstract: Generating a rights blockchain storing rights of a user, including: receiving an enrollment request and a public key from the user; verifying that the user has a private key corresponding to the public key; generating a user identifier using the public key; and generating and delivering the rights blockchain having a genesis block including the user identifier to the user.

Abstract: A computing device includes one or more processors, a memory and an encryption accelerator. The memory includes instructions that when executed on the processors cause a first networking session to be established between a pair of communication peers. Encryption of messages of the first session is enabled by a parameter of a security protocol of the session. The encryption accelerator obtains a key determined in the first session, and uses the key to encrypt messages of a second networking session established between the peers.

Abstract: Technologies for securing a virtualization network function (VNF) image includes a security server to generate a wrapping cryptographic key to wrap a private key of the VNF image and replace the private key with the wrapped private key to secure the private key. During operation, the VNF image may be authenticated by a network function virtualization (NFV) server as needed. Additionally, the signature of the VNF image may be updated each time the VNF image is shutdown to ensure the continued authenticity of the VNF image.

Abstract: Examples include a method of predictive rate limiting for performing services requested by a client in a cloud computing system. The method includes receiving a request from a client for one of a plurality of services to be performed, the client belonging to an organization; and determining a current threshold for the organization by applying a real time data model and a historical data model, the real time data model generating a first threshold at least in part by determining a number of requests received from the organization over a first preceding period of time; the historical data model generating a second threshold, the historical data model being generated by applying a machine learning model to historical data stored during processing of previous requests for the plurality of services from the organization over a second preceding period of time, the current threshold being the average of the first threshold and the second threshold.