Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

Abstract: According to an embodiment, a communication system includes a plurality of communication apparatuses. Each of the communication apparatuses includes a key generator and a synchronization processor. The key generator generates shared keys shared with another communication apparatus. The synchronization processor synchronizes at least one of order of using the generated shared keys and roles played when the generated shared keys are used, with another communication apparatus based on a rule determined in advance.

Abstract: In response to receiving an unknown first session identifier from a client for a first communication session between the client and a server, a Man in the Middle (MitM) computer requests a second session identifier from the server for a second communication session between the server and the MitM computer. The MitM computer generates a third session identifier for a third communication session between the MitM computer and the client. The MitM computer generates a fourth communication session between the server and the client using a combination of the second communication session and the third communication session. In response to receiving an invalid session identifier from the client for a fifth communication session between the client and the server, the MitM computer transmits an instruction, to the client, to flush a session cache in the client to force a full TLS handshake between the client and the server.

Abstract: Multiple data sets are preprocessed by WF muxing before stored/transported. WF muxed data is aggregated data from multiple data sets. The original data is reassembled via WF demuxing after retrieving a lesser but scalable number of WF muxed data sets. A customized set of WF muxing on multiple digital files as inputs including at least a data message file and a selected digital envelop file, is configured to guarantee at least one of the multiple outputs comprising a weighted sum of all inputs with an appearance to human natural sensors substantially identical to the appearance of the selected digital envelop in a same image, video or audio format. The output file is the file with enveloped or embedded messages. The embedded message may be reconstituted by a corresponding WF demuxing processor at destination with the known a priori information of the original digital envelope.

Abstract: The present disclosure is directed towards systems and methods for evaluating or mitigating a network attack. A device determines one or more client internet protocol addresses associated with the attack on the service. The device assigns a severity score to the attack based on a type of the attack. The device identifies a probability of a user account accessing the service during an attack window based on the type of attack. The device generates an impact score for the user account based on the severity score and the probability of the user account accessing the service during the attack window. The device selects a mitigation policy for the user account based on the impact score.

Abstract: For digitally signing a document, an apparatus, method, and computer program product are disclosed. The apparatus includes a processor and a memory that stores code, executable by the processor, including code that: detects a trigger, searches a digital document for a user signature in response to the trigger, and applies a digital signature to the digital document in response to the digital document including a user signature. In some embodiments, the digital signature may be based on the user signature.

Abstract: Determining whether to allow access to a message is disclosed. A message is received from a sender. The message is associated with a first time-to-live (TTL) value. A determination is made that the first time-to-live value has not been exceeded. The determination is made at least in part by obtaining an external master clock time. In response to the determination, access is allowed to the message.

Abstract: A system comprises a plurality of personal devices identified by at least one remote storage network as belonging to a user. A personal device comprises a first folder for storing a known a priori digital file, a second folder for storing a data file, a processor, and a network interface. The processor performs an M-to-M waveform multiplexing transformation on M input files, M>1, and generates M output files. Each output file comprises a respective linear combination of the M input files. The M input files comprise the data file and the known a priori digital file. Each of the M output files appears to human perception as having substantially identical visual or audio features to the known a priori digital file. The network interface sends at least M?1 of the M output files to at least one destination in the at least one remote storage network for storage.

Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties. One example may comprise one or more of creating one or more control commands configured to control one or more smart devices, signing the one or more control commands via a key maintained by an entity creating the control commands, broadcasting the one or more control commands to the one or more smart devices, and storing the one or more control commands in a blockchain.

Abstract: A method for providing safe access of a mobile control unit (1) to a field device (2), wherein, in particular, the field device is protected against unauthorized access via a mobile control unit is achieved in that a connection for transmitting data is established between the mobile control unit (1) and the field device (2), that access data for access is exchanged, that a comparison is made between the access data and stored comparison data and a comparison result is generated, and that access of the mobile control unit (1) to the field device (1) is permitted based on the comparison result.

Abstract: An embodiment of a method of providing identity services includes: receiving identity data for an individual for which the identity provider has provided an identity; generating a transaction to store an identifier representing the identity data in a data structure on a blockchain of a distributed system; sending the transaction to at least one node of the distributed system; and generating an identity token incorporating the identifier representing the identity data. An embodiment of a method of verifying an identity includes: receiving data extracted from the identity token, wherein the extracted data includes an identifier representing the identity data; determining whether a data structure containing the extracted identifier representing the identity data is stored on a blockchain of a distributed system; and outputting an indication of a validity of an identity associated with the identity data based on the determination.

Abstract: A new approach is proposed that contemplates systems and methods to support a mechanism to offload IPSec/IKE processing of virtual machines (VMs) running on a host to an embedded networking device, which serves as a hardware accelerator for the VMs that need to have secured communication with a remote device/server over a network. By utilizing a plurality of its software and hardware features, the embedded networking device is configured to perform all offloaded IPSec operations on data packets transferred between the host and the remote device over the network as required for the secured communication before the data packets can be transmitted over the network. The embedded networking device, in effect, acts as a proxy on behalf of the VMs running on the host to perform the offloaded IPSec operations as well as serving as the network interface for the secured communication between the VMs and the remote device.

Abstract: An overlay cyber security networked system and method that includes one or more devices configured to monitor physical-level signal information to determine a cyber security threat or breach event based on activity occurring with physical signals present at one or more components of a Process Control Network (PCN), enabling forensic analysis. The overlay cyber security networked system also provides information needed for real-time incident management by capturing logs of relevant events at various points in the network hierarchy starting at the analog signaling from the sensors to detect unauthorized variances in operational parameters, thereby providing a defense in depth security architecture for PCN-based systems.

Abstract: A method for updating an embedded electronic control unit, including an update gateway requests from a hardware security module an update request destined for the electronic control unit, the update gateway receives from the hardware security module the update request, which is signed by the hardware security module, the update gateway creates a communication channel, based on a cryptographic identity of the update gateway, to a backend, the update gateway sends the update request to the backend, the update gateway receives from the backend via the communication channel an update ticket which corresponds to the update request and is signed by the backend, in addition to associated update data, validates the update data, initiates a validation of the update ticket, checks the result of the validation, and depending on the result, the update gateway updates the electronic control unit with the update data.

Abstract: A request is received from a deployer associated with an application to create an instance broker service instance. A request is received from the deployer to bind the instance broker service instance to the application. Instance broker credentials associated with the instance broker service instance are received and provided to the application. The application uses the instance broker credentials to access the instance broker service instance and determines whether to create a new service instance using the instance broker service instance.

Abstract: A method may include receiving, at an application server, a session initiation protocol (SIP) message including a public user identifier (ID) associated a user. The public user ID corresponds to a plurality of user devices. The method also includes determining an applicable order of alerting at least one of the plurality of user devices. The method further includes identifying at least one available user device associated with the user, based on a terminal identifier (ID) associated with each at least one available user device. The method also includes selecting a user device from the at least one available user device based on the applicable order of alerting. A SIP invite message, including a terminal ID for the selected user device, is generated. The method includes sending the SIP invite message to the selected user device based on the applicable order of alerting, and receiving a response to the SIP invite message.

Abstract: A system, device and method to securely notify a user of a compromise of a device are provided. The system, device and method may include a detection device adapted for determining a compromise of the device communicatively coupled to the first path, a user database including at least information regarding the device and other devices associated with the user, and the secure signal path to at least one of the other devices.

Abstract: A system, method, and non-transitory computer-readable relating to network security are disclosed. In particular, embodiments described generally relate to systems and methods of stateless processing in a fault-tolerant microservice environment. In one example, a method is disclosed, which includes transmitting, by a first microservice, packet data and a context associated therewith; receiving the packet data and the context by a second microservice, the second microservice to: use the context to determine what security processing to perform, perform the security processing over the packet data, and transmit resulting data and the context to a third microservice; and receiving the resulting data and the context by the third microservice, the third microservice to: use the context to determine what security processing to perform, and perform the security processing over the resulting data.

Abstract: To raise confidentiality of the value stored in the ROM, in an IC having a built-in or an externally-attached ROM storing a value (program and/or data) encrypted using a predetermined cryptographic key. The IC includes the ROM storing the encrypted value (program and/or data), a unique code generating unit, and a decrypting unit. The unique code generating unit generates a unique code specifically determined by production variation. The decrypting unit calculates a cryptographic key on the basis of the generated unique code and a correction parameter, and decrypts the encrypted value read out from the ROM by using the calculated cryptographic key. The correction parameter is preliminarily calculated outside the IC, on the basis of an initial unique code generated from the unique code generating unit immediately after production of the IC, and the predetermined cryptographic key used for encryption of the value to be stored in the ROM.

Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include an device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.