Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: Embodiments of systems and methods for implementing data sovereignty safeguards in a distributed services network architecture are disclosed. Embodiments of a distributed services system may have a number of distributed nodes that each implements a set of services. When a user requests a service at a particular node of a distributed services system, the node is configured to determine if that node is not (or is) data sovereign for a region associated with the user. If the node is not data sovereign for the user's region, the user may be directed to a corresponding service at a node of the distributed service system that is data sovereign for the user's region.

Abstract: Various example embodiments for supporting security in a communication system are presented. Various example embodiments for supporting security in a communication system may be configured to support stateful security redundancy in the communication system. Various example embodiments for supporting stateful security redundancy in a communication system may be configured to support stateful security redundancy for a set of client devices based on a set of security nodes arranged in a security redundancy architecture. Various example embodiments for supporting stateful security redundancy for a set of client devices based on a set of security nodes arranged in a security redundancy architecture may be configured to support stateful security redundancy for a client device based on a security redundancy domain including an active security node and one or more standby security nodes.

Abstract: A computational instance of a remote network management platform may execute a remote access call for a license consolidation server. The remote access call may contain instructions for obtaining concurrent license usage statistics from the license consolidation server. In response to obtaining the concurrent license usage statistics, the computational instance may update a software configuration with the concurrent license usage statistics, where the software configuration contains a license rights allocation for the concurrent software application. Based on the concurrent license usage statistics and the license rights allocations, the computational instance may generate a representation of a graphical user interface that contains an overview pane indicating a utilization of the concurrent software application. Then the computational instance may transmit, to a client device, the representation of the graphical user interface.

Abstract: A malicious anchor node detection and target node localization method based on recovery of sparse terms, includes: S1: establishing an unknown disturbance term by using ranging value attack terms from an attacker to nodes in a wireless sensor network, and introducing a to-be-estimated location of a target node to the unknown disturbance term, to obtain an unknown sparse vector; S2: converting a problem of malicious anchor node detection and target node localization into a problem of recovery of the unknown sparse vector; S3: determining a location of an initial node according to a recursive weighted linear least square method, and recovering and reconstructing the unknown sparse vector with sparsity; and S4: determining a malicious anchor node determination range by approximating a threshold using a recovered value of the unknown sparse vector, to implement malicious anchor node detection, and recovering and determining location information of the target node.

Abstract: Balancing the observed signals used to train network intrusion detection models allows for a more accurate allocation of computing resources to defend the network from malicious parties. The models are trained against live data defined within a rolling window and historic data to detect user-defined features in the data. Automated attacks ensure that various kinds of attacks are always present in the rolling training window. The set of models are constantly trained to determine which model to place into production, to alert analysts of intrusions, and/or to automatically deploy countermeasures. The models are continually updated as the features are redefined and as the data in the rolling window changes, and the content of the rolling window is balanced to provide sufficient data of each observed type by which to train the models. When balancing the dataset, low-population signals are overlaid onto high-population signals to balance their relative numbers.

Abstract: The concepts and technologies disclosed herein are directed to quantum security enhancement for IPsec protocol. According to one aspect disclosed herein, a quantum resource manager (“Q-RM”) can find a recommended quantum routing path for routing data from a first data center to a second data center via a pair of entangled quantum particles. The Q-RM can instruct a first quantum node (“QN”) associated with the first data center and a second QN associated with the second data center to establish a quantum channel that facilitates the recommended quantum routing path. The Q-RM can prepare an IPsec encrypted tunnel to carry a qubit associated with the pair of entangled quantum particles from the first data center to the second data center. The Q-RM can find the recommended quantum routing path responsive to an issue detected with the IPsec encrypted tunnel previously established between the first data center and the second data center.

Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.

Abstract: Systems and methods for software license management using a distributed ledger are disclosed. A method for software license management may include: receiving, from an agent executed by an electronic device in a computer network, a request for a new software license for the electronic device or for a user; determining that there are no available tokens for associated with the software license in a license inventory; obtaining a license for the software; generating a token for the license, wherein the token comprises an identification of a license type and a software identifier; writing the token to a license distributed ledger with an indication that the token is available; reserving the token for the electronic device or the user and writing the reservation to the license distributed ledger; and adding a second token for the license to an electronic wallet associated with the electronic device or the user.

Abstract: An embodiment for media transit management is provided. The embodiment may include receiving one or more images and one or more pre-set configuration criteria regarding management of an image file. The embodiment may also include monitoring for an attempted sharing of the image file. The embodiment may further include in response to determining each object in the one or more images matches each object in the image file, identifying at least one other user who is attempting to share the image file. The embodiment may also include in response to determining the at least one other user is not authorized to share the image file, analyzing the one or more pre-set configuration criteria correlated with the image file. The embodiment may further include in response to determining the image file does not meet the one or more pre-set configuration criteria, prompting the participating user to respond to a notification.

Abstract: In one embodiment, a device in a network receives traffic sent from a first endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the received traffic based on the received padding response by adding one or more frames to the received traffic. The device sends the adjusted traffic to the second endpoint.

Abstract: A method for verifying that event can take place before the event is executed is disclosed. A verification system is incorporated into an event processing network, such that the verification system can identify newly proposed events and determine whether they can be completed. The verification system can inform the network about verification results through distributed blockchain records. Other changes in event status can also be communicated through and stored in blockchain records.

Abstract: An enhanced email service that mitigates drawbacks of conventional email services by enabling transmission of encrypted content to a recipient regardless of the recipient having a prior relationship with the sender or having credentials issued from a certificate authority. A method is provided for receiving encrypted content and generating a message includes both the encrypted content as an attachment and a link to enable access to the encrypted content. The method may include transmitting the message to an intended recipient's mailbox while also storing the message in another mailbox to provide for subsequent decryption of the encrypted content. The link may provide the intended recipient of the message with access to the encrypted content in various ways depending on, for example, whether the recipient is viewing the message through a webmail browser or through a local mail client that is compatible with the enhanced email service.

Abstract: Methods, apparatus, systems and articles of manufacture to classify a first file are disclosed herein. Example apparatus include a feature hash generator to generate respective sets of one or more feature hashes for respective features of the first file. The number of the one or more feature hashes to be generated is based on an ability of the feature to distinguish the first file from a second file. The apparatus also includes a bit setter to set respective bits of a first fuzzy hash value based on respective ones of the one or more feature hashes, a classifier to assign the first file to a class associated with a second file based on a similarity between the first fuzzy hash value and a second fuzzy hash value for a second file.

Abstract: A method for the usage-based licensing of one or more applications in a container, wherein the container comprises a license module, an application queries the presence of an application license via the license module and is only executed if an application license is present. In the license module, a linking of one or more application licenses with a unique identifier is stored, and the container comprises a settlement module, which retrieves a usage unit from an external license source. For the duration of an obtained usage unit, the settlement module provides the unique identifier in a secure data storage so that all applications linked with the unique identifier can be executed. A computer system and a computer program product are also provided.

Abstract: The present disclosure describes exemplary methods and systems of protecting an integrated circuit. One exemplary method comprises receiving a plurality of key inputs for enabling operation of the integrated circuit; determining whether the received key inputs are correct key inputs for enabling operation of the integrated circuit; and if the received key inputs are determined to be incorrect key inputs, locking sequential logic and combinational logic of the integrated circuit until correct key inputs are received.

Abstract: A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.

Abstract: A method for operating an Internet of Things (IoT) system includes obtaining, by a device registration tool, identification information of a first IoT module, obtaining, by the device registration tool, identification information of a device with the first IoT module mounted thereon, and registering, by the device registration tool, the identification information of the first IoT module and the identification information of the device in a database accessible by an IoT network.

Abstract: In some aspects, a method for revoking access to a network application on a client device. The method includes establishing, by a client application on a client device responsive to authenticating a user, access to one or more network applications of one or more first servers of a first entity via an embedded browser of the client application, receiving, by the client application, a notification from a second server of a second entity that access for the user to a network application of the one or more network applications is to be revoked, and performing, by the client application responsive to the notification, one or more revoking actions based at least on a policy.

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.