Patents Examined by Ondrej C. Vostal
  • Patent number: 11252140
    Abstract: Systems and methods for securely calling APIs on an API gateway from applications that need first party authentication are disclosed. In one embodiment, a method may include: (1) receiving, from a protected service, an authentication system token/cookie identifier, a first plurality of user identifying attributes, and a request to create an oAuth access token; (2) creating an attribute string; (3) encrypting the attribute string with a private key, resulting in the oAuth access token; (4) sending the oAuth access token to the first party computer application; (5) receiving, from the first party computer application, a request to access a backend service, a second plurality of user identifying attributes, and the oAuth access token; (6) decrypting the oAuth access token; (7) validating the decrypted oAuth access token; (8) inserting the authentication system token/cookie identifier into the request to access; and (9) communicating the request to the backend service.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: February 15, 2022
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Raghuram Vudathu, Howard Spector
  • Patent number: 11252071
    Abstract: This document describes systems, devices, and methods for testing the integration of a content provider's origin infrastructure with a content delivery network (CDN). In embodiments, the teachings hereof enable a content provider's developer to rapidly and flexibly create test environments that send test traffic through the same CDN hardware and software that handle (or at least have the ability to handle) production traffic, but in isolation from that production traffic and from each other. Furthermore, in embodiments, the teachings hereof enable the content provider to specify an arbitrary test origin behind its corporate firewall with which the CDN should communicate.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: February 15, 2022
    Assignee: Akamai Technologies, Inc.
    Inventors: Bradford A. Jones, Manish Gupta
  • Patent number: 11252182
    Abstract: An edge server receives a plurality of requests from a client network application for actions to be performed on a resource that is hosted at an origin server. The edge server determines request attributes of the requests and associates the request attributes with a session identifying the client network application. The edge server generates a confidence value for the client network application based at least on the determined request attributes of the plurality of requests and computed session metrics of the session. When the confidence value indicates that the client network application is malicious, the edge server performs one or more mitigation actions.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: February 15, 2022
    Assignee: CLOUDFLARE, INC.
    Inventors: Maciej Bilas, John Graham-Cumming, Marek Majkowski
  • Patent number: 11240266
    Abstract: Embodiments of the present disclosure use natural language processing, machine learning and relevant corpora to detect social engineering attacks with a high degree of accuracy. In various embodiments, lexical features, spelling features and topical features are automatically analyzed from a source text and a model is employed to assess the likelihood that the source message is a social engineering attack.
    Type: Grant
    Filed: July 16, 2021
    Date of Patent: February 1, 2022
    Assignee: Social Safeguard, Inc.
    Inventors: Otavio R. Freire, Ruben Jimenez
  • Patent number: 11240187
    Abstract: A method, a computer program product, and a computer system cognitively distribute email attachments to recipients. The method includes receiving an email composition for an email to be transmitted to a plurality of recipients, the email composition including at least one attachment. The method includes determining recipient information indicative of respective characteristics of the recipients. The method includes determining a context of a select one of the at least one attachment. The method includes, for each recipient, determining a score indicative of an appropriateness of the selected attachment being distributed to the recipient based on the recipient information of the recipient and the context of the selected attachment. The method includes, as a result of the score for a select one of the recipients satisfying a scoring threshold, distributing the attachment to the selected recipient via the email.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Yukti Dhawan, Abhishek Dhawan, Manjit Singh Sodhi
  • Patent number: 11233707
    Abstract: Techniques for metadata-based information provenance are disclosed. A node in a data provisioning layer receives encrypted payload data to be delivered to a recipient. The node generates provenance metadata that describes at least one action taken by the node with respect to the encrypted payload data. The node transmits the encrypted payload data and the provenance metadata via the data provisioning layer toward the recipient.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: January 25, 2022
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Patent number: 11228553
    Abstract: A system, method, and an apparatus relate to a system for electronic communication between personnel, and sharing tasks and plant device operating statuses. The use of electronic communication allows for interaction between personnel at different locations and provides real time communication between personnel regardless of their location, whether they are on-site, in a meeting, or out of office. Additionally, the use of electronic communication allows for concurrent viewing of information by all the personnel rather than individually viewing a singular physical log book.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: January 18, 2022
    Assignee: YOKOGAWA ELECTRIC CORPORATION
    Inventors: Jinsong Qian, Andrew Nathanael
  • Patent number: 11223591
    Abstract: Described are techniques for modifying a shareable location in shared posts. The techniques include a method comprising inputting a social networking post received from a user device to a location precision model executing as an application on the user device, where the social networking post is associated with a first time and a shareable location. The method further comprises outputting, by the location precision model, a modified shareable location. The method further comprises transmitting the social networking post to a social networking system with a modified shareable location, wherein the modified shareable location is a generalized version of the shareable location.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: January 11, 2022
    Assignee: International Business Machines Corporation
    Inventors: Scott E. Schneider, Christopher J. Hardee, Shikhar Kwatra, Steven Joroff
  • Patent number: 11218506
    Abstract: Aspects of the present disclosure provide systems and methods for performing session maturity modeling and tracking to aid in the identification of network traffic that should and/or should not be subjected to DOS mitigation mechanisms. More specifically, based on a maturity status of identification information associated with a communication, a communication may bypass high traffic mitigation mechanisms such as packet rate and connection rate limitations.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: January 4, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Raymond Keith Linz
  • Patent number: 11218423
    Abstract: Embodiments provide a method, which can implement establishment of a network function virtualization (NFV) network service chain. The method includes obtaining, by a first communications unit, a service chain rule, where the service chain rule is used to indicate service processing that needs to be performed. The method also includes obtaining, according to the service chain rule, information about a service chain through which a service route passes, where the information about the service chain is used to indicate information about a virtualized network function (VNF) through which the service route passes, and the VNF is configured for the service processing; and sending a route and resource configuration request message, where the route and resource configuration request message carries the information about the service chain, to request to perform, according to the information about the service chain, route and resource configuration for the VNF included in the service chain.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: January 4, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Lei Zhu, Anni Wei, Fang Yu
  • Patent number: 11218543
    Abstract: An information handling system for managing a network includes a first stackable network switch, a second stackable network switch, and a hardware switching management controller. The first stackable network switch includes a first configuration setting to enable the first stackable network switch to operate in a switch stack. The first configuration setting is accessible via an OpenFlow protocol. The second stackable network switch includes a second configuration setting to enable the second stackable network switch to operate in the switch stack. The second configuration setting is accessible via the OpenFlow protocol. The hardware switching management controller includes an OpenFlow stacking manager configured to set the first configuration setting and the second configuration setting such that the switch stack includes the first and second stackable network switches.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: January 4, 2022
    Assignee: Dell Products L.P.
    Inventors: Srinivasa Rao Nagalla, Rabah Hamdi
  • Patent number: 11218512
    Abstract: Some network architectures include perimeter or edge devices which perform network address translation or otherwise modify data in a network traffic packet header, such as the source address. The modification of the source address prevents downstream devices from knowing the true or original source address from which the traffic originated. To address this issue, perimeter devices can insert the original source address in an X-Forwarded-For field of the packet header. Firewalls and related security services can be programmed to record the original source address in the XFF field in addition to the other packet information and to consider the original source address during security analysis. Using the original source address in the XFF field, services can determine additional characteristics about the traffic, such as geographic origin or associated user accounts, and use these characteristics to identify applicable rules or policies.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: January 4, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Thomas Arthur Warburton, Ashwath Sreenivasa Murthy, Jeffrey James Fitz-Gerald, Jr.
  • Patent number: 11212277
    Abstract: An electronic platform/system and method that uses electronic data to protect itself by realizing where an individual's device is and where it is being accessed from. As the internet expands into the physical world, with every device being IP enabled and addressable, the geographic proximity, network proximity, proximity to the access point of the internet, the authentication, encryption and presentation and flow of data can be linked to an increasingly addressable and measurable physical reality, a moment in time and a proximity to other data and objects using the system and method. The data itself is IP accessible in the form of IP addressable storage devices, and subject to the same techniques. Geographic, chronological and addressable interrelationship of the data as it is packetized and distributed, and the devices as they communicate, form a fabric.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: December 28, 2021
    Assignee: KNWN TECHNOLOGIES, INC.
    Inventor: Richard Lawrence Kane
  • Patent number: 11212316
    Abstract: Method and system embodiments for assessing control maturity in security operations environments are described. According to some embodiments, the method facilitates a nonintrusive, automated means to configure and detect security controls installed in an Information Technology (IT) environment. The system verifies that these controls function as expected over a specified period of time and then maps each security control to a cell in a matrix of operational functions crossed with asset classes. The system captures metrics for security control activity that are displayed in the matrix to facilitate an assessment of security control architectural maturity. The system automatically generates visual and textual reports that provide recommendations to improve cybersecurity by enhancing existing and adding new controls, specify a suggested timeline for introducing those controls, and document gaps in compliance.
    Type: Grant
    Filed: January 4, 2019
    Date of Patent: December 28, 2021
    Assignee: Fortinet, Inc.
    Inventors: Matthew Stephen Sweeney, Casey Corcoran, John Camp, Chris Wacker, Brit Wanick, Derek Gabbard
  • Patent number: 11206265
    Abstract: Techniques for smart whitelisting for Domain Name System (DNS) security are provided. In some embodiments, a system/process/computer program product for smart whitelisting for DNS security in accordance with some embodiments includes receiving a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receiving a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; and generating a whitelist using the set of network related event data and the set of network related threat data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: December 21, 2021
    Assignee: Infoblox Inc.
    Inventor: Renee Carol Burton
  • Patent number: 11201818
    Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: December 14, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Fabio Maino, Syed Khalid Raza, Alberto Rodriguez Natal, Marc Portoles Comeras
  • Patent number: 11201800
    Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific policies for the first endpoint by evaluating the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: December 14, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Alberto Rodriguez Natal, Hendrikus G. P. Bosch, Fabio Maino, Lars Olaf Stefan Olofsson, Jeffrey Napper, Anubhav Gupta
  • Patent number: 11191005
    Abstract: A cyber control plane for universal physical space is provided. A method can include establishing, by a device comprising a processor, control of a physical space within a geographic area by a control system for the physical space; in response to the establishing, generating, by the device, an authorization policy that regulates access to a wireless communication network within the physical space based on network access rules provided by the control system; and denying, by the device, access to resources of the wireless communication network within the physical space to a mobile application according to the authorization policy.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: November 30, 2021
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: John Oetting
  • Patent number: 11190417
    Abstract: A method for network flow metadata processing at a network packet broker includes receiving, as input at the network packet broker, network flow metadata, the network flow metadata including a network flow statistic generated by a network device regarding packets in the network flow. The method further includes accessing, by the network packet broker, a network flow metadata processing rules database and identifying a network flow metadata processing rule to apply to the network flow metadata. The method further includes processing, by the network packet broker, the network flow metadata using the network flow metadata processing rule. The method further includes forwarding, by the network packet broker and based on results of the processing, egress network flow metadata to a network tool.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: November 30, 2021
    Assignee: KEYSIGHT TECHNOLOGIES, INC.
    Inventors: Kristopher Len Raney, Jonathan Glenn Stroud, Matthew R. Bergeron, Peter J. Marsico
  • Patent number: 11184364
    Abstract: Techniques for device connectivity are provided. A request to discover available cast devices is received from a first user device, and a first logically defined space is identified, where a first user associated with the first user device is authorized to access the space. A set of cast devices that correspond to the first logically defined space is determined. A first local port on a gateway device is allocated to a first cast device of the set of cast devices. Further, a response to the request is generated, where the response indicates the first local port on the gateway device. The response is transmitted to the first user device.
    Type: Grant
    Filed: January 9, 2019
    Date of Patent: November 23, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Vikas S. Murthy, Nitesh Trikha