Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11979388
    Abstract: A method of an authentication server may include receiving, from a recipient computer system, recipient metadata comprising recipient information from the recipient computing system and a recipient network address. Access to the encrypted payload is authenticated by the recipient computer system using the recipient metadata. A response is sent to the recipient computer system after authenticating the recipient computer system. The recipient computer system decrypts the encrypted payload to access the payload in response to receiving the response.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: May 7, 2024
    Assignee: Keyavi Data Corporation
    Inventors: Cody Pollet, Charles Burgess, Courtney Roach, Brandon Hart
  • Patent number: 11979366
    Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.
    Type: Grant
    Filed: May 9, 2023
    Date of Patent: May 7, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Pradeep Kumar Kathail, Eric Levy-Abegnoli, David A. Maluf
  • Patent number: 11979247
    Abstract: Embodiments of this application provide a message forwarding method and an apparatus, so that a message for joining a multicast group is sent to a multicast user plane network element, and the multicast user plane network element is triggered to establish a tunnel for transmitting multicast data between the multicast user plane network element and an application server. The method may include: a multicast session management network element receives the message that indicates that a terminal is joining the multicast group; and when the terminal is the 1st terminal in the multicast group, sends, to the multicast user plane network element, a message that requests to establish the tunnel for transmitting the multicast data between the multicast user plane network element and the application server.
    Type: Grant
    Filed: September 15, 2022
    Date of Patent: May 7, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yaxin Wang, Yan Li
  • Patent number: 11979274
    Abstract: Embodiments of the present disclosure can provide network management methods and apparatuses. The method can comprise connecting by a first terminal device to a network through a connection mode; and acquiring management configuration information corresponding to the network system.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: May 7, 2024
    Assignee: Alibaba Group Holding Limited
    Inventors: Lu Wang, Junjie Cai, Xu Zeng, Liangliang Zhu
  • Patent number: 11973700
    Abstract: A network switch includes a plurality of ports for communicating over a network. Processing circuitry processes inbound frames received from the network via the ports and sends outbound frames to the network. Remote management circuitry (RMU) is responsive to commands received from a host device external to the network switch. The RMU receives via one of the ports a remote access request frame from the host device, wherein at least part of the remote access request frame is encrypted, and decrypts the remote access request frame. In response to successful decryption of the part of the remote access request frame, the RMU accesses one or more configuration registers of the network switch in accordance with the remote access request frame, composes a remote access response frame, at least a portion of the remote access response frame being encrypted, and sends the remote access response frame to the host device.
    Type: Grant
    Filed: September 9, 2021
    Date of Patent: April 30, 2024
    Assignee: MARVELL ASIA PTE LTD
    Inventors: Chuanhai Zhou, Lian Xie, Hong Yu Chou
  • Patent number: 11973860
    Abstract: Systems and methods for initiating an action based on electronic activities of a user. Generally, a computing device receives a policy for enabling cryptographically secure tracking of electronic activities of a user and a particular electronic computing device. The policy can include definitions for multiple actions to be taken with respect to certain electronic activities resulting from interaction by the user with the at least one computing device. The computing device can identify a particular electronic activity resulting from user interaction with the at least one computing device. The computing device can determine a particular action to take by applying the policy to the particular electronic activity. The computing device can initiate the particular action with respect to the particular electronic activity.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: April 30, 2024
    Assignee: Ionic Security Inc.
    Inventors: Adam Ghetti, Jeffrey Howard, James Jordan, Nicholas Smith, Jeremy Eckman, Ryan Speers, Sohaib Bhatti
  • Patent number: 11966462
    Abstract: A computing system identifies a third-party dependency to be added to a codebase. The third-party dependency is hosted on a third-party server. The computing system downloads the third-party dependency within a secure runtime environment. The computing system generates a signature value for the third-party dependency. The computing system compares the signature value to a database of signature values of approved third-party dependencies. Upon determining that the signature value does not correspond to any signature values of the approved third-party dependencies, the computing system executes the third-party dependency within the secure runtime environment. The computing system monitors the execution of the third-party dependency within the secure runtime environment to identify suspicious activity. Upon determining that the third-party dependency is not exhibiting suspicious activity, the computing system adds the signature value to the database of signature values of approved third-party dependencies.
    Type: Grant
    Filed: September 29, 2021
    Date of Patent: April 23, 2024
    Assignee: Dropbox, Inc.
    Inventor: Aleksandr Krasnov
  • Patent number: 11968295
    Abstract: Methods, terminal and a data center gateway are provided for allowing efficient debugging and troubleshooting of data session encrypted with Perfect Forward Secrecy (PFS) encryption techniques such as for example the Transport Layer Security (TLS) protocol version 1.3. Embodiments of the invention allow the user terminal to authorize a data center gateway to persistently store one or more encryption keys associated with the data session for use to access the recorded data session and troubleshooting it after the session ended, when faults are detected. When a fault is detected, the user terminal provides authorization to the gateway to persistently store the data session along with one or more encryption key(s). With this, the gateway allows for the data session to be later decrypted and faults to be investigated despite the data session being encrypted with PFS techniques.
    Type: Grant
    Filed: April 3, 2018
    Date of Patent: April 23, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Daniel Migault, Makan Pourzandi
  • Patent number: 11968232
    Abstract: In some implementations, a network device may determine, based on a routing table, a plurality of routing paths from the network device to another network device, wherein the plurality of routing paths are respectively associated with a plurality of security classifications. The network device may receive network traffic that is destined for the other network device and that is associated with a particular security classification of the plurality of security classifications. The network device may forward the network traffic based on a particular routing path, of the plurality of routing paths, that is associated with the other network device and the particular security classification.
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: April 23, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Manish Talwar, Ronald Bonica, Ajay Kachrani
  • Patent number: 11968614
    Abstract: A User Equipment (UE) including a wireless transceiver and a controller is provided. The controller obtains information indicating that the UE is not allowed to access a 3GPP core network over which one or both or none of the 3GPP access network and the non-3GPP access network. Also, the controller refrains the UE from accessing the 3GPP core network over the indicated one or both of the 3GPP access network and the non-3GPP access network in response to the information indicating that the UE is not allowed to access the 3GPP core network over one or both of the 3GPP access network and the non-3GPP access network.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: April 23, 2024
    Assignee: MEDIATEK SINGAPORE PTE. LTD.
    Inventors: Marko Niemi, Matti Moisanen
  • Patent number: 11968123
    Abstract: Methods, non-transitory computer readable media, network traffic manager apparatuses, and systems that assist with allocating a traffic load through heterogenous topology of a network includes extracting a header of each of a plurality of received packets of a traffic flow. Each of the headers comprises fields. Next, the network traffic manager apparatus executes a hashing function over the fields of each of the headers, applies a load balancing function to determine one of a plurality of endpoints to send each of the received packets based on one or more endpoint characteristics, and maps the index for each corresponding one of the received packets to the corresponding selected one of the endpoints. The received packets are not evenly divided among the plurality of endpoints. Lastly, the network traffic manager apparatus sends the received packets to the selected endpoint based on the mapping from the load balancing policy.
    Type: Grant
    Filed: December 8, 2022
    Date of Patent: April 23, 2024
    Assignee: F5, Inc.
    Inventors: Adam Huson, Hao Cai, Navin Donkana
  • Patent number: 11968186
    Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: April 23, 2024
    Assignee: Security First Innovations, LLC
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport, Steven Winick
  • Patent number: 11968209
    Abstract: Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication.
    Type: Grant
    Filed: March 13, 2023
    Date of Patent: April 23, 2024
    Assignee: Open Text Corporation
    Inventors: Sachin Gopaldas Totale, Muneer Ahmed, Harish Rawat, Rajakumar Thiruvasagam, Lakshmi Narayana Prasad Kakumani
  • Patent number: 11962499
    Abstract: In an embodiment, a computer-implemented method for enabling multitenancy for service machines is disclosed. In an embodiment, the method comprises detecting a packet by a service insertion module implemented in a hypervisor. Based on metadata received along with the packet, the service insertion module determines a tenant identifier of a tenant that sent the packet. The service insertion module also determines a plurality of attributes of the packet. Based on the tenant identifier and the plurality of attributes of the packet, an action for the packet is retrieved from a rule table. Based on the action, the service insertion module determines whether at least one service is to be applied to the packet. In response to determining that at least one service is to be applied to the packet, an encapsulated packet is generated by encapsulating the packet with the tenant identifier, and the encapsulated packet is redirected to a service machine that is configured to provide the at least one service to the packet.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: April 16, 2024
    Assignee: VMware, Inc.
    Inventor: Rahul Mishra
  • Patent number: 11962679
    Abstract: Collaborative multiparty homomorphic encryption comprising receiving a linear common public key collaboratively generated by a plurality of parties as a sum of linear public key shares associated with the respective plurality of parties. Each of two ciphertexts may be encrypted with the linear common public key and the two ciphertexts may be combined by a non-linear computation to generate a result ciphertext encrypted by a non-linear public key. The result ciphertext may be re-encrypted with a re-linearization key to swap encryption keys from the non-linear public key to a linear public key. The re-encrypted result ciphertext may be distributed to the plurality of parties to each partially decrypt the re-encrypted result ciphertext by a linear secret key share associated with the party, which in combination fully decrypts the result by a linear common secret key that is a sum of the secret key shares of the respective plurality of parties.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: April 16, 2024
    Assignee: Duality Technologies, Inc.
    Inventors: Yuriy Polyakov, Vinod Vaikuntanathan
  • Patent number: 11953996
    Abstract: Techniques described herein relate to a method for performing data protection of file system data on a host. The method includes obtaining a data access request for a file corresponding to a placeholder file from an application during a backup access session; obtaining, in response to the data access request, file system data associated with the file from a backup storage using backup metadata associated with the placeholder file; providing the file system data associated with the file to the application; making, after the providing, a determination that the file is modified by the application; and in response to the determination: flagging the placeholder file.
    Type: Grant
    Filed: January 20, 2023
    Date of Patent: April 9, 2024
    Assignee: Dell Products L.P.
    Inventors: Sunil Yadav, Shelesh Chopra
  • Patent number: 11947953
    Abstract: A vehicle electronic control system includes a mode determination unit that is configured to determine whether a customization mode for a screen display related to an approval to a program update is set through a user's customization operation, and a screen display instruction unit that is configured to instruct the display terminal to display a progress screen of the program update according to a current update phase and a setting of the customization mode when the mode determination unit determines that the customization mode is set and instruct the display terminal to display the progress screen of the program update according to the current update phase and an initial setting when the mode determination unit determines that the customization mode is not set. The display terminal is configured to display the progress screen of the program update as instructed by the screen display instruction unit.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: April 2, 2024
    Assignee: DENSO CORPORATION
    Inventors: Taiji Abe, Nao Sakurai, Yuzo Harata, Kazuhiro Uehara, Mitsuyoshi Natsume, Takuya Kawasaki
  • Patent number: 11949711
    Abstract: A system may be configured to prepare and use prediction models for predicting existence of fingerprints among encrypted traffic. Some embodiments may: obtain a machine learner configured to identify statistical differences between pseudo-randomness associated with encrypted user data and higher-entropy randomness associated with a set of other data; determine at least a portion of a path traversed by the encrypted user data in the network based on the identification; and secure the network based on the determination.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: April 2, 2024
    Assignee: CACI International, Inc.
    Inventor: Ryan Montoya
  • Patent number: 11948129
    Abstract: A system includes a computer processor, a computer memory, and a user interface. The system receives a plurality of tasks, data relating to conditions and environments associated with the plurality of tasks, and a plurality of goals relating to planning and scheduling of the plurality of tasks. The goals are received from a plurality of sources, and the goals are addressed as a function of the conditions and environments. The system displays on the user interface, as a function of the plurality of goals, an analytical view of the conditions and environments relating to the plurality of tasks and an analytical view of a status of the plurality of tasks.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: April 2, 2024
    Assignee: Raytheon Company
    Inventors: Laura A. Gordon, Laura D. Strater, Benjamin Gothman, Kristin Guillaume
  • Patent number: 11949663
    Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: April 2, 2024
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Vijay Bulusu, Roy Rajan, Ajit Singh, Abhinav Bansal, Vikas Mahajan
  • Patent number: 11949714
    Abstract: Digital data processing systems of the type in which a server digital data device (“server”) is coupled to a client digital data device (“client”) over a network, e.g., the Internet, include web server software executing within an application layer on the server that responds to a request from the client by (i) validating a key received from the client with that request, (ii) generating a result code indicative of a success of that validation, (iii) initiating processing of the request, including invoking server resource software executing outside the application layer. The server resource software, which checks the result code upon invocation and before performing a protected operation required for processing the request, responds to a result code indicating that the result did not validate by exiting before executing the protected operation.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: April 2, 2024
    Assignee: Salesforce, Inc.
    Inventors: Robert Spremulli, Chris Smith, Radha Shelat, Myles Taggart Frothingham
  • Patent number: 11950266
    Abstract: In one embodiment, a scheme is disclosed for supporting wireless access network service request capability in a user equipment (UE) device that is operable in wide area cellular network (WACN) bands as well as in wireless access network bands (e.g., GAN bands and/or UMA bands). The UE device includes capability for gaining Internet Protocol (IP) connectivity with a wireless access network node (e.g., a GAN controller (GANC) or UMA network controller (UNC)). Thereafter, the UE device is operable to initiate a registration request message towards the wireless access network node, wherein the registration request message includes at least one information element pertaining to wireless access network services required by the UE device.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: April 2, 2024
    Assignee: Malikie Innovations Limited
    Inventors: Adrian Buckley, George Baldwin Bumiller, Paul Marcus Carpenter
  • Patent number: 11949781
    Abstract: Described is a data transmission method, comprising: a first terminal negotiating a shared key with a second terminal by means of a handshake message; and the first terminal transmitting application data to the second terminal by means of a content message, the content message being encrypted and decrypted by using the shared key, wherein the handshake message and the content message have the same message format, the message format comprises a message serial number and a message load, the message serial number comprises a key epoch identifier and a message seq identifier, and the key epoch identifier is characterized by bit information less than a first number of bits, and the message seq identifier is characterized by bit information less than a second number of bits.
    Type: Grant
    Filed: December 29, 2022
    Date of Patent: April 2, 2024
    Assignee: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP., LTD.
    Inventors: Chunliang Zeng, Zhaoxuan Zhai, Qichang Yang
  • Patent number: 11943293
    Abstract: Restoring a storage system from a replication target, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and retrieving, by the first storage system from the second storage system, the reduced data, wherein the reduced data is encrypted.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: March 26, 2024
    Assignee: PURE STORAGE, INC.
    Inventors: John Colgrove, Ronald Karr, Constantine Sapuntzakis
  • Patent number: 11943835
    Abstract: Embodiments of this application disclose a communication method and a communications apparatus, and are used in the field of communications technologies, to resolve a problem of how to notify an access network device of an NR PC5 QoS parameter of a terminal. The method in one embodiment includes a home V2XCF that obtains an NR PC5 QoS parameter of a terminal, and the home V2XCF sends the NR PC5 QoS parameter to an access network device, such as a first network element that is in an EPS. The first network element receives the NR PC5 QoS parameter and sends the NR PC5 QoS parameter to an MME. After receiving the NR PC5 QoS parameter, the MME sends the NR PC5 QoS parameter to an access network device. The first network element may be an HSS or a PCRF.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: March 26, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Jiangwei Ying, Meng Li, Xiao Xiao
  • Patent number: 11943199
    Abstract: A computer network security manager device connects to a first wireless router and then connects to a plurality of devices (e.g., a plurality of IoT devices). The computer network security manager device then performs device agnostic activation of the plurality of devices to enable the plurality of devices to perform respective functions of each device. The security manager device prevents the plurality of devices from connecting directly to the first wireless router and only allows other devices on the Internet to communicate with the plurality of devices according to specific firewall rules. In response to receiving an indication that the first wireless router to which the network security manager device is connected is out of service or no longer exists, the network security manager device prevents other devices on the Internet from being able to communicate with the plurality of devices.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: March 26, 2024
    Assignee: DISH Network L.L.C.
    Inventor: Raymond C. Rodriguez
  • Patent number: 11943094
    Abstract: A method includes allocating an identifier to each of a plurality of policies each comprising a network-isolation identifier associated with a VXWAN directive and transmitting each of the plurality of policies to one or more devices in a network.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Kumar Ramachandran, Venkataraman Anand, Navneet Yadav, Arivu Ramasamy, Aaron Edwards
  • Patent number: 11936620
    Abstract: A method and computer readable software for providing randomized Security Parameter Index (SPI) for distributed Internet Protocol security (IPsec) are disclosed. In one embodiment a method includes designating each IPsec node with a unique node identifier, the IPsec node; performing a hash function on a random SPI to provide a randomized SPI; and assigning the randomized SPI to an IPsec tunnel associated with an IPsec node.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: March 19, 2024
    Assignee: Parallel Wireless, Inc.
    Inventors: Ayan Chattopadhyay, Vikram Menon
  • Patent number: 11936490
    Abstract: Upon receiving a copy of upstream communication from a first switch, a second switch specifies an NF apparatus serving as a transmission source of the upstream communication, based on apparatus information indicating a MAC address of each apparatus and a transmission source MAC address contained in the copy of the upstream communication. The second switch refers to the apparatus information, and MAC address information indicating, for each port of the switch, a MAC address of an apparatus connected via the port, thereby specifying a port of the second switch connected to the NF apparatus, and a MAC address of the transmission source via the port. The second switch stores session information in which information on the specified port and MAC address is associated with header information set for the copy of the upstream communication. Upon receiving downstream communication, the second switch transfers the downstream communication to the NF apparatus.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: March 19, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yuki Takei, Masayuki Nishiki, Tomonori Takeda
  • Patent number: 11936630
    Abstract: A router includes processing circuitry configured to send a request to a web server to access a website hosted by the web server. Additionally, the processing circuitry is configured to identify a pathway between a client device and the web server as well as determine whether the pathway is encrypted or unencrypted. In response to determining that the pathway is unencrypted, the processing circuitry is configured to determine whether an alternative pathway between the client device and the web server via a web host of the web server is available and, in response to determining that the alternative pathway is available, cause the alternative pathway to be established in lieu of the pathway.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: March 19, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Ashley Raine Philbrick, Ryan Thomas Russell, David Joaquin Harris, Sacha Melquiades De'Angeli
  • Patent number: 11934511
    Abstract: An information processing device includes a first communication unit, a second communication unit, an information processing unit, and a switching unit. The information processing unit is configured to encrypt information which is received from a terminal device and to transmit the encrypted information to a network and configured to decrypt information which is received from the network and to transmit the decrypted information to the terminal device. The information processing device includes a switching unit configured to directly connect a communication line between the first communication unit and the terminal device to another communication line between the second communication unit and the network, when the information processing unit comes into an inoperable state including at least electric power supply stop state, and to switch into a pass-through mode in which the terminal device and the network communicate directly with each other without through the information processing unit.
    Type: Grant
    Filed: April 9, 2021
    Date of Patent: March 19, 2024
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Infrastructure Systems & Solutions Corporation
    Inventor: Yusuke Yagi
  • Patent number: 11936783
    Abstract: An indication of a key generation function may be received from a server. A random value may be received based on a volatile memory of a device. A cryptographic key may be generated based on the key generation function from the server and the random value that is based on the volatile memory of the device. The cryptographic key may be stored at a non-volatile memory of the device.
    Type: Grant
    Filed: July 7, 2021
    Date of Patent: March 19, 2024
    Assignee: Cryptography Research, Inc.
    Inventor: Helena Handschuh
  • Patent number: 11930040
    Abstract: Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated, while allowing communication of priority messages. A security management component (SMC) can determine whether a malicious attack against the RAN is occurring based on a defined baseline that indicates whether a malicious attack is occurring. The defined baseline is determined based on respective characteristics associated with respective devices that are determined based on analysis of information relating to the devices. In response to determining there is a malicious attack, SMC determines whether to block connections of devices to the RAN based on respective priority levels associated with respective messages being communicated by the devices.
    Type: Grant
    Filed: January 23, 2023
    Date of Patent: March 12, 2024
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Deon Ogle, Yaron Koral, Cagatay Buyukkoc, Nicholas Arconati, Jitendra Patel, Bogdan Ungureanu
  • Patent number: 11924087
    Abstract: Systems and methods include receiving a request for a path in a network including a plurality of network elements interconnected to one another via links, wherein the request includes values for a plurality of criteria, wherein the plurality of criteria include one or more of trust, privacy, and secrecy; utilizing a multi-criteria path selection process to determine the path through the plurality of network elements over the links based on the plurality of criteria and the associated values; and providing a display of the determined path in a network map. The trust quantifies trustworthiness of each link in the network and the values of trust are any of a rating and a selection for inclusion or exclusion, the privacy quantifies a number of the links the network path is routed over for network obfuscation, and the secrecy quantifies a level of encryption utilized on the links.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: March 5, 2024
    Assignee: Ciena Corporation
    Inventors: James P'ford't Carnes, III, David Jordan Krauss
  • Patent number: 11922420
    Abstract: Systems and methods for authenticating a user are disclosed.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: March 5, 2024
    Assignee: Intuit Inc.
    Inventors: Christopher Lesner, Alexander S. Ran
  • Patent number: 11921842
    Abstract: In an approach for multifactor authorization on hardware calls of resources, a processor receives a request for a hardware resource from a plurality of hardware resources being monitored. A processor calculates a risk level associated with the hardware resource of the request based on a respective risk level data repository. A processor, in response to a determination the risk level requires multifactor authorization, determines that a user associated with the request is logged in. A processor identifies a mechanism used by the user to log in. A processor determines whether a challenge associated with the multifactor authorization based on the mechanism is successful. A processor, in response to a determination the challenge associated with the multifactor authorization is successful, enables access to the hardware resource of the request.
    Type: Grant
    Filed: June 14, 2021
    Date of Patent: March 5, 2024
    Assignee: KYNDRYL, INC.
    Inventors: Cesar Augusto Rodriguez Bravo, David Alonso Campos Batista
  • Patent number: 11916883
    Abstract: In one embodiment, a computing platform features a controller, one or more transit virtual private cloud networks (VPCs), and a plurality of spoke VPCs. Communicatively coupled to the transit virtual VPCs, the spoke VPCs include (i) a first spoke VPC associated with a first security region and (ii) a second spoke VPC associated with a second security region. Herein, the first security region is configured to permit spoke gateways of the first spoke VPC to communicate with each other while precluding communications with spoke gateways associated with another security region absent a connectivity policy being a set of rules established by the administrator/user of the network concerning permitted connectivity between different security regions.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: February 27, 2024
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Shanshan Xu
  • Patent number: 11916907
    Abstract: Where a single networked security service supports multiple enterprises, this security service can operate as a shared source of trust so that security devices associated with one enterprise can provide authenticated, policy-based management of computing devices associated with another enterprise. For example, an enterprise firewall can advantageously manage network access for a new device based on a shared and authenticated relationship with the networked security service.
    Type: Grant
    Filed: July 8, 2020
    Date of Patent: February 27, 2024
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Moritz Daniel Grimm, Thomas Rolf-Werner Eckert, Kenneth D. Ray
  • Patent number: 11916871
    Abstract: A method and device (1) for transferring electronic information between a lesser trusted network (7) and a trusted network (8) is disclosed. The method comprises the steps of: receiving original electronic information from a lesser trusted network (7) in a first electrical zone (2); permitting the original electronic information to be transferred between the first electrical zone (2) and the second electrical zone (4) in one direction only; verifying the original electronic information for at least one predetermined characteristic within the second electrical zone (4) so as to provide a verifier output status and verified electronic information; forwarding the verified electronic information to a third electrical zone (3).
    Type: Grant
    Filed: September 14, 2019
    Date of Patent: February 27, 2024
    Assignee: The Secretary of State for Foreign and Commonwealth Affairs
    Inventors: Robert John Dale, John Alan Thorp
  • Patent number: 11909739
    Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: February 20, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Jerome Henry, Robert Edgar Barton, Elango Ganesan, Flemming Stig Andreasen
  • Patent number: 11904174
    Abstract: Apparatus and associated methods relate to providing secure gatekeeping of communication from a remote internet-based website having an Internet-Protocol (IP) address to an implantable biomedical device. A gatekeeping device receives the communication transmitted by the remote internet-based website. The communication received is encoded using a first encoding algorithm. The gatekeeping device decodes the communication received. The gatekeeping device then encodes the communication decoded using a second encoding algorithm. The gatekeeping device wirelessly relays the communication encoded using the second encoding algorithm to the implantable biomedical device.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: February 20, 2024
    Assignee: Manicka Institute LLC
    Inventor: Yatheendhar D. Manicka
  • Patent number: 11907946
    Abstract: An illustrative fraud deterrent method includes presenting an identity verification option for a first website displayed in a web-browser, the option including offering a login to a third-party website, unrelated to the first website. The method further includes receiving login information for a first user account on the third-party website and verifying the login information through a verification service associated with the third-party website, to verify that the login information is valid for the first user account, identified by the login information. The method additionally includes verifying an identity at the first website, responsive to the verification.
    Type: Grant
    Filed: January 10, 2023
    Date of Patent: February 20, 2024
    Inventor: Michael Sasha John
  • Patent number: 11910290
    Abstract: A wireless distribution system (WDS) is configured for transmitting a downlink signal or for receiving an uplink signal. A computing device configured to serve as a client device to the WDS includes a memory; a multiple applications processor in communication with the memory and configured to execute one or more mobile applications; and a wireless service processor in communication with the multi applications processor for communicating via a corresponding wireless service with the WDS. The multi applications processor is configured to execute an instance of a data service to establish a connection with the WDS for a specified application process utilizing the wireless service to provide at least one datum on the WDS. In the method, an instance of a data service is executed to establish a connection with a WDS for a specified application process utilizing a wireless service to provide at least one datum on the WDS.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: February 20, 2024
    Assignee: Corning Optical Communications LLC
    Inventors: Igor Berlin, Aravind Chamarti, Yuval Zinger
  • Patent number: 11909819
    Abstract: A method and system are provided which facilitate synchronization of client IP binding databases across an extended network by leveraging the BGP control plane. During operation, a switch configures a first synchronization identifier indicating validated Internet Protocol (IP) binding information of an associated client. The switch receives a Border Gateway Protocol (BGP) update message associated with a first client, wherein the BGP update message includes a second synchronization identifier.
    Type: Grant
    Filed: November 28, 2022
    Date of Patent: February 20, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Saumya Dikshit, Thimma Reddy Gadekal
  • Patent number: 11909764
    Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.
    Type: Grant
    Filed: July 1, 2021
    Date of Patent: February 20, 2024
    Assignee: Rapid7, Inc.
    Inventor: Barry Curran
  • Patent number: 11902378
    Abstract: The application discloses systems and methods for data synchronization. The system may include a receiving module, an instruction generating module and a sending module. The receiving module may be configured to receive the first instruction. The first instruction may be used to instruct the start of data acquisition of the system. In response to receiving the first instruction, the instruction generating module may be configured to generate a second instruction. The second instruction may be used to trigger at least two sensors to acquire data. The sending module may be configured to send the second instruction to the at least two sensors respectively based on the first delay. The first delay causes the time difference between the at least two sensors starting to acquire data to be less than the first preset threshold.
    Type: Grant
    Filed: May 10, 2022
    Date of Patent: February 13, 2024
    Assignee: BEIJING DIDI INFINITY TECHNOLOGY AND DEVELOPMENT CO., LTD.
    Inventor: Gong Chen
  • Patent number: 11895087
    Abstract: A computer-implemented method according to one embodiment includes identifying a node within a clustered system, determining a role of the node, based on one or more characteristics of the node, and setting one or more firewall parameters for the node within the clustered system, based on the role of the node.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: February 6, 2024
    Assignee: International Business Machines Corporation
    Inventors: Monica J. Lemay, Todd Tosseth, Jacob M. Tick, Christina Lara
  • Patent number: 11893410
    Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: February 6, 2024
    Assignee: VMware, Inc.
    Inventors: Abhishek Srivastava, David A. Dunn, Jesse Pool, Adrian Drzewiecki
  • Patent number: 11895494
    Abstract: A method and a device for device network configuration and registration are disclosed. The method includes: a first device receives a first network configuration parameter from a second device, where the first network configuration parameter includes a local area network identifier of a local area network, an access password of the local area network, and a device identifier, a security parameter, or an access token of the second device. The first device requests to access a server by using the first network configuration parameter. The server assigns a device parameter to the first device, where the device parameter includes a device identifier, a security parameter, and an access token of the first device. The first device requests to access the server by using the device parameter. This method can simplify a network configuration and registration process of a smart device, and implement fast network configuration and registration.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: February 6, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Tianliang Xu
  • Patent number: 11895189
    Abstract: One or more data packets are received at a storage node of a storage cluster system via a virtual network associated with a storage tenant. A connection between the storage tenant and a tenant communication component of the storage cluster system is terminated. A new connection is established between the tenant communication component of the storage cluster system and a destination associated with the one or more data packets. The one or more data packets are provided to the destination associated with the one or more data packets using a virtual network associated with storage nodes of the storage cluster system.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: February 6, 2024
    Assignee: Cohesity, Inc.
    Inventors: Harsha Vardhan Jagannati, Anand Bhat