Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11895087
    Abstract: A computer-implemented method according to one embodiment includes identifying a node within a clustered system, determining a role of the node, based on one or more characteristics of the node, and setting one or more firewall parameters for the node within the clustered system, based on the role of the node.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: February 6, 2024
    Assignee: International Business Machines Corporation
    Inventors: Monica J. Lemay, Todd Tosseth, Jacob M. Tick, Christina Lara
  • Patent number: 11893410
    Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: February 6, 2024
    Assignee: VMware, Inc.
    Inventors: Abhishek Srivastava, David A. Dunn, Jesse Pool, Adrian Drzewiecki
  • Patent number: 11895494
    Abstract: A method and a device for device network configuration and registration are disclosed. The method includes: a first device receives a first network configuration parameter from a second device, where the first network configuration parameter includes a local area network identifier of a local area network, an access password of the local area network, and a device identifier, a security parameter, or an access token of the second device. The first device requests to access a server by using the first network configuration parameter. The server assigns a device parameter to the first device, where the device parameter includes a device identifier, a security parameter, and an access token of the first device. The first device requests to access the server by using the device parameter. This method can simplify a network configuration and registration process of a smart device, and implement fast network configuration and registration.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: February 6, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Tianliang Xu
  • Patent number: 11895189
    Abstract: One or more data packets are received at a storage node of a storage cluster system via a virtual network associated with a storage tenant. A connection between the storage tenant and a tenant communication component of the storage cluster system is terminated. A new connection is established between the tenant communication component of the storage cluster system and a destination associated with the one or more data packets. The one or more data packets are provided to the destination associated with the one or more data packets using a virtual network associated with storage nodes of the storage cluster system.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: February 6, 2024
    Assignee: Cohesity, Inc.
    Inventors: Harsha Vardhan Jagannati, Anand Bhat
  • Patent number: 11893412
    Abstract: Device initialization by an access-restricted virtual machine, including: restricting access by a first operating system to a device during one or more device initialization operations, wherein the first operating system is executing in a first virtual machine supported by a hypervisor; determining, by a second operating system executing in a second virtual machine supported by the hypervisor, one or more modifications attempted by the first operating system to the device; and performing, by the second operating system, the one or more modifications to the device.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: February 6, 2024
    Assignee: GHOST AUTONOMY INC.
    Inventors: John Hayes, Volkmar Uhlig
  • Patent number: 11888834
    Abstract: Methods and systems are provided for onboarding network equipment to managed networks. An onboarding controller of a managed network may generate a challenge for network equipment to be onboarded into the managed network, and may send the challenge to a communication device different from the equipment network. The challenge may include information relating to a configuration change to be made to the network equipment. Further, the challenge is sent over a connection that is different than a connection used in communicating with the network equipment. The onboarding controller may verify, based on handling of the configuration change, an identity and/or a network location of the network equipment. Handling the configuration change may include applying the configuration change.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: January 30, 2024
    Assignee: INTERDIGITAL CE PATENT HOLDINGS, SAS
    Inventors: Dominik Schatzmann, Markus Brunner
  • Patent number: 11886576
    Abstract: A non-transitory computer-readable medium may include computer-executable instructions that, when executed, cause a processor to collect a portion of data associated with an asset from one or more sources based on a request received from a digital representation associated with the asset. The digital representation may perform a first set of simulations related to one or more operations of the asset over time. The processor may then generate a plurality of aligned datasets based on the portion of the data, the one or more sources, and an identity of the asset. The processor may also aggregate the plurality of aligned datasets into a single dataset and transmit the single dataset to the digital representation to perform a second set of simulations based on the single dataset.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: January 30, 2024
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Abhishek Mehrotra, Steven P. Taylor, Braun C. Brennecke, Evan J. Kausalik, John D. Mayer, Tyler C. Tamburlin, Richard S. Turk, Timothy R. Brennan
  • Patent number: 11888818
    Abstract: A method may include providing a multi-access interface for network traffic, comprising: receiving information regarding topology of a virtual private network and storing the topology in the form of a routing table. A method may include providing an interface for network traffic, comprising: in a virtual private network comprising a plurality of tunnels delivering only information associated with OSI Level 3, receiving a network communication and performing multicast forwarding among the plurality of tunnels using multicast forwarding from OSI Level 2. A method may include providing an interface for network traffic, comprising, in a virtual private network: establishing a connection between a first node of the virtual private network and a second node serving as a virtual private network broker and fetching, by the first node from the virtual private network broker, information regarding one or more other nodes of the virtual private network.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: January 30, 2024
    Assignee: Forcepoint LLC
    Inventors: Tuomo Syvänne, Juha Luoma, Ville Mattila
  • Patent number: 11888959
    Abstract: A data transmission method includes establishing, by a first apparatus in a distributed system, a connection to a target end; sending, by the first apparatus, connection information of the connection to a second apparatus that is in the distributed system and that transmits data to the target end; transmitting, by the second apparatus, the data to the target end based on the connection information and using a stream of the connection.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: January 30, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yongkang Zhang, Yi Qin
  • Patent number: 11888872
    Abstract: A method protects a computer asset by identifying a particular signature, which is software that causes a particular gateway to block an intrusion from reaching a particular computer asset, and installs the particular signature on the particular gateway, thus protecting the computer asset from the intrusion.
    Type: Grant
    Filed: April 11, 2022
    Date of Patent: January 30, 2024
    Assignee: International Business Machines Corporation
    Inventors: Adam Paquin, Peyton Duncan, Kevin Shen, Jonathan Bees, Srinivas Babu Tummalapenta
  • Patent number: 11889303
    Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. The medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to identify a user database record associated with a user equipment (UE) using a mobile identity (ID), associate a Next Generation application protocol (NGAP) session with the user database record using an NGAP ID, capture a ciphered message associated with the NGAP session, decipher the ciphered message associated with the NGAP session, extract, from the deciphered message, session details associated with the UE, and store the session details in a session detail record.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: January 30, 2024
    Assignee: Netscout Systems, Inc.
    Inventors: Subappriya Muthuchamy, Sandeep Prasad, Tauras Liubinskas, Abhishek Saraswati, Alessandro Pinelli, Pritish Vijay Aherrao, Loreto Di Resta, Brandon Bass
  • Patent number: 11888829
    Abstract: A device is configured to receive a data request that includes an encrypted data element. The device is further configured to identify a data source device associated with the data request, to identify a first encryption key associated with the data source device, and to decrypt the encrypted data element using the first encryption key. The device is further configured to identify a first data processor device associated with receiving the data request, to identify a second encryption key associated with the first data processor device, wherein the second encryption key is different from the first encryption key, and to re-encrypt the decrypted data element. The device is further configured to identify routing instructions associated with the first data processor device and to send the re-encrypted data element to the first data processor device in accordance with the routing instructions.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: January 30, 2024
    Assignee: 7-ELEVEN, INC.
    Inventors: Srikanth Gandra, Veena Vadvadgi
  • Patent number: 11882231
    Abstract: Exemplary embodiments relate to techniques for transmitting ephemeral content messages. A sending client may establish an end-to-end encrypted session with possible recipients of the message, using a first decryption key during initial session setup. The client may send an ephemeral content message, including encrypted content and a second key, to the recipients through a server. The server may be unable to retrieve the encrypted content due to a lack of the second key. The server may filter a list of intended recipients, and may forward the ephemeral content message to the recipients on the filtered list. The recipients may retrieve the second key from the message, and use the first and second keys to decrypt the encrypted content. The sending client may change the second key each time the recipient list changes from the perspective of the sending client, as determined at the time the ephemeral content message is transmitted.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: January 23, 2024
    Assignee: WhatsApp LLC
    Inventors: Randall Sarafa, Eugene Fooksman, Brian Lange Acton, Jan Boris Koum, Michael B. Donohue, Ehren Andrew Kret
  • Patent number: 11882100
    Abstract: According to an embodiment, a communication control device includes a first communication system connected between a first device and a network communication network, and a second communication system connected between the first device and the network communication network separately from the first communication system. The first communication system and the second communication system each include a controller. The controller executes switching such that one of the communication systems executes communication in the first communication mode, and when a problem is detected in the communication system that is executing communication in the first communication mode, the other communication system executes communication in the first communication mode.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: January 23, 2024
    Assignees: KABUSHIKI KAISHA TOSHIBA, Toshiba Infrastructure Systems & Solutions Corporation
    Inventor: Issei Hatanaka
  • Patent number: 11882199
    Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
    Type: Grant
    Filed: August 22, 2022
    Date of Patent: January 23, 2024
    Assignee: CLOUDFLARE, INC.
    Inventors: Christopher Philip Branch, Naga Sunil Tripirineni, Rustam Xing Lalkaka, Nick Wondra, Mohd Irtefa, Matthew Browning Prince, Andrew Taylor Plunk, Oliver Yu, Vlad Krasnov
  • Patent number: 11875188
    Abstract: Disclosed is a data processing system that processes data therein and a method of using the data processing system. The data processing system includes a plurality of data processing nodes that are coupled together via a data communication network arrangement. The data processing system distributes a plurality of computing tasks across the plurality of data processing nodes, wherein the plurality of computing tasks are distributed according to a directed acyclic graph (DAG) allocation arrangement, wherein the DAG allocation arrangement employs a consensus voting arrangement employing recursive elections of nodes or users of the data processing system to control operation of the DAG allocation arrangement to incentivize participation of the plurality of data processing nodes to process the plurality of computing tasks, and wherein the DAG allocation arrangement is associated with a ledger arrangement operable to control or record execution of the plurality of computing tasks.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: January 16, 2024
    Assignee: Uvue Ltd
    Inventors: Toby William Simpson, Troels Rønnow, Jonathan Ward, Thomas Hain
  • Patent number: 11876798
    Abstract: A virtual delivery appliance may communicate with a client device over a network to provide the client device with a virtualized session for a user. A processor may be configured to communicate with the client device over the network to perform a registration operation with a relying party. An application within the virtualized session may perform an authentication operation with the relying party to access a resource. The processor may be configured to forward an authentication challenge message to the client device in response to the application receiving the authentication challenge message from the relying party for the user to access the resource, and receive an authentication answer message in response to the authentication challenge message from the client device.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: January 16, 2024
    Assignee: Citrix Systems, Inc.
    Inventors: Ashwin Suresh, Jason Vega Paez, Georgy Momchilov, Jayadev Marulappa Niranjanmurthy, Mark D. Howell
  • Patent number: 11871225
    Abstract: A first wireless access device, associated with a wireless service provider, establishes a wireless local area network connection with a second wireless access device and receives a certificate including a unique identifier associated with the second wireless access device. The first wireless access device determines whether the second wireless access device is authorized to connect to the first wireless access device. For example, if the certificate is signed by a certificate authority associated with the wireless service provider and the unique identifier appears in a whitelist stored at the first wireless access device, the first wireless access device and the second wireless access device perform a mutual authentication procedure based on one or more ephemeral keys. The first wireless access device provides the second wireless access device with access to a wide area network based on successful completion of the mutual authentication procedure.
    Type: Grant
    Filed: June 17, 2022
    Date of Patent: January 9, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Warren Hojilla Uy, Young R. Choi, Samirkumar Patel
  • Patent number: 11870761
    Abstract: An integrated circuit device includes a packet type detection circuit, a security circuit, and a configuration circuit. The packet type detection circuit is operable to determine a packet type of a packet based on header portions of the packet. The security circuit is operable to perform security processing of the packet according to a set of security parameters. The configuration circuit is operable to determine the set of security parameters based on the packet type of the packet, an identifier associated with the packet, and an index associated with the packet, and provide the set of security parameters to the security circuit.
    Type: Grant
    Filed: October 14, 2022
    Date of Patent: January 9, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Ron Diamant, Nafea Bshara, Leah Shalev, Erez Izenberg
  • Patent number: 11870792
    Abstract: An abnormal traffic analysis apparatus includes receiving means for receiving traffic from a device via any of a plurality of communication paths in which different communication methods are used, multiple communication management means for identifying a communication path through which the traffic is transmitted, analysis method determination means for determining an analysis algorithm for detecting abnormality of the traffic according to the communication path identified by the multiple communication management means, analysis means for analyzing whether or not the traffic is abnormal traffic by using the analysis algorithm determined by the analysis method determination means, and analysis result recording means for recording a result of analysis performed by the analysis means.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: January 9, 2024
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Takafumi Harada, Gembu Morohashi, Hiroki Ito
  • Patent number: 11870770
    Abstract: Embodiments are directed to a multi-tenant cloud system. Embodiments receive a request for an authentication action for a user and create an authenticate target action. Embodiments register a cache listener to listen for a target action response that is responsive to the authenticate target action and initiate the authentication action for the user at an on-premise active directory (“AD”) via a bridge. Embodiments wait for a cache callback and, at the cache callback, receive a target action response comprising a result of the authentication action.
    Type: Grant
    Filed: March 3, 2020
    Date of Patent: January 9, 2024
    Assignee: Oracle International Corporation
    Inventors: Isabella Hio-Wai Lao, Gary Cole, Sudarsan Sridhar, Gregg Wilson
  • Patent number: 11870557
    Abstract: An example operation includes one or more of generating a key based on an action performed utilizing a component of the transport and a time associated with the action.
    Type: Grant
    Filed: January 5, 2021
    Date of Patent: January 9, 2024
    Assignee: TOYOTA MOTOR NORTH AMERICA, INC.
    Inventors: Edward Allen Cain, Jr., Satyajit P. Patne
  • Patent number: 11870754
    Abstract: A network device detects possible malicious traffic and enlists the help of a co-operative group of downstream routers to perform enhanced deep packet analysis and firewalling in parallel with the transport of the packet through the network. The routers may also use other remote computational resources to perform some of the analysis along or close to the route 80 of the packet through the network. The packets are cached at the exit edge router, which does not release the packet from the cooperative group until all analyzers report the traffic is safe, or deletes the traffic if identified as malicious. Buffering at the remote end allows the packet to be forwarded promptly if approved, but protects downstream components if the traffic is malicious.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: January 9, 2024
    Assignee: British Telecommunications Public Limited Company
    Inventor: Catherine White
  • Patent number: 11863987
    Abstract: The present disclosure is directed to distributing processing capabilities throughout different nodes in a wireless mesh network. Methods and apparatus consistent with the present disclosure increase the efficiency of communications in a wireless mesh network because they help minimize the need to forward communications to other nodes in the wireless mesh network such that an evaluation can be performed. Apparatus and methods consistent with the present disclosure may distribute ratings or verdicts associated with previous requests to access data to different nodes in a wireless mesh network without generating additional wireless communications through the wireless mesh network. Apparatus and methods consistent with the present disclosure distribute content ratings to different nodes in a wireless network such that different wireless nodes may block redundant requests to undesired content without increasing messaging traffic.
    Type: Grant
    Filed: December 23, 2022
    Date of Patent: January 2, 2024
    Assignee: SONICWALL INC.
    Inventor: Zhuangzhi Duo
  • Patent number: 11860855
    Abstract: A storage service is configured to receive one or more instructions specifying transformations that are to be applied to data sets stored by the storage service when the data sets are made available outside of particular storage locations within the storage service. In response to triggering events that make the data sets available outside of the particular storage locations, the storage service causes the transformations to be performed on the data sets prior to the data sets being accessible at one or more destination locations outside of the particular storage locations where the data sets are stored. In some embodiments, the transformations are performed on hardware included in the storage service or are performed on external hardware at the direction of the storage service.
    Type: Grant
    Filed: June 23, 2017
    Date of Patent: January 2, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Christopher Richard Jacques de Kadt, Tate Andrew Certain, Douglas Stewart Laurence, Phil Simko
  • Patent number: 11863542
    Abstract: Systems and methods for determining network topology by implementing the security parameter index (“SPI”) to map network nodes that are behind a network address translation (“NAT”) address are disclosed.
    Type: Grant
    Filed: August 4, 2021
    Date of Patent: January 2, 2024
    Assignee: CradlePoint, Inc.
    Inventors: Doug Applegate, Kurt Ziegler
  • Patent number: 11863672
    Abstract: Systems and methods are provided for refreshing encryption and decryption keys. The disclosed techniques can improve refreshing encryption keys by allowing for the process to be automated, preventing downtime in each system and reducing developer labor in preparing and facilitating the exchange. In addition, the embodiments of the present disclosure can enable organizations to store keys (both old keys and newly generated keys) along with metadata in a known location accessible to the other organization.
    Type: Grant
    Filed: April 18, 2023
    Date of Patent: January 2, 2024
    Assignee: INTUIT INC.
    Inventors: Gautam Gupta, Husenibhai Kathiria, Shraddha Shah
  • Patent number: 11856026
    Abstract: The technology disclosed relates to reducing error in security enforcement by a network security system (abbreviated NSS). The NSS classifies incoming connection access requests as loss prevention inspectable or connection preserving by determining their conformance or non-conformance with semantic and content requirements of HTTP and HTTPS protocols. The NSS forwards the loss prevention inspectable connection access requests to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection. The NSS directly sends the connection preserving connection access requests to the destination servers, preventing connection termination and error generation.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: December 26, 2023
    Assignee: Netskope, Inc.
    Inventors: Ravi Ithal, Krishna Narayanaswamy
  • Patent number: 11853173
    Abstract: Disclosed embodiments provide techniques for log file manipulation detection. Log file terms are identified in a set of known good log files. A frequency metric is computed for the log file terms, and one or more clusters are formed that represent the terms and their corresponding frequency metric values within the set of known good log files. New log files are then obtained from an operational computer system. The frequency metric for those terms in the new log files is computed and checked against the established clusters. A score is computed based on how similar the new log files are to the set of known good log files by comparing the frequency metric for terms in the new log file to the data in the previously obtained cluster(s). In response to a score exceeding a predetermined threshold, one or more mitigation actions are taken.
    Type: Grant
    Filed: March 20, 2023
    Date of Patent: December 26, 2023
    Assignee: KYNDRYL, INC.
    Inventor: Cesar Rodriguez Bravo
  • Patent number: 11856091
    Abstract: A plurality of clients including a platform (200) and at least one client (100) communicate with each other in accordance with a publish-subscribe model. A topic common key manager (260) of the platform (200) provides, to the client (100), a topic common key associated with a topic and being for encryption and decryption of a message directed to the topic. A message manager (270) transmits the message encrypted with the topic common key associated with the topic, and decrypts a received message with the topic common key associated with the topic. A topic common key storage (150) of the client (100) stores the topic common key provided from the platform (200) in association with identification information of the topic. A message manager (170) transmits the message encrypted with the topic common key, and decrypts a received message with the topic common key.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: December 26, 2023
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Tomohiro Onuki, Motoyuki Ozaki, Osamu Nasu
  • Patent number: 11853100
    Abstract: Methods, apparatus, and processor-readable storage media for automated delivery of cloud native application updates using one or more user-connection gateways are provided herein.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: December 26, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Anurag Sharma, Jeffrey T. Glenn, Matt Puerkel, Eddie Pavkovic, Aaron W. Spiegel
  • Patent number: 11856050
    Abstract: The present application is directed to a distributed system that provides multi-cloud aggregation and that includes a cloud-connector server, cloud-connector nodes, and one or more service-provider nodes that cooperate to provide services that are distributed across multiple clouds. A service-provider node obtains tenant-associated information from a virtual data center in which the service-provider node is installed and provides the tenant-associated information to the cloud-connector server.
    Type: Grant
    Filed: November 28, 2022
    Date of Patent: December 26, 2023
    Assignee: VMware, Inc.
    Inventor: Jagannath N. Raghu
  • Patent number: 11841944
    Abstract: A parameter checking method includes substituting a plurality of initial parameters into a data integrity algorithm to obtain syndrome data using a processor, and using a hardware cipher to calculate a calculation result based on the data integrity algorithm based on a plurality of calculation parameters corresponding to the initial parameters. Moreover, when the processor determines that the syndrome data is not the same as the calculation result, the processor outputs a hacker attack message, indicating that at least one of the calculation parameters has been tampered with.
    Type: Grant
    Filed: December 29, 2021
    Date of Patent: December 12, 2023
    Assignee: NUVOTON TECHNOLOGY CORPORATION
    Inventor: Shun-Hsiung Chen
  • Patent number: 11838328
    Abstract: The invention provides a method, apparatus and system for preventing exfiltration of data caused by use of an unsanctioned CCS account. The invention intercepts a communication including a request for access to data, where the communication is being transmitted between a user of the CCS, and a CCS host website, referred to as a CCS endpoint. The intercepted communication is inspected for information that is processed to obtain a CCS account identifier associated with a CCS account being used by a user of that CCS account. The CCS account identifier is further processed to access tenant defined policy information associated with the CCS account. The invention further performs actions to determine if the CCS account associated with the account identifier is unsanctioned (unpermitted) with respect to access to the particular data for which access is being requested by the user of that CCS account.
    Type: Grant
    Filed: January 20, 2023
    Date of Patent: December 5, 2023
    Assignee: Netskope, Inc.
    Inventors: VenkataSwamy Pathapati, Michael Koyfman, Yuri Duchovny
  • Patent number: 11836255
    Abstract: A method includes building a firmware image to execute on a bootloader of a system on chip (SoC), the firmware image including first encryption public and private keys, and digitally signing the firmware image with a second encryption private key. The signed firmware image is encrypted with a symmetric encryption key, which in turn is encrypted with a second encryption public key. The encrypted signed firmware image and the encrypted symmetric encryption key are sent to the SoC to cause the SoC to (1) decrypt the encrypted symmetric encryption key to produce the symmetric encryption key using a third encryption private key from a first asymmetric key pair, (2) decrypt the encrypted signed firmware image to produce the signed firmware image using the symmetric encryption key, and (3) verify a digital signature of the signed firmware image using a third encryption public key from a second asymmetric key pair.
    Type: Grant
    Filed: March 28, 2023
    Date of Patent: December 5, 2023
    Assignee: Verkada Inc.
    Inventors: Andrei Goverdovskii, Nick Pelis
  • Patent number: 11838754
    Abstract: According to certain embodiments, a method by a user equipment (UE) for securing network steering information includes transmitting a registration request to a Visited Public Land Mobile Network (VPLMN). Upon successful authentication by an authentication server function (AUSF), a home network root key is generated. A protected message comprising Network Steering information is received from a first network node. The protected message is protected using a configuration key (Kconf) and a first Message Authentication Code (MAC-1). The configuration key (Kconf) is determined from the home network root key, and the UE verifies the MAC-1. Based on the Kconf and the MAC-1, it is verified that the VPLMN did not alter Network Steering Information. An acknowledgement message, which is protected with a second Message Authentication Code (MAC-2), is transmitted to a Home Public Land Mobile Network (HPLMN).
    Type: Grant
    Filed: October 1, 2018
    Date of Patent: December 5, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Torvinen, Ivo Sedlacek, Monica Wifvesson
  • Patent number: 11838269
    Abstract: A network security system provides portals which enable automatic creation of a dynamic one-time port forwarding rule for an authorized user's current IP address following two factor authentication of the authorized user. Such a dynamic one-time port forwarding rule is utilized to set up a connection, at which point the dynamic one-time port forwarding rule is removed, preventing any attacker from subsequently taking advantage of it. Such a methodology is advantageous as compared to conventional port forwarding in that it is much more secure. Such a methodology is advantageous as compared to traditional port forwarding with access control both in that a user does not always have to utilize the same device with a static IP address, and in that the port forwarding rule representing or exposing a potential vulnerability is deleted after a connection is established.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: December 5, 2023
    Assignee: Calyptix Security Corporation
    Inventors: Lawrence Chin Shiun Teo, Aaron K. Bieber, Nicholas C. Pelone, Bryce Chidester, Benjamin A. Yarbrough
  • Patent number: 11830031
    Abstract: In various example embodiments, a system and method for determining a spam publication using a spam detection system are presented. The spam detection system receives, from a device, an image of an item and an item attribute for the item. Additionally, the spam detection system extracts an image attribute based on the received image, and compares the item attribute and the image attribute. Moreover, the spam detection system calculates a confidence score based on the comparison. Furthermore, the spam detection system determines that the item attribute is incorrect based on the confidence score transgressing a predetermined threshold. In response to the determination that the item attribute is incorrect, the spam detection system causes presentation, on a display of the device, of a notification.
    Type: Grant
    Filed: December 28, 2021
    Date of Patent: November 28, 2023
    Assignee: eBay Inc.
    Inventors: Manojkumar Rangasamy Kannadasan, Ajinkya Gorakhnath Kale
  • Patent number: 11829624
    Abstract: Techniques provide for data deduplication. Such techniques involve: allocating a storage area in a storage device, the storage area including a first storage segment for storing an incompressible data block and a second storage segment for storing a compressed data block, a first size of the first storage segment being greater than a second size of the second storage segment; in response to receiving a write request, determining whether a data block to which the write request is related is compressible; in response to determining that the data block is incompressible, adding header information to the data block to generate a first data segment of the first size; and storing the first data segment in the first storage segment through a deduplication operation. Accordingly, such techniques can increase the flexibility and efficiency of data deduplication.
    Type: Grant
    Filed: April 8, 2020
    Date of Patent: November 28, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Ming Zhang, Shuo Lv, Chen Gong
  • Patent number: 11831452
    Abstract: The present invention provides for fabricating virtual networks and allocating request-notifications therein for providing support-services securely and efficiently. In operation, a virtual network is fabricated based on network-registration requests received from a plurality of computing devices. Further, a primary data structure representative of registered computing devices categorized into devices offering services and requiring services is generated based on information embedded in network-registration requests. Furthermore, a secondary data structure is generated by sub-categorising categorised computing devices based on information embedded in network-registration requests. Yet further, request-notifications for completing incoming support-requests from registered computing devices requiring services are generated.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: November 28, 2023
    Assignee: COGNIZANT TECHNOLOGY SOLUTIONS INDIA PVT. LTD.
    Inventors: Sathish Kumar Manickam, Eby Jacob, Sriramajeyam Sugumaran, Ramesh Gummudipundi Mohan, Mahesh Gatkal, Sheik Ahamed Kabir Syedansari, Gnanasakthivel Ramanathan
  • Patent number: 11831663
    Abstract: Methods and apparatus for secure networking protocol optimization via NIC hardware offloading. Under a method, security offload entries are cached in a flow table or a security database offload table on a network interface coupled to a host that implements a host security database mapping flows to Security Association (SA) contexts. Each security offload entry includes information identifying a flow and information, such as an offset value, to locate a corresponding entry for the flow in the host security database. Hardware descriptors for received packets that belong to flows with matching security offload entries are generated and marked with the information used to locate the corresponding entries in the host security database. The hardware descriptors are processed by software on the host and the location information is used to de-reference the location of applicable entries in the host security database.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: November 28, 2023
    Assignee: Intel Corporation
    Inventors: Mesut Ergin, Ping Yu, Declan Doherty, Yuwei Zhang
  • Patent number: 11831622
    Abstract: There is provided a method of operating a network controller for enabling secure communication between network endpoints in a distributed network, as well as a network controller and a network switch and a method of operating a network switch. The network controller has a secure channel with each of the network endpoints. The network controller is providing, in connection with establishment of a network flow for communication between the network endpoints, symmetric keying material associated with and valid only for that network flow. The network controller is further enabling provisioning of the symmetric keying material to the network endpoints for allowing cryptographically secure communication between the network endpoints on a per-flow basis.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: November 28, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Göran Selander, Nicolae Paladi, Marco Tiloca
  • Patent number: 11831684
    Abstract: Systems and methods to rotate security assets used for secure communications are disclosed. The system includes initiating a communication session between two servers. Additionally, a server provides a first version of a first certificate to another server. The first version of the first certificate has identifying information including a first public key. The server receives a second certificate. The server determines that the second certificate is trusted by determining that the second certificate has identifying information matching the identifying information of the first version of the first certificate. In response to determining that the second certificate is trusted, the server encrypts the first public key. The server provides the encrypted first public key to the other server. The server then receives a verification of decryption of the encrypted first public key.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: November 28, 2023
    Assignee: eBay Inc.
    Inventors: Michael Dean Kleinpeter, Raju Venkata Kolluru
  • Patent number: 11818574
    Abstract: Described embodiments provide for provisioning devices securely using zero touch deployments. A controller application can receive a first authentication code from the controller. The controller application can establish, responsive to receiving the first authentication code, a short-range wireless connection with the device within a pairing range of the controller application using at least one of one or more short-range wireless communication types. The controller application can receive a second authentication code from the device via the short-range wireless connection. The controller application can determine that the first authentication code received from the controller corresponds to the second authentication code received via the short-range wireless connection.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: November 14, 2023
    Assignee: Citrix Systems, Inc.
    Inventors: Krishna Kumar Kb, Praveen Raja Dhanabalan
  • Patent number: 11818229
    Abstract: A computer-implemented method, operable with a content delivery network (CDN) uses late binding of caching policies; by a caching node in the CDN, in response to a request for content, determining if the content is cached locally. When it is determined that said content is cached locally, then: determining a current cache policy associated with the content; and then determining, based on said current cache policy associated with the content, whether it is acceptable to serve the content that is cached locally; based on said determining, when it is not acceptable to serve the content that is cached locally, obtaining a new version of the content and then serving the new version of the content, otherwise when it is acceptable to serve the content that is cached locally, serving the content that is cached locally.
    Type: Grant
    Filed: August 19, 2022
    Date of Patent: November 14, 2023
    Assignee: Level 3 Communications, LLC
    Inventors: Christopher Newton, William Crowder
  • Patent number: 11816249
    Abstract: Systems and methods of dynamic management of private data during communication between a remote server and a user's device, including receipt of a request for retrieval of at least one data packet from the user's device, wherein the user's device is configured to provide a response corresponding to the received request, determination of at least one communication data type of the at least one data packet corresponding to the received request, receipt of a privacy preference for the user's device, wherein the privacy preference comprises a list of allowed data packet communication types for sharing during communication, modification of data packets corresponding to requests for sharing of responses that are not compatible with the received privacy preference and maintenance of communication between the remote server and the user's device, with sharing of the modified data packet.
    Type: Grant
    Filed: January 10, 2023
    Date of Patent: November 14, 2023
    Assignee: PRIVACY RATING LTD.
    Inventors: Yoseph Koren, Yehonatan Wasserman
  • Patent number: 11816235
    Abstract: The semiconductor device includes a control unit having redundant processors, a memory storing target data, a secure memory storing a key used for encryption or decryption processing, a cryptographic unit, a secure processor instructing cryptographic processing to the cryptographic unit in response to a request from the control unit, a first bus coupled to the control unit, the memory, the cryptographic unit, and the secure processor, and a second bus coupled to the secure memory, the cryptographic unit, and the secure processor. The control unit communicates with the memory via a predetermined error detection mechanism, the cryptographic unit includes a plurality of cryptographic processors that independently perform cryptographic processing on target data using a key based on an instruction, and each of the plurality of cryptographic processors includes a data transfer unit that performs data transfer with the memory via the error detection mechanism.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: November 14, 2023
    Assignee: RENESAS ELECTRONICS CORPORATION
    Inventors: Kenichi Ito, Akihiro Yamate, Akira Hosotani
  • Patent number: 11818044
    Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first value. The method further includes generating a second value by inputting the first value and one or more node details into a hash function. The method includes replacing the first value with the second value in the packet. The packet including the second value is forwarded by the node.
    Type: Grant
    Filed: July 15, 2021
    Date of Patent: November 14, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Atri Indiresan, Frank Brockners, Shwetha Subray Bhandari
  • Patent number: 11818157
    Abstract: The detection of a risky edge in a lateral movement path is detected by determining the weakest point in the configuration of the user accounts, groups, and devices having access to the resources of a tenant of the cloud service. A lateral movement graph having nodes of user accounts, devices, and groups and edges representing relationships between the nodes is used to compute a risk score for each edge in the graph. The risk score of an edge is used to identify a weak connection and potential target for a lateral movement attack.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: November 14, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Tal Joseph Maor, Shahar Nussbaum, Or Tsemah, Dan Yaari
  • Patent number: 11809851
    Abstract: A method for managing a resource system includes obtaining, by a hardware resource manager, a firmware update lockdown request for a lockdown for a firmware device of the resource system, in response to the firmware update lockdown request: identifying a firmware protocol corresponding to the firmware device, generating a firmware lockdown command corresponding to the firmware device based on the firmware protocol, and initiating updating of a lockdown policy based on the firmware lockdown command.
    Type: Grant
    Filed: July 27, 2021
    Date of Patent: November 7, 2023
    Assignee: DELL PRODUCTS L.P.
    Inventors: Anusha Bhaskar, Santosh Gore, Muniswamy Setty, Parmeshwr Prasad, Chandrashekar Nelogal