Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11588850
    Abstract: Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated, while allowing communication of priority messages. A security management component (SMC) can determine whether a malicious attack against the RAN is occurring based on a defined baseline that indicates whether a malicious attack is occurring. The defined baseline is determined based on respective characteristics associated with respective devices that are determined based on analysis of information relating to the devices. In response to determining there is a malicious attack, SMC determines whether to block connections of devices to the RAN based on respective priority levels associated with respective messages being communicated by the devices.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: February 21, 2023
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Deon Ogle, Yaron Koral, Cagatay Buyukkoc, Nicholas Arconati, Jitendra Patel, Bogdan Ungureanu
  • Patent number: 11588856
    Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. When new industrial devices are subsequently installed on the plant floor, the system determines whether a security policy defined by the model is applicable to the new device and commissions the new device to comply with any relevant security policies. This mitigates the necessity for a system administrator to manually configure individual devices to comply with plant-wide security policies.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: February 21, 2023
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: David E Huffman, Taryl Jasper, Jack Visoky
  • Patent number: 11582142
    Abstract: A communication control method which performs route control in a communication system comprising: a specific network constituting the Internet; a first network configured to accommodate a specific device connected to the specific network; a second network provided between the specific network and the first network; and a processing device configured to perform predetermined processing on the basis of a packet transmitted between the specific network and the first network, the communication control method comprising: causing a path setting device in the communication system to execute a communication route-setting process comprised of, in accordance with first routing information defining a path leading from the first network to the specific network to be branched in the second network, controlling a path so that a first path of the branched path is set as a path via the processing device, and a second path of the branched path is set as a path leading to the specific network.
    Type: Grant
    Filed: September 20, 2017
    Date of Patent: February 14, 2023
    Assignee: NTT Communications Corporation
    Inventors: Mahoko Tamura, Yoshinao Kurihara, Kazuki Oodo, Kento Ikeda, Hiroshi Sakoda, Takanori Mizuguchi, Yasuhiro Hataya, Kazuki Sato, Kaname Nishizuka, Tomohiro Kimura, Masashi Sakurada, Kyoko Onojima
  • Patent number: 11582257
    Abstract: Methods and systems for assessing internet exposure of a cloud-based workload are disclosed. A method comprises accessing at least one cloud provider API to determine a plurality of entities capable of routing traffic in a virtual cloud environment associated with a target account containing the workload, querying the at least one cloud provider API to determine at least one networking configuration of the entities, building a graph connecting the plurality of entities based on the networking configuration, accessing a data structure identifying services publicly accessible via the Internet and capable of serving as an internet proxy; integrating the identified services into the graph; traversing the graph to identify at least one source originating via the Internet and reaching the workload, and outputting a risk notification associated with the workload. Systems and computer-readable media implementing the above method are also disclosed.
    Type: Grant
    Filed: April 8, 2022
    Date of Patent: February 14, 2023
    Assignee: ORCA SECURITY
    Inventor: Avi Shua
  • Patent number: 11582027
    Abstract: A device management service of a provider network maintains a device repository that is accessible to a remote managed network. The device management service assigns different service credentials for different edge devices indicated by the device repository. For a particular edge device, the device management service provides, based on the service credentials assigned for the edge device, secure transmission of a message between the device management service and a network manager of the managed network. The network manager of the managed network provides secure transmission of the message between the network manager and the edge device based on local credentials assigned for the edge device.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: February 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Craig Lawton
  • Patent number: 11582604
    Abstract: Generally described, the presently disclosed technology utilizes managed Wi-Fi networks pre-installed throughout an MDU property to provide user-specific passphrases that can be used to access the single-SSID wireless network at the property and to provide a cloud portal that can enable convenient access to the functionalities (both by the resident and the manager) provided by the Wi-Fi controller and the Wi-Fi access points. By doing so, the Wi-Fi network management solutions described herein allow the users to experience the benefits of a shared Wi-Fi infrastructure, such as not having to set up and maintain their own Wi-Fi routers, while also allowing them to easily change their Wi-Fi settings from their connected devices.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: February 14, 2023
    Assignee: Nomadix, Inc.
    Inventors: Vadim Olshansky, Gaurav Jain
  • Patent number: 11579910
    Abstract: Techniques are provided for enforcing policies at a sub-logical unit number (LUN) granularity, such as at a virtual disk or virtual machine granularity. A block range of a virtual disk of a virtual machine stored within a LUN is identified. A quality of service policy object is assigned to the block range to create a quality of service workload object. A target block range targeted by an operation is identified. A quality of service policy of the quality of service policy object is enforced upon the operation using the quality of service workload object based upon the target block range being within the block range of the virtual disk.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: February 14, 2023
    Assignee: NetApp, Inc.
    Inventor: Dean Alan Kalman
  • Patent number: 11580552
    Abstract: A method for preventing duplicate processing of a payment transaction includes: generating a first data structure with a first predetermined time interval and generating a second data structure with a second predetermined time interval. A first overlap region and second overlap region of the first and second predetermined time interval are defined by a same time interval. The method includes receiving first transaction data associated with a first payment transaction, receiving second transaction data associated with a second payment transaction, and determining based on a first transaction ID and a second transaction ID, that the second payment transaction is a duplicate of the first payment transaction. A computer program product and system for preventing duplicate processing of a payment transaction are also disclosed.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: February 14, 2023
    Assignee: Visa International Service Association
    Inventor: Jie Zhang
  • Patent number: 11575661
    Abstract: Described herein are systems, methods, and software to manage private networks for computing elements. In one example, a computing element may obtain credential information associated with a user and generate a public-private key pair for the computing element. The computing element may further communicate the public key from the pair with metadata to a coordination service to register the computing element at the coordination service. Once registered, the computing element may receive communication information associated with one or more other computing elements that permit the computing element to communicate with the other computing elements.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: February 7, 2023
    Assignee: Tailscale Inc.
    Inventors: David F. Carney, Avery Pennarun, David J. Crawshaw
  • Patent number: 11575660
    Abstract: Systems, methods, software and apparatus enable end-to-end encryption of group communications by implementing a pairwise encryption process between a pair of end user devices that are members of a communication group. One end user device in the pairwise encryption process shares a group key with the paired end user device by encrypting the group key using a message key established using the pairwise encryption process. The group key is shared among group members using the pairwise process. When a transmitting member of the group communicates with members, the transmitting member generates a stream key, encrypts stream data using the stream key, encrypts the stream key with the group key, then transmits the encrypted stream key and encrypted stream data to group members. The group key can be updated through the pairwise encryption process. A new stream key can be generated for each transmission of streaming data such as voice communications.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: February 7, 2023
    Assignee: Orion Labs, Inc.
    Inventor: Greg Albrecht
  • Patent number: 11575700
    Abstract: A method for displaying an attack vector available to an attacker of a networked system including a plurality of network nodes. One or more penetration tests of the networked system are carried out, by a penetration testing system. Based on results of the penetration tests, the attack vector available to an attacker of the networked system is identified. A critical path of the attack vector is determined, and is displayed by displaying the network nodes included in the critical path as a continuous ordered sequence of network nodes. In some embodiments, one or more auxiliary paths of the attack vector may be determined, and may be displayed.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: February 7, 2023
    Assignee: XM Cyber Ltd.
    Inventors: Yehonatan Sayag, Gal Ben Ishay
  • Patent number: 11568040
    Abstract: A management apparatus includes a memory, a unification policy setting unit, and a security level setting unit. The memory stores, for each of a user belonging to a first group and a user belonging to a second group, an authentication level of a domain assigned to a corresponding one of the users. The unification policy setting unit sets a unification policy that specifies a relationship between the authentication level and a security level for a state after unification. The security level setting unit sets the security level in a case where the first group and the second group undergo the unification into a third group. The security level is set for each of the users belonging to the third group by using the authentication level and the unification policy.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: January 31, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Takeshi Nishizawa
  • Patent number: 11570137
    Abstract: Methods and systems for performing a Mapping of Address and Port using translation (MAP-T) data plane verification. A method for performing a MAP-T data plane verification includes initiating, by a diagnostic server provisioned with at least MAP-T diagnostic rules, a MAP-T diagnostic on a border relay provisioned with MAP-T rules, generating, by the diagnostic server, a diagnostic packet per the MAP-T diagnostic rules, sending, by the diagnostic server, the diagnostic packet to the border relay, performing, by the border relay, a translation on the diagnostic packet per the provisioned MAP-T rules, analyzing, by the diagnostic server to generate a report, at least a translation accuracy of a received translated diagnostic packet, and configuring at least one device based on a received report.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: January 31, 2023
    Assignee: Charter Communications Operating, LLC
    Inventors: Thomas Nathan Carter, Jeffrey Larkin Cook, Thomas Lawrence Bowlby
  • Patent number: 11570190
    Abstract: A method for characterizing network traffic is provided. The method includes maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates, capturing network traffic over a network connection at a network connected device, analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database, and characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: January 31, 2023
    Assignee: NETSEC CONCEPTS LLC
    Inventors: Brian Fehrman, Elizabeth Woody, Joseph Lillo
  • Patent number: 11563758
    Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: January 24, 2023
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
  • Patent number: 11563718
    Abstract: A computer network security manager device connects to a first wireless router and then connects to a plurality of devices (e.g., a plurality of IoT devices). The computer network security manager device then performs device agnostic activation of the plurality of devices to enable the plurality of devices to perform respective functions of each device. The security manager device prevents the plurality of devices from connecting directly to the first wireless router and only allows other devices on the Internet to communicate with the plurality of devices according to specific firewall rules. In response to receiving an indication that the first wireless router to which the network security manager device is connected is out of service or no longer exists, the network security manager device prevents other devices on the Internet from being able to communicate with the plurality of devices.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: January 24, 2023
    Assignee: DISH NETWORK L.L.C.
    Inventor: Raymond C. Rodriguez
  • Patent number: 11563600
    Abstract: To reduce overhead generated by maintaining a full mesh network with static spoke-to-spoke tunnels while providing the efficiency of spoke-to-spoke communication, BGP configuration is automated to provide for dynamic establishment of spoke-to-spoke tunnels. A virtual Internet Protocol (VIP) address is assigned to each spoke in the network. Spokes advertise their VIP address to the hub for communication to the other spokes. A spoke sets the route next hop in its routing table for a remote spoke to the VIP of the remote spoke. Establishment of a tunnel between spokes is initiated after detecting data is to be communicated between the spokes while data is temporarily routed through the hub. Data is routed directly to the receiving spoke through the dynamic tunnel once the tunnel is active. Tunnels between spokes are terminated dynamically after a period of inactivity to reduce overhead caused by consistent maintenance of dynamic tunnels with low use.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: January 24, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Li Meng, Dhwanit Shah
  • Patent number: 11558423
    Abstract: The present disclosure relates to network security software cooperatively configured on plural nodes to monitor, alert, authenticate, and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: January 17, 2023
    Assignee: Stealthpath, Inc.
    Inventors: Andrew Gordon, Mike Clark, Matt Clark, Daniel T. McGovern, Kevin J. Kelly, Nathan P. Leemkuil
  • Patent number: 11552780
    Abstract: A system for securing a data set includes a computing device that provides access to portions of a data set to different users, and can encrypt the portions by generating encryption keys for each portion using a single mathematical function. The keys are generated by applying a starting point and length to a solution of the mathematical function. The process to generate the decryption keys is provided to the authorized users so that they can view and manipulate only the data set portions they are authorized to access.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: January 10, 2023
    Assignee: Theon Technologies, Inc.
    Inventors: Robert Edward Grant, Kristine Romine
  • Patent number: 11551216
    Abstract: A system and method for implementation of transaction security on a distributed ledger-based Mobility-as-a-Service (MaaS) platform is provided. The system includes a message broker device which receives a transaction request associated with a transport service from a publisher node of a transportation provider. The message broker device routes, via an API gateway hosted on the message broker device, the transaction request to a subscriber node of the transportation provider. The API gateway validates the transaction request based on application of a set of security rules on the transaction request. The subscriber node is associated with a first node of a distributed ledger node that stores a first state object. The first state object includes transaction data associated with the transport service. The distributed ledger node receives the validated first transaction request from the API gateway, via the subscriber node and updates the transaction data based on the received transaction request.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: January 10, 2023
    Assignee: SONY CORPORATION
    Inventor: Sadayoshi Murao
  • Patent number: 11546232
    Abstract: A method for providing data to a client computing device from an edge computing device is discussed herein. The method may include performing a network proximity check regarding the client computing device associated with a request for data captured by the wideband sensor. The method may further include determining, based on at least one proximity metric associated with the client computing device, a route for data responsive to the request for data associated with the network proximity check, where the route is one of a route including the cloud storage or a route that does not include the cloud storage. The method may also include receiving the request for data captured by the wideband sensor associated with the network proximity check. The method may also include transmitting the data responsive to the request for data captured by the wideband sensor associated with the network proximity check to the client computing device through the determined route.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: January 3, 2023
    Assignee: Hitachi, Ltd.
    Inventors: Daisuke Maeda, Sudhanshu Gaur
  • Patent number: 11546379
    Abstract: Examples provided herein describe a method for providing security for Internet of Things (IoT) devices. For example, a data packet from an IoT device may be received at an edge device. A signature associated with the IoT device may be accessed at the edge device, where the signature includes network layer information about the IoT device. A set of rules may be applied by the edge device to validate the IoT device based on the accessed signature. Responsive to the IoT device being validated based on the accessed signature, received data packet, and the applied set of rules, the edge device may process the data packet from the IoT device.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: January 3, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ramlakhan Patel, Ankit Kumar Sinha, Praveen Kumar Arora, Rangaprasad Sampath
  • Patent number: 11546176
    Abstract: A method of remotely initializing at least one device is disclosed. The method includes initializing at a local host a cryptographic authorization sequence after receiving a secure input value. The method further includes receiving at a local host cryptographic controller a first authorization request from a first remote device. After a challenge-response authentication protocol, the first remote device is authenticated and receives a public key infrastructure certificate. The method includes receiving at a first remote cryptographic controller a second request from a second remote device. After a challenge-response authentication protocol, the first remote device is authenticated, but does not receive a public key infrastructure certificate. A system for remotely initiating at least one device is also disclosed.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: January 3, 2023
    Assignee: Rockwell Collins, Inc.
    Inventors: Sean Howard, James A. Marek, Jonathon C. Skarphol, Edward C. Tubbs
  • Patent number: 11546301
    Abstract: In accordance with an embodiment, described herein is a system and method for autonomous firewall rule management, for use with cloud computing environments or other types of network environments. A firewall rule management automation framework provides rule management for firewalls deployed across availability domains. The system is adapted to automatically determine firewalls that can receive network traffic from a given source subnet or destination subnet; configure the firewalls with required firewall rules; monitor the firewall rules through collection of metrics snapshots and rule hit counts; and purge underused or potentially obsolete firewall rules, for example those having zero hits over a particular period of time or number of snapshots. The system provides generic support for different types of firewall devices, and autonomous management of firewall rules within large heterogeneous computer networks that may include several types of firewalls.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: January 3, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Rishi Mutnuru
  • Patent number: 11537720
    Abstract: Security configuration optimizer system and methods create optimized access control policies. The systems and methods analyze constraints on the secured system and produce a plurality of proposals for an updated security configuration. The proposals are analyzed and filtered. A resulting set of proposals are graded or ranked according to a variety of desirable outcomes. A proposal is selected according to criteria based on the balance of security and complexity. The security configuration is updated according to the selected proposal.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: December 27, 2022
    Assignee: HASHICORP, INC.
    Inventors: Jonathan James Currey, Robert Earle McKinstry, III, Armon Memaran Dadgar
  • Patent number: 11540202
    Abstract: Techniques are provided to use a trusted identity and location to select the most appropriate point of interconnect to edge application execution environments as well as a specific edge application execution environment. The techniques may involve obtaining, on behalf of a wireless mobile device, an access identifier that indicates an access location of the wireless mobile device that is wirelessly connected to wireless network infrastructure equipment operated by an access network provider that is associated with, and a member of, a federation of access network providers. The access location for the wireless mobile device is derived based on the access identifier, and the access location is used to select an edge resource to be used by the wireless mobile device.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: December 27, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Timothy Peter Stammers, Flemming Andreasen
  • Patent number: 11537731
    Abstract: The system may include a method comprising requesting, by a computer, a receiver identifier associated with a receiver; receiving, by the computer, the receiver identifier in association with content; constructing, by the computer, a URL link comprising access to DICOM viewer code, DICOM data for the selected images, a sender identifier and the receiver identifier; generating, by the computer, a notification to the receiver, wherein the notification includes the URL link; and transmitting, by the computer, the notification to a receiver based on the receiver identifier.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: December 27, 2022
    Assignee: MYMEDICALIMAGES.COM, LLC
    Inventor: Troy Berg
  • Patent number: 11537704
    Abstract: Access to a shared library API is restricted for a customer application by a security system. A profile for each of a plurality of trusted applications is generated and stored in a security database. When a customer application attempts to access the shared library API, the customer application is verified by extracting a customer application profile for the customer application, comparing the customer application profile with each stored trusted application profile, and verifying that the customer application can access the shared library API based on the comparison. Based on the verification, the customer application may be allowed to access the shared library API or may be prevented from accessing the shared library API.
    Type: Grant
    Filed: October 15, 2020
    Date of Patent: December 27, 2022
    Assignee: Protegrity Corporation
    Inventors: Yigal Rozenberg, Pierre Burlin, Jan Boberg
  • Patent number: 11528167
    Abstract: Embodiments of the present disclosure provide a method and device for implementing gateway cooperation, a gateway and a storage medium. The method for implementing the gateway cooperation includes: selecting, from gateways in an IoT network, at least one cooperative gateway for a target gateway; notifying the target gateway of the at least one cooperative gateway, wherein the at least one cooperative gateway is used for establishing cooperation with the target gateway and performing cooperative management.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: December 13, 2022
    Assignee: ZTE CORPORATION
    Inventors: Kun Yang, Chen Lu, Fang Xie
  • Patent number: 11526275
    Abstract: Systems and methods for sampling a set of block IDs to facilitate estimating an amount of data stored in a data set of a storage system having one or more characteristics are provided. According to an example, metadata (e.g., block headers and block IDs) may be maintained regarding multiple data blocks of the data set. When one or more metrics relating to the data set are desired, an efficiency set, representing a subset of the block IDs of the data set, may be created to facilitate efficient calculation of the metrics by statistically sampling the block IDs of the data set. Finally, the metrics may be estimated based on the efficiency set by analyzing one or more of the metadata (e.g., block headers) and the data contained in the data blocks corresponding to the subset of the block IDs and extrapolating the metrics for the entirety of the data set.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: December 13, 2022
    Assignee: NetApp, Inc.
    Inventors: Charles Randall, Alyssa Proulx
  • Patent number: 11526854
    Abstract: A method includes establishing a session between a first client device and a host device to run an application on the first client device. The method includes receiving an indication to transfer the session from the first client device to a second client device. The method includes storing, in response to receiving the indication, state information of the application for the session. The method includes generating a pointer associated with the session. The method includes generating a scannable code including the pointer. The method includes scanning the displayed scannable code using an imaging element associated with the second client device. The method includes transferring, using the pointer, the session from the first client device to the second client device using the stored state information so that a second display associated with the second client device displays a most recently updated instance of the application from the first client device.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: December 13, 2022
    Assignee: EPICOR SOFTWARE CORPORATION
    Inventors: Ernesto Gonzalez, Jr., Jeffrey Scott Tompkins, Stephen J. Gannon, Sergio Hernandez Palomares, Alan Saldivar
  • Patent number: 11528321
    Abstract: A load balancing system, a load balancing method, and a non-transitory recording medium. The load balancing system includes a first client apparatus and a second client apparatus each of which communicates with a particular server among a plurality of servers through a load balancer that distributes load of the plurality of servers. The first client apparatus transmits to the load balancer, a request to the server to acquire identification information for identifying the particular server selected by the load balancer from among the plurality of servers, notifies the second client apparatus of the identification information of the particular server, the second client apparatus requesting the load balancer to connect to the particular server, and requests the load balancer to connect to the particular server using the identification information.
    Type: Grant
    Filed: February 1, 2022
    Date of Patent: December 13, 2022
    Assignee: Ricoh Company, Ltd.
    Inventor: Mototsugu Emori
  • Patent number: 11520747
    Abstract: The disclosed systems and methods are directed to detecting and resolving write-write conflicts among a plurality of transactions received from master nodes of a multi-writer database system. The method includes receiving a plurality of REDO logs and storing the plurality of REDO logs in a buffer, each REDO log associated with one of the plurality of transactions; selecting one REDO log of the plurality of REDO logs; persisting the transaction associated with the one REDO log in a local storage when a write-write conflict is detected between the one REDO log and at least one other REDO log of the plurality of REDO logs prior to committing the transaction associated with the one REDO log; and transmitting a status of the transaction associated with the one REDO log to a global transaction manager (GTM).
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: December 6, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yuk Kuen Chan, Wenbin Ma, Emad Boctor, Huaxin Zhang
  • Patent number: 11522855
    Abstract: Embodiments establish a pool of tunnel connections using a secure protocol. A pool of tunnels can be initiated from endpoint connection managers to cloud connection managers, where a request is received from the endpoint connection managers by the cloud connection managers. A request from a cloud client to communicate with a secure computing device using a first of the endpoint connection managers is received at a first of the cloud connection managers. One of the pool of tunnels that is connected to the first endpoint connection manager is identified. The identified tunnel is configured to connect the cloud client and the first endpoint connection manager.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: December 6, 2022
    Assignee: Oracle International Corporation
    Inventors: Bhaskar Mathur, Feroz Alam Khan, Abhishek Dadhich, Kant C. Patel
  • Patent number: 11520905
    Abstract: When a system receives sensitive data, it can request an encryption key from an encryption/decryption unit. A central processing unit (CPU) of the system can encrypt the sensitive data using the encryption key before writing the sensitive data to memory. Thus, the sensitive data is encrypted when written to memory.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: December 6, 2022
    Assignee: KYNDRYL, INC.
    Inventors: Vinod A. Valecha, Krzysztof Rudek, Grzegorz Piotr Szczepanik, Lukasz Jakub Palus
  • Patent number: 11516193
    Abstract: A key distribution host determines a trust level of a user authentication server, wherein the trust level is based, at least in part, on one or more attributes of the user authentication server and provides one or more authentication keys to the user authentication server only if the trust level of the user authentication server is above a threshold value.
    Type: Grant
    Filed: August 21, 2020
    Date of Patent: November 29, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Jasmeet Chhabra, Daniel Stephen Popick, Luke Edward Kennedy
  • Patent number: 11513905
    Abstract: A data protection application creates backups of assets. Each asset is mapped in a directory service to one or more asset owners. The directory service is separate from the data protection application. A search query from a user seeking to search the backups is received at the data protection application. The directory service is consulted to identify assets having the user as an asset owner. A search filter is generated including a list of the identified assets. The search filter is applied to the search query to exclude from a search result backups of assets not having the user as the asset owner. The search result is returned to the user, the search result thereby including backups of assets having the user as an asset owner and excluding other backups of other assets not having the user as the asset owner.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: November 29, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: James Morton, Ming Zhang, Lihui Su, Gerald Jourdain
  • Patent number: 11516230
    Abstract: Provided is a method for disabling encryption of data in motion in response to an event. The method includes a service processing data. The service may process the data while in a public mode, in which the service is configured to encrypt data in motion. The method further comprises detecting an event that triggers the service to go into a protected mode. The method further comprises isolating the service from one or more public systems in response to detecting the event. The method further comprises deactivating encryption of data in motion, and processing the data without encrypting the data while in motion.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: November 29, 2022
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Branson, Ryan K. Cradick
  • Patent number: 11516291
    Abstract: A first set of one or more tenant communication components are configured to communicate with a first separate system component of a first storage tenant via a first virtual network. A second set of one or more tenant communication components are configured to communicate with a second separate system component of a second storage tenant via a second virtual network. The second virtual network is separate from the first virtual network. A plurality of tenant communication components of the storage cluster system including the first set of one or more tenant communication components and the second set of one or more tenant communication components are configured to communicate internally in the storage cluster system via a third virtual network separate from the first virtual network and the second virtual network.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: November 29, 2022
    Assignee: Cohesity, Inc.
    Inventors: Harsha Vardhan Jagannati, Anand Bhat
  • Patent number: 11509635
    Abstract: Various techniques for processing sensitive data in an isolated incubator system within a service-provider network are described. The incubator system, for instance, is isolated from a client system in the service-provider network. In an example method, the incubator system receives an indication of an operation, and first encrypted data, from the client system. The incubator system converts the first encrypted data to plaintext and performs the operation. The incubator system converts the processed data into second encrypted data and provides the second encrypted data to the client system. Thus, the incubator system performs the operation on the data without exposing the data to the client system in the plaintext format.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: November 22, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ripul Jain, Erick Ribeiro, Oren Weiss, Kevin Stessens
  • Patent number: 11509629
    Abstract: A network security system provides portals which enable automatic creation of a dynamic one-time port forwarding rule for an authorized user's current IP address following two factor authentication of the authorized user. Such a dynamic one-time port forwarding rule is utilized to set up a connection, at which point the dynamic one-time port forwarding rule is removed, preventing any attacker from subsequently taking advantage of it. Such a methodology is advantageous as compared to conventional port forwarding in that it is much more secure. Such a methodology is advantageous as compared to traditional port forwarding with access control both in that a user does not always have to utilize the same device with a static IP address, and in that the port forwarding rule representing or exposing a potential vulnerability is deleted after a connection is established.
    Type: Grant
    Filed: June 26, 2021
    Date of Patent: November 22, 2022
    Assignee: Calyptix Security Corporation
    Inventors: Lawrence Chin Shiun Teo, Aaron K. Bieber, Nicholas C. Pelone, Bryce Chidester, Benjamin A. Yarbrough
  • Patent number: 11503079
    Abstract: Apparatus to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication device is disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present disclosure greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: November 15, 2022
    Assignee: Blue Armor Technologies, LLC
    Inventors: John William Hayes, Charles Andrew Gram
  • Patent number: 11496504
    Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: November 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Sarvesh K. Batta, Thyagarajan S. Pasupathy, Mohan Thangavel
  • Patent number: 11489821
    Abstract: Aspects of the invention include receiving a request from a responder channel on a responder node to initiate a secure communication with an initiator channel on an initiator node. The request includes an identifier of a shared key, and a nonce and security parameter index generated by the initiator node for the secure communication. The receiving is at a local key manager (LKM) executing on the responder node. A security association is created at the LKM between the initiator node and the responder node. The shared key is obtained based at least in part on the identifier of the shared key. Based on obtaining the shared key, a message requesting initialization of the secure communication between the responder channel and the initiator channel is built. The message includes an initiator nonce and an initiator security parameter index generated by the LKM for the secure communication.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: November 1, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mooheng Zee, Richard Mark Sczepczenski
  • Patent number: 11487251
    Abstract: A system for detecting and responding to an anomaly in a chaotic environment, comprising one or more autonomous agent devices and a central server comprising a processor and non-transitory memory.
    Type: Grant
    Filed: December 16, 2020
    Date of Patent: November 1, 2022
    Assignee: Morgan Stanley Services Group Inc.
    Inventors: Kesavanand Muraleedhara, Ahmed Jedda, Paulo Pinto
  • Patent number: 11481282
    Abstract: A method of fault-tolerant process control includes providing a network process control system in an industrial processing facility (IPF) including a plant-wide network coupling a server to computing platforms each including computing hardware and memory hosting a software application for simultaneously supporting a process controller and another process controller or an I/O gateway. The computing platforms are coupled together by a private path redundancy network for providing a hardware resource pool. At least some of the computing platforms are directly coupled by an I/O mesh network to a plurality of I/O devices to field devices that are coupled to processing equipment. Upon detecting at least one failing device in the hardware resource pool, over the private path redundancy network a backup is placed into service for the failing device from the another process controller or I/O gateway that is at another of the computing platforms in the hardware resource pool.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: October 25, 2022
    Assignee: Honeywell International Inc.
    Inventors: Paul Francis McLaughlin, Jason Thomas Urso, James Michael Schreder, John Rosa-Bian, Norman Swanson, Jethro F. Steinman
  • Patent number: 11483296
    Abstract: A hardware security accelerator includes a configurable parser that is configured to receive a packet and to extract from the packet headers associated with a set of protocols. The security accelerator also includes a packet type detection unit to determine a type of the packet in response to the set of protocols and to generate a packet type identifier indicative of the type of the packet. A configurable security unit includes a configuration unit and a configurable security engine. The configuration unit configures the configurable security engine according to the type of the packet and to content of at least one of the headers extracted from the packet. The configurable security engine performs security processing of the packet to provide at least one security result.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: October 25, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ron Diamant, Nafea Bshara, Leah Shalev, Erez Izenberg
  • Patent number: 11477128
    Abstract: Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines applying traffic class and network interface throttling for marking network packets with a differentiated service code based on input received from a profiler application, throttling the bandwidth of network packets based on a threshold for a designated network interface for the packet, throttling the bandwidth of the bandwidth-throttled packets based on a threshold for its respective differentiated service code, and emitting network packets on each respective designated network interface.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: October 18, 2022
    Assignee: Tripwire, Inc.
    Inventors: Chris Pawlukowsky, Ian Turner, Mike Appleby
  • Patent number: 11477261
    Abstract: A method and system for rendering electronic content is provided. The method includes: receiving a request for electronic content; retrieving browser data associated with a browser configured to render the electronic content; determining a nature of the electronic content; reviewing the browser data in relation to the nature of the electronic content to determine whether the browser supports the electronic content; and if the browser supports the electronic content, transmitting the electronic content supported by the browser. The system includes: a connection module configured to receive a request for electronic content; a browser module configured to retrieve browser data; a content module configured to determine a nature associated with the electronic content; a rendering module configured to review the browser data in relation to the nature of the electronic content to determine whether the browser supports the electronic content.
    Type: Grant
    Filed: December 3, 2014
    Date of Patent: October 18, 2022
    Assignee: D2L Corporation
    Inventors: David Lockhart, Nicholas Dingle, Pablo Lleras
  • Patent number: 11477644
    Abstract: Aspects of the subject disclosure may include, for example, a network API service that makes multiple APIs available for guidance and control. The network API service may collect low-level network data related to network elements in access networks and core networks and analyze the low-level network data to create application-level metrics in response to API requests. Other embodiments are disclosed.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: October 18, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Abhigyan Sharma Abhigyan, Gnanavelkandan Kathirvel, John Craig, Paul Carver