Abstract: Aspects described herein may relate to systems and methods for automatically adjusting user device settings when a user attends an event or otherwise brings a user device into a context in which an automatic adjustment of settings is appropriate. By providing for automatic adjusting of user device settings, the systems and methods may achieve greater compliance with rules and other policies of airlines, performance venues, schools, and/or other entities associated with events and/or contexts in which user device settings should be adjusted. Aspects described herein may allow for automatic adjustment of user device settings without compromising a user's privacy, security, or control of a user device.

Abstract: At an artificial intelligence system, one or more classifier training iterations are performed until a training completion criterion is met. A particular iteration comprises obtaining, via an interactive interface, asynchronously with respect to the start of the iteration, class labels for data items identified in a previous iteration as candidates for labeling feedback. The particular iteration also comprises identifying, based on an analysis of classification predictions generated using classifiers trained using class labels obtained via the interface, another set of data items as candidates for labeling feedback. After the training criterion is met, a classifier trained using labels obtained during the iterations is stored.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for managing data usage. An example method includes monitoring electronic usage of a governed data set in a computing environment, wherein the governed data set comprises a governed business element, and wherein the governed business element comprises a business element and a metadata attribute configured to govern electronic usage of the business element. The example method further includes identifying, via a data compliance bot, transmission of an electronic usage request from a user device, wherein the electronic usage request comprises a request for a user of the user device to electronically use the business element in the computing environment. The example method further includes identifying the metadata attribute based on the business element. Subsequently, the example method includes determining whether electronic use of the business element is allowed.

Abstract: Aspects of the disclosure relate to real-time dynamic securitization of blockchain records. A computing platform may receive record retrieval data comprising record data identifying one or more requested records. The computing platform may decrypt the first requested record to generate a decrypted requested record. The computing platform may parse the decrypted requested record to generate parsed record data. The computing platform may determine that the parsed record data comprises a subset of predetermined textual content. The computing platform may mark one or more predetermined textual content of the subset of predetermined textual content for securitization. The computing platform may generate a securitized record by redacting, from the decrypted requested record, each of the one or more predetermined textual content marked for securitization.

Abstract: An AI firewall engine dynamically manages firewall ports of an enterprise network to increase security. The AI firewall engine may begin with a baseline port profile configuration and then add firewall rules derived from natural language processing and machine learning from vendor recommended port requirements for an application. The AI firewall engine builds a dynamic port profile with rules that are applied to the firewalls. The AI firewall engine may then monitor system changes and dynamically updates the port profile and configurations on the firewalls.

Abstract: Disclosed are various embodiments for implementing a decentralized messaging system that allows users to exchange messages via an inbox maintained through a distributed ledger. A messaging inbox can be created for a user in a distributed ledger using an inbox address that includes a string of alphanumeric numbers without an identifying domain name or identifying information about the user. Furthermore, a user may define content preferences associated with the inbox that can be used by the distributed ledger to filter content received in the inbox to minimize unwanted or undesired content provided to the user.

Abstract: Processing electronic mail can include receiving, within an electronic mail server, an electronic mail from a sender client system, sending acceptance criteria for a recipient of the electronic mail to the sender client system responsive to receiving the electronic mail, and receiving, within the electronic mail server, acceptance criteria values from the sender client system in response to the acceptance criteria for the recipient. Using a processor of the electronic mail server, a determination is made whether the acceptance criteria values comply with the acceptance criteria. Responsive to determining that the acceptance criteria values are non-compliant with the acceptance criteria, the electronic mail server rejects the electronic mail, wherein the electronic mail is not delivered to the recipient, and providing, to the sender client system, an indication of rejection of the electronic mail including a reason for non-compliance.

Abstract: A method for operating a distributed application includes: transmitting, by an application frontend, an initialization request to a registration server via a communication network; selecting, by the registration server, an instance of an application backend and transmitting a fully qualified domain name of the selected instance to the application frontend; transmitting, by the application frontend, a lookup request to a domain name server; transmitting, by the domain name server, an IP address associated with the fully qualified domain name to the application frontend; transmitting, by the application frontend, application data to the transmitted IP address via a connection provided by the communication network; selecting, by a core server of the communication network, a quality service for the distributed application; applying, by the communication network, a service quality determined by the selected quality service to the connection; and operating, by the distributed application, with the applied service q

Abstract: A robust, computationally-efficient and secure system is described for streaming content from a server to a client device via the Internet or another digital network. Various aspects relate to automated processes, systems and devices for securing a media stream with efficient yet effective digital cryptography. In particular, content may be transmitted in transport stream (TS) format in which all packets are encrypted (e.g., using a cipher block chain), in which control packets are exempted from encryption (e.g., using an electronic codebook), or in any other manner.

Abstract: A flexible, scalable, and fast query system for a distributed execution environment is provided. An example method includes receiving a plurality of processor summaries, each including a list of job digests, each job digest including a job identifier for a job running on a job processor and a payload portion. The method can also include, for each job digest, determining a location in a probabilistic payload data structure for the job digest and storing the payload portion and a fingerprint portion generated from a portion of a hash of the job identifier in an entry at the location as a job summary and responding to queries using the probabilistic payload data structure. Responding to a particular query may include identifying job properties corresponding to parameters of the particular query, updating job property statistics, and using the job property statistics to change the job properties represented in the payload portion.

Abstract: An approach is provided for providing record-level sensitivity-based data storage in a networked computing environment. For each data record of a plurality of data records (e.g., rows) in a dataset, the record sensitivity is identified based on the data included in the data record, allowing different sensitivities to be identified for different records in the same dataset. A data center that has a data center sensitivity level that matches the record sensitivity is selected for the identified record sensitivity. Each data record is stored to a selected data center, with data records having different record sensitivities being stored in different data centers of different types, locations, etc.

Abstract: In an embodiment, a computer-implemented method prevents use of a network protocol over an encrypted channel. In the method, a packet is received on an encrypted channel addressed to a network address. It is determined whether a network host at the network address is able to service a request formatted according to the network protocol over the encrypted channel. When the network host is determined to be able to resolve to a domain name over the encrypted channel, the network packet is blocked.

Abstract: An information processing apparatus includes an automatic operation application as an application for automatically executing an operation corresponding to a user operation on one or more graphical user interface (GUI) applications, and a determination unit configured to determine whether the one or more GUI applications are started by the automatic operation application. In a case where it is determined that the one or more GUI applications are started by the automatic operation application, an operation log obtained when the one or more GUI applications are executed is not transmitted.

Abstract: This application provides a method for generating a pilot signal, including: obtaining, by a terminal device, a correlation identifier and a port number; determining, by the terminal device, a pilot sequence based on the correlation identifier; and generating, by the terminal device, the pilot signal based on the pilot sequence and the port number. The correlation identifier indicates how a pilot sequence is determined and whether the pilot sequence is correlated with a time slot.

Abstract: A non-transitory computer readable medium including instructions stored thereon, when executed, the instructions being effective to cause at least one processor of a first network device to: derive a private key encryption key based on a public key, a first private key of the first network device, a second private key of a live peer device, and a Connectivity Association Key (CAK); transmit a secret key encrypted by the private key encryption key to the live peer device; and receive a communication from the live peer device, the communication being encrypted by the secret key.

Abstract: A system for signing transactions. The system includes a first module with a communication interface to a public network; and a controller to handle a transaction with a Blockchain network or a transaction server accessible at the public network. The system also includes a second module with a random number generator; and a secure controller to generate seed words and private keys. The system further includes a bridge module with a controller; and a switch to selectively connect the data interface of the bridge module to either the data interface of the first module or the data interface of the second module such that the data interface of the first module is never connected with the data interface of the second module.

Abstract: A command transmission method and apparatus, and an electronic device. The command transmission method includes: acquiring, by a control terminal, an encryption key according to a present time; generating, by the control terminal, an encrypted control command by encrypting the control command using the encryption key; and transmitting the encrypted control command to a computing device.

Abstract: A large-scale Ethernet mesh network is provided, which includes a group connectivity association (CA) including at least thirty-one authenticated supplicant nodes. An authenticator module authenticates each of the authenticated supplicant nodes, and distributes a shared group encryption key to each of the authenticated supplicant nodes. Each of the authenticated supplicant nodes encrypt data using the shared group encryption key, and exchange the encrypted data with any other remaining authenticated supplicant node.

Abstract: A storage system or device selects a memory resource component from an array of memory resources components, where each memory resource component is not accessible over the Internet until that memory resource component is activated. The selection of the memory resource component can be based on the incoming call. The storage system or device generates a trigger signal that activates the selected memory resource component, the such that the activated memory resource component is accessible over a data network that includes the Internet for a given duration.

Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first path signature. The method further includes generating a second path signature by inputting the first path signature and one or more node details into a hash function. The method includes replacing the first path signature with the second path signature in the packet. The packet including the second path signature is forwarded by the node.

Abstract: A computer-implemented method is provided for predicting cloud enablement from storage and data metrics harnessed from across stack. The computer-implemented method includes identifying a corpus of data to be classified, and configuring at least one access threshold and at least one sensitivity threshold. The computer-implemented method also includes classifying at least a portion the data within the corpus based on the at least one access threshold and the at least one sensitivity threshold. Finally, the computer-implemented method includes outputting a model, based on the classification, that identifies at least a portion of the data for migration for enabling a hybrid cloud environment.

Abstract: The system and methods described herein provide content recommendations to user equipment timed to reduce interruption of content. A content recommendation application detects output of first content and determines viewing metrics for the first content. Using the determined viewing metrics, the content recommendation application determines whether output of a content recommendation should be blocked. In response to determining that the viewing metrics indicate output of the content recommendation should be blocked, the content recommendation application blocks the content recommendation. Upon receiving an input changing output of the first content to output of a second content, the content recommendation application unblocks and outputs the content recommendation.

Abstract: A method includes receiving a message, enqueueing the message, dequeueing the message by a fraud detection service, analyzing the message using a trained machine learning model, analyzing an isolated domain name, storing the message, and causing a mitigation action. A computing system includes a transceiver, a processor, a memory storing instructions that when executed by the processor cause the system to receive a message, enqueue the message, dequeue the message, analyze the message using a machine learning model, analyze an isolated domain name, store the message, and cause a mitigation action. A non-transitory computer readable medium contains instructions that when executed, cause a computer to receive a message, enqueue the message, dequeue the message by a fraud detection service, analyze the message using a machine learning model, analyze an isolated domain name, store the message, and cause a mitigation action.

Abstract: A user interface for an online social-interaction system that allows members of the online social-interaction system to add actions to private action lists. Each member can make a post for one or more other members to see, with the post including an add-to-action-list selector. Each member receiving the post can elect to add an action relating to the post to their private action list by selecting the add-to-action-list selector. A member creating a post and desiring to solicit one or more other members to take an action on their behalf can create the post, including selecting a request action selector so that the post includes an add-to-action-list selector. A member creating a post and desiring that one or more volunteers take an action on their behalf can select a send-to-volunteer selector.

Abstract: Isolation types may be determined for resources that execute portions of code. Code may be received via a network-based interface from a client for execution. An execution plan for the code may be generated and evaluated to determine one or more isolation types for computing resources that execute the code. The computing resources that are configured to provide the determined isolation types may then be identified and execution of the code initiated at the identified computing resources.

Abstract: A computer-implemented method of detecting an email spoofing and spear phishing attack may comprise generating a contact model of a sender of emails; determining, by a hardware processor, a statistical dispersion of the generated contact model that is indicative of a spread of a distribution of data in the generated model and receiving, over a computer network, an email from the sender.

Abstract: A request for a content document is sent by a client device to a content server through a first network connection. A current network characteristic of the first network connection differs from a configured download constraint to download a content portion of the content document. A root document that omits the content portion of the content document and that includes a content stub is downloaded from the content server. The content stub identifies the content portion using a content identifier and specifies the configured download constraint. A network connection change to the content server from the first network connection to a second network connection that satisfies the configured download constraint to download the content portion of the content document is detected, and the content portion is downloaded using the second network connection and the content identifier within the content stub.

Abstract: Techniques for device quarantine in a wireless network are described. According to various implementations, a device a mobile client device) that requests a connection to a wireless network is placed in a quarantine state in the wireless network. Attributes of the device are determined and connection parameters are specified based on the attributes. In at least some embodiments, the device can be released from the quarantine state subject to the connection parameters.

Abstract: Disclosed herein are methods, systems, and processes for dynamically deploying deception computing systems based on network environment lifecycle. Lifecycle metadata associated with protected host computing devices in a network is retrieved and a configurable ratio of deception computing systems to the protected host computing devices is accessed. One or more deception computing systems are deployed in or discharged from the network based on the configurable ratio.

Abstract: Aspects of the disclosure relate to processing systems that implement a virtual air gap to facilitate improved techniques for establishing console access to a cyber range virtual environment. A computing platform may receive, via a first firewall, a cyber range request and authentication credentials from a secure console host platform. By comparing the authentication credentials to access records in a stored database, the computing platform may determine an authorization level corresponding to the authentication credentials. After verifying the authentication credentials, the computing platform may grant access to a broker, which may grant access to a console hosted by the secure console host platform. The computing platform may establish, using the broker and between the console and a cyber range host platform, a connection, which may cause a user device to access, through the console, cyber ranges hosted by the cyber range host platform that correspond to the determined authorization level.

Abstract: A method of posting ephemeral posts is disclosed. The method starts with receiving, from a user of a social network, a request to post an ephemeral post, the request including an ephemeral variable associated with a threshold event. The ephemeral post is posted on behalf of the user. Then an occurrence of the threshold event is monitored. When the threshold event has not occurred, the post is allowed to be accessible to at least one viewer other than the user. When the threshold event has occurred, the post is blocked from being accessible by the at least one view other than the user.

Abstract: An information processing apparatus includes a first label determination unit that determines a first label from information included in an e-mail, a second label determination unit that determines a second label from a result of a response made to the e-mail by a user, and a third label determination unit that determines a third label as a negative example for machine learning which is imparted to the e-mail, in a case where the first label and the second label do not correspond to each other.

Abstract: In a device including a processor and a memory in communication with the processor, the memory includes executable instructions that, when executed by the processor, cause the processor to control the device to perform functions of receiving, from a first network assigned to a first tier level, a request for tier level switch from the first tier level to a second tier level; determining that a second network assigned to the second tier level is capable of switching from the second tier level to another tier level; assigning, to the second network, a channel of the first tier level; and assigning, to the first network, a channel of the second tier level.

Abstract: A router system includes a router, a memory storing a client program, and a processor configured to execute the client program. The client program is configured to enable a user to transfer a file from a source to a destination, determine whether data within the file includes sensitive information, determine a probability that transmission of the data from the source to the destination would violate a policy, send normal data packets to the router based on the file, and send a stop data packet to the router when the probability exceeds a threshold. The router forwards the normal data packets to the destination until the router receives the stop data packet.

Abstract: Defending a distributed denial of service attack includes intercepting a service packet sent by the client to a server, according to a rule agreed with the client, obtaining the information carried by a first preset field of the service packet, the inherent information carried by an inherent field of the service packet, and the added information carried by at least one second preset field, according to the hash algorithm agreed with the client, performing a hash processing on the inherent information and at least one added information so as to obtain a hash result, and determining the service packet is discarded when the hash result is different from the information carried by the first preset field.

Abstract: Reducing a negative social interaction includes receiving a response to a post from a user, the response includes content to be posted on an activity stream of a social network, analyzing the content of the response to determine a negative response risk to the post, analyzing a profile of the user to determine a tendency of the user to respond negatively in responses, and executing, based on the negative response risk and the tendency, an action for the response to reduce negative responses directed towards the post.

Abstract: A system for indirect border gateway routing comprising a provider edge router; at least one virtual routing and forwarding instance in communication with the provider edge router, each virtual routing and forwarding instance including a route target; a pointer identification list in communication with the provider edge router, the pointer identification list containing at least one route target associated with a virtual routing and forwarding instance; and a virtual routing and forwarding import instance adapted to receive a route from the provider edge router, the route including a pointer identification directing the virtual routing and forwarding import instance to scan the pointer identification list for the route target associated with the plural virtual routing and forwarding instance, and wherein the virtual routing and forwarding import instance is further adapted to import the route to the at least one virtual routing and forwarding instance having a route target on the pointer identification list.

Abstract: A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.

Abstract: The present disclosure pertains to systems and methods for selectively encrypting data flows within a software defined network (SDN). In one embodiment, a communication device may be configured to receive a plurality of unencrypted data packets. The communication device may receive from an SDN controller a criterion used to identify at least one of the unencrypted data flows to be encrypted. Based on the criterion, an encryption subsystem may generate an encrypted data flow the unencrypted data packets based on an encryption key. In some embodiments, the encryption system may parse the packets and encrypt the data payloads without encrypting the routing information associated with the packet. In other embodiments, the encryption subsystem may be configured to encapsulate and encrypt the entire unencrypted data packet. In some embodiments, the encryption subsystem may further be configured to authenticate a sending device and/or to verify the integrity of a message.

Abstract: A system and method are provided to select mitigation parameters. The method includes receiving selection of at least one mitigation parameter, accessing a selected portion of stored network traffic or associated summaries that corresponds to a selectable time window, applying a mitigation to the selected portion of the stored network traffic or associated summaries using the selected at least one mitigation parameter, and outputting results of the applied mitigation.

Abstract: Described herein are techniques for resolving overlapping IP addresses for subnets assigned to uplink interfaces of a network switching device. As an example, a network switching device may determine that an IP address range of a first assigned subnet to a first uplink interface overlaps an IP address range of a second assigned subnet to a second uplink interface. The network switching device may generate a first map between the first assigned subnet and a first intermediate subnet, and generate a second map between the second assigned subnet and a second intermediate subnet, wherein an IP address range of the first intermediate subnet and an IP address range of the second intermediate subnet are non-overlapping.

Abstract: A secure connection is facilitated between a device and a network. A security buffer device is used to determine an available network and connect to the network. The security buffer device can then allow the device to connect to the network via the security buffer device. The security buffer device can monitor any security breaches from the network and perform an action based on the indication of a security breach.

Abstract: In one embodiment, a method is performed at a first node. The method may include receiving, at a first node, a request from a source host associated with a network to communicate with a destination host. The first node may determine whether the destination host is associated with the network. If the destination host is not associated with the network, the first node may determine an instance identifier (IID) and a proxy egress tunnel router (PETR) locator address used to communicate with the destination host. The first node may send an indicator to an ingress tunnel router (ITR) to encapsulate a packet with the IID and the PETR locator address before sending the packet from the source host to the destination host.

Abstract: Systems, methods, and computer program products to perform an operation comprising receiving, from an application executing on a system, a request to access a data file, receiving data describing the request, wherein the data describing the request includes data from a runtime stack of the application, wherein the data from the runtime stack includes a program statement number, identifying, in a protected memory block, a first rule for accessing the data file, wherein the first rule specifies a program statement number permitted to access the data file, and upon determining that the program statement number from the runtime stack does not match the program statement number specified in the first rule, restricting access to the data file by the application.

Abstract: Requests of a computing system may be monitored. A request associated with the application of a policy may be identified and a policy verification routine may be invoked. The policy verification routine may detect whether the policy of the request is more permissive than a reference policy and perform a mitigation routine in response to determining that the policy of the request is more permissive than the reference policy. Propositional logics may be utilized in the evaluation of policies.

Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

Abstract: Methods, non-transitory computer readable media, and mobile application manager apparatus that assists with enhancing enforcement on compliance based on security violations includes obtaining security violation data associated with a plurality of enrolled mobile devices and identifying one or more of the plurality of enrolled mobile devices causing one or more security violations based on the obtained security violation data. One or more compliance policies are updated based on the obtained security violation data. A compliance check is performed on the identified one or more enrolled mobile devices causing the one or more security violations based on the updated one or more policies and initiating one or more compliance correction actions on the identified one or more enrolled mobile devices causing the one or more security violations.

Abstract: In an embodiment, a computer-implemented method prevents use of a network protocol over an encrypted channel. In the method, a packet is received on an encrypted channel addressed to a network address. It is determined whether a network host at the network address is able to service a request formatted according to the network protocol over the encrypted channel. When the network host is determined to be able to resolve to a domain name over the encrypted channel, the network packet is blocked.

Abstract: Method, product and device for selective traffic blockage. In one embodiment, in response to a detection that a computing device cannot connect to a predetermined server, the blockage policy is applied to an outgoing packet, whereby selectively blocking outgoing packets when the computing device has limited connectivity to the predetermined server. In another embodiment, in response to an attempt to transmit a packet, invoking a local Virtual Private Network (VPN) service that is configured to apply a blockage policy, wherein the local VPN service provides an Application Programming Interface (API) of a VPN service. As a result, selective blockage is implemented using the local VPN service.

Abstract: Databases that reside on a private network behind a firewall may be difficult to access from a cloud platform on the Internet. Techniques disclosed herein allow an Internet system to communicate with multiple different databases behind multiple different firewalls, however. A client-side private computer system, from behind a firewall, transmits a series of database request status inquires to a server system (not behind the firewall). These status inquiries may be sent as HTTP long poll messages. When the server wishes to query a database on the private network, it responds to one of the database request status inquiries. Because the client-side computer initiated communication, the server response is allowed to pass through the firewall when it might otherwise be blocked. Employing such techniques in parallel allows a server to interact with multiple firewalled databases without the difficulties and inconvenience of attempting a VPN connection.