Firewall Patents (Class 726/11)
  • Patent number: 11341243
    Abstract: The portable peripheral (100) for communication with a data network (105) utilizing the internet protocol comprises: a connector (110) to mechanically connect and establish a removable wired connection between the peripheral and a portable terminal, a first means (115) of wired bidirectional communication with the portable terminal, a second means (120) of bidirectional communication with a data network, and a security unit (122) protecting the communication established between the first and the second means of communication, the security unit (122) comprising a system (127) of autonomous DNS management, the means of communication and the security unit being embedded in a single housing (130) removable from the portable terminal.
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: May 24, 2022
    Inventor: Vladimir Mickael Leal Monteiro
  • Patent number: 11336620
    Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: May 17, 2022
    Assignee: Illumio, Inc.
    Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
  • Patent number: 11336645
    Abstract: A computing system may include at least one client computing device and a server configured to authenticate the at least one client computing device based upon a user account, with the user account having an enterprise persona and a private persona associated therewith. The server may be further configured to determine whether the enterprise persona or the private persona is active based upon a context associated with the at least one client computing device. When the enterprise persona is active, the server may provide access to a Software as a Service (SaaS) application with a first set of capabilities enabled, and when the private persona is active, the server may provide access to the SaaS application with a second set of capabilities enabled that is different than the first set of capabilities.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: May 17, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Jeroen Van Rotterdam, Georgy Momchilov
  • Patent number: 11330017
    Abstract: Embodiments of the present disclosure relate to a method and a device for providing a security service. For example, the method comprises: in response to receiving, at a first controller, a first request to create a first service chain for an application in a network, obtaining configuration information associated with the security service from the first request; generating, based on the configuration information, a second request to create a sequence of security functions associated with the first service chain; sending the second request to a second controller so as to create the sequence of security functions in the network; and in response to receiving from the second controller an acknowledgement for the sequence of security functions, creating the first service chain based on the sequence of security functions. Embodiments of the device are capable of implementing the above method.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: May 10, 2022
    Assignee: Alcatel Lucent
    Inventors: Zhiyuan Hu, Lina Wang, Zhigang Luo
  • Patent number: 11329955
    Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: May 10, 2022
    Assignee: VMware, Inc.
    Inventor: Sisimon Soman
  • Patent number: 11310844
    Abstract: In response to receiving a primary wireless LAN connection request from a computing device, a wireless access point (WAP) establishes a temporary wireless LAN associated with a temporary service set identifier (SSID) of a computing device. WAP stores a computing device identifier of the computing device in association with the temporary SSID. WAP communicates to the computing device, a CAPTCHA challenge-response test requesting connection to the temporary wireless LAN. WAP awaits, for a timeout period, a temporary wireless LAN connection request by the computing device to communicate over the temporary wireless LAN. In response to receiving or failing to receive the temporary wireless LAN connection request from the computing device within a timeout period, WAP classifies the computing device as a human or machine user. WAP applies network policies to communications of the pending computing device over the primary wireless LAN based on the machine or human user classification.
    Type: Grant
    Filed: December 26, 2018
    Date of Patent: April 19, 2022
    Assignee: ARRIS Enterprises LLC
    Inventors: Subash Tirupachur Comerica, Sudip Ghosal, Wenge Ren
  • Patent number: 11310242
    Abstract: A system for performing security functions in a service-oriented computer system includes a router node configured to forward at least one packet of at least one service request to at least one server computer adapted to process the at least one service request; a first server node configured to execute, for the at least one packet, a first protocol layer of a network protocol stack, determine whether the at least one packet is compliant at the first protocol layer, and provide the at least one packet to a second server node responsive to determining that the at least one packet is compliant at the first protocol layer. The second server node is configured to execute, for the at least one packet, a second protocol layer of the network protocol stack, and determine whether the at least one packet is compliant at the second protocol layer.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: April 19, 2022
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Nathaniel Benjamin Soule, Partha Pal, Aaron Paulos
  • Patent number: 11303575
    Abstract: A network device may receive network traffic associated with a network and determine that the network traffic is associated with a dynamic application. The network device may determine, based on the network traffic being associated with a dynamic application, an application feature associated with the network traffic. The network device may perform a lookup operation associated with the application feature to identify policy information associated with the application feature. The network device may selectively permit communication of the network traffic via the network based on the policy information associated with the application feature, wherein the network traffic is to be permitted to be communicated via the network or prevented from being communicated via the network based on an indication from the policy information.
    Type: Grant
    Filed: March 25, 2020
    Date of Patent: April 12, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Rajeev Chaubey, Sravanthi Arimanda, Ashok Kumar
  • Patent number: 11297036
    Abstract: Disclosed herein are methods, systems, and processes for implementing a single whitelisted ingress endpoint on both one-way and two-way Transport Layer Security (TLS) connections and performing load balancing. Both two-way TLS agent-based traffic and one-way TLS non-agent-based traffic are routed through a single whitelisted internet protocol (IP) endpoint. A TLS connection is transmitted from a network load balancer to a platform gateway service that operates as a Server Name Indication (SNI) reverse proxy server. The platform gateway service separates out the one-way TLS non-agent-based traffic that is part of the TLS connection based on a TLS header of the TLS connection. The one-way TLS non-agent-based traffic is then selectively terminated on an elastic load balancer.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: April 5, 2022
    Assignee: Rapid7, Inc.
    Inventors: Xi Yang, Paul Miseiko, Bingbin Li
  • Patent number: 11286906
    Abstract: A security apparatus for data exchange of a component of a wind turbine or a wind farm, in particular a wind farm controller, with a remote computer. The security apparatus includes a first data interface for connecting the component by way of a first data connection and a second data interface for connection to the remote computer by way of a second data connection. In addition, the security apparatus includes a third data interface for receiving a switching signal by way of a third data connection, a separable internal data connection between the first data interface and the second data interface, and a switching unit which is adapted, in dependence on the switching signal, to separate and/or make a physical connection of the internal data connection. Also disclosed are a system having such a security apparatus and a method of data exchange with a component of a wind turbine and/or a wind farm.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: March 29, 2022
    Assignee: Wobben Properties GmbH
    Inventors: Stefan Gertjegerdes, Kai Busker
  • Patent number: 11290496
    Abstract: The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A method may include identifying a first state of a first endpoint connection of a first networked machine and a second state of a second endpoint connection of a second networked machine, and confirming the first state and the second state based on expected states for the first networked machine and the second networked machine, wherein the expected states include a list of expected connections.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: March 29, 2022
    Assignee: SNOWFLAKE INC.
    Inventors: James Calvin Armstrong, Jonathan Claybaugh
  • Patent number: 11283830
    Abstract: In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: March 22, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, David Tedaldi
  • Patent number: 11283643
    Abstract: Systems, methods, and computer program products to provide direct external network access at an access point (AP) in a managed wide area network (WAN). The method may include establishing an application host interface (AHI) at an access point and receiving application data from one or more client devices connected to the access point. The method may also include determining that the application data is received from a permitted application as shown in a list of applications permitted to use the AHI and routing, using the AHI, the received application data to the data destination via the external network thereby bypassing the WLC.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: March 22, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Shashank Kota Sathish, Robert C. Meier, Rahul Dasgupta, Manoj Gupta
  • Patent number: 11275522
    Abstract: An efficient data storage system is described. An agent software application on computing devices in a first tier processes snapshot backups and pushes them to an appliance software application on a server in a second tier. The appliance software application processes archive backups and pushes them to cloud storage in a third tier. A cloud application on a management server receives storage policy specifications from customers and promulgates the policies to the agent software application and the appliance software application. The policy specifications include a snapshot specification including a snapshot time period for backups in the second tier and an archive specification including an archive time period for backups in the third tier. The backups are created efficiently such that if a file has not changed, a reference to a file is included in a storage set rather than the data file itself. This reduces the size of storage sets.
    Type: Grant
    Filed: August 13, 2020
    Date of Patent: March 15, 2022
    Assignee: Aparavi Software AG
    Inventor: Rod Christensen
  • Patent number: 11269808
    Abstract: A computerized method is disclosed. Operations of the method include obtaining, by a data retrieval component, data from a remote electronic device, storing a copy of the data in a first data store, providing an acknowledgement to the remote electronic device based on storage of the copy of the data in the first data store, parsing the data into one or more time-based events, storing the one or more time-based events in a second data store, and deleting the copy of at least a portion of the data from the first data store.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: March 8, 2022
    Assignee: SPLUNK INC.
    Inventors: Hong Yuan, Alexander Binkin, Zi Liang Chen, Bradford Lovering, Dinesh Sharma
  • Patent number: 11271901
    Abstract: In overview, an integrated circuit in accordance with the disclosure comprises first and second network interface processors which are separate processors and which are connected by a first unidirectional interconnect. The first unidirectional interconnect allows data transfer from the first network interface processor to the second network interface processor, while preventing data transfer in the reverse direction. The first network interface processor is for communication with a first network which may be a secure network, and the second network interface processor is for communication with a second network which may be a public network, for example an insecure public network. In this way, the processing of data received from each of the first and second networks is performed by separate processors, and data can only be sent from the first network to the second network, thereby protecting the first network from the second network.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: March 8, 2022
    Assignee: NAGRAVISION S.A.
    Inventors: Fabien Gremaud, Brecht Wyseur
  • Patent number: 11263335
    Abstract: A system and a method are provided for integrating a sensitive data discovery engine (SDDE), a data anonymization engine (DAE), a data monitoring module (DMM), and a data retirement module (DRM) and managing sensitive data security across its lifecycle. The SDDE determines sensitive data in similar and variant data sources and applications, identifies their operating application codes, and generates sensitive data discovery intelligence (SDDI). The system generates and distributes one or more templates including the SDDI with metadata, discovery results, and data security rules to the DAE, the DMM, and the DRM deployed on each data source.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: March 1, 2022
    Assignee: MENTIS INC
    Inventor: Rajesh Krishnaswami Parthasarathy
  • Patent number: 11258762
    Abstract: A method at a system including a firewall and at least one application, the method including obtaining, at the at least one application, a new address for a service provider for the at least one application; triggering a firewall update; obtaining a new firewall configuration; and updating the firewall, wherein the updating the firewall allows a connection from the at least one application to the new address for the service provider.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: February 22, 2022
    Assignee: BlackBerry Limited
    Inventors: Michaela Vanderveen, Stephen John Barrett
  • Patent number: 11256828
    Abstract: Various systems, methods, and apparatuses relate to managing data transmissions from one or more Internet of Things (IoT) devices. A method includes discovering, by a discovery engine, one or more Internet of Things (IoT) devices; tracking, by the discovery engine, data transmission from the one or more IoT devices; generating, by a privacy lens communicably coupled to the discovery engine, a privacy rule regarding the data transmission from the one or more IoT devices; and applying, by the privacy lens, the privacy rule to the one or more IoT devices, the privacy rule configured to control data transmission from the one or more IoT devices.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: February 22, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Caroline Machado, Nishant Usapkar, Dominik Vltavsky
  • Patent number: 11258761
    Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: February 22, 2022
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
  • Patent number: 11252188
    Abstract: In some embodiments, a method can include identifying detection coverage of a set of adversarial techniques based on telemetry data and a detection instance of an environment. The method can further include determining a subset of detection coverage that has a metric value below a metric value threshold and among the detection coverage for the set of adversarial techniques. The method may further include identifying at least one detection instance associated with the subset of detection coverage. The method can further include presenting, via a graphical user interface, a representation of at least one of the subset of detection coverage or the at least one detection instance associated with the subset of detection coverage. The method can further include updating the subset of detection coverage based on the telemetry data, the detection instance, or the at least one detection instance to improve the metric value.
    Type: Grant
    Filed: March 10, 2021
    Date of Patent: February 15, 2022
    Assignee: Room40 Labs, Inc.
    Inventors: Nick Lantuh, Michael Jenks, Ian Roth, Michael Maurer, Richard Bowman
  • Patent number: 11245668
    Abstract: A network device may detect, from an application associated with a user space of the network device, a request to configure a firewall provided by a kernel of the network device with a rule. The network device may intercept the request to configure the firewall before the firewall is configured with the rule. The network device, based on intercepting the request to configure the firewall, may analyze the rule to determine whether the rule modifies a critical functionality of the firewall. The network device may reject the request to configure the firewall based on determining that the rule modifies the critical functionality of the firewall.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: February 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Sreekanth Rupavatharam, Prashant Singh, Erin C. MacNeil
  • Patent number: 11245752
    Abstract: A first network device may configure a high-availability cluster associated with a network that includes the first network device and a second network device. The first network device may identify a plurality of devices communicatively coupled to the network and determine a set of tasks for the plurality of devices. The first network device may queue the set of tasks in a task queue that is accessible to the second network device. The second network device may perform a first task and the first network device may perform a second task of the set of tasks. The first network device may receive first result information that is associated with a performance of the first task. The first network device may determine second result information associated with performing the second task. The first network device may synchronize the first result information and the second result information with the second network device.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: February 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Fei Chen, Weisong Peng, Xia Zhu, Tiejun Zhang, Na Liu
  • Patent number: 11244049
    Abstract: In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: February 8, 2022
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 11240205
    Abstract: This disclosure describes systems, devices, and techniques for implementing master rules in firewalls. In some cases, at least one master rule is identified. The at least one master rule can be associated with performing at least one first operation on a first type of data traffic that satisfies at least one first condition. Multiple firewalls may implement the at least one master rule. In addition, a first firewall among the multiple firewalls may implement at least one application-specific rule in addition to the at least one master rule. The at least one application-specific rule may be associated with performing at least one second operation on a second type of data traffic that satisfies at least one second condition. The multiple firewalls may be between multiple applications and at least one network. Specifically, the first firewall may be deployed between a first application among the multiple applications and the network(s).
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: February 1, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Umesh Kumar Ramesh
  • Patent number: 11240257
    Abstract: Techniques for providing domain name and URL visual verifications to increase security of operations on a device. The techniques include a visual indicator and/or warning to a user on the user's computing device that a domain or URL requested by the user and the device is unpopular, new, unknown, inauthentic, associated with malware or phishing, or in some other way, risky. The techniques include identifying a domain name in a communication received by a computing device and then determining a popularity ranking and/or an age of the domain name. The device can render, for display on a screen of the device, a visual indicator having the popularity ranking and/or the age of the domain name. Also, the techniques can include identifying a URL in a communication received by a computing device and then rendering, for display on a screen of the device, a visual indicator having the entire URL.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: February 1, 2022
    Assignee: Lookout, Inc.
    Inventor: Brian James Buck
  • Patent number: 11233770
    Abstract: Behavior-based security in a datacenter includes monitoring user actions made by users in the datacenter. Behavior-based risk scores are computed for users based on their monitored actions. One or more firewall rules are generated for users based on their behavior-based risk scores. The firewall rules regulate the actions of the users.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: January 25, 2022
    Assignee: VMWARE INC.
    Inventors: Sirisha Myneni, Rajiv Mordani, Kausum Kumar
  • Patent number: 11228565
    Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, then after instantiating a WAF, the WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application are enabled, while those which are not applicable to the application, and thus will not be used, are disabled. As a result, the security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: January 18, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
  • Patent number: 11222077
    Abstract: Methods and systems for providing a user interface and workflow for interacting with time series data, and applying portions of time series data sets for refining regression models. A system can present a user interface for receiving a first user input selecting a first model from a list of models for modeling the apparatus, generate and display a first chart depicting a first time series data set depicting data from a first sensor, generate and display a second chart depicting a second time series data set depicting a target output of the apparatus, receive a second user input of a portion of the first time series data set, and generate and display a third chart depicting a third time series data set depicting an output of the selected model and aligned with the second chart of the target output and updated in real-time in response to the second user input.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: January 11, 2022
    Assignee: PALANTIR TECHNOLOGIES INC.
    Inventors: Christopher Martin, David Fowler
  • Patent number: 11218445
    Abstract: A web application firewall (WAF) receives an application request from a router, wherein the application request is directed to a web application, and wherein the web application firewall is associated with the web application. The WAF updates the application request to include a first header, wherein the first header includes a copy of a uniform resource locator of the application request, and updates the uniform resource locator to indicate an address of the web application firewall. The WAF analyzes the application request to determine whether the application request is secure, wherein the analysis is based on a rule, and in response to a determination that the application request is secure, updates the application request to include a second header, wherein the second header includes an encrypted signature.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: January 4, 2022
    Assignee: Dell Products L.P.
    Inventors: Mark D. Owens, Frank DiRosa, Rene Herrero, Yongliang Li, Everton Schäfer
  • Patent number: 11209803
    Abstract: A connection management device for establishing secured communications connections to an industrial automation system, wherein the device provides, in cases of a positive authorization verification outcome, access control information for establishing an encrypted communication connection between a first communication unit of a requesting user and a selected second communication unit, where the connection management device is formed by a server instance running on a firewall system, where data packets transmitted via an encrypted communications connection between the first communication unit of the requesting user and the selected second communication unit are encrypted for verification by the firewall system, based on specified security rules and, in cases of a successful verification, the data packets are forwarded encrypted to the first communication unit of the requesting user or to the selected second communication unit.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: December 28, 2021
    Assignee: Siemens Aktiengesellschaft
    Inventors: Karl Glas, Sven Gottwald
  • Patent number: 11200345
    Abstract: Techniques for a firewall to determine access to a portion of memory are provided. In one aspect, an access request to access a portion of memory within a pool of shared memory may be received at a firewall. The firewall may determine whether the access request to access the portion of memory is allowed. The access request may be allowed to proceed based on the determination. The operation of the firewall may not utilize address translation.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: December 14, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Mark Lillibridge, Paolo Faraboschi, Chris I. Dalton
  • Patent number: 11165649
    Abstract: Disclosed embodiments include systems and methods for filter-based composition of network device configuration including a database associating network devices in management with data points of interest, a network server that communicates over a network with the database and at least one network device in management, and a configuration filter module, stored at least in part on the network server, and including rules for configuring the at least one network device in management.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: November 2, 2021
    Assignee: CRADLEPOINT, INC.
    Inventor: Cory Owens
  • Patent number: 11165878
    Abstract: Embodiments for automated content delivery to high-speed data service client using redirection of IP service flows independent of physical media delivery mechanisms add, by a backend environment, an Internet gateway media access control (MAC) address to a content triggered service; send, by the backend environment, a request to a re-direct system for the Internet gateway MAC address to be added to a re-direct list; route, by the backend environment, all Internet traffic to the content playback system; display, by the content playback system, content to a subscribing user until a quota is achieved; and instruct the re-direct system to remove the Internet gateway MAC address from the re-direct list, thereby enabling user devices operatively coupled to the Internet gateway unfettered, monitored Internet access; set a usage threshold; and, in response to the usage threshold expiring, instruct the re-direct system to add the Internet gateway MAC address to the re-direct list.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: November 2, 2021
    Assignee: BUCKEYE CABLEVISION, INC.
    Inventor: Brian J. Weber
  • Patent number: 11159555
    Abstract: Implementations of the present disclosure include providing graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, each node representing an asset within the enterprise network, and each edge representing one or more lateral attack paths between assets in the enterprise network, determining, for each node, an incoming value based on attributes of a set of incoming edges and an outgoing value based on attributes of a set of outgoing edges, the attributes including a number of edges and semantic types of the edges, at least one cardinality value of each node being determined based on one or more of the incoming value and the outgoing value of the node, receiving input representative of filter parameters, generating a sub-graph based on attributes of the nodes and the filter parameters, and displaying, by the visualization platform, the sub-graph in a display.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: October 26, 2021
    Assignee: Accenture Global Solutions Limited
    Inventors: Eitan Hadar, Amin Hassanzadeh, Lisa O'Connor
  • Patent number: 11138475
    Abstract: Systems and methods for data protection are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for providing data protection may include: (1) receiving a plurality of data classification rules; (2) receiving end user data classification from end user software; (3) receiving developer data classification from SDLC software; (4) generating a data inventory; and (5) applying at least one data protection to the data inventory based on the data classification rules, the end user data classification, and the developer data classification.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: October 5, 2021
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Matthew Jesse Collins, David MacFarlane, Sean Thomas Kornish, Jorge Garcia Reyero, Philip Harvey
  • Patent number: 11134058
    Abstract: Network traffic inspection is disclosed. An application executing on a client device as an operating system that uses a virtual private network (VPN) stack of the operating system intercepts a first IP packet. The application determines that a policy should be applied to the intercepted first IP packet. The policy is applied to the intercepted first IP packet.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: September 28, 2021
    Assignee: Barracuda Networks, Inc.
    Inventors: Pablo German Sole, Jose Luis Ferras Pereira, Sinan Eren, Luisa Marina Moya Praca de Araujo Lima
  • Patent number: 11128668
    Abstract: Embodiments relate to an intelligent computer platform to utilize a micro-service architecture that supports secure connection and policy management for devices. The micro-services include managers to support establishment of a secure connection. The managers register devices in the architecture, and define security policies which are encoded as rules. The policies and corresponding rules are stored in a knowledge base operatively coupled to the architecture. The patterns of security policies are learned over time and used for recommending new rules or validating existing rules. The managers selectively validate one or more rules that correspond to a setting of a requesting device. The secure connection is established for a network level device determined to comply with one or more of the selectively validated rules.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: September 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jinho Hwang, Nikolaos Anerousis, Brian Peterson, Milton H. Hernandez
  • Patent number: 11128665
    Abstract: The disclosed computer-implemented method for providing secure access to vulnerable networked devices may include identifying a vulnerable network device connected to a local network, identifying local network traffic destined for the vulnerable network device and that has been tagged as safe, passing the local network traffic tagged as safe to the vulnerable network device, and performing a security action on local network traffic destined for the vulnerable network device that has not been tagged as safe. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: September 21, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Ilya Sokolov, Bruce McCorkendale
  • Patent number: 11128662
    Abstract: A method for preventing hijacking of a web page is provided. A HyperText Markup Language (HTML) source file is received from a web server in response to a HyperText Transfer Protocol (HTTP) access request, the HTML source file being embedded with a script tag corresponding to script code for preventing HTTP hijacking. The script code for preventing HTTP hijacking is pulled from an antihijacking server according to the script tag. It is detected, based on the script code for preventing HTTP hijacking, whether a document object model (DOM) node used for HTTP hijacking exists in a DOM tree. The DOM node used for HTTP hijacking is hidden from a web page of a browser in response to detecting that the DOM node used for HTTP hijacking exists.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: September 21, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LTD
    Inventors: Li Na Yuan, Xiao Long Zhang, Shaoyu Zhang, Yu Hui Hu
  • Patent number: 11122096
    Abstract: System and methods for initiating a media streaming device, particularly for devices associated with a guest services environment. Such initiation may include: receiving, at a proxy server, a request from a mobile device to join a guest services network, the request identifying a user of the mobile device; verifying a registration of the user, the registration indicating permission of the user to join the guest services network, to yield a verification; identifying, based on the verification, a media streaming device associated with the registration of the user; and configuring the media streaming device to be controllable by the mobile device, such that control commands are routed from the mobile device through the proxy server to the media streaming device, and streaming content is routed from the Internet to the media streaming device bypassing the proxy server.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: September 14, 2021
    Assignee: Marriott International, Inc.
    Inventors: David M. Straitiff, Neil R. Schubert, III, William R. Walker
  • Patent number: 11115384
    Abstract: A walled garden system includes a firewall controlling access between a first network and a second network at least by allowing connection requests originating from a user device on the first network to a destination IP address on the second network in response to determining that the destination IP address matches a cleared IP address on a cleared IP addresses list. A controller receives a domain name service (DNS) reply from a DNS server on the second network, and determines whether a domain name specified within the DNS reply matches a cleared domain name on a cleared domain names list. In response to determining that the domain name specified within the DNS reply matches the cleared domain name on the cleared domain names list, the controller adds a resolved IP address specified in the DNS reply to the cleared IP addresses list as a new cleared IP address.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: September 7, 2021
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventor: David T. Ong
  • Patent number: 11115383
    Abstract: In described examples, a system on a chip (SoC) and method for sending messages in the SoC include determining locations of initiator-side firewall block and receiver-side firewall block memories using respective pointers to the firewall block memories stored in a single, contiguous memory. Addresses of the pointers within the single memory depend on respective unique firewall identifiers of the firewall blocks. An exclusive security configuration controller uses the pointers to configure the firewall blocks over a security bus which is electrically isolated from a system bus. The system bus is used to send messages from sending functional blocks to receiving functional blocks. The initiator-side firewall block adds a message identifier to messages. The message identifier depends on the initiator-side firewall block's configuration settings.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: September 7, 2021
    Assignee: Texas Instruments Incorporated
    Inventors: Amritpal Singh Mundra, Chunhua Hu
  • Patent number: 11108801
    Abstract: In an embodiment, a computer implemented method receives flow data for network flows. The method extracts a tuple from the flow data and calculates long-term and short-term trends based at least in part on the tuple. The long-term and short-term trends are compared to determine whether a potential network anomaly exists. If a potential network anomaly does exist, the method initiates a heavy hitter detection algorithm. The method forms a low-complexity intermediate stage of processing that enables a high-complexity heavy hitter detection algorithm to execute when heavy hitters are likely to be detected.
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: August 31, 2021
    Assignee: Level 3 Communications, LLC
    Inventor: Sergey Yermakov
  • Patent number: 11102093
    Abstract: A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware to yield an indication, the method includes assigning a reputation score, based on the indication, to the host. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can include a reduced reputation score from a previous reputation score for the host.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: August 24, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Sunil Kumar Gupta, Navindra Yadav, Michael Standish Watts, Ali Parandehgheibi, Shashidhar Gandham, Ashutosh Kulshreshtha, Khawar Deen
  • Patent number: 11099826
    Abstract: Methods and systems for performing application deployments in a computing environment are presented herein. One or more components of the computing environment may perform a canary deployment of an updated version of an application. As the canary deployment is performed, one or more determinations as to whether to continue, stop, or complete the canary deployment may be performed. These determinations may be based on one or more metrics determined by an application delivery controller of the computing environment. The application delivery controller may be configured to divert or forward traffic to application resources that execute the updated version. Additionally, the canary deployment may be performed in an automated fashion.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: August 24, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Chiradeep Vittal, Rajesh Joshi, Aman Chaudhary, Raghav SN, Ruchit Gupta, Bhavana Shobhana, Sanchita Ghai
  • Patent number: 11082401
    Abstract: A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN.
    Type: Grant
    Filed: February 4, 2019
    Date of Patent: August 3, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: John A. Dilley, Prasanna Laghate, John F. Summers, Thomas Devanneaux
  • Patent number: 11073994
    Abstract: A system and method of securing a computer system by controlling write access to a storage medium by monitoring an application; detecting an attempt by the application to write data to said storage medium; interrogating a rules database in response to said detection; and permitting or denying write access to the storage medium by the application in dependence on said interrogation.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: July 27, 2021
    Assignee: Eighth Street Solutions LLC
    Inventor: John Safa
  • Patent number: 11074306
    Abstract: A system may determine a plurality of candidate regions in a web page, each candidate region comprising one or more page elements at neighboring positions in the web page. The system may extract, for each of the plurality of candidate regions, extraction values corresponding to a plurality of visual features in the candidate regions, the visual features being perceptible to human eyes, and the extraction values derived from attribute values respectively defined by the web page for the visual features. The system may select, from the plurality of candidate regions, a target region that satisfies an extraction criterion based on the extraction values corresponding to the visual features. The system may extract content information of the target region.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: July 27, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Mingxin Zhao
  • Patent number: 11070569
    Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of a plurality of ports on a given destination node by a given source node during a predefined period. Respective first probabilities of being accessed during any given scan are computed for the communication ports that were accessed in the identified scans, and a respective second probability that both of the ports in the pair were accessed during any given scan is computed for each pair of the ports in the identified scans. Upon detecting a scan by one of the nodes including accesses of first and second ports on a given destination node for which the respective second probability for the pair of the first and second ports is lower than a threshold dependent upon the respective first probabilities of the first and second ports, a preventive action is initiated.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: July 20, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Yinnon Meshi, Jonathan Allon, Aviad Meyer