Abstract: In one embodiment, a system for managing a virtualization environment comprises a plurality of host machines, one or more virtual disks comprising a plurality of storage devices, a virtualized file server (VFS) comprising a plurality of file server virtual machines (FSVMs), wherein each of the FSVMs is running on one of the host machines and conducts I/O transactions with the one or more virtual disks, and a virtualized file server backup system configured to back up data stored in a VFS located a cluster of host machines to an object store, and retrieve the backed-up data as needed to restore the data in the VFS. The object store may be located in a public cloud. The object store may include a low-cost storage medium within the cluster. An FSVM of the VFS may provide an object store interface to low-cost storage media.

Abstract: A technique to enforce mobile device security policy is based on a “risk profile” of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.

Abstract: Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

Abstract: A method, system, and computer-usable medium are disclosed for (a) responsive to communication of a client handshake from a client to a server for establishing encrypted communications between the client and the server: (i) holding open, by an intermediate verification system interfaced between the server and the client, the client handshake; and (ii) opening a connection between the intermediate verification system and the server via which the intermediate verification system issues a server verification handshake to the server; (b) responsive to issuance of the server verification handshake to the server, receiving a server certificate associated with the server by the intermediate verification system; (c) responsive to receipt of the server certificate, processing, by the intermediate verification system, the server certificate to determine an identity of the server; and (d) rendering, by the intermediate verification system, a security policy decision regarding traffic between the server and client based

Abstract: Disclosed are various embodiments for a multi-tenant authentication and permissions framework. In a first embodiment, an interceptor intercepts a request to perform an operation with respect to a network resource from a client device, authenticates the client device has having a user identity with an authentication service, receives data from a permissions service indicating whether the user identity has permission to perform the operation, and forwards the request to perform the operation to a service.

Abstract: In communication with networked electronic devices, a method for providing a holistic view of a malware attack potentially being conducted on these networked electronic devices is described. The method includes requesting analytic data from each of the plurality of networked electronic devices. Thereafter, the analytic data from each of the networked electronic devices is analyzed to correlate analytic data from each of the plurality of networked electronic devices in order to provide the holistic view of a malware attack potentially being conducted. After correlation, display information is generated, where the display information includes the correlated analytic data.

Abstract: Techniques for content inspection in a communication network, including detecting a packet in transit between a first and second endpoint, determining that content of the packet fails a content check, modifying a payload containing the content, adjusting a sequence number to account for the modification, and injecting a response message into a corresponding stream in an opposite direction. The response message may contain information relating to a reason for the rejection.

Abstract: Methods of facilitating communication between clients and servers are contemplated. Embodiments of the inventive subject matter make it possible for a client to establish a packet-based connection with a server by first authenticating with a web backend. This can enable, for example, a client to establish a packet-based connection with a server though a web browser.

Abstract: Technologies for function as a service (FaaS) arbitration include an edge gateway, multiple endpoint devices, and multiple service providers. The edge gateway receives a registration request from a service provider that is indicative of an FaaS function identifier and a transform function. The edge gateway verifies an attestation received from the service provider and registers the service provider. The edge gateway receives a function execution request from an endpoint device that is indicative of the FaaS function identifier. The edge gateway selects the service provider based on the FaaS function identifier, programs an accelerator with the transform function, executes the transform function with the accelerator to transform the function execution request to a provider request, and submits the provider request to the service provider. The service provider may be selected based on an expected service level included in the function execution request. Other embodiments are described and claimed.

Abstract: The present specification relates to a communication method and a communication device, and a random access method of a user equipment (UE), according to one embodiment of the present specification, comprises the steps of: sensing a random access trigger in a connected state; determining the type of the random access trigger when the random access trigger is sensed; and performing congestion control if the type of the random access trigger is a preset type.

Abstract: An information processing system comprises a terminal device; an end server; and an intermediate server connected to the terminal device and the end server via a network. The intermediate server includes a communication device that communicates with the terminal device and the end server; a memory device that stores an ID correspondence table that registers a combination of first login information and second login information, the first login information being for logging in to the intermediate server, the second login information being for logging in to the end server; and a controller, when the controller executes an information processing program, the controller operating as an ID issue receiving unit, an end server accessing unit, an ID issuing unit, and an end server access receiving unit.

Abstract: Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected.

Abstract: An architecture and methods for self-sovereign digital identity is described. The method mimics the handling of identities in the physical world, by provisioning unique digital identities to people. Digital identities and consent tokens are said to be self-sovereign because they are tightly controlled by their owners using identity engines installed on personal devices. Identity engines are interoperable, establishing a web identity layer. Self-sovereign digital identities are used to identify their holders, sign and encrypt transactions, and create digital seals that cannot be repudiated. Digital seals affix the identities and attestations of collaborating parties to digital identities, consent tokens, transactions, documents, and other artifacts. Self-sovereign digital identities can be exchanged securely, verified using proof-of-possession and proof-of-custody tests when collaborating synchronously, and verified using a proof-of-existence identity registry when collaborating asynchronously.

Abstract: The present specification relates to a communication method and a communication device, and a random access method of a user equipment (UE), according to one embodiment of the present specification, comprises the steps of: sensing a random access trigger in a connected state; determining the type of the random access trigger when the random access trigger is sensed; and performing congestion control if the type of the random access trigger is a preset type.

Abstract: Detecting and blocking content that can develop undesired behavior by artificial intelligence (AI) entities toward users during a learning process is provided. Input information is received for a set of one or more AI entities. Characteristics of the input information are evaluated based on rules of a selected policy from a set of policies and learned characteristics of information associated with a corpus of information. It is determined whether a result of evaluating the characteristics of the input information exceeds a predefined threshold. In response to determining that the result of evaluating the characteristics of the input information exceeds the predefined threshold, the input information for the set of AI entities is filtered by performing a selective filtering action, using a firewall, based on context of the input information.

Abstract: A device system includes a first server on a first network and a second server on a second network. The second server stores processing data transmitted from the first server in the second memory, in response to a request for processing the processing data from the electronic device, transmits the processing data to the electronic device, and stores, in the second memory, information indicating that the processing data has been processed in association with the processing data in response to reception of a notification indicating that the processing data has been processed from the electronic device. The first server determines whether the second server stores the information indicating that the processing data has been processed, and stores the information indicating that the processing data has been processed in the first memory based on a determination that the second server stores the information indicating that the processing data has been processed.

Abstract: Systems and methods for decentralized and asynchronous authentication flow between users, relying parties and identity providers. A trusted user agent application or digital lock box under a user's control may perform the functions of an authentication broker. In particular, the user agent application or digital lock box can accept relying party requests and respond with authentication and identity data previously obtained from an identity provider server, and without the involvement of a centralized broker server.

Abstract: A system and method for of temporary password management may include: obtaining, by a password management entity, a request to login a local device into an authentication authority; generating, by the password management entity, a temporary password; sending, by the password management entity, the temporary password to the authentication authority; sending, by the password management entity, the temporary password to a user device; obtaining, at the authentication authority the temporary password from the local device; comparing, by the authentication authority, the temporary password obtained from the local device with the temporary password obtained from the password management entity; and authorizing the login if a match is found.

Abstract: Non-limiting embodiments of the present technology are directed to a field of computer science, and particularly to the methods and systems for remote access detection when browsing web resource pages. A method comprises receiving data representative of a periodicity of a computer mouse movement events; generating a statistical model, the statistical model representative of a typical periodicity of the computer mouse movement events associated with a legitimate user of the electronic device; receiving an indication of computer mouse movement events from the electronic device during a browsing session of the web resource; comparing a periodicity of the computer mouse movement events with the statistical model; in response to detecting a deviation in computer mouse movement events, generating a notification determining a presence of a remote connection to the browsing session; transmitting the notification to an entity associated with the web resources.

Abstract: An automation system comprises a local threat information server operating within automation plant and a plurality of field devices operating at a control layer of the automation plant. The local threat information server is configured to: receive threat information from one or more external sources, receive plant information from one or more internal sources, set a threat level according to one or more of the threat information and the plant information, and distribute an indication of the threat level to one or more control layer devices. Each respective field device is configured to: receive the indication of the threat level, identify one or more security operations corresponding to the threat level, and execute the one or more security operations.

Abstract: The present specification relates to a communication method and a communication device, and a random access method of a user equipment (UE), according to one embodiment of the present specification, comprises the steps of: sensing a random access trigger in a connected state; determining the type of the random access trigger when the random access trigger is sensed; and performing congestion control if the type of the random access trigger is a preset type.

Abstract: A method for controlling access to one or more of a plurality of target systems includes receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals. Each entitlement is indicative of target system access. The method further includes generating a model that includes one or more sets of rules where each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access. Each rule within a set relates a combination of one or more features of the profile data with a confidence value. Profile data that defines one or more features associated with a target individual is received from a first user management system. A listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements is generated based on the profile data and the rules.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: The present disclosure provides a method for superseding a log-in through PKI-based authentication with respect to a log-in request of a user by using a blockchain database.

Abstract: The present specification relates to a communication method and a communication device, and a random access method of a user equipment (UE), according to one embodiment of the present specification, comprises the steps of: sensing a random access trigger in a connected state; determining the type of the random access trigger when the random access trigger is sensed; and performing congestion control if the type of the random access trigger is a preset type.

Abstract: A method for providing congestion information in a network is performed in a memory available to a computing entity. A traffic demand is obtained within a certain part of the network by evaluating an amount of traffic in the part of the network per time. A congestion value representing a congestion level of a bottleneck connection link in the network is calculated. The congestion value is a scalar and calculated based on a comparison between measured and/or estimated traffic and traffic demand within a certain part of said network.

Abstract: A system and method for generating network traffic logs including product identifiers is presented. A first computer system includes a first memory coupled to a first processor. The first memory includes instructions that upon execution cause the first computer system to receive a log entry from a second computer system. The log entry includes a virtual network interface identification associated with a first virtual computer system instance. The instructions cause the first computer system to determine a machine image using the virtual network interface identification, and update a record indicating usage of virtual computer system instances created using the machine image.

Abstract: The disclosed embodiments disclose techniques for optimizing data transfer costs for cloud-based security services. During operation, an intermediary computing device receives a network request from a client located in a remote enterprise location that is sending the network request to a distinct, untrusted remote site (e.g., a site separate from the distinct locations of the remote enterprise, the cloud data center, and the intermediary computing device). The intermediary computing device caches a set of data associated with the network request while forwarding the set of data to the cloud-based security service for analysis. Upon receiving a confirmation from the cloud-based security service that the set of data has been analyzed and is permitted to be transmitted to the specified destination, the intermediary computing device forwards the cached set of data to the specified destination.

Abstract: A system and method for of temporary password management may include: obtaining, by a password management entity, a request to login a local device into an authentication authority; generating, by the password management entity, a temporary password; sending, by the password management entity, the temporary password to the authentication authority; sending, by the password management entity, the temporary password to a user device; obtaining, at the authentication authority the temporary password from the local device; comparing, by the authentication authority, the temporary password obtained from the local device with the temporary password obtained from the password management entity; and authorizing the login if a match is found.

Abstract: A method is provided for exchanging data flows between two terminals, via a multipath link formed of a plurality of transmission channels at least one of the channels of which is a unidirectional channel. The method implements two interface modules operating in transmission mode or in reception mode, respectively. In transmission mode, an interface module separates the transmitted data flow into a plurality of secondary data flows and transits them via the plurality of transmission channels. In reception mode, it reassembles the received secondary data flows into a single data flow. The interface modules route the acknowledgement information of the data packets transiting via a unidirectional channel via the return path of a bidirectional channel.

Abstract: A variety of mechanisms to perform End-to-End authentication between entities having diverse capabilities (E.g. processing, memory, etc.) and with no prior security associations are used. Security provisioning and configuration process is done such that appropriate security credentials, functions, scope and parameters may be provisioned to an Entity. Mechanisms to distribute the security credentials to other entities which could then use the credentials to perform an End-to-End authentication at the Service Layer or the Session Layer and using Direct or Delegated modes are developed.

Abstract: Disclosed systems and methods for monitoring an execution system of a programming logic controller (PLC), the method comprising: accessing, by a security module, the PLC execution system and dividing the code and data of the PLC execution system into a plurality of program modules; modifying, by the security module, data exchange interfaces of the program modules used for the interaction between the program modules and the resources of the operating system such that said interaction occurs through the security module, while a format of the data being exchanged complies with a format specified by the security module; and monitoring, by the security module, the execution of the PLC execution system, including monitoring the interaction of the program modules of the PLC execution system with each other and with the resources of the operating system.

Abstract: Provided is a process including: receiving, with an intermediary server, a request to access web content at a web server; submitting, from the intermediary server a value by which possession of an access credential is demonstrated, wherein the value is withheld from the client web browser; receiving, by the intermediary web browser, instructions to store in web browser memory an access token; and sending, from the intermediary server, to the client web browser executing on the client computing device, instructions to store the access token in browser memory of the client web browser, thereby authenticating the client web browser without the client web browser having access to the value by which possession of the access credential is demonstrated.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: A device is provided including processing circuitry configured to generate a plurality of file fragments by splitting a file stored in the device, and to determine a plurality of cloud storages used to store respective file fragments from the plurality of file fragments, wherein the plurality of cloud storages are from among cloud storages in which a user of the device is registered; and communication circuitry configured to request the plurality of cloud storages to respectively store the plurality of file fragments.

Abstract: In one example of federated mobile device management, a first management server federates with a second management server based on an exchange of one or more identity authentication certificates between them. After the first and second management servers have federated or affiliated, they can exchange mobile device management data, including compliance policies, rules, resources, etc., with each other. Based on a request from a client device for affiliated mobile device management, the first management server can request and receive device management data from the second management device. The first management server can evaluate the device management data received from the second management device for conformity with a baseline management policy. If it conforms, the first management server can use the device management data from the second management server, at least in part, to manage the client device.

Abstract: An event-analysis system detects anomalies in the operation of a service by processing operational logs, trace files, and event databases produced by the service in accordance with a hierarchical behavioral profile. The event analysis system converts the operational logs, trace files, and event databases into a normalized event stream which is sent to an analysis engine. The analysis engine converts the stream of normalized events to a set of metrics maintained in association with the profile hierarchy. Operational anomalies of the service are detected by analyzing incoming events in the context of metrics maintained in association with applicable leaf-node profiles, root node profiles, and intermediate node profiles.

Abstract: Various embodiments of the present technology provide a distributed overwatch system that allows transactions with government-grade privacy and security. The security and privacy can be achieved by a combination of distributed trusted proxies, to which anonymous users connect with the overwatch of a variety of network security engines. The structured ecosystem provides mechanism for the blockchain to be monitored by an overwatch capability combining big data analytics, intelligent learning, and comprehensive vulnerability assessment to ensure any risks introduced by vulnerabilities are effectively mitigated. The system may include multiple proxy servers geographically distributed around the world. Each proxy can be associated with local network security engines to probe and analyze network traffic. Each proxy can mask sensitive data (e.g., personally identifiable information) within the transaction before it is stored.

Abstract: A method and apparatus for pre-configuring a communication network to support delivery of a service to an end point associated with the service is provided. A virtual network (VN) having a plurality of VN nodes is provided and associated with a respective plurality of physical network nodes of the communication network. Logical tunnels communicatively interconnect the VN nodes. VN virtual routers (v-routers) associated with the VN nodes are provided and configured to route packets between the VN nodes via the logical tunnels. Edge nodes of the communication network are configured to monitor for a packet associated with the service, and to submit the packet to the VN for handling thereby.

Abstract: Systems and methods for enhanced monitoring and adaptive management of inter-network Domain Name System (“DNS”) traffic include an information capture device in a monitored network. The information capture device receives a redirected connection request originated by a client machine in the monitored network in response to a modified DNS answer from a recursive name server outside of the monitored network, captures detailed information associated with the redirected connection request that is inaccessible to the recursive name server, and sends the captured information to a data storage accessible to the recursive name server for storage as augmented DNS data associated with the client machine and/or the redirected connection request. The information capture device further provides, in response to the redirected connection request, an adaptive answer generated based on the augmented DNS data to the client machine.

Abstract: Exemplary methods, apparatuses, and systems perform a live migration of a virtual infrastructure from a first set of data stores to a second set of data stores using a placement engine configured to determine optimal locations for placement of components of the virtual infrastructure and an optimal order of migration for the components of the virtual infrastructure from the first set of data stores to the second set of data stores.

Abstract: A connection establishment method, a device, and a system are disclosed to resolve a problem in the prior art that because first user equipment is connected to any user equipment, security of a relay service function is poor. A specific solution is: receiving, by first user equipment, a served object group identifier sent by a network device; receiving discovery information sent by second user equipment; and when determining that an identifier of a second group is included in the served object group identifier, establishing a connection between the first user equipment and the second user equipment according to a data link layer ID of the second user equipment.

Abstract: A computer-implemented method includes: detecting, by a user device, an event that indicates a potential security compromise of the user device; determining, by the user device, a service accessible on the user device; sending, by the user device, a breach notification to a service provider corresponding to the service accessible on the user device; receiving, by the user device, a security profile from the service provider; and restricting, by the user device, access to the service provider by a client of the service provider on the user device until the security profile is satisfied by a user completing a security challenge defined in the security profile.

Abstract: At least one application may include instructions comprising application instructions and a plurality of separate pipeline definition instructions. The application instructions may be within a virtual container including at least one program that is generically executable in a plurality of different continuous integration and delivery (CI/CD) environments. Each of the plurality of separate pipeline definition instructions may be configured for each of the plurality of different CI/CD environments such that each pipeline definition may operate only in the CI/CD environment for which it is created. Each pipeline definition may be configured to cause the CI/CD environment for which it is created to execute the at least one program.

Abstract: A technology is provided for improving computer network throughput. Data located in memory of a processing device may be identified. The data packets located in the memory may be sent through a tunneling interface to encapsulate the data packets using a tunneling protocol on a first computing device. Alternatively, the data packets can be sent through a split proxy interface system. The data packets received in the interface may also be encoded using random linear network coding (RLNC) to form encoded packets, using a processor. Further, the encoded packets may be sent across a packet network to a second computing device.

Abstract: Systems and methods are described to enable mitigation of network attacks in communication networks. When a network attack is detected, packets within the communication network are routed through a hierarchical mitigation system, which includes at least two tiers of mitigation devices configured to apply mitigation techniques to the packets. Outer tiers of the hierarchical mitigation system (e.g., closer to an edge of the communication network) can apply simple mitigation techniques that are efficient even when distributed, and which provide early mitigation for attack packets while not requiring large amounts of computing resources. Inner tiers of the hierarchical mitigation system (e.g., closer to a destination device) can apply more complex mitigation systems that may require centralized application, and which provide more robust mitigation at a potentially higher computing resource cost.

Abstract: A method of charging an electric vehicle (EV) includes receiving a user's authentication code in an electric vehicle service equipment (EVSE) from a user's mobile device, comparing in the EVSE the user's authentication code to a whitelist having a plurality of authorized user authentication codes, and enabling an electric vehicle (EV) charging transaction serviced by the EVSE in response to the comparing of the user's authentication code to the whitelist so that a user's authentication code is authenticated to enable the EV charging transaction without concurrent access to an EVSE-related remote server.

Abstract: One aspect relates to initiating, by a device, a connection with an application server associated with one or more application services. A gateway derives an uplink network token and/or a downlink network token. The tokens are provisioned to the device and/or an application server over the user-plane. The tokens are included with uplink and/or downlink packets, respectively. Another aspect relates to receiving a data packet at a gateway. The gateway determines a requirement for a network token from the packet. The gateway derives the network token based on a device subscription profile maintained by a network. The network token may be sent with the packet to a destination address associated with the packet. A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful.

Abstract: Concepts and technologies are disclosed herein for providing a basic firewall using a virtual networking function. A control system having a processor can detect a firewall request that can include a request to create a basic firewall. The processor can analyze a recipe to determine a virtual switch and a basic firewall virtual function that are to provide the functionality of the basic firewall. The processor can trigger instantiation of the virtual switch via a network control function and instantiation of the basic firewall virtual function via a service control function. The processor also can validate the basic firewall. The basic firewall can provide filtering of traffic at the network transport layer using the virtual switch, and as such, the virtual switch may not operate on the application layer.

Abstract: A method and apparatus for a multi-compatible 6LoWPAN gateway system may include a main processor directing operation of a plurality of wireless adapters, each of the plurality of wireless adapters operably connected to one of a plurality of microcontroller processors, and each microcontroller processor executing code instructions of a real-time operating system. The main processor may route an incoming transmission to a first of the plurality of wireless adapters, and, upon notification from a first microcontroller processor operably connected to the first of the plurality of wireless adapters that the first wireless adapter did not receive the incoming transmission, or that the first real-time operating system did not process a data packet within the incoming transmission, may route the incoming transmission to a next wireless adapter operably connected to a next microcontroller processor until the data packet has been processed.