Packet Filtering Patents (Class 726/13)
  • Patent number: 11736466
    Abstract: A device is described that includes a first microprocessor configured for interfacing with a digital access control backend, and a second microprocessor configured for dedicated communications with an access control manager device backend. The first microprocessor is a master device that controls the operation of the second microprocessor as a secondary device. The proposed device is configured for operation of the first microprocessor and the second microprocessor at low clock speeds and to maintain a hash segregation between locally received data sets and data sets transmitted to an external authentication system.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: August 22, 2023
    Assignee: BIOCONNECT INC.
    Inventors: Courtney Ryan Gibson, Robert Douglas
  • Patent number: 11736527
    Abstract: A multi-enterprise system for selecting custom high-value sets of SIEM rules for individual member enterprises communicates with member enterprises via network connections. User interfaces are implemented to enable member enterprises to access the system for search, download, and other functions. Advanced rule identification using a sophisticated security knowledge graph enhances processing efficiency and effectiveness.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: August 22, 2023
    Assignee: ANVILOGIC, INC.
    Inventors: Satheesh Kumar Joseph Durairaj, Deb Banerjee, Karthik Kannan
  • Patent number: 11736496
    Abstract: A data security system, including a security manager computer making network application programming interface (API) calls to a cloud-based service that performs data exchange transactions among end users, the API calls remotely controlling the cloud-based service so that the security manager computer accesses transactions that have entered the cloud-based service, whereby an end user may forward a transaction received through the cloud-based service to a central authority as being a potentially harmful or deceptive transaction, and a data inspector operative to analyze a transaction as being indeed harmful or deceptive, by applying machine learning, wherein the security manager computer controls the cloud-based service so as to transmit to the security manager transactions forwarded to the central authority, instead of or in addition to transmitting these transactions to the central authority, for analysis by the data inspector.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: August 22, 2023
    Assignee: AVANAN, INC.
    Inventors: Roy Rotem, Gil Friedrich
  • Patent number: 11729192
    Abstract: Detection and notification of malware at a user device may be performed by a validation server. The user device may hash elements associated with a document object model of a webpage and send generated hash values to the validation server. The validation server may validate the hash values. Based on detection of hash values corresponding to elements maliciously-injected by malware, the validation server may send one or more notifications to other servers that may communicate with the user device.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: August 15, 2023
    Assignee: Bank of America Corporation
    Inventors: Joel Richard Townsend, John Raymond Omernik, William Anderson Hodges
  • Patent number: 11729148
    Abstract: A method including receiving, at a VPN server from a user device during an established VPN connection between the VPN server and the user device, a data request for the VPN server to retrieve data of interest from a host device; utilizing, by the VPN server, a first exit IP address to transmit a query for retrieving the data of interest to the host device during the established VPN connection; determining, by the VPN server based at least in part on transmitting the query, that the first exit IP address is blocked by the host device; and utilizing, by the VPN server, a second exit IP address to retransmit the query for retrieving the data of interest to the host device during the established VPN connection is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: September 4, 2022
    Date of Patent: August 15, 2023
    Assignee: UAB 360 IT
    Inventors: Karolis Pabijanskas, Zenonas Funka
  • Patent number: 11729188
    Abstract: Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an actual value from a field of the data packet being compared in a comparison by a hardware filter with a setpoint value for values from the field, the field including data link layer data or network layer data, a value for a counter determined as a function of a result of the comparison being provided by the hardware switch unit, and a computing device determining a result of the intrusion detection as a function of the value of the counter in the hardware switch unit and independently of information from the data packet, in particular, without an evaluation of information from the data packet by the computing device.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: August 15, 2023
    Assignee: ROBERT BOSCH GMBH
    Inventors: Andreas Weber, Janin Wolfinger, Jens Gramm, Michael Herrmann, Wolfram Gottschlich
  • Patent number: 11722510
    Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.
    Type: Grant
    Filed: August 10, 2020
    Date of Patent: August 8, 2023
    Assignee: Bank of America Corporation
    Inventor: Patrick Lewis
  • Patent number: 11716314
    Abstract: Described embodiments provide systems and apparatuses for enhanced quality of service, steering and policy enforcement for https traffic via intelligent in-line path discovery of a TLS terminating node. The system may include a first network device having a secure connection traversing through the first network device, and in communication with a second network device. The first network device and the second network device may be intermediary to a client device and a server. The first network device may determine that the second network device terminates the secure connection. The first network device may receive key generation information of the secure connection from the second network device following determining the second network device terminates the secure connection.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: August 1, 2023
    Inventors: J Mohan Rao Arisankala, Chaitra Maraliga Ramaiah, Karthick Srivatsan
  • Patent number: 11716391
    Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: August 1, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Itamar Azulay, Tomer Cherni
  • Patent number: 11711344
    Abstract: A system for firewall data log processing, comprising a firewall logging system operating on a first processor and configured to cause the first processor to receive firewall log data and to process the firewall log data on a periodic basis to reduce the size of the firewall log data and a firewall reporting system operating on a second processor and configured to process the reduced size firewall log data to generate a report on a user interface that includes one or more analytics from the reduced size firewall data.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: July 25, 2023
    Assignee: FORCEPOINT LLC
    Inventors: Michael Oliver O'Mahony, Nicole Carin Petersen, Mandar Harish Harkare, Damien Christopher Monaghan
  • Patent number: 11711340
    Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: July 25, 2023
    Assignee: Fastly, Inc.
    Inventors: Sean A. Leach, Artur Bergman, Thomas J. Daly
  • Patent number: 11711389
    Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: July 25, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Idan Amit, Yinnon Meshi, Jonathan Allon, Aviad Meyer
  • Patent number: 11689577
    Abstract: A method comprising: receiving a request from a second application to access information from a first application, said first and second applications installed on a user equipment, and in response to said request, determining whether said second application is operating in accordance with at least one rule.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: June 27, 2023
    Assignee: Nokia Technologies Oy
    Inventor: Sami Kalervo Majaniemi
  • Patent number: 11689565
    Abstract: This disclosure provides a device monitoring method and apparatus and a deregistration method and apparatus. The device monitoring apparatus has a capability of obtaining signaling plane data exchanged between a core network element and a terminal device, and after obtaining the signaling plane data, the device monitoring apparatus can determine, by analyzing attribute information of the signaling plane data, a device that may initiate a DoS attack.
    Type: Grant
    Filed: June 15, 2020
    Date of Patent: June 27, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yong Wang, Li Hu, Jing Chen
  • Patent number: 11689458
    Abstract: A control device is connected to a plurality of networks, dispatches a packet received from a user terminal to a network among the plurality of networks, and includes a memory and a processor configured to execute receiving a DNS query packet transmitted from the user terminal, and based on a query target of the DNS query packet, dispatching the DNS query packet to a network among the plurality of networks; and receiving a packet, determining a destination of the packet based on a destination address of the packet, and transmitting the packet to the determined destination.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: June 27, 2023
    Assignee: NTT Communications Corporation
    Inventors: Wenyu Shen, Kenji Arai, Ryu Kanishima, Takeo Saga
  • Patent number: 11671405
    Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
    Type: Grant
    Filed: March 4, 2022
    Date of Patent: June 6, 2023
    Assignee: Level 3 Communications, LLC
    Inventor: Michael Benjamin
  • Patent number: 11671270
    Abstract: The present disclosure is directed to systems and methods for logical flow aggregation for fragmented multicast flows, the methods including the steps of identifying a plurality of fragmented multicast flows that are logically related as a single flow in a multicast network; generating a plurality of multicast joins associated with the plurality of fragmented multicast flows, wherein each multicast join of the plurality of multicast joins includes a join attribute comprising a common flow identifier that identifies the plurality of fragmented multicast flows as logically related; and selecting a reverse forwarding path toward an upstream device for the plurality of multicast joins.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: June 6, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mankamana Prasad Mishra, Roshan Lal, Anuj Budhiraja
  • Patent number: 11665207
    Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: May 30, 2023
    Assignee: ExtraHop Networks, Inc.
    Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein
  • Patent number: 11652848
    Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: May 16, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Dheerendra Talur, Venkat Maithreya Paritala, Abhishek Chhajer, Charlie Jahchan, Yogeshkumar Kuite
  • Patent number: 11652789
    Abstract: Methods and apparatuses providing file type inspection in firewalls by moving the flow between deep inspection file and lightweight accelerated paths. The method includes obtaining, by a network security device, a packet flow of a file transfer session in which at least two files are transferred and determining, by the network security device, at least an offset parameter based on at least one attribute of at least a first packet in the packet flow. The offset parameter is for a first file being transferred of the at least two files and relates to an expected position of a control data sequence within the packet flow. In this method, based on the offset parameter, directing, by the network security device, to an accelerated packet inspection path instead of to a deep packet inspection path, a portion of the packet flow including one or more packets that follow the first packet.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: May 16, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Andrew E. Ossipov
  • Patent number: 11652829
    Abstract: A secure data exchange system comprising a security device including a first external device plug, and a security engine operative to enforce a security policy on data transfer requests received from the host; an external device including a second external device plug; and a host including a first external device port operative to communicatively couple with the first external device plug, a second external device port operative to communicatively couple with the second external device plug, and a driver, e.g., a redirect driver, operative to transfer a data transfer request to the security device before executing the data transfer request.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: May 16, 2023
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 11630894
    Abstract: To provide a structure capable of performing more secure authentication between devices. There is provided a processing device comprising: a processing unit that executes a defined process that is defined in advance according to an input first request, executes calculation using first information included in the first request, and transmits a first response including a result of the calculation to a first device having output the first request, wherein the processing unit transmits a second request including second information different from the first information to at least one second device different from the first device, and acquires a second response including a result of calculation using the second information from the at least one second device.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: April 18, 2023
    Assignee: KABUSHIKI KAISHA TOKAI RIKA DENKI SEISAKUSHO
    Inventors: Yosuke Hasegawa, Yosuke Ohashi, Takanori Matsuyama
  • Patent number: 11632389
    Abstract: A first device may receive content from a second device based on a request for the content. The first device may be located between the second device and a third device. The first device may determine a value for a portion of the content using a function, where the value is to be used to analyze the content. The value may uniquely identify the portion of the content. The first device may determine whether a classification of the content can be determined. The first device may selectively determine the classification of the content by providing the value or the portion of the content corresponding to the value, to a fourth device when the classification cannot be determined, or determine the classification of the content using a data store when the classification can be determined. The first device may perform an action with respect to the content.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: April 18, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Venkata Rama Raju Manthena, Chandrasekar Nagarajan
  • Patent number: 11632810
    Abstract: It is provided a method, comprising triggering a terminal of a wireless network to establish a control session to a translator device via the wireless network; providing a control port to a station of a wireline network; forwarding at least one of a first message from the station received on the control port via the control session to the translator device and a second message received via the control session from the translator device to the station.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: April 18, 2023
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Rakash Sivasiva Ganesan, Peter Rost, Christian Markwart, Borislava Gajic, Andreas Maeder, Christian Mannweiler
  • Patent number: 11627040
    Abstract: A network device may receive a first configuration object associated with an application and may parse the first configuration object to identify first configuration data. The network device may calculate a first hash value based on the first configuration data and may generate a first operational object based on the first configuration data and the first hash value. The network device may receive a second configuration object associated with the application of the network device and may parse the second configuration object to identify second configuration data. The network device may calculate a second hash value based on the second configuration data and may determine whether the first hash value matches the second hash value. The network device may prevent, based on the first hash value matching the second hash value, generation of a second operational object based on the second configuration data and the second hash value.
    Type: Grant
    Filed: August 18, 2021
    Date of Patent: April 11, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Rajat Rastogi, Vikas G, Sandeep Hassan Ramanna
  • Patent number: 11621999
    Abstract: In response to a first programmatic request, metadata indicating that a first isolated read channel of a real-time category has been associated with a first target stream is stored at a stream management service. In response to another request, metadata indicating that a second isolated read channel of a non-real-time category has been associated with a second target stream is stored. In response to a read request indicating the first channel or the second channel, one or more data records of the corresponding target streams are provided.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: April 4, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Benjamin Warren Mercier, Sayantan Chakravorty, Yasemin Avcular, Charlie Paucard
  • Patent number: 11616759
    Abstract: A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified accordingly locally at the firewall based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: March 28, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Mengying Jiang, Shengming Xu, Menglan Fang, Ho Yu Lam
  • Patent number: 11611453
    Abstract: Network interface provisioning of containerized instances based on tenant policies. A network interface assignment process (NIAP) receives a first request to assign a network interface to a first containerized instance comprising at least one container. The NIAP determines that a first tenant of a plurality of different tenants is associated with the first containerized instance. The NIAP accesses a first network assignment tenant policy (NATP) that corresponds to the first tenant. Based on the first NATP, the NIAP assigns, to the first containerized instance, a first network interface via which the first containerized instance can communicate with other containerized instances associated with the first tenant.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: March 21, 2023
    Assignee: Red Hat, Inc.
    Inventors: Huamin Chen, Douglas K. Smith
  • Patent number: 11604874
    Abstract: Audio visual privacy controls can be provided. A privacy service can be configured to interface with multiple filter drivers that are loaded above components of an AV platform to enable the privacy service to selectively block a particular AV app's access to an AV device based on context. A privacy service may leverage a first filter driver to identify an AV app and may leverage a second filter driver to block the AV app's access. The privacy service may consider different types and combinations of context to determine when access to an AV device's stream should be blocked.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: March 14, 2023
    Assignee: Dell Products L.P.
    Inventors: Srikanth Kondapi, Gokul Thiruchengode Vajravel
  • Patent number: 11606346
    Abstract: A logic circuit for managing reception of secure data packets in an industrial controller snoops data being transferred by a Media Access Controller (MAC) between a network port and a shared memory location within the industrial controller. The logic circuit is configured to perform authentication and/or decryption on the data packet as the data packet is being transferred between the port and the shared memory location. The logic circuit performs authentication as the data is being transferred and completes authentication shortly after the MAC has completed transferring the data to the shared memory. The logic circuit coordinates operation with the MAC and signals a Software Packet Processing (SPP) module when authentication is complete. The logic circuit is further configured to decrypt the data packet, if necessary, and to similarly coordinate operation with the MAC and delay signaling the SPP module that data is ready until decryption is complete.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: March 14, 2023
    Assignee: Rockwell Automation Technologies, Inc.
    Inventor: Kenneth William Batcher
  • Patent number: 11606296
    Abstract: A method performed by a node of a communications network such as a virtual routing function or policy enforcement node comprises receiving at least one packet, such as an internet protocol packet having an associated address and obtaining one or more metrics. The method involves dynamically configuring a longest-prefix match process on the basis of at least the metric(s). The dynamically configured longest-prefix match process is used with the associated address to identify an action and the identified action is applied to the packet.
    Type: Grant
    Filed: February 11, 2021
    Date of Patent: March 14, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventor: Colin Tregenza Dancer
  • Patent number: 11606448
    Abstract: What is disclosed is a method for efficient capture and streaming of data packets in a network device, comprising capturing data packets matching predetermined filters, packaging said data packets into samples, and aggregating one or more samples in a high speed bus payload. The method also comprises transferring said high speed bus payload to a CPU, extracting said samples from the high speed bus payload and storing said samples in a shared memory of the CPU, and accessing said samples from the shared memory for streaming to one or more clients.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: March 14, 2023
    Assignee: Accedian Networks Inc.
    Inventors: Sylvain Lizotte, Marc-André Lamontagne, Marc Gélinas, Yanick Viens
  • Patent number: 11606334
    Abstract: A communication security apparatus includes a communicator that receives a packet from a first device and transmits the received packet to a second device, a memory that retains address authentication information containing pairs of a physical address and a logical address of one or more devices, and a controller. After a learning period of receiving and transmitting packets, the controller determines whether a pair of a physical address and a logical address of the first device and the second device match any one of the pairs of the physical address and the logical address of the one or more devices in the packet, and discards the packet when the pair of the physical address and the logical address of the first device and the second device do not match any one of the pairs of the physical address and the logical address of the one or more devices.
    Type: Grant
    Filed: March 10, 2021
    Date of Patent: March 14, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takuji Hiramoto, Tatsumi Oba
  • Patent number: 11595440
    Abstract: Disclosed herein are methods, systems, and processes for provisioning and deploying deception computing systems with dynamic and flexible personalities. A network connection is received from a source Internet Protocol (IP) address at a honeypot. In response to receiving the network connection, a personality state table is accessed and a determination is made as to whether a personality that corresponds to the source IP address exists in the personality state table. If the personality exists, the personality is designated to the source IP address. If the personality does not exist, an attack characteristic of the network connection is determined and an alternate personality that is substantially similar to the attack characteristic is designated to the source IP address.
    Type: Grant
    Filed: April 7, 2021
    Date of Patent: February 28, 2023
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 11588862
    Abstract: Aspects of the subject disclosure may include, for example, a method in which a processing system authenticates a communication device roaming from a home network that does not support Voice over Long Term Evolution (VoLTE) roaming, and in which the processing system communicates with a packet gateway (PGW) of an evolved packet core (EPC) separate from the processing system, to facilitate communication between the communication device and a subsystem of the EPC; the subsystem emulates the home network to provide a VoLTE roaming service to the communication device. The communication device also engages in a session initiation protocol (SIP) with the subsystem to initiate a communication session with the subsystem; in accordance with the communication session, the subsystem provides the VoLTE roaming service to the communication device. Other embodiments are disclosed.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: February 21, 2023
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Mario Manuel Jardon, Cameron Dunn
  • Patent number: 11582189
    Abstract: A method for filtering communication data arriving from a communication partner via a communication connection, which provides access to at least one storage means of a receiving data processing device having at least one computation unit, in the data processing device, wherein PCI Express, in an interface unit, receiving the communication data, of the data processing device, a filter means, at least part of which is embodied as hardware, is used so that, according to configuration information, prescribed on the data processing device, containing at least one approval condition that rates the at least one property of the useful data contained in the communication data, only the communication data meeting at least one approval condition are forwarded from the interface unit to at least one further component of the data processing device.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: February 14, 2023
    Assignee: AUDI AG
    Inventors: Changsup Ahn, Kamil Zawadzki, Markus Klein, Hans Georg Gruber
  • Patent number: 11582151
    Abstract: In one embodiment, a method is provided. The method includes receiving a data packet via an ingress interface of the network device. The method also includes determining whether the data packet comprises an Internet Protocol version 4 (IPv4) or an Internet Protocol version 6 (IPv6) packet. The method further includes, in response to determining that the packet comprises an IPv4 packet, identifying a first entry in an adjacency table. The first entry is associated with an address prefix. The address prefix is associated with a first Internet Protocol (IP) address of the data packet. The first entry indicates a next hop for the data packet. The adjacency table comprises a second entry associated with the address prefix. The method further includes forwarding the packet to the next hop indicated by the first entry in the adjacency table, via an egress interface of the network device.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: February 14, 2023
    Assignee: Arista Networks, Inc.
    Inventors: Sriram Sellappa, Song Yuan
  • Patent number: 11575604
    Abstract: In a server 10, a communication unit 12 receives a signal including processed data and a Bloom filter in accordance with a process pattern executed on the processed data transmitted from an edge equipment 20-2 directly connected to the server 10. A process pattern specifying unit 13 specifies a process pattern executed on the processed data received by the communication unit 12 based on the “process pattern list” and the Bloom filter received in the communication unit 12.
    Type: Grant
    Filed: March 5, 2021
    Date of Patent: February 7, 2023
    Assignee: NEC CORPORATION
    Inventor: Sayumi Norimatsu
  • Patent number: 11567467
    Abstract: Methods and systems for configuring a modular building control system. An illustrative method may include entering a configuration mode in a base module and in each of the expansion modules. While in the configuration mode, the base module may collect information from each of the expansion modules. A system configuration may be created for the modular building control system based at least in part on the collected information and includes configuration parameters for the base module and each of the expansion modules. The base module may transmit to each of the expansion modules their respective configuration parameters. The base module and each of the expansion modules may install their respective configuration parameters, exit the configuration mode, and enter an operation mode. While in the operation mode, the base module and each of the expansion modules may control the modular building control system.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: January 31, 2023
    Assignee: Honeywell International Inc.
    Inventors: Rong Bao Nie, Himanshu Khurana, Jared P. Faber
  • Patent number: 11558429
    Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: January 17, 2023
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
  • Patent number: 11552986
    Abstract: A non-transitory storage medium having stored thereon logic wherein the logic is executable by one or more processors to perform operations is disclosed. The operations may include parsing an object, detecting one or more features of a predefined feature set, evaluating each feature-condition pairing of a virtual feature using the one or more values observed of each of the one or more detected features, determining whether results of the evaluation of one or more feature-condition pairings satisfy terms of the virtual feature, and responsive to determining the results of the evaluation satisfy the virtual feature, performing one or more of a static analysis to determine whether the object is associated with anomalous characteristics or a dynamic analysis on the object to determine whether the object is associated with anomalous behaviors.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: January 10, 2023
    Assignee: FireEye Security Holdings US LLC
    Inventors: Gregory Templeman, Yasir Khalid
  • Patent number: 11539665
    Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.
    Type: Grant
    Filed: July 7, 2022
    Date of Patent: December 27, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Steven Rogers, Sean Moore
  • Patent number: 11539664
    Abstract: A packet-filtering network appliance such as a threat intelligence gateway (TIG) protects TCP/IP networks from Internet threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies are composed of packet filtering rules derived from cyber threat intelligence (CTI). Logs of rule-matching packets and their associated flows are sent to cyberanalysis applications located at security operations centers (SOCs) and operated by cyberanalysts. Some cyber threats/attacks, or incidents, are composed of many different flows occurring at a very high rate, which generates a flood of logs that may overwhelm computer, storage, network, and cyberanalysis resources, thereby compromising cyber defenses.
    Type: Grant
    Filed: June 13, 2022
    Date of Patent: December 27, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: John Fenton, Peter Geremia, Richard Goodwin, Sean Moore, Vincent Mutolo, Jess Parnell, Jonathan R. Rogers
  • Patent number: 11533340
    Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pod in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: December 20, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Gianluca Mardente, Aram Aghababyan
  • Patent number: 11526613
    Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: December 13, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Thomas Chisnall, Cédric Alain Marie Fournet, Manuel Costa, Samuel Alexander Webster, Sylvan Clebsch, Kapil Vaswani
  • Patent number: 11520738
    Abstract: Provided is a system and method for searching for a target key in a database, the method including populating a hash-offset table of a sorted key table with hash-offset table entries, the hash-offset table entries having a hash-value corresponding to a respective key, and a hash offset, sorting the hash-offset table entries based on the hash-values, searching for a target hash-value of the hash-values corresponding to a target key in the hash-offset table, locating a target key-value pair corresponding to the target key based on the target hash-value, and saving a location of the target key-value pair.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: December 6, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Heekwon Park, Ho bin Lee, Ilgu Hong, Yang Seok Ki
  • Patent number: 11509695
    Abstract: Information associated with a controlled-environment facility resident communications and/or data device, such as device location within the controlled-environment facility, may be used to determine whether the resident device is approved for two-way video visitation or restricted to one-way video visitation. Video visitation may be initiated and voice and video captured and streamed by a non-resident communications and/or data device, as well as voice and/or video captured and streamed by the resident device, is received by a controlled-environment facility electronic communications management system. Voice and video captured at the non-resident device is transmitted to the resident device and, if the resident device is permitted two-way video visitation, voice and video captured by the resident device is transmitted to the non-resident device; if the resident device is restricted to one-way video visitation, only voice is transmitted to the non-resident device.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: November 22, 2022
    Assignee: Securus Technologies, LLC
    Inventors: Ligit Mathew, Daniel Wright, Nikita Dehoumon
  • Patent number: 11503004
    Abstract: The present disclosure provides technical solutions related to a distributed IPSec gateway. A control plane and a data plane of the IPSec gateway are divided, and a plurality of gateway processing nodes may be run in the data plane to process data packets of incoming ESP/AR traffic and/or data packets of outgoing IP traffic. IKE information interaction may be handled in the control plane and the traffic may be steered on each gateway processing node in the data plane.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: November 15, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yongqiang Xiong, Chih-Yung Wang, Jeongseok Son
  • Patent number: 11503066
    Abstract: A system and method for holistic computer system cybersecurity evaluation and risk rating that takes into account the operation of the entire computer system environment comprising hardware, software, and the operating system. Not only are the hardware, software, and operating system evaluated separately for cybersecurity concerns, their interaction and operation as a whole are also evaluated and scored. The results of such analyses may be used, for example, by underwriters of cybersecurity insurance policies to determine policy terms and rates.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: November 15, 2022
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11496377
    Abstract: An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: November 8, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Navindra Yadav, Mohammadreza Alizadeh Attar, Shashidhar Gandham, Jackson Ngoc Ki Pang, Roberto Fernando Spadaro