Packet Filtering Patents (Class 726/13)
  • Patent number: 11489818
    Abstract: A computer-implemented method for creating a classified token database usable for dynamically redacting confidential information from communications includes performing natural language processing on training input and determining whether a confidentiality level is present in the training input. The method includes, in response to determining that the confidentiality level is present, adding at least one classified token associated with the training input to a classified token database.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: November 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: John S. Werner, Luke N. Buschmann, Bradley J. Hoover
  • Patent number: 11489865
    Abstract: A control device includes a controller configured to instruct a mitigation device executing a defending process against an attack on a network to execute the defending process in response to reception of a defending request indicating a request for executing the defending process. When predetermined specific data included in the received defending request is valid, the controller instructs the mitigation device to execute the defending process at an earlier timing after the reception of the defending request than when the specific data is not valid or the specific data is not included in the defending request.
    Type: Grant
    Filed: August 17, 2018
    Date of Patent: November 1, 2022
    Assignee: NTT Communications Corporation
    Inventor: Kaname Nishizuka
  • Patent number: 11481493
    Abstract: A device may receive data identifying applications, wherein each application includes files and each file includes functions and lines of code. The device may generate file hashes for the files, line hashes for the lines of code, and function hashes for the functions. The device may store, in a data structure, data identifying one or more of the applications, the files, the lines of code, the functions, the file hashes, the line hashes, and the function hashes. When scanning a new application, the device may generate a hash associated with one of the files of the new application, and may determine that the hash associated with the file of the new application matches one of the file hashes. The device may refrain from performing a scan of the file of the new application based on determining that the hash of the file matches one of the file hashes.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: October 25, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Ignacio D. Pizano, Stephen Pettit
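    As an added worked example (not the patent's own code or Verizon's), the three-level hashing the abstract describes: file, function and line hashes of previously scanned applications go into a database, and when a new application arrives a file whose hash is already known is skipped, while a file that changed is narrowed down to the functions whose hashes are new. The sample applications, the crude `def`-based function splitter and the `plan_scan` return format are assumptions made for the demo.

```python
import hashlib
import re

# Constructed sample corpus (not from the patent): app name -> {file name: source text}.
KNOWN_APPS = {
    "inventory-v1": {
        "auth.py": "def login(u, p):\n    return check(u, p)\n\ndef logout(s):\n    s.clear()\n",
        "util.py": "def helper(x):\n    return x + 1\n",
    },
}

# Constructed "new" app: one file unchanged, one file that reuses a known function
# next to a new one, and one file whose only function was modified.
NEW_APP = {
    "auth.py": KNOWN_APPS["inventory-v1"]["auth.py"],
    "mix.py": "def logout(s):\n    s.clear()\n\ndef audit(s):\n    return s\n",
    "util.py": "def helper(x):\n    return x + 2\n",
}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def split_functions(source: str) -> dict:
    """Crude splitter for the demo: a top-level Python function runs from its
    'def' line to the next top-level 'def'. Bodies are stripped so that
    surrounding blank lines do not change the function hash."""
    funcs, name, body = {}, None, []
    for line in source.splitlines(keepends=True):
        m = re.match(r"def (\w+)\(", line)
        if m:
            if name:
                funcs[name] = "".join(body).strip()
            name, body = m.group(1), [line]
        elif name:
            body.append(line)
    if name:
        funcs[name] = "".join(body).strip()
    return funcs


def build_index(apps: dict) -> dict:
    """Three hash tables, one per granularity, each mapping a hash to where it was seen."""
    index = {"file": {}, "function": {}, "line": {}}
    for app, files in apps.items():
        for fname, src in files.items():
            index["file"].setdefault(sha256(src), []).append((app, fname))
            for func, body in split_functions(src).items():
                index["function"].setdefault(sha256(body), []).append((app, fname, func))
            for line in src.splitlines():
                if line.strip():
                    index["line"].setdefault(sha256(line.strip()), []).append((app, fname))
    return index


def plan_scan(index: dict, new_app: dict) -> dict:
    """Per file: 'skip' when the whole-file hash is already known, otherwise the
    list of functions whose hash is new and therefore still needs scanning."""
    plan = {}
    for fname, src in new_app.items():
        if sha256(src) in index["file"]:
            plan[fname] = "skip"
            continue
        plan[fname] = [func for func, body in split_functions(src).items()
                       if sha256(body) not in index["function"]]
    return plan


INDEX = build_index(KNOWN_APPS)

if __name__ == "__main__":
    for fname, decision in plan_scan(INDEX, NEW_APP).items():
        print(fname, "->", decision)
```

    One caveat a practitioner would add: a hash match only means "this exact content was scanned before", not "this content is safe". If the scanner's rules change, the stored verdicts are stale, so the index should be keyed by ruleset version (or flushed on every rule update) before a match is allowed to skip a scan.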
  • Patent number: 11475354
    Abstract: Provided is a deep learning method including a step of each of at least two deep learning machines learning web traffic by using hexadecimal encoding; a step of the deep learning machines learning the web traffic by incremental learning using a weight; a step of, when web traffic is received, each of the deep learning machines encoding a character string of the web traffic as UTF-8 hexadecimal; and a step of each of the deep learning machines converting the character string into an image and deep learning the image.
    Type: Grant
    Filed: January 8, 2019
    Date of Patent: October 18, 2022
    Assignee: Cloudbric Corp
    Inventors: Seung Young Park, Tai Yun Kim, Tae Joon Jung, Eun A Ko
  • Patent number: 11477208
    Abstract: Systems and methods for providing collaboration rooms with dynamic tenancy and role-based security are disclosed herein. An example method includes establishing a digital collaboration room for an entity, generating a token for a first user, receiving a request to perform an action on a portion of the data, performing a hierarchical permissions analysis to determine if the first user has permission to perform the action and access the portion of the data and determine if the user currently has permission to enter the digital collaboration room. The method includes retrieving the portion of the data from the database for the digital collaboration room and allowing the first user to perform the action when the user currently has permission to enter the digital collaboration room and the user has permission to perform the action and access the portion of the data.
    Type: Grant
    Filed: September 15, 2021
    Date of Patent: October 18, 2022
    Assignee: Cygnvs Inc.
    Inventors: Ana Vallejo Ureña, Sai Avala, Kevin Gaffney
  • Patent number: 11477237
    Abstract: Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: October 18, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: Steven Rogers, Sean Moore, David K. Ahn, Peter P. Geremia
  • Patent number: 11470020
    Abstract: Embodiments of a method and device are disclosed. In an embodiment, an in-vehicle network interface device includes a data port to send and receive data packets, a plurality of packet processing pipelines coupled to the data port, each to inspect a single data packet to determine an action to perform on the single data packet, and a safety module to receive the determined action from each packet processing pipeline and to select one of the determined actions to perform on the single data packet and to cause a selected one of the packet processing pipelines to perform the selected action.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: October 11, 2022
    Assignee: NXP B.V.
    Inventors: Rajeev Roy, Lucas Pieter Lodewijk Van Dijk, Steffen Müller
  • Patent number: 11469968
    Abstract: A method and system for automatically classifying protected devices of a protected network to protection groups providing customized protection. The method includes accessing network flow information that includes network statistics processed from observed data obtained by packet interception devices, accessing at least one model that was trained using machine learning and a training data set of the network flow information to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups as a function of the network statistics that correspond to the training data set, and classifying a protected device that has an address that corresponds to a destination address associated with a portion of the network flow information to at least one of the protection groups using the at least one model and machine learning and as a function of the network statistics that correspond to the portion of the network flow information.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: October 11, 2022
    Assignee: Arbor Networks, Inc.
    Inventors: Justin William Haddad, Sean O'Hara
  • Patent number: 11461474
    Abstract: The present disclosure relates to a process-based virtualization system comprising a data processing unit. The system comprises a computer readable storage media, wherein a first memory component of the computer readable storage media is configured for access by an OS, secure and non-secure applications and the firmware, and wherein a second memory component of the computer readable storage media is configured for access by the firmware and not by the OS and the non-secure application. The data processing unit is configured to operate in a first mode of operation that executes a non-secure application process using the OS, and to operate in a second mode of operation that executes the secure application using the firmware, thereby executing application code using the second memory component.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: October 4, 2022
    Assignee: International Business Machines Corporation
    Inventors: Jentje Leenstra, Paul Mackerras, Benjamin Herrenschmidt, Bradly George Frey, John Martin Ludden, Guerney D. H. Hunt, David Campbell
  • Patent number: 11461484
    Abstract: A method by one or more runtime agents protecting a web application for capturing contextual information for data accesses. The method includes determining first metadata associated with a web application layer request sent by a web application firewall to the web application, determining second metadata associated with the web application layer request based on information available to the web application, serializing the first metadata and the second metadata to generate serialized metadata, and adding the serialized metadata to a database query that is to be submitted by the web application to the database server, wherein execution of the database query that includes the serialized metadata by the database server is to cause the database activity monitor to store the serialized metadata and third metadata associated with the database query determined by the database activity monitor in a data storage.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: October 4, 2022
    Assignee: Imperva, Inc.
    Inventors: Kunal Anand, Brian Anderson, Joe Moore, Ran Rosin, Itsik Mantin, Peter Klimek, Craig Burlingame
  • Patent number: 11456954
    Abstract: A system and a method are described for data packet fragmentation for replicated packet traffic through an SD-WAN. In an example a first packet has an internet protocol identification (IP-ID). The first packet is replicated to create a second packet. The first packet and the second packet are fragmented into fragments for transmission through a tunnel in one or more paths between the source address and the destination address. The IP-ID of the second packet is modified. The fragments of the first packet and the second packet are separately encapsulated. The first and second packet fragments are received through the tunnel at a second node. The second node reassembles the first packet using the first packet fragments and reassembles the second packet using the second packet fragments. The IP-ID of the reassembled second packet is restored to be the IP-ID of the first packet.
    Type: Grant
    Filed: December 20, 2021
    Date of Patent: September 27, 2022
    Assignee: Versa Networks, Inc.
    Inventors: Kapil Bajaj, Chetan Bali, Apurva Mehta
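    As an added example (not Versa's code or the patent's), a simulation of why the replica's IP-ID has to be rewritten before fragmentation: a receiver reassembles fragments keyed by source, destination and IP-ID, so two interleaved copies that carry the same IP-ID collapse into one reassembly buffer, one copy is delivered and the other is left as an incomplete buffer. With a distinct IP-ID both copies reassemble, and the far-end node restores the original IP-ID afterwards. The addresses, the "flip a high bit" rewrite and the omission of the tunnel encapsulation are assumptions of the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int      # fragment index (real IP uses 8-byte units; an index is enough here)
    more: bool       # "more fragments" flag
    payload: bytes


def fragment(src, dst, ip_id, payload, mtu):
    n = (len(payload) + mtu - 1) // mtu
    return [Fragment(src, dst, ip_id, i, i < n - 1, payload[i * mtu:(i + 1) * mtu])
            for i in range(n)]


class Reassembler:
    """Receiver side: buffers keyed by (src, dst, IP-ID), as RFC 791 reassembly is."""
    def __init__(self):
        self.buffers = {}      # key -> {offset: Fragment}
        self.delivered = []    # (ip_id, payload) in completion order

    def receive(self, f: Fragment):
        key = (f.src, f.dst, f.ip_id)
        buf = self.buffers.setdefault(key, {})
        buf[f.offset] = f      # a repeated offset under the same key just replaces the earlier one
        last = [x for x in buf.values() if not x.more]
        if last and all(o in buf for o in range(last[0].offset + 1)):
            data = b"".join(buf[o].payload for o in range(last[0].offset + 1))
            self.delivered.append((f.ip_id, data))
            del self.buffers[key]


def replicate_and_send(payload: bytes, rewrite_id: bool, mtu: int = 4):
    """Constructed SD-WAN scenario: one packet (IP-ID 100) is duplicated onto two
    paths; the fragments of the two copies interleave at the far end."""
    orig_id = 100
    copy_id = orig_id ^ 0x8000 if rewrite_id else orig_id   # assumption: flip a high bit for the replica
    first = fragment("10.0.0.1", "10.0.0.2", orig_id, payload, mtu)
    second = fragment("10.0.0.1", "10.0.0.2", copy_id, payload, mtu)
    rx = Reassembler()
    for a, b in zip(first, second):
        rx.receive(a)
        rx.receive(b)
    # far-end tunnel node restores the replica's IP-ID so both copies look identical upstream
    restored = [(orig_id if ip_id == copy_id else ip_id, p) for ip_id, p in rx.delivered]
    return restored, len(rx.buffers)   # delivered packets, stuck (incomplete) buffers


if __name__ == "__main__":
    print(replicate_and_send(b"ABCDEFGH", rewrite_id=False))
    print(replicate_and_send(b"ABCDEFGH", rewrite_id=True))
```

    Stacks differ in whether a duplicate fragment replaces or is dropped in favour of the first one, but the outcome is the same either way: under one shared IP-ID only one copy ever completes, and the leftover fragments hold a reassembly slot until it times out.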
  • Patent number: 11457021
    Abstract: Systems and methods perform selective rate limiting with a distributed set of agents and a remote controller. An agent receives a packet from a client, and inspects the packet using different rules. Each rule may include at least one different (i) rule definition with traffic dimensions identifying a different attack, (ii) signal with which to identify attack traffic matching the rule definition, (iii) threshold specifying a condition, and (iv) action to implement based on the condition of the threshold being satisfied. The agent provides the signal in response to the packet matching the traffic dimensions from the rule definition of a particular rule. The controller updates a value linked to the signal and a client identifier of the client, and implements the action of the particular rule across the distributed set of agents in response to the value satisfying the condition for the particular rule threshold.
    Type: Grant
    Filed: May 13, 2020
    Date of Patent: September 27, 2022
    Assignee: Fastly, Inc.
    Inventors: Nicholas Galbreath, Robert Gibson, Marc Harrison
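    As an added example (not Fastly's code or the patent's), the agent/controller split the abstract describes: each rule carries traffic dimensions, a signal, a threshold and an action; agents report the signal for matching packets; the controller counts per (signal, client) and, once the threshold condition holds, pushes the action to every agent, so a client that only ever flooded one edge is blocked at all of them. The sliding time window, the attribute names and the client identifier are assumptions of the demo (the abstract says only that the threshold "specifies a condition").

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    dimensions: dict   # traffic attributes that identify the attack pattern
    signal: str        # label an agent reports to the controller on a match
    threshold: int     # condition: this many signals per client inside the window
    window: float      # seconds (assumed; the abstract only says "a condition")
    action: str        # what every agent applies once the condition holds


@dataclass
class Packet:
    client_id: str
    attrs: dict


class Controller:
    """Central counter: receives signals from all agents, keyed by (signal, client)."""
    def __init__(self, rules, agents):
        self.rules = {r.signal: r for r in rules}
        self.agents = agents
        self.events = defaultdict(list)   # (signal, client_id) -> timestamps

    def report(self, signal, client_id, now):
        rule = self.rules[signal]
        ts = self.events[(signal, client_id)]
        ts.append(now)
        while ts and ts[0] <= now - rule.window:   # drop events outside the window
            ts.pop(0)
        if len(ts) >= rule.threshold:
            for agent in self.agents:               # enforce on the whole fleet, not just the reporter
                agent.enforce(client_id, rule.action)


class Agent:
    """Edge inspector: matches packets against rules, reports signals, applies actions."""
    def __init__(self, name, rules):
        self.name, self.rules = name, rules
        self.controller = None
        self.enforced = {}    # client_id -> action pushed by the controller

    def enforce(self, client_id, action):
        self.enforced[client_id] = action

    def inspect(self, pkt, now):
        if pkt.client_id in self.enforced:
            return self.enforced[pkt.client_id]
        for rule in self.rules:
            if all(pkt.attrs.get(k) == v for k, v in rule.dimensions.items()):
                self.controller.report(rule.signal, pkt.client_id, now)
        # the report may have triggered enforcement for this very packet
        return self.enforced.get(pkt.client_id, "allow")


def run_demo():
    """Constructed scenario: an attacker floods /login through one edge; a second
    edge that never saw the flood blocks the attacker too."""
    rules = [Rule("login-flood", {"method": "POST", "path": "/login"},
                  "login_attempt", threshold=3, window=10.0, action="block")]
    edge_a, edge_b = Agent("pop-a", rules), Agent("pop-b", rules)
    ctl = Controller(rules, [edge_a, edge_b])
    edge_a.controller = edge_b.controller = ctl
    login = {"method": "POST", "path": "/login"}
    results = [edge_a.inspect(Packet("attacker", login), now=float(t)) for t in range(4)]
    results.append(edge_b.inspect(Packet("attacker", {"method": "GET", "path": "/"}), now=4.0))
    results.append(edge_b.inspect(Packet("bystander", login), now=4.0))
    return results


if __name__ == "__main__":
    print(run_demo())   # ['allow', 'allow', 'block', 'block', 'block', 'allow']
```

    The client identifier is the weak point of any scheme like this: keying on source IP alone punishes everyone behind a shared NAT once one tenant trips the rule, so in practice the identifier is built from whatever the rule's dimensions can attribute (session token, API key, IP plus fingerprint), and enforcement should expire rather than persist indefinitely.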
  • Patent number: 11451509
    Abstract: A data transmission method includes determining that a first network address segment overlaps with a second network address segment, and creating at least two subnets on a virtual private cloud (VPC). The first network address segment is a network address segment of a subnet in which a target server is located, and configured to run on the VPC. The first network address segment belongs to a network address segment of the VPC. The second network address segment is a network address segment of a subnet in which a first electronic device is located. A network address segment of one of the at least two subnets on the VPC does not overlap with the first or second network address segment. Network interfaces in the at least two subnets are configured to sequentially forward a data packet being transmitted between the target server and the first electronic device at least two times.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: September 20, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Gang Chen
  • Patent number: 11443112
    Abstract: Using a natural language analysis, a current message is classified into a current message class, the current message being a portion of an interaction in narrative text form. For the interaction using a state prediction model, an interaction outcome corresponding to the current message class is forecasted, the forecasting comprising computing a probability that the current message class will result in a successful message class. Using the state prediction model, a set of next message classes and a set of predicted interaction outcomes are determined, each message in the set of next message classes corresponding to the current message class, each predicted interaction outcome in the set of predicted interaction outcomes corresponding to a next message class in the set of next message classes. According to the corresponding predicted interaction outcome, the set of next message classes is ranked.
    Type: Grant
    Filed: September 6, 2019
    Date of Patent: September 13, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jonathan F. Brunn, Rachael Marie Huston Dickens, Rui Zhang
  • Patent number: 11425089
    Abstract: Systems and methods are provided for near real-time IP user mapping. Such methods may include obtaining IP address assignment data points from different sources including an authentication, authorization, and accounting (AAA) server of a private network, a service provider that provides a computer-based service within the private network, and user devices that have access to the private network. The methods may also include applying an IP mapping rule to the obtained IP address assignment data points to generate IP address mapping.
    Type: Grant
    Filed: December 12, 2019
    Date of Patent: August 23, 2022
    Assignee: Beijing DiDi Infinity Technology and Development Co., Ltd.
    Inventors: Dong Li, Deyu Hu, Jing Chen
  • Patent number: 11412365
    Abstract: A method for wireless communication is provided. In some implementations, the method includes receiving, by a first device, a first packet from a second device in a network. The method further includes comparing, by the first device, a first received signal strength of the first packet to a second received signal strength of a second packet associated with a third device, the third device associated with the first device in the network. The method further includes transmitting, by the first device and based on the comparing, a third packet to the second device, the third packet indicating a disassociation of the first device with the third device and an association of the first device with the second device.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: August 9, 2022
    Assignee: C LAN Wireless, Inc.
    Inventor: Paul Kolen
  • Patent number: 11411850
    Abstract: A traffic analysis apparatus includes an information amount calculation part that calculates information amounts of a plurality of items of time series data relating to communication traffic and an input information selection part that selects at least one item of time series data based on the information amounts of the plurality of items of time series data.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: August 9, 2022
    Assignee: NEC CORPORATION
    Inventors: Takanori Iwai, Anan Sawabe, Sweety Suman
  • Patent number: 11405476
    Abstract: Activity data of a set of tasks as a training set is obtained from a list of communication platforms associated with the tasks. For each of the tasks in the training set, a set of activity metrics is compiled according to a set of predetermined activity categories based on the activity data of each task. The activity metrics of all of the tasks in the training set are aggregated based on the activity categories to generate a data matrix. A principal component analysis is performed on the metrics of its covariance matrix to derive an activity dimension vector, where the activity dimension vector represents a distribution pattern of the activity metrics of the tasks. The activity dimension vector can be utilized to determine an activity score of a particular task, where the activity score of a task can be utilized to estimate a probability of completeness of the task.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: August 2, 2022
    Assignee: CLARI INC.
    Inventors: Lei Tang, MohamadAli Torkamani, Mahesh Subedi, Kurt Leafstrand
  • Patent number: 11395211
    Abstract: A system described herein may provide techniques for a geographically-based traffic handling policy. An originating device may mark traffic with geographic restriction information, such as in a header of network traffic, indicating a geographic restriction on the propagation of the traffic. The geographic restriction may indicate a geographic region in which the traffic may be forwarded, or a geographic region in which the traffic is prohibited from being forwarded. Network devices in a path between the originating device and a destination device may determine whether to drop the traffic or perform other policy-related actions based on whether such devices are inside the geographic region in which the traffic may be forwarded. In some implementations a destination device may register as an exception to such policies, based on which an originating device or a router may bypass geographically-based traffic handling policies with respect to marked traffic directed to the destination device.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: July 19, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Charles P. Szrom, Kevin Xu, Rashmitha Sirsi, Valerie Feldmann, Robert Belson
  • Patent number: 11388140
    Abstract: A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: July 12, 2022
    Assignee: Juniper Networks, Inc
    Inventors: Prashant Singh, Sreekanth Rupavatharam, Hariprasad Shanmugam, Erin MacNeil
  • Patent number: 11378929
    Abstract: A threat detection system for industrial controllers, comprising: at least one Programmable Logic Controller (PLC); at least one physical device connected with the PLC; a Deterministic Fictitious Programmable Logic Controller (DFPLC) deterministically programmed to respond with at least one predetermined signal to at least one input signal received; and a monitoring unit connected with the DFPLC; the DFPLC disguised as a PLC; and the monitoring unit configured to send at least one input signal to the DFPLC, receive at least one response from the DFPLC and communicate at least one alert upon the at least one response being other than an expected response according to the deterministic programming of the DFPLC.
    Type: Grant
    Filed: June 17, 2018
    Date of Patent: July 5, 2022
    Assignee: SI-GA DATA SECURITY (2014) LTD.
    Inventors: Ilan Gendelman, Amir Samoiloff
  • Patent number: 11381478
    Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: July 5, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Balaji Sundararajan, Vamsidhar Valluri, Chandramouli Balasubramanian, Anand Oswal, Ram Dular Singh
  • Patent number: 11375368
    Abstract: Methods for detecting and preventing an adversarial network entity (e.g., fake base stations, etc.) from tracking a wireless device's location. A wireless device may be equipped with a random value (RAND) database or cache memory storing RAND values previously received by the wireless device. In response to receiving an authentication request message from a network component, performing AKA procedures, and determining that the authentication failed, the wireless device may compare the RAND value included in the received authentication request message to the RAND values stored in secure storage memory. In response to determining that the RAND value included in the received authentication request message is included in the RAND secure storage memory, the wireless device may generate an authentication response message that includes an error code different from the standard error code, so that the target wireless device cannot be differentiated from other wireless devices, thereby preventing tracking.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: June 28, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Krishna Ram Budhathoki, Subrato Kumar De, Mattias Kaulard Huber
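    As an added example (not Qualcomm's code or the patent's), a reduced model of the tracking problem and of the RAND-cache defence. A fake base station replays a challenge it recorded for the target: every other device fails the MAC check and answers one way, while a standard target passes the MAC check, sees a stale sequence number and answers with a different (sync) failure, which singles it out. The hardened device keeps the RANDs it has already accepted and, on a stale challenge whose RAND it has seen before, answers with the same code a non-target gives. The HMAC stand-in for the AKA f1 function, the simplified sequence-number handling and the reply-code names are assumptions; the abstract only says the code differs from the standard one.

```python
import hashlib
import hmac
import os

# Reply codes used in this model; the names are assumptions, not the patent's.
MAC_FAILURE = "MAC_FAILURE"     # what every non-target device answers to a foreign challenge
SYNC_FAILURE = "SYNC_FAILURE"   # what a standard target answers to its own replayed challenge


def mac(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the AKA f1 function: tag over RAND and SQN under the shared key."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class HomeNetwork:
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def challenge(self):
        self.sqn += 1
        rand = os.urandom(16)
        return rand, self.sqn, mac(self.k, rand, self.sqn)


class Device:
    """harden=False: standard behaviour. harden=True: keeps the RAND cache from the
    abstract and hides a replay behind the same reply a non-target device gives."""
    def __init__(self, k: bytes, harden: bool):
        self.k, self.sqn, self.harden = k, 0, harden
        self.seen_rand = set()

    def authenticate(self, rand: bytes, sqn: int, tag: bytes) -> str:
        if not hmac.compare_digest(mac(self.k, rand, sqn), tag):
            return MAC_FAILURE                      # not from our home network
        if sqn <= self.sqn:                         # MAC valid but SQN stale: a replay
            if self.harden and rand in self.seen_rand:
                return MAC_FAILURE                  # uniform reply; the attacker learns nothing
            return SYNC_FAILURE
        self.sqn = sqn
        self.seen_rand.add(rand)
        return "SUCCESS"


def replay_attack(harden: bool):
    """Constructed scenario: the attacker records the target's challenge, then replays
    it from a fake base station to a bystander and to the target. Returns both replies."""
    k_target, k_other = b"\x01" * 16, b"\x02" * 16
    net = HomeNetwork(k_target)
    target, bystander = Device(k_target, harden), Device(k_other, harden)
    rand, sqn, tag = net.challenge()
    assert target.authenticate(rand, sqn, tag) == "SUCCESS"   # legitimate first run
    return bystander.authenticate(rand, sqn, tag), target.authenticate(rand, sqn, tag)


if __name__ == "__main__":
    print("standard:", replay_attack(harden=False))
    print("hardened:", replay_attack(harden=True))
```

    The cache is the cost: it has to live in protected storage (the abstract says secure storage memory) and be bounded, and a replay of a RAND that has already been evicted falls back to the standard, distinguishable reply, so eviction policy is part of the privacy guarantee.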
  • Patent number: 11368484
    Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: June 21, 2022
    Assignee: CISCO TECHNOLOGY, INC
    Inventors: Govind Prasad Sharma, Eshwar Rao Yedavalli, Mohammed Javed Asghar, Ashwath Kumar Chandrasekaran, Swapnil Mankar, Umamaheswararao Karyampudi
  • Patent number: 11368440
    Abstract: Various technologies described herein pertain to detecting operation of an autonomous vehicle on an untrusted network. The autonomous vehicle retrieves a beacon token from a data store of the autonomous vehicle. The beacon token comprises an identifier for the autonomous vehicle and an identifier for a server computing device. The autonomous vehicle generates a data packet based upon the beacon token, wherein the data packet includes the identifier for the autonomous vehicle. The autonomous vehicle transmits the data packet to the server computing device. When the data packet is transmitted via a trusted network, networking rules of the trusted network prevent the data packet from being received by the server computing device. When the data packet is transmitted via the untrusted network, the server computing device receives the data packet. Responsive to receiving the data packet, the server computing device generates and transmits an alert to a computing device.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: June 21, 2022
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventors: Mike Ruth, Timothy Strazzere
  • Patent number: 11363067
    Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: June 14, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hari R. Pulapaka, Margarit Simeonov Chenchev, Benjamin M. Schultz, Jonathan David Wiswall, Frederick Justus Smith, John A. Starks, Richard O. Wolcott, Michael Bishop Ebersol
  • Patent number: 11362996
    Abstract: A packet-filtering network appliance protects networks from threats by enforcing policies on in-transit packets crossing network boundaries. The policies are composed of packet filtering rules derived from cyber threat intelligence (CTI). Logs of rule-matching packets and their flows are sent to cyberanalysis applications located at security operations centers (SOCs). Some cyber threats/attacks, or incidents, are composed of many different flows occurring at a very high rate, generating a flood of logs that may overwhelm computer, storage, network, and cyberanalysis resources, thereby compromising cyber defenses. The present disclosure describes incident logging that efficiently incorporates logs of many flows that comprise the incident, potentially reducing resource consumption while improving the informational/cyberanalytical value for cyberanalysis when compared to the component flow logs. Incident logging vs. flow logging can be automatically and adaptively switched on or off.
    Type: Grant
    Filed: July 20, 2021
    Date of Patent: June 14, 2022
    Assignee: Centripetal Networks, Inc.
    Inventors: John Fenton, Peter Geremia, Richard Goodwin, Sean Moore, Vincent Mutolo, Jess Parnell, Jonathan R. Rogers
  • Patent number: 11356416
    Abstract: This application discloses a service flow control method and apparatus, to resolve an existing problem of relatively low security. The method includes: generating, by a terminal device, a service flow policy; and sending, by the terminal device, the service flow policy to a routing device, where the service flow policy is used to instruct the routing device to perform data packet filtering on a downlink data packet according to the service flow policy.
    Type: Grant
    Filed: September 6, 2019
    Date of Patent: June 7, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yu Yin, Caixia Qi
  • Patent number: 11349702
    Abstract: A communication apparatus comprises a rollback control unit that rolls back a first process to a second process; and a storage unit to store one or more network states shared by the first process and the second process, the second process enabled to take over one or more network states from the first process; wherein the rollback control unit includes a network state control unit that controls to provide delayed updating of at least one of the one or more network states taken over by the second process.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: May 31, 2022
    Assignee: NEC CORPORATION
    Inventors: Takayuki Sasaki, Daniele Enrico Asoni, Adrian Perrig
  • Patent number: 11336622
    Abstract: An apparatus for deploying a firewall on a software-defined network (SDN) includes a public key distributor configured to transmit a public key, a resource monitor configured to monitor resources of a network, a host monitor configured to receive a firewall rule of at least one host, which is encrypted by the public key, a decryption unit configured to decrypt information received from the host monitor by using a secret key, a merge unit configured to merge the decrypted information to provide a merged firewall rule, and a firewall deployment unit configured to deploy the merged firewall rule to a switch.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: May 17, 2022
    Assignee: GWANGJU INSTITUTE OF SCIENCE AND TECHNOLOGY
    Inventors: Hyuk Lim, Sung Hwan Kim, Jargalsaikhan Narantuya, Seung Hyun Yoon
  • Patent number: 11316889
    Abstract: Methods and systems for a two-stage attribution of application layer DDoS attack are provided. In a first table just a hash index is maintained whereas the second stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows if there is hash collision in the first table. The second table is aged out and reported periodically with details of large strings.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: April 26, 2022
    Assignee: Fortinet, Inc.
    Inventor: Hemant Kumar Jain
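    As an added example (not Fortinet's code or the patent's), the two-stage table: the first stage is a fixed-size array holding only an 8-byte hash index and a counter per row, chained on slot collision; the second stage stores the actual string parameter only for rows whose counter crosses a promotion threshold, and is aged out and reported periodically. Table sizes, the promotion threshold and the age window are assumptions of the demo.

```python
import hashlib


class TwoStageAttributor:
    """Stage 1: fixed-size table holding only 8-byte hash indexes and counters,
    chained on collision. Stage 2: the (possibly long) string is stored only for
    values whose counter crosses the promotion threshold."""

    def __init__(self, slots=1024, promote_at=100, age_seconds=60.0):
        self.slots = slots
        self.table1 = [[] for _ in range(slots)]   # slot -> chain of [digest, count]
        self.table2 = {}                           # digest -> {"value", "count", "last"}
        self.promote_at = promote_at
        self.age = age_seconds

    @staticmethod
    def digest(value: str) -> int:
        return int.from_bytes(hashlib.blake2b(value.encode(), digest_size=8).digest(), "big")

    def observe(self, value: str, now: float):
        d = self.digest(value)
        chain = self.table1[d % self.slots]
        for row in chain:
            if row[0] == d:
                row[1] += 1
                break
        else:
            row = [d, 1]
            chain.append(row)
        if row[1] >= self.promote_at:
            entry = self.table2.setdefault(d, {"value": value, "count": 0, "last": now})
            entry["count"], entry["last"] = row[1], now

    def longest_chain(self) -> int:
        return max(len(c) for c in self.table1)

    def report(self, now: float):
        """Age out stage-2 rows not refreshed within the window, then return the
        survivors as (string, count) ordered by count. Meant to be called periodically."""
        for d in [d for d, e in self.table2.items() if now - e["last"] > self.age]:
            del self.table2[d]
        return sorted(((e["value"], e["count"]) for e in self.table2.values()),
                      key=lambda t: -t[1])


def demo():
    """Constructed traffic: 50 one-off URIs (never stored as strings) and one
    oversized query string repeated 5 times."""
    att = TwoStageAttributor(slots=4, promote_at=3, age_seconds=60.0)
    for i in range(50):
        att.observe(f"/item/{i}", now=1.0)
    big = "/search?q=" + "A" * 300
    for _ in range(5):
        att.observe(big, now=2.0)
    return att


if __name__ == "__main__":
    a = demo()
    print(a.report(now=10.0), "longest chain:", a.longest_chain())
```

    Because the first stage is itself a hash table with chaining, an attacker who can predict the hash can aim every request at one slot and turn the chain walk into its own slowdown; keying the hash (blake2b accepts a `key=` argument) per device or per restart removes that option.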
  • Patent number: 11310111
    Abstract: A method for configuring a firewall equipment in a first communication network managed by an access equipment for accessing a second communication network. Such a method implements: obtaining characteristic information of a user equipment in the first network by analyzing its active interfaces in the network; generating configuration rules for configuring the firewall equipment on the basis of the obtained features and of a predetermined configuration model; and transmitting, to the firewall equipment, an update command message to update a configuration, including the determined configuration rules.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: April 19, 2022
    Assignee: ORANGE
    Inventors: Xavier Le Guillou, Dimitri Bricheteau
  • Patent number: 11310263
    Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of reconfiguring network settings. The systems and methods monitor a network and detect a hacker on a network. The systems and methods can reconfigure network settings of the network upon detecting the hacker. The systems and methods can analyze the hack for severity; and determine a reconfiguration layer based on the severity of the hack. The reconfiguration layer determines a subset of the network settings to be reconfigured. The systems and methods can dismantle the network and generate a replacement network having the reconfigured set of network settings and replace the network with the replacement network.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: April 19, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Matthew J. Block, Jon M. Welborn, Adam Sheesley, David Huehulani Keene, Jennifer A. Holton, Douglas S. Rodgers
  • Patent number: 11277384
    Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: March 15, 2022
    Assignee: Level 3 Communications, LLC
    Inventor: Michael Benjamin
  • Patent number: 11277424
    Abstract: In one embodiment, a monitoring process identifies a set of counters maintained by a networking device by comparing a configuration of the networking device to an object relationship model. The monitoring process obtains counter values from the identified set of counters maintained by the networking device. The monitoring process detects an anomaly by using the obtained counter values as input to a machine learning-based anomaly detector. The monitoring process generates an anomaly detection alert for the detected anomaly.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: March 15, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Pengywan Wang, Brian Weis
  • Patent number: 11265293
    Abstract: An apparatus and method are disclosed for secure access to field instruments. An interface device that includes a built-in firewall is communicatively coupled between the device manager of an industrial automation process control system and a network of field instruments. The interface device includes at least one processor configured to execute instructions that provide a firewall for the one or more field instruments by blocking one or more user-selected commands from being sent to the field instruments from the device manager.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: March 1, 2022
    Assignee: Honeywell International Inc.
    Inventors: Mohammed Rizwan, Prasad Samudrala, Jayashree Balakrishnan, Ramesh Babu Koniki
  • Patent number: 11252195
    Abstract: The present application is directed to computer-implemented methods and systems implementing Virtual Private Network (VPN) policies created or modified by Software Defined Network (SDN) applications. The VPN policies can be provided to SDN controllers for implementation. An SDN application can handle a request to establish a VPN by transmitting the request to a VPN provider, obtaining credentials for the VPN, and providing a security policy to an SDN controller.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: February 15, 2022
    Inventors: Michael Jau Chen, Tavaris Jason Thomas
  • Patent number: 11245630
    Abstract: Provided are a network system and a network bandwidth control management method capable of preventing packets that need to preferentially flow from being discarded at a time of high load. A network system includes an external switch that is provided between a virtualization platform and an external network and configured to control the bandwidth amount of packets flowing into an open virtual switch, and a network control management device that is configured to modify a configuration of bandwidth control and priority control of the external switch in response to addition or deletion of a service of the virtualization platform, based on information acquired from compute nodes, a network node, and a controller node.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: February 8, 2022
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventor: Takayuki Akiyama
  • Patent number: 11240258
    Abstract: Embodiments of the present disclosure provide a method and apparatus for identifying network attacks. The method can include: acquiring access data within at least two time periods of a target website server, wherein the access data include one or more fields; determining, for each of the at least two time periods, a quantity of access data having the same content in at least two of the one or more fields; determining whether the quantities of access data for each of the at least two time periods are the same; and in response to the quantities of access data being the same, determining that at least two access requests of the access data are network attacks.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: February 1, 2022
    Assignee: Alibaba Group Holding Limited
    Inventor: Xuejian Zheng
  • Patent number: 11238153
    Abstract: The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: February 1, 2022
    Assignee: Netskope, Inc.
    Inventors: Krishna Narayanaswamy, Steve Malmskog, Arjun Sambamoorthy
  • Patent number: 11240264
    Abstract: Systems and methods are provided for mitigating security attacks by enabling collaboration between security service functions. A Service Function Chaining (SFC) node receives a packet and determines whether to apply a service function to the packet. Responsive to determining that the packet has been treated by the service function, the packet can be reclassified and switched to a different SFC path.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: February 1, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel Migault, Makan Pourzandi, Bruno Medeiros de Barros, Tereza Cristina Carvalho, Thiago Rodrigues Meira de Almeida
  • Patent number: 11240273
    Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: February 1, 2022
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
  • Patent number: 11218429
    Abstract: An artificial intelligence (AI) system which utilizes a machine learning algorithm such as deep learning, and an application thereof, are provided. The artificial intelligence (AI) system includes a controlling method of an electronic device for determining a chatbot using an artificial intelligence learning model. The method includes receiving a voice uttered by a user, processing the voice and acquiring text information corresponding to the voice, and displaying the text information on a chat screen; determining a chatbot for providing a response message regarding the voice by inputting the acquired text information and chat history information regarding the chat screen to a model which is trained to determine the chatbot from text information and chat history information; transmitting the acquired text information and the chat history information regarding the chat screen to a server for providing the determined chatbot; and receiving a response message from the server and displaying the response message on the chat screen.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: January 4, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ji-hwan Yun, Won-ho Ryu, Won-jong Choi
  • Patent number: 11206240
    Abstract: Certain embodiments of the present disclosure provide a method and apparatus for processing data. The method comprises, at an edge device, parsing a first data packet after receiving the first data packet sent by a client device to obtain a virtual IP address and a destination port that correspond to the first data packet; querying an IP address mapping table according to the virtual IP address to obtain a destination IP address corresponding to the virtual IP address; and sending the first data packet according to the destination IP address and the destination port.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: December 21, 2021
    Assignee: Wangsu Science & Technology Co., Ltd.
    Inventor: Wenwei Xie
  • Patent number: 11206286
    Abstract: A method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within a computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: December 21, 2021
    Assignee: Qatar Foundation for Education, Science and Community Development
    Inventors: Yury Zhauniarovich, Priyanka Dodia
  • Patent number: 11201880
    Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a forensic token is created having information pertaining to the malicious request that is configured to be stored by a source of the malicious request and discoverable regarding involvement of the source in the malicious request. The forensic token is injected into a response message, and the response message is then transmitted to the source of the request as a response to the request.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: December 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-ta Lee, Ronald B. Williams
  • Patent number: 11190981
    Abstract: A router of a private cellular network is configured to receive data packets from a plurality of endpoints; analyze the data packets to determine a corresponding source of each data packet; determine whether each corresponding source is a valid source; drop a data packet for which the corresponding source is invalid; for a data packet received from a valid source, determine whether to process the data packet internally or forward the data packet for external processing and route the data packet to a corresponding destination, the corresponding destination being one of a local enterprise network or a corresponding home cellular network of the valid source from which the data packet is received, wherein the private cellular network is configured to service a confined physical location in which home cellular networks of data packets received from valid sources do not provide cellular connectivity that meets a threshold level of cellular service.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: November 30, 2021
    Assignee: GEOVERSE, LLC
    Inventor: Roderick Nelson
  • Patent number: 11190426
    Abstract: Disclosed herein is a network evaluating apparatus including: an acquisition section acquiring a plurality of packets each of which includes an identification value indicating an order in accordance with which data is transmitted from a transmission source, the plurality of packets being received one by one; and an evaluation section, in a case where the identification value included in a first packet as any one of the plurality of received packets indicates that the first packet is transmitted before a second packet received before the first packet, increasing an evaluation value indicating instability of a transmission and reception path.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: November 30, 2021
    Assignee: SONY INTERACTIVE ENTERTAINMENT INC.
    Inventors: Koji Shima, Makoto Ikushima, Kenjiro Komaki
  • Patent number: 11184378
    Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: November 23, 2021
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11184371
    Abstract: Provided herein are identification of a distributed denial of service attack and automatic implementation of preventive measures to halt the distributed denial of service attack. At substantially the same time as the attack, valid users/customers (e.g., devices) are provided quality of service and continued access to a website experiencing the distributed denial of service attack. Further, service to temporary or unknown users (e.g., devices) with public access to the website is suspended during the duration of the distributed denial of service attack.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: November 23, 2021
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Ramanathan Ramanathan, Ajay K. Rentala, Rama Rao Yadlapalli, Vamsi K. Geda, Rameshchandra Bhaskar Ketharaju