Abstract: Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.

Abstract: An elevator system stores, in a server, information on an elevator installed in a building that is communicably connected to a data center in which the server is installed, the building and the data center being communicable independently via a first network and a second network, respectively, wherein the building includes: an information collection device configured to collect information on the elevator; a sorting device configured to determine which of the first network and the second network is to be used as a transmission path via which the information on the elevator collected by the information collection device is to be transmitted to the data center; and a communication device configured to transmit the information on the elevator collected by the information collection device to the data center via the transmission path determined by the sorting device.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.

Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a payload is created that is digitally signed. The digitally signed payload is encrypted and injected into a response message, and the response message is then transmitted to a source of the request as a response to the request.

Abstract: This document describes a system and method for quantitatively unifying and assimilating all unstructured, unlabelled and/or fragmented real-time and non-real-time cyber threat data generated by a plurality of sources. These sources may include cyber-security surveillance systems that are equipped with machine learning capabilities.

Abstract: A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.

Abstract: A gateway device for a vehicle network system, the vehicle network system including a bus, a first electronic control unit connected to the bus, and the gateway device connected to the bus. The gateway device comprising: one or more memories; and circuitry which, in operation, performs operations including: receiving a first frame transmitted to the bus by the first electronic control unit; when the first frame is received, including first control information in a second frame, the second frame including information based on content of the first frame, the first control information related to a restriction on processing, the restriction on processing being after a reception of the second frame; and transmitting the second frame to the bus.

Abstract: Systems and methods that determine an anomaly in a network are provided. A monitoring engine is installed on a computing device that monitors network information and application information for data flows generated on the computing device and transmitted over a network and for data flows received by the computing device from the network. The network information includes an internet protocol (IP) source address, a source port, an IP destination address, a destination port, and a transport protocol, and a number of bytes sent or received by the flow. The application information includes a process identifier (ID), the threads ID, an application ID and/or a function call, arguments passed to the function, a stack trace of the function, etc., that application used to generate the data flows. The network information and application information can be used to identify the application, thread and/or a function that caused an anomaly in the network.

Abstract: Disclosed are techniques for implementing network devices with pluralities of packet checkers or packet generators. The packet generators can be configured to self generate data packets with a packet payload and header information and a test type of data packets. The packet checkers can determine if a data packet is a test type of data packet and perform one or more actions.

Abstract: The present invention provides a method for detecting a website attack, comprising: selecting multiple uniform resource locators (URLs) from history access records of a website; clustering the multiple uniform resource locators; and generating a whitelist from the multiple uniform resource locators according to a clustering result. In some embodiments of the present invention, a common OWASP attack at URL level can be checked.

Abstract: A security network system is disclosed. The security network system includes a processor selectively operable in either a normal world or a secure world, wherein the processor receives, from an external network, a packet by using a network driver module of the secure world, extracts data of the packet by using a TCP/IP module of the secure world if the packet received from the external network is used in the secure world, uses the data of the packet in the secure world, and extracts the data of the packet by using the TCP/IP module of the secure world so as to transmit the data of the packet to the normal world if the packet is not used in the secure world.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

Abstract: A deployment service at a remote provider network receives topology data for a local network and generates data filters for edge devices of the local network based on the topology data. The deployment service then sends the data filters to a hub device connected to the local network. The hub device deploys the data filters to respective edge devices of the local network. The data filters may be configured to discard a sufficient portion of collected data to prevent routers from being overloaded by network traffic. The data filters may also be configured to discard a sufficient portion of collected data to prevent the edge devices from consuming too much power in order to preserve energy cost or battery life.

Abstract: Disclosed are techniques for implementing features within a network device. The network device can function to forward sequences of data packets received by the network device as well as concurrently generate or check test type of data packets.

Abstract: Methods, apparatus, systems, and articles of manufacture to correlate a demographic segment with a fixed device are disclosed. An example method includes accessing a record indicating a public Internet Protocol (IP) address used by a fixed device. A monitoring data record received from a mobile device is accessed. A demographic segment of a user of the mobile device is determined. The mobile device is associated with the fixed device when an IP address of the mobile device from the monitoring data record matches the public IP address used by the fixed device. The demographic segment of the user of the mobile device is associated with the fixed device based on the association of the fixed device and the mobile device.

Abstract: A method includes establishing, by a mobile device in a wireless network, an indirect connection of a first device to a node of the wireless network using the mobile device as an intermediate node for wireless transport and transferring, by the mobile device, data over the indirect connection via a first wireless link comprising a direct device connection between the first device and the mobile device and a second wireless link comprising a direct 3GPP (3rd Generation Partnership Project) connection between the mobile device and the wireless network. The indirect connection supports security protection of communications between the node of the wireless network and the first device based at least in part on an active security context maintained within the wireless network for communication via at least one messaging protocol layer with at least the first device.

Abstract: A first device may receive content from a second device based on a request for the content. The first device may be located between the second device and a third device. The first device may determine a value for a portion of the content using a function, where the value is to be used to analyze the content. The value may uniquely identify the portion of the content. The first device may determine whether a classification of the content can be determined. The first device may selectively determine the classification of the content by providing the value or the portion of the content corresponding to the value, to a fourth device when the classification cannot be determined, or determine the classification of the content using a data store when the classification can be determined. The first device may perform an action with respect to the content.

Abstract: The disclosed embodiments relate to provisioning of a service, such as a financial service, to a device, such as a mobile device operative to access the service wirelessly or otherwise, in a manner which efficiently provides a consistent user experience which meets a user's expectations as to the functionality and quality of the service, including the user interface therefore and service delivery, which leverages the available capacities of the devices through which the service is provided so as to maximize the functionality and quality of the provided service without diminishing the experience, i.e. without substantially reducing the quality or functionality.

Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.

Abstract: A system that communicates information is described. This system includes: a network interface, a proxy device coupled to the network interface, and an interface node coupled to the proxy device and configured to couple to a channel. Note that the network interface is configured to transmit outbound messages from the system to a location and to receive inbound messages to the system from the location, and the channel is configured to convey the outbound messages and the inbound messages. Moreover, the proxy device is configured to inspect a given message inbound or outbound based on a pre-determined profile of the location and pre-defined communication rules. Then, the proxy device is configured to restrict the given message based on a result of the inspection, where the restriction occurs after the system begins a communication session with the location and is performed for the duration of the communication session.

Abstract: A network system is provided between at least a first client site and a second client site, the first and the second client site are at a distance from one another. A client site network component is implemented at least at the first client site, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput. At least one network server component may be configured to connect to the client site network component using the bonded/aggregated connection. A cloud network controller may be configured to manage the data traffic and a virtual edge providing transparent lower-link encryption for the bonded/aggregated connection between the client site network component and the network server component.

Abstract: Systems, methods, and computer-readable media for identifying bogon addresses. A system can obtain an indication of address spaces in a network. The indication can be based on route advertisements transmitted by routers associated with the network. The system can receive a report generated by a capturing agent deployed on a host. The report can identify a flow captured by the capturing agent at the host. The system can identify a network address associated with the flow and, based on the indication of address spaces, the system can determine whether the network address is within the address spaces in the network. When the network address is not within the address spaces in the network, the system can determine that the network address is a bogon address. When the network address is within the address spaces in the network, the system can determine that the network address is not a bogon address.

Abstract: Systems and methods are described to predict spikes in requests for content on a computing network based on referrer field values of prior requests associated with spikes. Specifically, a traffic spike prediction service is disclosed that can analyze information regarding past requests on the computing network to detect a spike in requests to a content item, where a significant number of request within the spike include a common referrer field value. The traffic spike prediction service can then detect a request to a second content also including the common referrer field value, and predict that a spike is expected to occur with respect to the second content. The traffic spike prediction service can manage the expected spike by increasing an amount of computing resources available to service requests to the second content and by marking traffic of the expected spike as likely legitimate, as opposed to malicious.

Abstract: In some variations, first and second rule sets may be received by a network protection device. The first and second rule sets may be preprocessed. The network protection device may be configured to process packets in accordance with the first rule set. Packets may be received by the network protection device. A first portion of the packets may be processed in accordance with the first rule set. The network protection device may be reconfigured to process packets in accordance with the second rule set. A second portion of the packets may be processed in accordance with the second rule set.

Abstract: Systems and methods of monitoring and controlling Internet of Things (IOT) and ZeroConf devices using a cloud-based security system include receiving fingerprints of the IOT and ZeroConf devices and data related to operation from a plurality of user devices; receiving updates related to the IOT and ZeroConf devices, configuration thereof, and proper operation thereof; determining security risk of the IOT and ZeroConf devices based on the fingerprints, the data related to operation, and the updates; and providing the security risk to the plurality of user devices and causing one or more policy-based actions to be performed based on the security risk.

Abstract: A method for waking up a radio communications module (RCM) of a station with a wake-up receiver includes receiving a wake-up signal with the wake-up receiver, waking up the RCM from a sleeping mode, transmitting a second frame if a first frame is received within a specified time after waking up the RCM and if an integrity of the first frame is verified successfully, and placing the RCM into the sleeping mode and the wake-up receiver into an active mode if the first frame is not received within the specified time after waking up the RCM or if the first frame is received within the specified time after waking up the RCM but the integrity of the first frame is not verified successfully.

Abstract: A system that includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device to the threat management server in response to the endpoint device connecting to a port on the switch. The threat management server identifies the endpoint device for removal in response to receiving the device identifier. The threat management server determines the number of times the endpoint device has failed authentication exceeds a first threshold value within a first time period. The threat management server blocks the endpoint device from accessing the network via the port on the switch in response to identifying the endpoint device for removal.

Abstract: A system for secure network communications is provided. The system includes an enforcement switch in communication with a third-party device and an external device and a plurality of core devices in communication with the third-party device and a plurality of access devices. The enforcement switch is configured to receive a secure frame from the external device. The secure frame includes one or more security features. The secure frame is destined for one or more of the plurality of access devices. The enforcement switch is also configured to generate a regular frame based on the secure frame by removing the one or more security features and transmit the regular frame to the third-party device for routing to the one or more of the plurality of access devices through at least one of the plurality of core devices.

Abstract: The invention provides a master MMC/SD apparatus for simultaneously supporting bulk storage and Ethernet communication, a slave MMC/SD apparatus for simultaneously supporting bulk storage and Ethernet communication, a system composed of these two apparatuses as well as a method of operating the system. The apparatuses, system and method which simultaneously support bulk storage and Ethernet communication and which are based on MMC/SD interface enable a master apparatus with MMC/SD interface to support network function while maintaining bulk storage function as well, thus greatly expanding applicable areas of such embedded terminal apparatus with the MMC/SD interface that has bulk storage function.

Abstract: A system that includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device to the threat management server in response to the endpoint device connecting to a port on the switch. The threat management server determines the endpoint device is present in the device log file using the device identifier. The threat management server determines the number of times the device has failed authentication exceeds a first threshold value within a first time period and determines the number of times the device has passed authentication is less than a second threshold value within a second time period. The threat management engine determines the device does not have a lease for the port on the switch and blocks the device from accessing the network via the port on the switch in response to identifying the device for removal.

Abstract: The present invention is related to verifying an installed lighting system (300), in particular an Ethernet-based lighting system (300), without it being necessary to employ a designated lighting controller and allowing the automatic commissioning of the installed lighting system (300). According to an aspect of the invention, this is achieved by providing a network switch (200) that comprises a plurality of ports for coupling luminaires (312A, 312B, 312C, 312D) and sensors and or actuators (314A, 314B) of the lighting system (300) to the network switch (200); and by setting the network switch (200) such that a signal received at a first port (e.g. port 4) of the plurality of ports is only forwarded to pre-selected ports (e.g. ports 2,3,5,6 and 7) of the plurality of ports.

Abstract: A method for measuring performance of virtual desktop services offered by a server including a processor is described. A first encoded watermark is embedded into user interface display generated by a virtual desktop when initiating an operation. The first encoded watermark includes pixels identifying the operation and indicating its initiation. A second encoded watermark is embedded into the user interface upon completion of the operation indicating completion of the operation. An action performance time is then computed and stored in a memory. Multiple performance times may be compiled from multiple operations of multiple virtual desktops to assess the performance of the system as a whole.

Abstract: A first node receives data packets of a flow and forwards the data packets of the flow to a second node. The first node takes a first decision whether to perform inspection of a payload section of at least one data packet of the flow at the first node and indicate a result of the first decision to the second node. The second node receives the data packets of the flow from the first node. On the basis of the result of the first decision indicated by the first node, the second node takes a second decision whether to perform inspection of a payload section of at least one data packet of the flow at the second node.

Abstract: In particular embodiments, a computer-implemented data processing method for responding to a data subject access request comprises: (A) receiving a data subject access request from a requestor comprising one or more request parameters; (B) validating an identity of the requestor by prompting the requestor to identify information associated with the requestor; (C) in response to validating the identity of the requestor, processing the request by identifying one or more pieces of personal data associated with the requestor, the one or more pieces of personal data being stored in one or more data repositories associated with a particular organization; and (D) taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data.

Abstract: In an on-vehicle system, the gateway is duplexed, and a countermeasure table is included. The countermeasure table defines a failure phenomenon occurring in communication, an identification method for identifying a factor on whether the failure phenomenon is caused by a failure of the gateway or caused by a security attack on the gateway, and a corresponding countermeasure method. When it is detected that a failure phenomenon has occurred is communication through the gateway, the on-vehicle system determines a factor of the detected failure phenomenon based on the identification method defined in the countermeasure table, and makes countermeasures in accordance with the corresponding countermeasure method.

Abstract: Systems and methods provide for management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and starting a firewall service with a set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.

Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.

Abstract: Described are techniques for identifying anomalous and non-anomalous requests based on metric values determined from a request. Weights to be associated with particular metric values may be determined based on metric data for those values. The metric data may indicate a total number of accesses by requests having a particular metric value, a frequency of access, or particular access times. Based on the weight values and the metric values for the request, a security score for the request may be determined. The security score may indicate a confidence that the request is anomalous or non-anomalous. Potentially anomalous requests may be determined to be non-anomalous if the metric values correspond to known sets of metric values, determined from previous requests. In some cases, metric data may be normalized prior to use to facilitate faster queries and conserve available data storage.

Abstract: An attack stream identification method, apparatus, and device on a software defined network is presented, where an invalid stream filter table is stored in a switch, and the method includes the steps of the switch receives a data packet of a data stream and searches, according to a characteristic value of the data packet, the invalid stream filter table for a state field of a filter entry; when the state field is a suspected attack stream state or a non-attack stream state, the switch sends a report message to a controller, determines a rate value for sending the report message to the controller, and fills the rate value in a rate field of the filter entry; and when the rate value is greater than a preset rate threshold, the switch changes the state field of the filter entry to an attack stream state.

Abstract: Methods and systems are described for detecting command injection attacks. A positive, taint inference method includes receiving signature fragments on one hand, converting command injection instructions into command fragments on another hand, thus identifying potential attacks upon the condition that a command injection instruction includes critical untrusted parts by using signature fragments. A system detects command injection attacks using this kind of method, and remediates and rejects potential attacks.

Abstract: Some embodiments provide a method for a managed forwarding element that processes packets through a set of packet processing tables by matching rules in the tables. The method receives an update that requires modification to at least one of the packet processing tables. Each rule in the packet processing tables is assigned a range of packet processing table versions in which the rule is valid for processing packets. The method modifies the packet processing tables according to the received update by at least one of (i) modifying the range of packet processing table versions in which an existing rule is valid to end after a current packet processing table version and (ii) adding a new rule with a range of valid packet processing table versions that begins with a next packet processing table version. The method increments the current version of the packet processing tables to commit the modifications.

Abstract: The invention relates to a computer-implemented method for controlling access of a terminal (118) to an attribute (112) stored in an ID token (100), wherein the ID token (100) is associated with a user, wherein the method comprises receipt of an identification of the terminal (118) by the ID token (100) and checking by the ID token (100) if a session identification validly associated with the identification of the terminal (118) is stored in the ID token (100), wherein, if a session identification validly associated with the identification of the terminal (118) is stored in the ID token (100), the ID token (100) transmits the session identification to the terminal (118) and grants the terminal (118) access to the attribute (112), wherein a subsequent communication with access to the attribute (112) is carried out in an encrypted manner using a session-specific session key, wherein the session-specific session key is stored in the ID token (100) in a manner associated with the session identification or the ide

Abstract: Systems and methods for guarding a controller area network are disclosed. In one embodiment, a system for guarding a controller area network comprises one or more processors. The one or more processors may be configured to receive a message destined for the controller area network. The one or more processors may further be configured to determine whether the message is legitimate. The one or more processors may further be configured to modify the message, if the message is determined as illegitimate, as an error message.

Abstract: The following disclosure relates a method and mediation device (100) in a Lawful Interception (LI) system for detecting and correlating copies of SIP and RTP flows, from different domains EPS or IMS, said method comprising to determine a unique IMS Communication Identity Number, IMS CIN, and a corresponding correlation set of identifiers, storing each unique IMS CIN together with its correlation set for an intercepted communication session, correlating a SIP or RTP flow received from one domain to the same SIP or RTP flows of the same communication session received from the other domain by comparing the flow identity information of the received flow to the stored correlation sets for identifying a matching correlation set and its unique IMS CIN and sending to a LEA requesting for LI of the target said received SIP or RTP flow comprising said identified unique IMS CIN for a matching correlation set.

Abstract: A network security apparatus includes a packet detector detecting transmission of data packets between a plurality of hosts and a plurality of domains and defining a plurality of links therefrom. A model builder circuit receives the plurality of links from the packet detector, receives ground truth information labeling one or more of the plurality of hosts or one or more of the plurality of domains as benign or malicious, generates predictive models from the received links and ground truth information, and stores generated predictive models in a predictive model database. An anomaly detector circuit retrieves the generated predictive models from the predictive model database and uses the predictive models to label each of the plurality of hosts and plurality of domains, that have not previously been labeled by the ground truth information, as benign or malicious.

Abstract: A determination is made as to whether a password is required for connecting to a wireless network. In response to determining that no password is required for connecting to the wireless network, data is retrieved from at least one predefined network address through the wireless network. A determination is made as to whether a secondary login verification is required for connecting to the wireless network based on, at least, the retrieved data from the at least one predefined network address.

Abstract: A method of creating micro-segmentation policy for a network is provided. The method monitors the network packet traffic to identify network traffic types and patterns. The method, based on the network traffic types and patterns, identifies a set of components as an affinity group associated with each application. The method generates an application template that includes a set of application components for each application based on information provided by the vendor of the application. The method creates micro-segmentation policy for the network based on a mapping of the components of each affinity group into the components of the template generated for the associated application.

Abstract: Aspects of the embodiments are directed to a network element that is configured for receiving, from an access point, a data packet originating from a client, the data packet comprising a packet header that comprises a packet header augmented with context information; decapsulating the packet header to identify the context information; applying a client-specific policy on the packet based, at least in part, on the context information; and forwarding the packet to a next hop in the network. The network element can be part of a network, such as a datacenter fabric architecture.

Abstract: An electronic device has first and second circuitry. A wireless trigger signal at the first circuitry causes the second circuitry to power up to receive a second wireless signal. The second signal is according to a radio access technology for which the trigger signal is incompatible. In various embodiments the first circuitry (a low power receiver) may autonomously power up upon expiration of a timer. One or more security checks can be performed at various steps, each step conditional on passing the previous security check. The first circuitry operates at a lower power than the second circuitry which comprises a broadband radio. For example, the first circuitry might be a Bluetooth low energy receiver, and a trigger signal there causes a WLAN receiver to power up in order to download software/firmware updates or user content while the device is enroute between the manufacturer and end user.