Virtual Private Network Or Virtual Terminal Protocol (i.e., VPN Or VTP) Patents (Class 726/15)
  • Patent number: 10498646
    Abstract: Systems and methods for supporting inter subnet control plane protocol for consistent multicast membership and connectivity across multiple subnets in a high performance computing environment. In accordance with an embodiment, by associating a multicast group with an inter-subnet partition, and enforcing a dedicated router port for the multicast group, multicast loop avoidance can be provided for between connected subnets. Because only a single router port is selected as being capable of handling the MC packet, no other router port in the subnet can then pass a multicast packet back to the originating subnet.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: December 3, 2019
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Bjørn Dag Johnsen, Bartosz Bogdański, Ankita Bhandary, Line Holen
  • Patent number: 10484336
    Abstract: The present disclosure is directed towards systems and methods for rewriting a HTTP response transmitted via a clientless SSL VPN session. An intermediary device may identify, in a HTTP response transmitted via a clientless SSL VPN session, an absolute URL that includes a first hostname of the server. The device may provide a unique string corresponding to the first hostname of the server. The device may generate a URL segment by combining the unique string with a second hostname of the device. The device may rewrite the absolute URL by replacing the first hostname in the absolute URL with the generated URL segment. A domain name system (DNS) server for the client may be configured with a DNS entry comprising a wildcard combined with the second hostname, to cause the DNS server to resolve the rewritten absolute URL to an IP address of the device.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: November 19, 2019
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Pintu Kumar, Punit Gupta, Vignesh Rajendran
  • Patent number: 10484281
    Abstract: In one illustrative example, a router may be configured to provide a plurality of virtual private network (VPN) instances for a plurality of VPNs associated with a plurality of IDs. Each VPN instance may comprise a forwarding table instance for storing a plurality of host-to-router mappings for the VPN. The router may be further configured to provide a virtual VPN instance for a virtual VPN associated with an ID of a remote extranet VPN. The virtual VPN instance may comprise a map-cache for storing a host-to-router mapping for the remote extranet VPN. The virtual VPN instance has no corresponding forwarding table instance for user plane traffic associated with the remote extranet VPN, but rather serves as part of a control plane interface for control signaling associated with the remote extranet VPN. Accordingly, the router may provide multiple updates to host-to-router mappings in forwarding table instances of the VPNs in accordance with a change in the host-to-router mapping in the virtual VPN instance.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: November 19, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Brent P. Mucci, Marc Portoles Comeras, Vrushali Ashtaputre, Victor M. Moreno, Hatem Mohammad R.A. Abouzeid
  • Patent number: 10484331
    Abstract: A technology is provided for security appliance provisioning. In one example, a method includes providing a variety of types of physical security appliances in a service provider environment. A selection may be received identifying a selected security appliance from among the variety of types of physical security appliances for use in a customer virtual infrastructure within the service provider environment. The selected security appliance may be provisioned for use at an edge location of the customer virtual infrastructure. The selected security appliance may be configured to enforce a security policy defined for the customer virtual infrastructure.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: November 19, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Hart Matthew Rossman
  • Patent number: 10452384
    Abstract: Disclosed are systems that provide for secure and reliable remote management. Cryptographic health tickets provided by a management server are provided to a protected process executing on a computing device. In some examples, the health tickets reset an authenticated watchdog timer that resets the computing device if the timer expires. In some examples, the computing device may contact the management server prior to loading an operating system to receive instructions, but may omit contacting the management server if a valid health ticket is found.
    Type: Grant
    Filed: February 5, 2018
    Date of Patent: October 22, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Paul England
  • Patent number: 10433234
    Abstract: A SDN controlled Overlay Network. Embodiments disclosed herein relate to multi-RAT (Radio Access Technology) wireless communication network and more particularly to a SDN (Software Defined Networking) controlled network overlaid on a multi-RAT wireless communication network. Embodiments herein enhance relay functionality in wireless communication networks using overlay networks, wherein the overlay network is controlled and managed by a SDN (Software Defined Networking) controller.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: October 1, 2019
    Assignee: INDIAN INSTITUTE OF TECHNOLOGY BOMBAY
    Inventors: Abhay Karandikar, Pranav Kumar Jha, Akshatha Nayak M, Pon Nidhya Elango
  • Patent number: 10397211
    Abstract: Disclosed is a system comprising: an authentication datastore; a device presence engine; a traffic monitor engine; an authentication presence monitor engine; an authentication server selection engine; and a traffic routing engine. In operation: the device presence engine is configured to detect presence of a user device on a trusted network; the traffic monitor engine is configured to monitor, in response to the detection, traffic on the trusted network from the device; the authentication presence monitor engine is configured to evaluate onboarding characteristics of the user device in response to the monitoring; the authentication server selection engine is configured to select one of a plurality of authentication servers to authenticate the user device to the trusted network, the selecting based on the onboarding characteristics; and the traffic routing engine is configured to route traffic from the user device to the selected authentication server.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: August 27, 2019
    Assignee: Aerohive Networks, Inc.
    Inventors: Xu Zou, Kenshin Sakura, Mingliang Li
  • Patent number: 10381870
    Abstract: Systems, methods and apparatus for electric power grid element and network management are disclosed. At least one grid element constructed and configured for electrical connection and for internet protocol (IP)-based network communication with a server operatively coupled with a memory. The at least one grid element is automatically and/or autonomously transformed into at least one active grid element after automatically communicating an initial message to the server for registration. The at least one active grid element functions actively within the electric power grid. The at least one active grid element has a profile comprising an energy usage pattern or an energy supply pattern. The at least one active grid element sends and receives messages to and from the server.
    Type: Grant
    Filed: August 7, 2017
    Date of Patent: August 13, 2019
    Assignee: CAUSAM ENERGY, INC.
    Inventor: Joseph W. Forbes, Jr.
  • Patent number: 10375700
    Abstract: A method, a device, and a non-transitory storage medium are described in which a resource allocation service is provided in relation to a virtual device. The resource allocation service calculates an allocation of a shared processor and a shared memory in support of the virtual device based on whether packet loss is permitted or not. The calculation of the processor allocated to the virtual device may be based on buffer memory allocation. Alternatively, the calculation of the processor allocated to the virtual device may be based on a packet loss ratio and a buffer memory allocation.
    Type: Grant
    Filed: April 19, 2018
    Date of Patent: August 6, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Mehmet Toy
  • Patent number: 10356619
    Abstract: A user equipment receives an Extensible Authentication Protocol Authentication and Key Agreement Prime (EAP AKA′) message, from an authentication server related to the user equipment, in an authentication procedure being part of setting up a connection from the user equipment through an access network. The user equipment sets up an IP Security tunnel between the user equipment and an evolved Packet Data Gateway responsive to the EAP AKA′ message indicating that the access network is untrusted.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: July 16, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Patent number: 10348746
    Abstract: A system that detects any unauthorized communication without imposing a processing load on a control device is provided. In the incident detection system configured to detect any security incident, a gateway device includes: an ID generation unit that generates its own gateway device identification information; a detection packet generation unit that generates a detection packet including control information transmitted from a control device and path information obtained by adding its own gateway device identification information to a communication packet; a log generation unit that generates log information including the detection packet; and a device communication unit that transmits the log information to a management server connected to the gateway device over a network or transmits the detection packet to a control device controlled based on the control information.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: July 9, 2019
    Assignee: Hitachi, Ltd.
    Inventors: Hiroki Uchiyama, Toru Owada, Makoto Kayashima, Yusuke Fujihara, Satoshi Ohkubo, Jun Hamanaka
  • Patent number: 10345782
    Abstract: A communication system according to an embodiment of the present invention includes a robot control device, a programmable logic controller for establishing communication with the robot control device, and a communication setting device that is loaded with a configuration file to define communication parameters used in the communication. The communication setting device sets the communication parameters to the programmable logic controller. The robot control device includes a file output unit for outputting the configuration file depending on an internal state of the robot control device.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: July 9, 2019
    Assignee: FANUC CORPORATION
    Inventors: Shunichi Ozaki, Hiroji Nishi
  • Patent number: 10338937
    Abstract: A server computing system provides a web application graphical user interface (GUI) that has a first pane and a second pane. The first pane includes data items of the web application. When a user selects multiple data items in the first pane, the second pane identifies the actions that are available for the data items that are selected in the first pane. When an action is selected in the second pane, the data items in the first pane are modified in response to the selection without a web browser refreshing or reloading a corresponding web page. The server computing system receives a user request for additional information for a data item in the first pane and provides the additional information in a third pane that is together with the first pane in the GUI without the web browser refreshing or reloading the corresponding web page.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: July 2, 2019
    Assignee: Red Hat, Inc.
    Inventors: Jason E. Rist, Shannon Ray Hughes
  • Patent number: 10341484
    Abstract: A communication device and system are disclosed for providing communication and data services to residents of a controlled facility. The device can be restricted to communicating only using an internet protocol so as to restrict the device communication to an internal intranet. Wireless access points may be disposed throughout the environment to route calls and data between the device and a central processing center. By converting a protocol of the communications received from the device to a protocol used by the central processing center, minimal modifications to the central processing center are needed to support a wireless communication infrastructure. Many restrictions and safeguards may be implemented within the phone and system in order to prevent improper use.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: July 2, 2019
    Assignee: Global Tel*Link Corporation
    Inventors: Stephen Hodge, Garth Johnson, Christopher McNitt
  • Patent number: 10333899
    Abstract: Systems and methods for protecting private data behind a privacy firewall are disclosed. A system for implementing a privacy firewall to determine and provide non-private information from private electronic data includes a data storage repository, a processing device, and a non-transitory, processor-readable storage medium. The storage medium includes programming instructions that, when executed, cause the processing device to analyze a corpus of private electronic data to identify a first one or more portions of the data having non-private information and a second one or more portions of the data having private information, tag the first one or more portions of the data as allowed for use, determine whether the second one or more portions of the data includes non-private elements, and if the second one or more portions of the data comprises non-private elements, extract the non-private elements and tag the non-private elements as information allowed for use.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: June 25, 2019
    Assignee: LexisNexis, a division of Reed Elsevier Inc.
    Inventor: William Kilgallon
  • Patent number: 10333827
    Abstract: A network system includes a first network access device having an input/output (IO) module of a firewall to capture a packet of a network session originated from a first node associated with the first network access device, a first security device having a firewall processing module to determine based on the captured packet whether the first node is a destination node that is receiving VM migration from a second node that is associated with a second network access device. The first security device is to update a first flow table within the first network access device. The network system further includes a second security device to receive a message from the first security device concerning the VM migration to update a second flow table of the second network access device, such that further network traffic of the network session is routed to the first node without interrupting the network session.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: June 25, 2019
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Meng Xu, Yi Sun, Hsisheng Wang, Choung-Yaw Shieh
  • Patent number: 10324745
    Abstract: Systems herein include thin clients that operate with managed profile-based virtual machines. This can allow users to utilize personal user devices in an enterprise environment without subjecting sensitive enterprise credentials to the user device. A management server can determine a profile associated with the user device. Based on the profile, a virtual machine can be instantiated at a thin server, remotely from the thin client. The profile-specific virtual machine can include a particular guest operating system, guest applications, security features, or functionality. The instance of the virtual machine can communicate graphics information from a guest application to the thin client, and the thin client can communicate user interface events to the instance for controlling the guest application.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: June 18, 2019
    Assignee: AirWatch, LLC
    Inventors: Kar Fai Tse, Ketan Bhardwaj, Erich Stuntebeck
  • Patent number: 10320644
    Abstract: A traffic analyzer of a provider network identifies endpoint categories into which traffic directed to or from a first isolated virtual network of the provider network is to be classified. A first endpoint category includes an endpoint configured in a second isolated virtual network. Using packet-level metrics collected at virtualization management components of virtualization hosts, the traffic analyzer determines the amount of data transmitted between the first isolated virtual network and the various endpoint categories during selected time intervals. The traffic analyzer provides the categorized traffic amounts as input to a predictive model, and stores expected future traffic trends generated by the model.
    Type: Grant
    Filed: September 14, 2015
    Date of Patent: June 11, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Po-Chun Chen, Kyle Tailor Akers, Kevin Christopher Miller, Michael Brooke Furr, Christopher Ian Hendrie
  • Patent number: 10313136
    Abstract: A method for verifying the authenticity of a certificate in a web browser using an SSL/TLS protocol in an encrypted Internet connection to an HTTPS website includes establishing an encrypted connection to the HTTPS website using the web browser on a user's terminal device. A certificate including a public key of the HTTPS website and signed by a trusted certificate authority is sent to the user's web browser from the web server using the Internet connection. The certificate authority that signed the certificate is compared against the list of trusted certificate authorities. The certificate authority is verified as being included in the list. The thumbprint of the certificate is sent as an additional security check key using a second messaging channel, external to the Internet connection between HTTPS website and web browser of the user's terminal device, and the contact data in the customer register. The additional security check key is compared with the thumbprint received by the web.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: June 4, 2019
    Assignee: ONLINE SOLUTIONS OY
    Inventor: Jyrki Salmi
  • Patent number: 10275328
    Abstract: A technique for providing fault tolerance for virtual machines in a hybrid cloud computing system is discussed. When a primary virtual machine (VM) in a private data center is configured for fault tolerance, a secondary VM is instantiated in a public cloud computing system. Changes to the execution state of the primary VM are recorded and relayed to the secondary VM by way of caching modules, which provide acknowledgement messages back to the primary VM. A technique for failback from the public cloud computing system to the private data center is also discussed.
    Type: Grant
    Filed: July 3, 2015
    Date of Patent: April 30, 2019
    Assignee: VMWARE, INC.
    Inventors: Jinto Antony, Madhusudhanan Gangadharan, Sudhish P. T., Sreekanth Pillalamarri
  • Patent number: 10237609
    Abstract: A method of delivering video content. The method may comprise receiving a request for a first video from a video-playing device that is coupled to a network, determining whether to include a second video, generating a playlist comprising the first video and the second video, and transmitting the playlist to the Internet video-playing device. The second video may comprise a video advertisement. Additionally, a system for delivering video content is described. The system may include a processor, storage, an operating system, a logging module, one or more network interfaces capable of communicating with a plurality of video advertising networks, and a scripting engine.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: March 19, 2019
    Assignee: Vidillion, Inc.
    Inventors: Dennis M. Nugent, Dan Lovy, Mario Hebert
  • Patent number: 10229520
    Abstract: Provided is a feature-value display system which can display a feature value of a node for accurate prediction of a state of the node in a graph structure or a network structure. The feature-value display system 1 displays the feature value of the current node, considering information generated on the basis of attribute information associated with the nodes adjacent to or closer to a current node in the graph structure or the network structure, as the feature value of the current node itself.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: March 12, 2019
    Assignee: NEC Corporation
    Inventors: Yusuke Muraoka, Ryohei Fujimaki
  • Patent number: 10205638
    Abstract: A computer-implemented method for configuring a network topology within a cloud computing environment is disclosed. The method includes providing a user interface (UI) to a user to configure a selection of network topology features. The UI enables the user to specify network topology features at the physical device level. Available cloud computing resources that are associated with the cloud computing environment are detected and the configured network topology is mapped to the available cloud computing resources. The user may then access the mapped cloud resources as a virtual network.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: February 12, 2019
    Assignee: NS3I, LLC.
    Inventors: Yogesh Angrish, Suleman Alam
  • Patent number: 10193889
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to collect all data socket descriptor databases from individual servers operating in a data center, each data socket descriptor database storing attributes of a base socket and one or more data socket descriptors used by an application or application instance operating on an individual server. The logic is also configured to cause the processing circuit to store data from the data socket descriptor databases for all applications and application instances operating in the data center in a central data socket descriptor database, the central data socket descriptor database being configured to store attributes of all data socket descriptors used by all applications or application instances operating in the data center.
    Type: Grant
    Filed: June 14, 2016
    Date of Patent: January 29, 2019
    Assignee: Avocado Systems Inc.
    Inventor: Keshav Govind Kamble
  • Patent number: 10193865
    Abstract: Techniques described herein convert mobile traffic between different types of VPN protocols, including IP and Transport. In an embodiment, a security proxy associated with a server receives a packet associated with a client app on a device, the packet including a source identifier and a destination identifier. The security proxy reassigns a tunnel identifier as the source and a node identifier as the destination, then stores a correlation of the tunnel identifier, the source identifier, and the destination identifier. The security proxy forwards the packet to the node inside the security proxy, and determines the destination identifier based on the correlation. The node then forwards the packet to the destination. This allows for multiple devices to use a same source identifier, e.g., same IP address. In some embodiments, a secure connection is established and/or the device and server are mutually authenticated prior to the processing of the packets.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: January 29, 2019
    Assignee: MOBILE IRON, INC.
    Inventors: Kumara Das Karunakaran, Alexei Volkov, Pranav Desai, Victor Pavlov
  • Patent number: 10187376
    Abstract: Authentication of a networked device with limited computational resources for secure communications over a network. Authentication of the device begins with the supplicant node transmitting a signed digital certificate with its authentication credentials to a proxy node. Upon verifying the certificate, the proxy node then authenticates the supplicant's credentials with an authentication server accessible over the network, acting as a proxy for the supplicant node. Typically, this verification includes decryption according to a public/private key scheme. Upon successful authentication, the authentication server creates a session key for the supplicant node and communicates it to the proxy node. The proxy node encrypts the session key with a symmetric key, and transmits the encrypted session key to the supplicant node which, after decryption, uses the session key for secure communications. In some embodiments, the authentication server encrypts the session key with the symmetric key.
    Type: Grant
    Filed: July 28, 2016
    Date of Patent: January 22, 2019
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Kumaran Vijayasankar, Oliver Shih, Arvind K. Raghu, Ramanuja Vedantham, Xiaolin Lu
  • Patent number: 10187365
    Abstract: The present invention relates to a method that may be used in a digital data communication system comprising a communication network constituted of a plurality of nodes, and a plurality of subscriber equipment units each connected to a node, includes: a transmission phase (P1) including the steps of limiting of the size of each frame to be transmitted, adding identification-authentication credentials, and transmitting the frames with a predetermined transmission interval; and a transmission phase (P2) including the steps of monitoring-checking for compliance with the input conditions; removal of each frame that is non-compliant, replicating each frame that is compliant, monitoring-checking for compliance with the output conditions, removing each frame that is non-compliant, transmitting each frame that is compliant, and recording and storing of the identification-authentication credential for each frame transmitted.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: January 22, 2019
    Assignee: THALES
    Inventors: Patrice Georges Paul Toillon, Paul Marie Boivin-Champeaux, David José Faura, Michael André Templier, William Terroy
  • Patent number: 10187299
    Abstract: The present invention enables the selection of network routes based on a combination of traditional route table entries and identity policy information determined dynamically for each network session. This enables a network operator to apply different policies to network entities presenting differing identity credentials. It also allows network operators to block access to networks and network resources when identity credentials are not provided or are unauthorized.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: January 22, 2019
    Assignee: BlackRidge Technology Holdings, Inc.
    Inventor: John W. Hayes
  • Patent number: 10182075
    Abstract: A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message to target a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message to determine whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: January 15, 2019
    Assignee: salesforce.com, inc.
    Inventors: Benjamin Fry, Timothy Kral, Simon Chen, Andrey Falko
  • Patent number: 10171590
    Abstract: A computer system implements a plurality of modules, including a tenant administration proxy that receives session credentials from a tenant application in the private communication system and authenticates the tenant application in response to the session credentials, a connector service that receives a bridge setup request from the tenant application and establishes a bridge connection with the tenant application in response to the bridge setup request; and a configuration manager that stores service information regarding a cloud-based service that is accessible through the computer system. The tenant administration proxy retrieves the service information from the configuration manager and provides the service information to the tenant application in response to a request from the tenant application, and wherein the connector service facilitates communication between the cloud-based service and an enterprise service in the private communication system over the bridge connection.
    Type: Grant
    Filed: January 9, 2017
    Date of Patent: January 1, 2019
    Assignee: CA, Inc.
    Inventors: Venkatababji Sama, Akkamapet Palaniappan Sundarraj, Igor V. Balabine
  • Patent number: 10172027
    Abstract: A communication device for reporting a wireless local area network (WLAN) connection status in a wireless communication system comprises a storage device for storing instructions and a processing circuit coupled to the storage device. The processing circuit is configured to execute the instructions stored in the storage device.
    Type: Grant
    Filed: July 19, 2017
    Date of Patent: January 1, 2019
    Assignee: HTC Corporation
    Inventor: Chih-Hsiang Wu
  • Patent number: 10148550
    Abstract: In some embodiments, an apparatus includes a network node configured to be included in a set of network nodes operatively coupled to a core network node. The network node is configured to receive a first packet and a second packet from a host device operatively coupled to the network node. The network node is configured to send the first packet to the core network node via a first path of a tunnel between the network node and the core network node. The first path of the tunnel has a first cost. The network node is configured to send the second packet to the core network node via a second path of the tunnel. The second path has a second cost different than the first cost.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: December 4, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: James Murphy, Nischal Sheth, Abhijit Choudhury, Raghavendra Mallya, Pranay Pogde, Phalguni Nanda, Jayabharat Boddu, Pradeep Sindhu
  • Patent number: 10148696
    Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: December 4, 2018
    Assignee: NICIRA, INC.
    Inventors: Srinivas Nimmagadda, Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Alok S. Tiagi
  • Patent number: 10135619
    Abstract: A secure demand paging system (1020) includes a processor (1030) operable for executing instructions, an internal memory (1034) for a first page in a first virtual machine context, an external memory (1024) for a second page in a second virtual machine context, and a security circuit (1038) coupled to the processor (1030) and to the internal memory (1034) for maintaining the first page secure in the internal memory (1034).
    Type: Grant
    Filed: April 15, 2016
    Date of Patent: November 20, 2018
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Steven C. Goss, Gregory Remy Philippe Conti, Narendar M. Shankar, Mehdi-Laurent Akkar, Aymeric Vial
  • Patent number: 10135716
    Abstract: A method and related apparatus for providing latency optimized segment routing tunnels is described herein and includes obtaining a latency metric for each segment that links respective pairs of nodes in a network, determining a tunnel through the network between a first endpoint and a second endpoint that is optimized for latency, and, once such a tunnel is determined, causing a packet to travel along the tunnel that is optimized for latency by encoding the packet with segment routing instructions for the network, wherein the network is configured to provide shortest paths according to a metric other than latency.
    Type: Grant
    Filed: January 15, 2016
    Date of Patent: November 20, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre Francois, Francois Clad, Alan Gous, Clarence Filsfils
  • Patent number: 10116646
    Abstract: A Software-Defined Network (SDN) data-plane machine stores flow data and a hardware-trust key. The SDN data-plane machine receives and processes a hardware-trust challenge based on the hardware-trust key to generate and transfer a hardware-trust response. The SDN data-plane machine receives and routes user data based on the flow data. The SDN data-plane machine receives flow modification data from SDN controllers and determines if the SDN controllers are authorized by the hardware-trust controller before modifying the flow data. The SDN data-plane machine receives and routes additional user data responsive to the modified flow data. The SDN data-plane machine reports SDN controllers that attempt to modify the flow data but that are not authorized by the hardware-trust controller to modify the flow data.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: October 30, 2018
    Assignee: Sprint Communications Company L.P.
    Inventors: Marouane Balmakhtar, Arun Rajagopal
  • Patent number: 10084750
    Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol.
    Type: Grant
    Filed: August 7, 2017
    Date of Patent: September 25, 2018
    Assignee: Fortinet, Inc.
    Inventor: William J. Crawford
  • Patent number: 10051005
    Abstract: A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message to target a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message to determine whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: August 14, 2018
    Assignee: salesforce.com, inc.
    Inventors: Benjamin Fry, Timothy Kral, Simon Chen, Andrey Falko
  • Patent number: 10033711
    Abstract: Name information which is generated by using a value corresponding to a decryption key and address information of a key cloud device which provides a cloud-key management type decryption service in which the decryption key is used are stored in a storage of a directory service device in a manner to associate the name information with the address information, and a searching unit of the directory service device searches the storage by using the inputted name information to obtain address information corresponding to the inputted name information.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: July 24, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tomohide Yamamoto, Go Yamamoto, Tetsutaro Kobayashi
  • Patent number: 10033536
    Abstract: Techniques described herein relate to generating and managing digital credentials using a digital credential platform in communication with various digital credential template owners and digital credential issuers. In some embodiments, a digital credential platform server may receive and coordinate requests and responses between the digital credential template owners and a set of digital credential issuers, to determine which digital credential issuers are authorized to issue digital credentials based on which digital credential templates. The digital credential platform server may provide the authorized issuers with access to particular digital credential templates and the functionality to issue digital credentials to users based on any of the particular digital credential templates. Additional techniques described herein relate to tracking, analyzing, and reporting data metrics for issued digital credentials.
    Type: Grant
    Filed: March 25, 2016
    Date of Patent: July 24, 2018
    Assignee: CREDLY, INC.
    Inventors: Mark Thomas Mercury, Kurt Jarin Schmidt
  • Patent number: 10027491
    Abstract: Disclosed are approaches for distributing credentials using derived credentials, such as by relaying a simple certificate enrollment protocol (SCEP) payload. A computing device configures a device profile corresponding to a client device. The device profile can include a SCEP payload. The computing device later receives an override for the SCEP payload from a broker service. In response, the computing device creates a copy of the device profile that includes the override for the SCEP payload. The computing device then sends the copy of the device profile to the client device.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: July 17, 2018
    Assignee: AIRWATCH LLC
    Inventors: Urvashi Goverdhan, Sagar Date, Kiran Rohankar, Gaurav Halbe, Sridhara Babu Kommireddy, Daniel Quintas
  • Patent number: 10015094
    Abstract: Techniques are described for managing customer-specified routing policies for network-accessible computing resources. In some situations, the customer-specified routing policies may be based at least in part on DNS (“Domain Name System”) information specified by a customer, such as if the customer specifies one or more target destinations to use with an indicated DNS domain name that are different from the destination IP address(es) provided for that DNS domain name by DNS servers—if so, the managing of such a DNS-based routing policy for that customer may include identifying when network-accessible computing resources provided to the customer send electronic communications to that DNS domain name, and causing those electronic communications to be redirected to the customer-specified target destination(s). Such customer-specified target destinations may include, in different situations, final destinations, intermediate destinations, etc., as well as identify particular routes.
    Type: Grant
    Filed: June 19, 2015
    Date of Patent: July 3, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Kyle Tailor Akers, Chao Yuan, Kevin Christopher Miller, Andrew Bruce Dickinson, Michael Siaosi Voegele, Daniel Lee McCarriar, Yohanes Santoso, David Brian Lennon
  • Patent number: 9979605
    Abstract: Systems and methods for the management of virtual machine instances are provided. The hosted virtual machine networks are configured in a manner such that communications within the hosted virtual machine network are facilitated through a communication protocol. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. Through the utilization of one or more virtual network mapping components in communication with the hosted virtual network components, communications to and from the hosted virtual networks can be processed by mapping relationships between the virtual network communication protocol and the router communication protocol. The mapping information can be provided in advance or as requested to the router components and hosted virtual network components to facilitate bi-lateral communications between the components.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: May 22, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Frederick David Sinn
  • Patent number: 9942251
    Abstract: Detecting malware is disclosed. A candidate malware application is caused to be executed using a virtual machine. Traffic analysis is performed on network traffic associated with the execution of the candidate malware application. A determination is made as to whether the candidate malware application is malicious or not, based at least in part on the traffic analysis and an application type associated with the candidate malware application.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: April 10, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Xinran Wang, Huagang Xie, Kyle Sanders
  • Patent number: 9936027
    Abstract: Methods, systems, and computer readable media for application session sharing are disclosed. According to one method, the method includes receiving, from a first client node, a request for initiating a remote application session for interacting with an application instance by one or more users. The method also includes initiating the remote application session and configuring a remote control server for interacting with the remote application session. The method further includes providing communications between the first client node and the application instance associated with the remote application session using the remote control server.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: April 3, 2018
    Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (HOLDINGS) PTE. LTD.
    Inventors: Andrey John Balogh, Noah Gintis, Alok Kumar Srivastava, Alexandru-Bogdan Stefan
  • Patent number: 9930013
    Abstract: An intermediate device (such as a firewall) is disposed between first and second devices (such as a client and a server device, respectively). Communications between the first and second devices are intercepted in both directions by the intermediate device, which spoofs the receiving device by modifying messages sent by the transmitting device. The modified message uses a key held by the intermediate device instead of a key belonging to the sending device.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: March 27, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Andrew E. Ossipov
  • Patent number: 9923871
    Abstract: Virtual private network (VPN)-related techniques are described. The techniques provide intuitive mechanisms by which a client device more efficiently establishes a VPN connection. In one example, a client device includes a memory, processor(s), and a VPN handler. The VPN handler is configured to monitor actions initiated by one or more applications executable by the programmable processor(s), and determine whether each of the initiated actions requires a VPN connection via which to transmit outbound data traffic corresponding to a respective application of the one or more applications. The VPN handler is further configured to, in response to a detection that at least one initiated action requires the VPN connection via which to transmit the outbound data traffic, automatically establish the VPN connection to couple the client device to an enterprise network, and transmit the outbound data traffic corresponding to the respective application, via the VPN connection.
    Type: Grant
    Filed: February 15, 2017
    Date of Patent: March 20, 2018
    Assignee: Pulse Secure, LLC
    Inventor: Thomas C. Chang
  • Patent number: 9923829
    Abstract: A traffic management device (TMD), system, and processor-readable storage medium directed towards automatically configuring an AAA proxy device (also referred to herein as “the proxy”) to load-balance AAA request messages across a plurality of AAA server devices. In one embodiment the proxy receives an AAA handshake message from an AAA client device. The proxy forwards the handshake message to each of the plurality of server devices and, in reply, receives an AAA handshake response message from each of the plurality of server devices. The proxy extracts attributes from each of the handshake response messages and automatically configures itself based on the extracted attributes. The proxy then load-balances, modifies and/or routes subsequently received AAA request messages based on the extracted attributes.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: March 20, 2018
    Assignee: F5 Networks, Inc.
    Inventors: Tao Liu, Song Bo Zheng
  • Patent number: 9916139
    Abstract: The present invention includes systems and methods for retrieving information via a flexible and consistent targeted search model that employs interactive multi-prefix, multi-tier and dynamic menu information retrieval techniques (including predictive text techniques to facilitate the generation of targeted ads) that provide context-specific functionality tailored to particular information channels, as well as to records within or across such channels, and other known state information. Users are presented with a consistent search interface among multiple tiers across and within a large domain of information sources, and need not learn different or special search syntax. A thin-client server-controlled architecture enables users of resource-constrained mobile communications devices to locate targeted information more quickly by entering fewer keystrokes and performing fewer query iterations and web page refreshes, which in turn reduces required network bandwidth.
    Type: Grant
    Filed: February 22, 2016
    Date of Patent: March 13, 2018
    Assignee: TROPARE, INC.
    Inventors: G. Gregory Carpenter, Timothy L Kay
  • Patent number: 9900214
    Abstract: Techniques are described for providing managed virtual computer networks that may have a configured logical network topology with one or more virtual networking devices, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the networking devices if they were physically present. In some situations, the emulating of networking device functionality includes receiving routing communications directed to the networking devices and using included routing information to update the configured network topology for the managed computer network.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: February 20, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Eric Jason Brandwine, Andrew J. Doane