Patents Examined by Anthony D Brown
  • Patent number: 11870810
    Abstract: An electronic device includes a network communications interface, a processor, and a memory configured to store instructions that, when executed by the processor, cause the processor to instantiate a set of processes; receive, over a network and via the network communications interface, a policy for network socket creation; receive, from the set of processes, a set of requests to create a first set of network sockets used to communicate over the network via the network communications interface; collect telemetry pertaining to a second set of network sockets used to communicate over the network via the network communications interface; allow or block creation of network sockets in the first set of network sockets, in accordance with the collected telemetry and the policy for network socket creation; and transmit at least part of the collected telemetry to a controller, over the network and via the network communications interface.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: January 9, 2024
    Assignee: T-Mobile USA, Inc.
    Inventor: Cameron Byrne
  • Patent number: 11848954
    Abstract: A method for assessing a network environment includes obtaining, by the network assessment computing device, device information for one or more devices each with an Internet Protocol address currently on a defined network in a network environment from a network appliance device coupled to the network environment. Each of the identified devices is assessed, by the network assessment computing device, for one or more vulnerabilities. Network status data and any actionable items for the identified devices for the one or more vulnerabilities are generated, by the network assessment computing device, based on the assessing. The generated status data and any actionable items are provided by the network assessment computing device.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: December 19, 2023
    Assignee: INFINITE GROUP, INC.
    Inventors: Brian A. Drake, Mark E. Klein, Andrew T. Hoyen, James A. Villa, Julian D. Baldwin
  • Patent number: 11843612
    Abstract: A communication device management device includes: at least one memory configured to store instructions; and at least one processor configured to execute the instructions to: detect a change in possibility/impossibility of communication with a communication device, based on a response from the communication device to a confirmation signal to be transmitted at every predetermined time; and perform, when a restriction is imposed on a predetermined function of the communication device in which the communication possibility/impossibility is changed from impossible to possible, the restriction after canceling the restriction of the communication device, and perform, when the restriction of the communication device is not imposed, the restriction of the communication device.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: December 12, 2023
    Assignee: NEC CORPORATION
    Inventor: Eriko Saeki
  • Patent number: 11841966
    Abstract: Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes determining whether an operation to access a memory location containing executable code comprises a general-purpose memory access operation, and changing content of the memory location in response to a determination that the operation to access the memory location containing the executable code comprises the general-purpose memory access operation to the memory location.
    Type: Grant
    Filed: December 14, 2021
    Date of Patent: December 12, 2023
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Adrian Tang, Salvatore Stolfo, Lakshminarasimhan Sethumadhavan
  • Patent number: 11843579
    Abstract: The technology disclosed relates to a steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a system. The system comprises an in-network intermediary. The in-network intermediary is configured to receive outbound network traffic from a plurality of special-purpose devices on a network segment of a network. The outbound network traffic is directed at one or more out-of-network servers. The in-network intermediary is further configured to determine, from the outbound network traffic, metadata required for policy enforcement. The in-network intermediary is further configured to append the metadata to the outbound network traffic, and send the outbound network traffic appended with the metadata to a policy enforcement point for policy enforcement.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: December 12, 2023
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Siying Yang, Krishna Narayanaswamy
  • Patent number: 11843639
    Abstract: Various embodiments include an industrial control system security analysis method. The method may include: collecting a communication data packet of interactive data transmitted between control devices in a first industrial control system; extracting network identifiable information; and determining whether it matches a pre-created event database. If the information matches: determining that the communication data packet is a malicious data packet; acquiring security policies of the first industrial control system and a second industrial control system; and determining a threat coefficient of the communication data packet for the second industrial control system based on the network identifiable information and each of the security policies, wherein the threat coefficient represents a degree of threat of the communication data packet to the second industrial control system.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: December 12, 2023
    Assignee: SIEMENS LTD., CHINA
    Inventor: Dai Fei Guo
  • Patent number: 11838328
    Abstract: The invention provides a method, apparatus and system for preventing exfiltration of data caused by use of an unsanctioned CCS account. The invention intercepts a communication including a request for access to data, where the communication is being transmitted between a user of the CCS, and a CCS host website, referred to as a CCS endpoint. The intercepted communication is inspected for information that is processed to obtain a CCS account identifier associated with a CCS account being used by a user of that CCS account. The CCS account identifier is further processed to access tenant defined policy information associated with the CCS account. The invention further performs actions to determine if the CCS account associated with the account identifier is unsanctioned (unpermitted) with respect to access to the particular data for which access is being requested by the user of that CCS account.
    Type: Grant
    Filed: January 20, 2023
    Date of Patent: December 5, 2023
    Assignee: Netskope, Inc.
    Inventors: VenkataSwamy Pathapati, Michael Koyfman, Yuri Duchovny
  • Patent number: 11831612
    Abstract: A method in a virtual private network (VPN) environment, the method including determining, by a processor, that a VPN service provider is unreachable via utilization of received domain information; determining, by the processor, first substitute domain information based at least in part on determining that the VPN service provider is unreachable via utilization of the received domain information; and determining, by the processor, second substitute domain information based at least in part on determining that the VPN service provider is unreachable via utilization of the first substitute domain information, the second substitute domain information being different than the first substitute domain information. Various other aspects are contemplated.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: November 28, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11832104
    Abstract: Systems and methods provide for provisioning services for an unmanned aerial system (UAS) in a 3GPP network, enabling communication for command and control in 5G systems, and enabling UAS service for identification and operation in a 3GPP system.
    Type: Grant
    Filed: August 9, 2019
    Date of Patent: November 28, 2023
    Assignee: APPLE INC.
    Inventor: Ching-Yu Liao
  • Patent number: 11824896
    Abstract: Performing a networked transaction with proof of honesty is described. An identity credential is generated for a user based on an underlying secret associated with the user. The identity credential is augmented with Rulebook credentials, and proof of honesty based thereon is conveyed to another user. On this basis, the user is permitted to transact with the other user in connection with the proof of honesty.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: November 21, 2023
    Assignee: Exonym GmbH
    Inventor: Michael Harris
  • Patent number: 11818174
    Abstract: An indication to perform a permissions policy search may be received by an interface of an identity management service. A context may be determined associated with the permissions policy search. A plurality of weights for a plurality of permissions policies may be calculated based on the context. An order for display of the plurality of permissions policies may be determined based on the plurality of weights. The plurality of permissions policies may be presented, in a display area within the interface, in the order that is based on the plurality of weights. A selection of a first permissions policy from the plurality of permissions policies may be received by the interface. The first permissions policy may be attached to a first identity based at least in part on the selection of the first permissions policy.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: November 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Homer Strong
  • Patent number: 11818123
    Abstract: A method including transmitting, by an infrastructure device to a user device, an invitation link to enable the user device to receive network services from the infrastructure device; transmitting, by the infrastructure device to the user device based on verifying that the invitation link was activated by the user device, seed information to enable the user device to determine authentication information; determining, by the user device, the authentication information based on utilizing the seed information; transmitting, by the user device to the infrastructure device during a communication session, a user request related to an action to be performed regarding receiving the network services, the user request being signed based on utilizing a first portion of the authentication information; and authorizing, by the infrastructure device, the user request based on verifying that the communication session is currently active. Various other aspects are contemplated.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: November 14, 2023
    Assignee: UAB 360 IT
    Inventors: Dovydas Bespalovas, Mindaugas Valkaitis
  • Patent number: 11811829
    Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to modify at least one header in a request for content based on a requirement for a network source.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: November 7, 2023
    Assignee: DOPE.SECURITY INC.
    Inventor: Kunal Agarwal
  • Patent number: 11799915
    Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to segment network traffic associated with a request for content from a network source, based on a comparison of the network source against a policy, between at least one of directly accessing the content from the network source and indirectly accessing the content via a remote cloud device by rerouting the network traffic from an end user device to the remote cloud device.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: October 24, 2023
    Assignee: DOPE.SECURITY INC.
    Inventor: Kunal Agarwal
  • Patent number: 11797651
    Abstract: A system and method for mapping licenses from disparate data sources and databases from third parties triggered by a system registration request, analyzing data structures for license information records and third-party information records, cross-referencing a license record with a third-party information record, flagging database records that reflect a license field record change, updating mapping-related procedures and queries, and providing a presentation of license information records and related status.
    Type: Grant
    Filed: July 14, 2022
    Date of Patent: October 24, 2023
    Inventors: Darya Minina, Mikhail Minin
  • Patent number: 11799838
    Abstract: A device may monitor traffic associated with a user equipment (UE) on multiple interfaces of a network. The device may determine an identity associated with the UE or the traffic on the multiple interfaces by correlating identifiers associated with the UE or the traffic across the multiple interfaces. The identity may uniquely identify a subscriber associated with the UE or the traffic. The device may determine a set of elements to be used to decipher the traffic after determining the identity associated with the UE or the traffic. The device may decipher the traffic utilizing the set of elements after determining the set of elements.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: October 24, 2023
    Assignee: VIAVI Solutions Inc.
    Inventors: Andrew Munro, Gordon Fortune, Jun Liu, Xiang Zhou, Eng Wei Koo
  • Patent number: 11792039
    Abstract: A building system including one or more memory devices configured to store instructions that cause one or more processors to store a graph data structure in a data storage device including a plurality of nodes representing a plurality of entities and a plurality of edges between the plurality of nodes representing a plurality of relationships between the plurality of entities, wherein the plurality of entities include a first entity representing one of a person, place, or piece of equipment of the building, wherein a second entity of the plurality of entities represents a software component, wherein the software component performs operations for the person, place, or piece of equipment of the building indicated by one or more edges of the plurality of edges relating the first entity to the second entity and cause the software component to execute and perform the operations for the person, place, or piece of equipment.
    Type: Grant
    Filed: June 11, 2021
    Date of Patent: October 17, 2023
    Assignee: JOHNSON CONTROLS TECHNOLOGY COMPANY
    Inventors: Youngchoon Park, Sudhi Sinha
  • Patent number: 11792182
    Abstract: A system according to this invention is directed to a virtual network system that prevents unauthorized registration, alteration, or occurrence of erroneous registration when registering a virtual network function produced by a third party or system vendor. The virtual network system includes an acceptor that accepts a virtual network function performing one of functions included in a virtual network service and information of a provider providing the virtual network function from the provider, a first authenticator that authenticates, based on the virtual network function and the provider information, that the provider is a valid provider, and a registration unit that registers the virtual network function when the first authenticator authenticates that the provider is a valid provider.
    Type: Grant
    Filed: October 8, 2020
    Date of Patent: October 17, 2023
    Assignee: NEC CORPORATION
    Inventors: Shintaro Nakano, Hideo Hasegawa, Satoru Ishii
  • Patent number: 11777713
    Abstract: Aspects of the disclosure relate to processing systems for performing cross-sectional asset editing. A computing platform may receive permission to perform a first subset of event processing steps. The computing platform may delegate permission to an external event processor to perform a second subset of event processing steps and to an external resource management platform to perform a third subset of event processing steps. The computing platform may generate an element chain corresponding to the account. In response to receiving a request to process an event, the computing platform may add a sub-element to the element chain containing a fixed parameter corresponding to an expected value associated with the event and a variable parameter corresponding to an actual value associated with the event. In response to receiving a request to write the actual value to the element chain, the computing platform may modify the variable parameter of the sub-element accordingly.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: October 3, 2023
    Assignee: Bank of America Corporation
    Inventors: Manu Kurian, Joseph Castinado
  • Patent number: 11770415
    Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to replay at least one header of the request for content at a remote device where the requested content is further analyzed based on the comparison between the network source of the requested content and the policy.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: September 26, 2023
    Assignee: DOPE.SECURITY INC.
    Inventor: Kunal Agarwal