Patents Examined by Brian F Shaw
  • Patent number: 11863990
    Abstract: A method performed by a system includes instantiating a vulnerability-risk-threat (VRT) service for a security edge protection proxy (SEPP) element of a 5G telecommunications network. The system intercepts and parameterizes network traffic of the SEPP element to identify network functions (NFs) or associated services that require cybersecurity protection and selects security resources for protecting the identified NFs or associated services. The system prioritizes an NF or associated service that is most frequently used (MFU) or most recently used (MRU) and then allocates the security resources in accordance with the prioritization.
    Type: Grant
    Filed: November 18, 2022
    Date of Patent: January 2, 2024
    Assignee: T-Mobile USA, Inc.
    Inventors: Venson Shaw, Gaviphat Lekutai
  • Patent number: 11863687
    Abstract: Technologies discussed include receiving a set of rules associated with a document type from a supplier entity. Each rule identifies a set of conditions and a set of actions to be taken after a document of a document type is signed if the set of conditions is satisfied. When a supplier entity sends a document of the document type to a signing entity and the signing entity provides an electronic signature, the system determines whether conditions of rules associated with the document type are satisfied. For each rule that is satisfied, the system performs actions identified by the rule.
    Type: Grant
    Filed: July 20, 2022
    Date of Patent: January 2, 2024
    Assignee: DOCUSIGN, INC.
    Inventors: Ahmed Kamel, Naren Raghavan, Ramachandra Tulasi
  • Patent number: 11849313
    Abstract: When an EBI needs to be assigned to an EPS bearer to which a QoS flow is mapped in an EPS, whether user plane security enforcement information of a PDU session matches user plane encryption protection information of the EPS is determined, that is, whether a user plane capability of the EPS can meet a user plane security requirement of the PDU session is determined. The EBI is assigned to the EPS bearer only when the requirement is met. Otherwise, the EBI is not assigned to the EPS bearer or the EBI is released if the EBI has been assigned. In this way, when UE moves from a 5GS to the EPS, the EPS bearer is prevented from using an EBI that does not meet the user plane security requirement for data transmission.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: December 19, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Haiyang Sun, Anni Wei, Chunshan Xiong
  • Patent number: 11847221
    Abstract: System and method for executing scan operations on computing systems use a sparse file that represents a storage device of a computing system to scan a file stored in the storage device. The sparse file is created and mounted to a scanner appliance such that the sparse file appears to a scan engine of the scanner appliance as a local storage device. When a read request for the file stored in the storage device is issued from the scan engine that results in an implicit read request to the sparse file, the implicit read request is trapped. While the implicit read request is trapped, data of the file is retrieved from the storage device of the computing system to the scanner appliance using a communication transport. The retrieved data of the file is then scanned using the scan engine at the scanner appliance.
    Type: Grant
    Filed: April 26, 2021
    Date of Patent: December 19, 2023
    Assignee: VMWARE, INC.
    Inventors: Mandar Nanivadekar, Bharath Kumar Chandrasekhar, Sachin Shinde
  • Patent number: 11824855
    Abstract: A network system is provided that enables a user to record media in connection with a user operating a service application to participate in a transport service. In examples, the network system includes a user computing device on which media is recorded and stored in an unrenderable state. The user can elect to make a media recording submission for a particular service activity (e.g., trip provided or received by user). In response to the media recording submission, the user computing device identifies one or more media files that contain media data which depict the service activity. The identified media files are transmitted to a service computing system where the media files can be rendered.
    Type: Grant
    Filed: November 1, 2022
    Date of Patent: November 21, 2023
    Assignee: Uber Technologies, Inc.
    Inventors: Shobhit Gupta, Mikhail Bosin, Neil Chopra, Garrick Buckley, Emmanuelle Soni, Dhaval Shah
  • Patent number: 11812271
    Abstract: A method for mitigating a 5G roaming attack for an Internet of things (IoT) device based on expected user equipment (UE) behavior patterns includes receiving, at a network function (NF) including at least one processor, a service request message requesting a service from a home public land mobile network (PLMN) of a UE identified in the service request message, wherein the UE comprises an IoT device, and obtaining, for the UE identified in the service request message, at least one parameter provisioned in the home PLMN to indicate an expected UE behavior pattern. The method further includes comparing the at least one parameter provisioned in the home PLMN to indicate the expected UE behavior pattern to at least one parameter from the service request message and determining that the at least one parameter from the service request message is not indicative of the expected UE behavior pattern of the UE. The method further includes dropping or rejecting the service request message.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: November 7, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Shashikiran Bhalachandra Mahalank, Jay Rajput, Iyappan Chellasamy
  • Patent number: 11797653
    Abstract: Systems and methods restrict content inserted into information resources. A computing device can identify a content element included in an information resource. The computing device can identify a bit stream corresponding to the content element included in the information resource. The computing device can hash the identified bit stream to generate an element identifier corresponding to the content element. The computing device can access a restricted content database using the element identifier. The computing device can modify, responsive to finding the element identifier in the restricted content database, the presentation of the content element on the information resource in accordance with the content restriction policy.
    Type: Grant
    Filed: July 19, 2021
    Date of Patent: October 24, 2023
    Assignee: GOOGLE LLC
    Inventors: Matthew Burriesci, Harrison Gordon
  • Patent number: 11799858
    Abstract: A set of data packets transmitted by an IoT device is received at a system. At least one packet included in the set of data packets is analyzed. An Authentication, Authorization, and Accounting (AAA) message, including contextual information associated with the IoT device, is transmitted on behalf of the IoT device.
    Type: Grant
    Filed: February 3, 2022
    Date of Patent: October 24, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventor: Gong Cheng
  • Patent number: 11792020
    Abstract: A method for managing certificates includes the steps of transmitting, over an electronic network by an electronic device of a client, a certificate request to a certificate management portal separate from the client, establishing an interaction with an electronic interface of a certificate authority by the certificate management portal; generating, by the certificate authority, a certificate package, delivering the generated certificate package to the certificate management portal, and downloading from the certificate management portal, by the client, at least one certificate of the delivered certificate package.
    Type: Grant
    Filed: February 22, 2022
    Date of Patent: October 17, 2023
    Assignee: Cable Television Laboratories, Inc.
    Inventor: Brian A. Scriber
  • Patent number: 11777983
    Abstract: A system for determining an entity's security rating may include a ratings engine and a security database. The security database may include a manifest and a distributed index containing security records. Each of the security records may have a key (e.g., a network identifier of a network asset) and a value (e.g., security information associated with the network asset identified by the key). The keyspace may be partitioned into multiple key ranges. The manifest may contain references to segments of the distributed index. Each segment may be associated with a key range and may index a group of security records having keys within the key range. The manifest and the segments may be stored in an object storage system. The ratings engine may determine the security rating of an entity based on security records of the entity's network assets, which may be retrieved from the database.
    Type: Grant
    Filed: January 24, 2023
    Date of Patent: October 3, 2023
    Assignee: BitSight Technologies, Inc.
    Inventors: Ethan Geil, Bryan Turcotte
  • Patent number: 11775644
    Abstract: Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake a mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: October 3, 2023
    Assignee: CUPP Computing AS
    Inventors: Ami Oz, Shlomo Touboul
  • Patent number: 11770702
    Abstract: A method, device, and system for configuring a session for communication between electronic devices includes sending, by a session management entity of a wireless network, a first request message to a policy control entity of the wireless network, the first request message comprising a key identifier, receiving, by the session management entity, a first response message from the policy control entity, wherein the first response message corresponds to a response to the first request message, and the first response message comprises a session policy for a communication session corresponding to the key identifier, and configuring, by the session management entity, the communication session based at least in part on the session policy.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: September 26, 2023
    Inventor: Xiaobo Yu
  • Patent number: 11757867
    Abstract: Systems and methods are presented for implementing hacker traffic barriers for mitigating unauthorized account usage. A security system securely associates a primary trusted device with a user using encrypted tokens stored in an enclave within the primary trusted device, authorizes web browser authentication, and provides both intrinsic and explicit checks for unauthorized access to an account.
    Type: Grant
    Filed: December 28, 2021
    Date of Patent: September 12, 2023
    Assignee: PayPal, Inc.
    Inventors: Kishore Jaladi, Darshan Desai, Abhishek Chhibber
  • Patent number: 11757946
    Abstract: A method, non-transitory computer readable medium, and device for analyzing network traffic and enforcing network policies includes analyzing network traffic data based on one or more network traffic rules. An attack on the network such as a current or predicted attack is determined based on the analysis. Next, one or more policy changes to a plurality of existing network policies are identified when the current or predicted attack on the network is determined to be present. The identified one or more policy changes are enforced on one or more client computing devices causing the determined current or the predicted attack on the network.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: September 12, 2023
    Assignee: F5, Inc.
    Inventors: Yaniv Shemesh, Ron Talmor, Ranjeet Sonone
  • Patent number: 11751055
    Abstract: Integrity protection is used to assist in ensuring the secure transmission of wireless data within a cellular network. Instead of performing integrity protection on each packet data unit (PDU) transmitted/received within a PDU session, integrity protection is performed on a portion of PDUs transmitted within a cellular network. For instance, partial integrity protection may be performed on at least one predetermined PDU (e.g., the first, second, fourth, ...) that is transmitted via a Physical Downlink Shared Channel (PDSCH)/Physical Uplink Shared Channel (PUSCH) during a communication session. By performing partial integrity protection, user data may be transmitted more quickly throughout the cellular network, compared to performing full integrity protection, while still providing integrity protection.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: September 5, 2023
    Assignee: T-Mobile USA, Inc.
    Inventors: John J. Humbert, Wafik Abdel Shahid, Joshua Finger, Geoffrey Todd Gibson, Jean Cheryl Trakinat, Ming Shan Kwok, Boris Antsev
  • Patent number: 11750622
    Abstract: Some embodiments of the invention provide a forwarding element that has a data-plane circuit (data plane) that can be configured to implement a DDoS (distributed denial of service) attack detector. The data plane has several stages of configurable data processing circuits, which are typically configured to process data tuples associated with data messages received by the forwarding element in order to forward the data messages within a network. In some embodiments, the configurable data processing circuits of the data plane can also be configured to implement a DDoS attack detector (DDoS detector) in the data plane. In some embodiments, the forwarding element has a control-plane circuit (control plane) that configures the configurable data processing circuits of the data plane, while in other embodiments, a remote controller configures these data processing circuits.
    Type: Grant
    Filed: February 15, 2018
    Date of Patent: September 5, 2023
    Assignee: Barefoot Networks, Inc.
    Inventors: Changhoon Kim, Jeongkeun Lee, Masoud Moshref Javadi
  • Patent number: 11741197
    Abstract: Technology related to obfuscating programs using different instruction set architectures is disclosed. In one example, a method includes receiving a program implemented as a set of ordered instructions. Each instruction of the set of ordered instructions has a type specified by a first instruction set architecture (ISA). A subgroup of instructions is selected from the set of ordered instructions. A new instruction type is generated to perform the operations of the subgroup of consecutive instructions. The new instruction type is added to a second ISA. An updated program is generated by replacing the subgroup of instructions with a new instruction of the generated new instruction type. An interpreter for executing programs using the second ISA is generated. In response to a request for the program, the updated program and the interpreter are sent.
    Type: Grant
    Filed: October 9, 2020
    Date of Patent: August 29, 2023
    Assignee: SHAPE SECURITY, INC.
    Inventors: Kevin Gibbons, Michael J. Ficarra
  • Patent number: 11729192
    Abstract: Detection and notification of malware at a user device may be performed by a validation server. The user device may hash elements associated with a document object model of a webpage and send generated hash values to the validation server. The validation server may validate the hash values. Based on detection of hash values corresponding to elements maliciously-injected by malware, the validation server may send one or more notifications to other servers that may communicate with the user device.
    Type: Grant
    Filed: March 16, 2021
    Date of Patent: August 15, 2023
    Assignee: Bank of America Corporation
    Inventors: Joel Richard Townsend, John Raymond Omernik, William Anderson Hodges
  • Patent number: 11729178
    Abstract: Systems and methods for generating account permissions for an account on a computing system are provided. In some embodiments, application programming interface (API) interactions involving an external application and the computing system are used to generate a corresponding set of account permissions for the account. API permissions for the external application may also or instead be used to generate the set of account permissions for the account. The set of account permissions may enable the account to access the same resources on the computing system as the external application, which may avoid granting the account overly broad access to the computing system.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: August 15, 2023
    Assignee: SHOPIFY INC.
    Inventors: Sandesh Kini Kulai, Brian Swan
  • Patent number: 11729187
    Abstract: Devices and methods for protecting server devices from physical attacks use an encrypted overlay network to securely communicate between a trusted network and one or more host computer devices in communication with the trusted network. The devices and methods may generate VPN tunnels to communicate directly with individual host computer devices. The devices and methods may securely transmit data packets between the trusted network and the host computer devices using the VPN tunnels.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: August 15, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Gerardo Diaz-Cuellar, Venkata Subrahmanyam Raman