Abstract: A UE communicates with a network gateway to access a provisioning device via a provisioning network. The provisioning device uses identification data of the UE to authenticate the UE for a primary network, and provides primary network configuration data to the UE. Using the primary network configuration data, the UE communicates with the network gateway to access the primary network. The primary network configuration data can include data to enable the UE to establish communications with one or more private networks accessible via the primary network.

Abstract: One example may include forwarding a request sent outside a VPN server, via a client device, to access a second communication network detected by the client device, and the client device is communicating with the VPN server over a first communication network, responsive to receiving a captive portal, forwarding, via the client device, authentication information to obtain access to the second communication network, and the authentication information is not forwarded to the VPN server, and receiving data, by the client device, from a remote server over a bonded connection including a first connection provided by the first communication network bonded with a second connection provided by the second communication network to form the bonded connection.

Abstract: A method including receiving a record in a first timeframe; establishing a plurality of threat vectors for the record; merging the plurality of threat vectors to the record; generating a risk valuation for the record based on the plurality of threat vectors; merging the risk valuation to the record to form a risk event; and storing the risk event in a computer-readable data store.

Abstract: When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.

Abstract: A message authentication code, for a message transmitted and received over a communications network, is formed by applying inputs to an integrity algorithm acting on the message. The inputs comprise: an integrity key; a value indicating a transfer direction; and a frame-dependent integrity input, wherein the frame-dependent integrity input is a frame-dependent modulo count value that also depends on a random value and on a frame-specific sequence number.

Abstract: A computer-implemented method includes: connecting, by a computing device, to a database using an outbound connection, wherein the computing device is an information technology (IT) product in a private network and the database is outside the private network; receiving, by the computing device, a response from the database, the response including a command; executing, by the computing device, the command; and sending, by the computing device, result data to the database, wherein the result data is data that results from executing the command on the computing device.

Abstract: A network device may establish a media access control security (MACsec) key agreement (MKA) session with another network device via a MACsec communication link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the network device and a second packet processing engine of the other network device, where the fast heartbeat session is to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; place an MKA protocol of the MKA session in a pause state until the first packet processing engine detects a rekey event; determine that a key for the MKA session is to be regenerated based on detection of the rekey event; and perform an action based on the rekey event for the MKA session.

Abstract: A technical validation mechanism is described that includes the use of facial feature recognition and tokenization technology operating in combination with machine learning models can be used such that specific facial or auditory characteristics of how an originating script is effectuated can be used to train the machine learning models, which can then be used to validate a video or a particular dynamically generated passphrase by comparing overlapping phonemes or phoneme transitions between the originating script and the dynamically generated passphrase.

Abstract: Various embodiments employ technology solutions to enable isolated client device interaction with building automation and control (BAC) networks, for example including configuration of a third-party application access framework which enables access to physical devices in a built environment. For example, a data exchange gateway interfaces a system with a BAC (Building Automation and Control) network, wherein the BAC network provides via the gateway, on a periodic basis, data values presented by each of a plurality of physical devices on the BAC network. A data exchange module receives periodic data values and causes recording of those values in a BAC database isolated from the BAC network. A permissions rules module control access to data in the BAC database. An API request handling module handles requests from third-party software platforms via an API.

Abstract: A messaging system for exchanging messages between nodes in a network via a broker that uses a publish-subscribe message protocol, which nodes have object identifications (IDs). Messages between the nodes are routed using the object IDs of the nodes. Secure communication is provided using authentication according to digital certificates being used as first and second tiers by a commissioning broker and a data broker, respectively, in which the second tier certificate used by the data broker has a shorter lived expiration time.

Abstract: According to examples, an apparatus may include a processor that may determine that an application was accessed through a portal. Based on a determination that the application was accessed through the portal, the processor may determine whether a first credential type or a second credential type was supplied to access the application, in which the first credential type may include a set of personal credentials of a user and the second credential type may include a set of single sign-on credentials that the user may use to access multiple applications. The processor may also output a trace that may indicate an identification of the application that was accessed and the type of the credential supplied to access the application, in which a backed entity may analyze the data included in the trace.

Abstract: In an embodiment, a method of securing remote technical support includes monitoring a computing environment for at least one indicator of remote-control software in the computing environment in accordance with stored authentication settings. The method also includes, responsive to the monitoring, detecting the at least one indicator of remote-control software in the computing environment. The method also includes, responsive to the detection, identifying an authentication profile in the stored authentication settings that is applicable to the at least one indicator of remote-control software. The method also includes executing an authentication workflow in accordance with the authentication profile. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.

Abstract: Systems and methods of detecting an unauthorized data insertion into a stream of data segments extending between electronic modules or between electronic components within a module, wherein a Secret embedded into the data stream is compared to a Replica Secret upon receipt to confirm data transmission integrity.

Abstract: Systems and methods for combining personal networks in a Multi-Dwelling Unit (MDU).

Abstract: The present disclosure relates to a computer-implemented method of processing a data transfer. The method comprises generating a first identifier for a first entity; linking the first identifier with a second identifier associated with a second entity; sending the first identifier and the second identifier to the first server; verifying the first entity based at least on the first identifier and the second identifier; sending a message to a second server, the message comprising at least the first identifier, the second identifier, and a name associated with the first identifier; and authenticating the data transfer for the first entity based at least on the information contained in the message.

Abstract: A system for and method of transmitting verifiable e-mail includes a message ID sent to a recipient of the e-mail. A system for and method of transmitting encrypted files using e-mail and other electronic communication channels includes a computer program for storing encrypted files supplied by a user, creating a link to the encrypted files to be e-mailed to a recipient, allowing download of the encrypted files when an authorization code is provided after the link is used to go to a system server, wherein the authorization code is sent to a telephone of the recipient, via text or aurally.

Abstract: Mitigation of attack vectors that persist elevated permissions within a computing environment. Mitigated attack vectors may be configured to respond to a trigger by generating computing resources with a built-in vulnerability. Mitigated attack vectors may elevate permissions of the computing resources to some heightened level which the malicious actor had previously gained. For example, if the malicious actor had breached a user account having administrator privileges, the attack vector may respond to the trigger by creating the virtual machine and then linking the virtual machine to a service principal having the administrator-level permissions. Left unmitigated the attack vector would enable the malicious actor to regain “administrator-level” privileges even after access to the user account is halted.

Abstract: A dynamically generated search query is generated based on rarity scores associated with raw-level computer events. Event data is pre-processed using historical information about the frequency, or rarity, of instances of individual events. Each event is assigned one or more labels that identify the event based on the historical information. The rarity scores represent probabilities of events occurring with the same labels. The rarity scores are associated with n-grams of the labels (e.g., a combination of two labels, three labels, etc.). A label n-gram score is calculated based on newly observed events and the rarity scores corresponding to the label n-grams. The search query is generated based on the label n-gram score. The search query is executed against a database to retrieve information, such as diagnostics, used to alert an administrator to events that are potentially anomalous.

Abstract: A computing system has a computing device. The computing system has an input data path, which unidirectionally connects an interface device to the computing device, and an output data diode, which unidirectionally connects the computing device to the interface device. The input data path has a data lock which is connected to the interface device by a first terminal and to the computing device by a second terminal. The data lock has a storage unit for storing data and is configured such that the storage unit can be selectively connected solely to the first or second terminal but not to both terminals simultaneously. The computing device accepts data from the interface device solely if the data is transmitted to the computing device from the interface device via the input data path within a transmission session initiated by the computing device using the output data diode.

Abstract: Techniques are described herein for security hardened processing devices. For example, a method can include performing a secure boot of a processing device of a computer system. The processing device is configured as a root of trust for a secure boot process. The computer system can include the processing device and a non-volatile memory storing a basic input/output system (BIOS) for the secure boot process. The method can include identifying a set of programmable fuses of the processing device, deriving an encryption key using a value encoded by the set of programmable fuses in the processing device, and authenticating the BIOS to perform the secure boot process using a key derivation algorithm based on the encryption key.