Patents Examined by Ondrej C. Vostal
  • Patent number: 11178223
    Abstract: A method, computer program product, and computer system for applying a firewall security layer to software for hardware interface. Sensor data imported by the hardware interface may be secured using the firewall security layer. The sensor data may be provided to an artificial intelligence (AI) expert system. The sensor data provided to the AI expert system may be analyzed. An indication of an insecure condition may be provided via a user interface based upon, at least in part, analysis of the sensor data.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: November 16, 2021
    Assignee: PHACIL, LLC
    Inventor: Roger Joseph Morin
  • Patent number: 11178107
    Abstract: Systems and methods of detecting network traffic tampering by monitoring the network traffic for network packets that arrive outside of an allowable error band and rejecting those packets for which transit times are outside the control limits due to possible tampering are provided.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: November 16, 2021
    Inventor: Michael Schloss
  • Patent number: 11165824
    Abstract: Presented herein is a solution in which a Producer that provides Transport Layer Security (TLS) over a hybrid Information Centric Network (hICN) announces two different hICN prefixes or namespaces. One hICN prefix is for performing a TLS handshake (also called a handshake prefix or handshake namespace) and another hICN prefix (also called a secure prefix or secure namespace) is to publish content in a secure and confidential manner with a Consumer that correctly performs a TLS handshake. While the handshake prefix is public and shared by multiple Consumers, a secure prefix is uniquely assigned to a Consumer after the TLS handshake successfully terminates. Content published under the secure prefix is encrypted with the encryption key established during the TLS handshake. Names used in the secure namespace are private, meaning only the Consumer and Producer that perform the handshake can infer any information about a content by looking at the name.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: November 2, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Alberto Compagno, Luca Muscariello
  • Patent number: 11165817
    Abstract: A computer method and system for detecting denial of service network attacks by analyzing intercepted data packets on a network to determine a user account associated with a preselected target host sought to be accessed via a user account login attempt. Determine if the login attempt exceeds a predetermined login value for previous failed login attempts associated with the user account sought to be accessed. Determine a geographic location associated with the login attempt if determined the login attempt exceeded the predetermined login value. Determine if a prior login attempt to the user account sought to be accessed was successful from the determined geographic location. Authenticate the login attempt to the user account sought to be accessed in the event it was determined a prior successful login attempt was made to the user account from the determined geographic location or no prior login attempts originated from the determined geographic location.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: November 2, 2021
    Assignee: Arbor Networks, Inc.
    Inventors: Sean O'Hara, Andrew David Mortensen, Brian St. Pierre
  • Patent number: 11159497
    Abstract: Techniques are provided for secure message passing. A sender process has a clear (non-encrypted) text message to pass to a recipient process as an encrypted message. The sender generates a message encryption key (MEK) for encrypting the message and sends the MEK to a first intermediary process, which encrypts the MEK. The sender uses the MEK to encrypt the message and passes both the encrypted message and the encrypted MEK to a second intermediary process. The second intermediary verifies that the sender is authorized to send messages and retains the encrypted message and the encrypted MEK. The second intermediary passes the encrypted message and the encrypted MEK to the recipient, which requests decryption of the encrypted MEK from the first intermediary. The first intermediary then decrypts the MEK and returns it to the recipient. Finally, the recipient decrypts the message using the MEK.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: October 26, 2021
    Assignee: Citrix Systems, Inc.
    Inventor: Alexandr Smelov
  • Patent number: 11153350
    Abstract: Systems and methods are described for determining an on-net/off-net status of a client device. An endpoint security program running on the client device maintains an enterprise public Internet Protocol (IP) list containing one or more ranges of public IP addresses associated with an enterprise network. Further, the endpoint security program sends a request to a cloud-based service for information regarding a public IP address of the client device. In response to the request, the endpoint security program receives from the cloud-based service a response containing the public IP address and determines a connection status of the client device with respect to the enterprise network by comparing the public IP address to the enterprise public IP list.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: October 19, 2021
    Assignee: Fortinet, Inc.
    Inventor: Aldo Di Mattia
  • Patent number: 11153224
    Abstract: A method of providing an infrastructure of virtual resources in a cloud comprising automatically provisioning the virtual resources with other virtual resources with which to communicate to access data they need to provide functionalities to the infrastructure.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: October 19, 2021
    Assignee: RADCOM LTD.
    Inventors: Alon Halimi, Tal Yaniv, Tomer Tuvia Ilan
  • Patent number: 11151515
    Abstract: A computer-implemented method for controlling email distribution list membership in an enterprise email system, including the steps of monitoring and collecting continuously updated information regarding access to email distribution lists of an email system by members of the email distribution lists, ascertaining that a particular member of at least one of the email distribution lists has not accessed the at least one of the email distribution lists for a predetermined period of time, and responsive to the ascertaining, at least one of recommending revoking membership of the particular member to the at least one of the email distribution lists and automatically revoking membership of the particular member to the at least one of the email distribution lists.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: October 19, 2021
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir, David Bass
  • Patent number: 11140221
    Abstract: The present invention generally relates to network-attack-resilient intrusion-tolerant Supervisory Control and Data Acquisition (SCADA) systems. Some implementations utilize redundant, proactively-recovery-configured servers at multiple centers communally executing a replication protocol. Some implementations, in addition to control centers, include data centers, which participate in the replication protocol, except that they may not be capable of controlling remote units such as Remote Terminal Units (RTUs).
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: October 5, 2021
    Assignee: THE JOHNS HOPKINS UNIVERSITY
    Inventors: Yair Amir, Amy Babay, Thomas Tantillo
  • Patent number: 11140030
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: October 5, 2021
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Bursell
  • Patent number: 11134083
    Abstract: A cloud computing environment may have a landscape space for singleton applications including a SAAS UAA component to receive a subscription request associated with a user and a platform SAAS application. A user system registry may indicate spaces in which the user is registered, a route proxy agent may route communications via a first secure communication channel in accordance with information in the user system registry, and a route service broker may handle binding requests. The environment may also include a first system space for first system microservices with a first system onboarding application that receives provisioning application information via the route proxy agent and the secure communication channel. First backend microservices may similarly receive application router information, and a first route service shared instance clone may provide binding requests to the route service broker. A second system space for second system microservices may similarly be provided.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: September 28, 2021
    Assignee: SAP SE
    Inventor: Sapreen Ahuja
  • Patent number: 11128670
    Abstract: A method for dynamically remediating a security system entity includes establishing a security score for a security system entity (SSE) supporting a trusted network based on a security policy configuration of the SSE. The method further includes receiving, by the SSE, ingress network traffic flows directed to the trusted network and determining an updated security score for the SSE based on the security policy configuration of the SSE and the ingress network traffic flows that are permitted into the trusted network via the SSE. The method also includes remedying the security policy configuration of the SSE if the updated security score differs from the baseline security score by a predefined amount.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: September 21, 2021
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Rajat Gopal, Cheng Liu
  • Patent number: 11126418
    Abstract: Technologies for distribution of a shared image include determining results of a first hash operation applied to a plurality of elements of an image of a software installation, determining results of the first hash operation applied to the plurality of contents of a client, comparing results of the first hash operation applied to the plurality of elements of the image with the results of the first hash operation applied to the plurality of contents of the client, determining that one or more of the plurality of elements of the image are unavailable on the client based on the comparison of the results of the first hash operation applied to the plurality of elements of the image with the results of the first hash operation applied to the plurality of contents of the client, and causing the transmission of the elements to the client.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: September 21, 2021
    Assignee: McAfee, LLC
    Inventor: Simon Hunt
  • Patent number: 11122019
    Abstract: Described is an improved approach to ensure high availability for established sessions (e.g., application layer sessions) over network connections that negotiates and renegotiates encryption keys (e.g., TLS/SSL) at clean boundaries to ensure in-transit data are properly handled during migration of an application (e.g., a reverse proxy server instance). Connected TCP sessions may be handed off to another application (e.g., from existing proxy server to new/upgraded proxy server) and after establishing a new TLS session with a new encryption key, data transfer may be resumed between a client and a server using the new/upgraded application in a client-server architecture.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: September 14, 2021
    Assignee: Oracle International Corporation
    Inventors: Abhishek Dadhich, Kant C. Patel, Feroz Alam Khan, Bhaskar Mathur, Srinivas Pamu
  • Patent number: 11115370
    Abstract: A processor may analyze one or more social media messages from one or more social media platforms. Each of the one or more social media messages may include a generalized metadata tag and the one or more social media messages may be categorized as a generalized group. The processor may determine, from the generalized group, that the one or more social media messages exceeds a generalized threshold. The processor may generate a first specialized metadata tag for a first set of social media messages included in the one or more social media messages. The processor may partition, based on the first specialized metadata tag, the first set of the one or more social media messages into a specialized group within the generalized group. The processor may direct one or more users associated with the first set of social media messages to the specialized group.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: September 7, 2021
    Assignee: International Business Machines Corporation
    Inventors: Paul R. Bastide, Robert E. Loredo, Fang Lu, Matthew E. Broomhall
  • Patent number: 11115486
    Abstract: Techniques for managing data include receiving, at a data store, a persistent data object generated by a source application, the object configured to be compatible with a plurality of applications and document types. The object is associated with a unique identifier. In response to a request for the object, the object is accessed based on its unique identifier and sent to a computing device executing a destination application. The object is incorporated by and is compatible with a destination document being edited by the destination application. An update to the object is received that is generated by a user application editing a user document. In response to receiving an indication that the object has been inserted in the destination document, the update is sent by the data store to the destination computing device and is usable to update the object as incorporated in the destination document.
    Type: Grant
    Filed: August 8, 2018
    Date of Patent: September 7, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rolando Jimenez Salgado, David Mowatt, Andreas Balzer, Muiris Woulfe, Johnny S. Campbell, Stephen O'Driscoll, Venkat Pradeep Chilakamarri
  • Patent number: 11108831
    Abstract: Disclosed are various examples for managing and customizing policy configurations on user devices enrolled in an enterprise management service. The policy configurations can include machine policies and/or user policies. An administrator can customize a baseline including a list of policies supported by an operating system of managed user devices. A management component on the user devices can obtain the baseline specified by the administrator from a managing service and apply the policies to the user device.
    Type: Grant
    Filed: January 4, 2019
    Date of Patent: August 31, 2021
    Assignee: VMWARE, INC.
    Inventors: Robert Stanley Schlotman, Jr., Zuhaib Zakaria Abdul Zakaria Khan, Srinivasan Subramanian, Arnout Martijn Grootveld
  • Patent number: 11108738
    Abstract: A whitelist generation possibility/impossibility determination unit transmits a signal for permitting generation of a whitelist to a whitelist generating unit, in a case where an IP address corresponding to a source MAC address stored in a protocol information table matches the extracted source IP address, and in a case where an IP address corresponding to a destination MAC address stored in the protocol information table matches the extracted destination IP address.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: August 31, 2021
    Assignee: ALAXALA NETWORKS CORPORATION
    Inventors: Kazuaki Honma, Keigo Uchizumi
  • Patent number: 11102243
    Abstract: Method and apparatus for preventing communications with potentially compromised computing instances are described. An example method generally includes receiving, from a requesting device, a request to interact with the resource instance in the computing environment. A system examines current ownership information associated with the resource instance in the computing environment and determines that the resource instance is potentially compromised based, at least in part, on a determination that the ownership information associated with the resource instance has changed from the owner identified in a historical record to a second owner. Responsive to the determination that the resource instance is potentially compromised, the system takes action to manage communications with the resource instance so as to prevent the requesting device from sharing information with the resource instance.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: August 24, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Jamie Plenderleith, Rostislav Babocichin, Parker J. Lord
  • Patent number: 11102251
    Abstract: Deploying configurations on computing devices and validating compliance with the configurations during scheduled intervals. Particular embodiments described herein include computing devices that send requests to a management platform at different time periods for lists of configurations that are assigned to those computing devices at those different time periods. Received lists include identifiers of the configurations that are assigned to those computing devices during the different time periods. Local agents on the computing devices use the received lists to determine if each of the configurations in that list is implemented. If a configuration is not implemented on a computing device, the local agent on that computing device implements that configuration or alerts the management platform that the configuration could not be implemented.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: August 24, 2021
    Assignee: Kandji, Inc.
    Inventors: Adam Pettit, Wesley Pettit, Mark Daughters, Brandon Modesitt