Patents Examined by Peiliang Pan
  • Patent number: 11658971
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: May 23, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 11641285
    Abstract: Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: May 2, 2023
    Assignee: DigiCert, Inc.
    Inventors: Hari Veladanda, Hoa Ly, Ning Chai
  • Patent number: 11611480
    Abstract: Systems and methods for configuration vulnerability checking and remediation are provided. The systems provided herein identify risk based upon service indications of a particular configuration, such that automated risk analysis may be facilitated.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: March 21, 2023
    Assignee: ServiceNow, Inc.
    Inventors: David Barkovic, Cresta Kirkwood, Lal Narayanasamy, Anushree Randad, Clifford Huntington, Richard Reybok, Harold Byun
  • Patent number: 11606691
    Abstract: Techniques for applying context-based security over interfaces in O-RAN environments in mobile networks are disclosed. In some embodiments, a system/process/computer program product for applying context-based security over interfaces in O-RAN environments in mobile networks includes monitoring network traffic on a mobile network at a security platform to identify a GTP-U tunnel session setup message associated with a new session; extracting a plurality of parameters from the GTP-U tunnel session setup message and from F1AP traffic to extract contextual information at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to apply context-based security to the network traffic transported between O-RAN Distributed Unit (O-DU) and O-RAN Centralized Unit Control Plane (O-CU-CP) nodes in an O-RAN environment in the mobile network.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: March 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11588845
    Abstract: A computer-implemented method for managing a memory in a network to which a unit for detecting or preventing undesirable network intrusions is assigned. A first message is received by a user of the network in the process. If the first message is to be stored, a second message is randomly selected from the messages stored in the memory, the randomly selected second message is deleted from the memory, and the first message is stored in the memory.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: February 21, 2023
    Assignee: Robert Bosch GmbH
    Inventors: Timo Lothspeich, Michael Buchalik
  • Patent number: 11570148
    Abstract: A method and an apparatus are provided for deploying a security access control policy in the field of network security. The method, executed by a cloud management platform, includes: determining, according to an application creation instruction, an application template used for an application that needs to be created and a security profile corresponding to the application template; instructing a virtualization platform to create, according to the application template, a corresponding virtual machine for each application component in the application, and obtaining an IP address of each virtual machine created by the virtualization platform; generating a group of security access control policies corresponding to the application according to the IP address of each virtual machine and by using the security profile; and delivering the group of security access control policies to a corresponding firewall. Therefore, a security access control policy is automatically deployed.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: January 31, 2023
    Assignee: HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.
    Inventors: Chunliang Liu, Haiqing Jia, Dou Sun
  • Patent number: 11544363
    Abstract: Systems and methods for utilizing an image capture device to scan facial features of a user, responsive to recognition of a plurality of beam projection points on the face of the user. The first data captured from scanning the facial features may be authenticated against a facial depth map stored as a data structure in a data storage medium. In response to successful authentication, the facial features of the user may be continually scanned to detect facial movements indicative of the user's liveness. Access may be granted to the user, in response to verifying the user's liveness.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: January 3, 2023
    Assignee: FAIR ISAAC CORPORATION
    Inventors: Milind Madhukar Deore, Dabar Singh Parihar, Subhash Reddy K
  • Patent number: 11546309
    Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: January 3, 2023
    Assignee: CLOUDFLARE, INC.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
  • Patent number: 11507653
    Abstract: A management service can be used to manage enterprise applications. Management agents can be installed in each enterprise application, e.g., in each virtual machine of each enterprise application. The management agent can check each process created by its host virtual machine against a local whitelist. If the local whitelist indicates the process is safe, the process can be executed. Otherwise, an alert including a process description is sent to the management service. An alert analyzer of the management service can check information of the management service itself as well as third-party information to determine whether or not the process is safe. In the event the alert analyzer determines a process that was the subject of an alert is, in fact, safe, an indication that the process is safe is added to the local whitelist.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: November 22, 2022
    Assignee: VMware, Inc.
    Inventors: Vaibhav Rekhate, Nilesh Awate, Amit Vasant Patil, Vijay Ganti
  • Patent number: 11503027
    Abstract: A technique to manage a configuration database (CDB) for a network device is disclosed. Network devices may receive a configuration change request as a configuration change object. To process that request, a current configuration CLI set representative of the current CDB may be generated. The network device creates a shadow CDB initially corresponding to the current CDB and processes the change request against the shadow CDB. An updated configuration CLI set may then be generated from the updated shadow CDB. A differential CLI set indicating the difference between the first CLI set and the second CLI set may be generated to represent a set of CLI commands to transition from one CDB to the other (e.g., implement the request). Authorization of the user to execute the CLI commands of the differential CLI dataset may be verified. Upon verification, the current CDB may be replaced with the updated shadow CDB.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: November 15, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Michael Zayats, Sagar Bhanagay, Hitesh Padekar
  • Patent number: 11451404
    Abstract: A blockchain integrated station receives a configuration instruction after accessing a blockchain network. The blockchain integrated station configures, based on the configuration instruction, a first network address corresponding to a certificate authority center and a second network address corresponding to a first blockchain node in the blockchain network. The blockchain integrated station initiates an authentication request to the certificate authority center based on the first network address. The blockchain integrated station receives, from the certificate authority center, a digital certificate after the certificate authority center determines that the authentication request passes verification. The blockchain integrated station sends, based on the second network address, the digital certificate to the first blockchain node, where the digital certificate is used by the first blockchain node to add the blockchain integrated station as a new blockchain node in the blockchain network.
    Type: Grant
    Filed: June 28, 2021
    Date of Patent: September 20, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Changzheng Wei, Ying Yan, Hui Zhang
  • Patent number: 11424910
    Abstract: A customer blockchain data store is provided. An exemplary method comprises obtaining a blockchain associated with a given customer of an enterprise having multiple customer communication channels, wherein the blockchain comprises transaction data for the given customer with the customer communication channels; obtaining new transaction data for the given customer for a given one of the customer communication channels; providing the new transaction data for the given customer to additional customer communication channels; receiving a validation of the new transaction data from the additional customer communication channels based on one or more predefined validation criteria; and storing the validated new transaction data for the given customer in the blockchain associated with the given customer.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: August 23, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Amihai Savir, Anat Parush Tzur, Or Herman Saffar, Avitan Gefen, Alon Shitrit
  • Patent number: 11423128
    Abstract: A method for setting permissions of a user in a system in an information exchange unit is disclosed in the present invention, including: setting multiple information sections for the information exchange unit; setting participation roles for each information section respectively, wherein the participation role includes one or more roles in the system; and setting permissions of each of the participation roles in the information section, wherein each role is an independent individual not a group/a class, one role can only be related to a unique user during the same period, and one user is related to one or more roles; and creating relations between users and roles in the system. According to the present invention, when an employee changes his/her work content or is transferred from a post, permissions of the employee in an information section of the information exchange unit do not have to be set separately.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: August 23, 2022
    Assignee: CHENGDU QIANNIUCAO INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Dazhi Chen
  • Patent number: 11423130
    Abstract: One embodiment of the invention is a method utilizing a CAPTCHA to generate a human likeness score including blocks: a) receiving a user solution to the CAPTCHA; b) receiving a user interaction pattern descriptive of an interaction undertaken by the user, through a graphical interface of the CAPTCHA, to achieve the user solution; c) determining the accuracy of the user solution; d) comparing the user interaction pattern against an interaction model generated from interaction patterns of previous users; e) calculating the human likeness score based upon the determination of block c) and the comparison of block d), wherein the human likeness score lies within a continuum of human likeness scores.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: August 23, 2022
    Assignee: Imperva, Inc.
    Inventors: Tyler James Paxton, Reid Michael Tatoris, Benjamin Trenda, Elvis Jakupovic, Steven P. Burkett, Adam Michael Janower
  • Patent number: 11416608
    Abstract: Events within a computer system are grouped in order to identify security threats and, in some cases, perform an action to mitigate the threat. In some aspects, a computing system event that meets a criterion is identified. A first layer of computing resources is determined which includes computing resources referenced during the computing system event. A second layer of computing resources is then determined, the second layer including one or more of a parent process or file loaded by the first layer processes, a process writing to a file included in the first layer of computing resources, or a previous version of a file included in the first layer of computing resources. Similarities between computing resource pairs in the first and second layers are determined, and a group of high similarity pairs related to each other is identified. In some embodiments, a mitigating action is identified based on the group.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sadegh Momeni Milajerdi, Mariusz H. Jakubowski, Jugal Parikh
  • Patent number: 11403393
    Abstract: Described herein are systems, methods, and software to enhance the management of responses to incidents. In one example, a method of improving responses to incidents in an information technology environment includes identifying an incident associated with a component of the information technology environment. The method further provides determining a predicted resolution time for the incident by each analyst of the plurality of analysts based on the incident response information and selecting an analyst to resolve the incident based on the predicted resolution times.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: August 2, 2022
    Assignee: Splunk Inc.
    Inventor: Sourabh Satish
  • Patent number: 11388001
    Abstract: An encrypted communication is correctly decrypted even when key exchange completion notification is delayed. A key storage (10) stores at least one common key which is shared with another encrypted communication device. A key selecting unit (11) selects an encryption key from the at least one common key stored in the key storage (10). An encrypting unit (12) generates encrypted data by encrypting, by using the encryption key, data to be transmitted to the other encrypted communication device. A transmitting unit (13) transmits, to the other encrypted communication device, the encrypted data with a key index, by which the encryption key is uniquely identified, added thereto. A receiving unit (14) receives the encrypted data with the key index added thereto from the other encrypted communication device. A key obtaining unit (15) obtains, from the at least one common key stored in the key storage (10), a decryption key corresponding to the key index added to the encrypted data.
    Type: Grant
    Filed: July 27, 2018
    Date of Patent: July 12, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Reo Yoshida, Tetsutaro Kobayashi, Yuto Kawahara, Tomohide Yamamoto, Hironobu Okuyama
  • Patent number: 11349639
    Abstract: An application-specific integrated circuit (ASIC) and method are provided for executing a memory-hard algorithm requiring reading generated data. A processor or state machine executes one or more steps of the memory-hard algorithm and requests the generated data. At least one specialized circuit is provided for generating the generated data on demand in response to a request for the generated data from the processor. Specific embodiments are applied to memory-hard cryptographic algorithms, including Ethash and Equihash.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: May 31, 2022
    Assignee: ePIC Blockchain Technologies Inc.
    Inventor: Toan-Earl Mai
  • Patent number: 11336621
    Abstract: A hardware device with embedded software, for detecting Wi-Fi network attacks, including random access memory storing operating software for the device, Flash or EEPROM memory storing Wi-Fi network attack rules and attack data, a Wi-Fi interface monitoring and intercepting Wi-Fi packets and Wi-Fi frames transmitted to and from a mobile station being protected by the device, embedded operating software analyzing sequences of Wi-Fi packets and frames intercepted by the Wi-Fi interface to detect an attempted Wi-Fi network attack, based on the attack rules and the attack data stored in the Flash or EEPROM memory, and sending a notification message to the mobile station when an attempted Wi-Fi network attack is detected, a processor running the embedded operating software, and a power supply supplying power to the processor, to the random access memory, to the Flash or EEPROM memory, and to the Wi-Fi interface.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: May 17, 2022
    Inventor: Shlomo Touboul
  • Patent number: 11336662
    Abstract: Technologies for detecting abnormal activities in an electric vehicle charging station include an apparatus. The apparatus includes circuitry configured to determine a cyber security threat level for the charging station in which the electric vehicle charger is located. Additionally, the circuitry is configured to perform, as a function of the determined cyber security threat level, a responsive action to protect the charging station from a cyber security threat.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: May 17, 2022
    Assignee: ABB Schweiz AG
    Inventors: Junho Hong, Hyojong Lee, Zhenyuan Wang