Abstract: Systems and methods for using an application control prioritization index are disclosed.

Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.

Abstract: A system and method are described for information extraction from network traffic traces that are both encrypted and non-encrypted. The system includes a client computer and a remote computer, where the client computer communicates data over a network. The client computer sets a session key log file environment variable, such that when the client computer launches a supported browser, a session key log file (KLF) is created, computer network traffic traces are captured by retrieving data from encrypted traffic, and the KLF and captured traffic are periodically transferred to a remote server. A remote computer performs traffic mining to analyze the captured traffic traces and extract sensitive pieces of information.

Abstract: In one embodiment, a method is provided. The method includes receive, by a networking device, a request from a first computing device, to connect to the networking device. The method also includes creating a first network. The first network is one of a set of networks of the networking device. The first computing device is one of a set of computing devices that are connected to the network device. Each network of the set of networks is initially isolated from other networks of the set of networks when the network is created. Each network of the set of networks comprises a respective computing device of the set of computing devices. The method further includes assigning the first computing device to the first network.

Abstract: Provided in the embodiments of the present disclosure are a blockchain-based method and system for handling domain name abuse. All network nodes in a public blockchain can report domain name abuse, and all network nodes receiving reported data are entitled to participate in the process of judging whether domain name abuse exists in the reported data. The public blockchain obtains a target judgment result of whether domain name abuse exists by means of integrating first judgment results of multiple identification nodes on whether domain name abuse exists in the reported data and credit value of each identification node. Alternatively, when the number of identification nodes in the public blockchain is less than a preset number of nodes, a consortium blockchain composed of regulatory agencies directly judges whether domain name abuse exists in the reported data, and the judgment result serves as the target judgment result.

Abstract: An apparatus comprises a processing device configured to determine an asset identifier for an information technology asset, to encrypt the asset identifier utilizing a public key of a first homomorphic encryption key pair, and to evaluate a first homomorphic encryption function for a first homomorphically encrypted access authorization object that takes as input the encrypted asset identifier and provides as output an encrypted access authorization identifier. The processing device is also configured to decrypt the access authorization identifier utilizing a secret key of the first homomorphic encryption key pair and, responsive to validating the access authorization identifier, to evaluate additional homomorphic encryption functions for additional homomorphically encrypted access authorization objects that return encrypted access authorization information.

Abstract: A method, node, wireless device and installation device are disclosed. In one or more embodiments, a node configured to operate a security virtual local area network (VLAN) and a customer VLAN independent from the security VLAN is provided. The security VLAN is configured to operate using a first network partition different from a second network partition used by the customer VLAN. The node includes processing circuitry configured to receive information from a first device requesting access to the node, determine whether to add a first device to the security VLAN based at least on the received information from the first device meeting a predefined criterion, and configure the first device to access one of the security VLAN and customer VLAN based at least on the determination.

Abstract: Techniques for expressing, communicating, de-conflicting, and enforcing consistent access policies between an IBN architecture and a Cloud-Native architecture. Generally, network administrators and/or users of a Cloud-Native architecture and an IBN architecture express access policies independently for the two different domains or architectures. According to the techniques described herein, a Network Service Endpoint (NSE) of the Cloud-Native architecture may exchange access policies with a network device of the IBN architecture. After exchanging access policies, conflicts between the sets of access policies may be identified, such as differences between allowing or denying communications between microservices and/or applications. The conflicts may be de-conflicted using various types of heuristics or rules, such as always selecting an access policy of the IBN architecture when conflicts arise.

Abstract: Methods and systems for providing vendor agnostic captive portal authentication in a network that includes a plurality of network access devices are provided. For instance, one method includes receiving a redirect request for a communication between a first user-terminal and a first network access device, the redirect request including at least one of a vendor-specific item of information of the first network access device and an Internet Protocol (IP) address of the first network access device. The method further includes comparing the at least one of the vendor-specific item of information of the first network access device and the IP address of the first network access device against each of a plurality of entries of a network access device database, and providing the first user-terminal access to a captive portal page in response to an appropriate match.

Abstract: A multi-tenant computer system authenticates access to a shared datastore by a shared service running on the multi-tenant computer system. The shared service is operable to access the shared datastore to execute requests from a plurality of multi-tenant cloud computing services. The requests include an indication of a particular tenant and a particular tenant grouping indicator. Requests are authenticated by cryptographically verifying the request and verifying that the particular tenant is associated with the particular tenant grouping indicator. In response to authenticating a request, the shared service accesses the shared datastore to execute the first request.

Abstract: A middleware system and corresponding methods are described whereby data communications, either inter-device or intra-device, are coordinated using a set of cryptographic identifiers that correspond to computing elements, such as interfaces, methods, parameters, classes, among others. The cryptographic identifiers are coupled to data messages being sent across the middleware system and processed to indicate adherence to protocol standards and/or to cause transformation of the data messages such that the receiver receives a data message adhering to their acceptable protocol standards.

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

Abstract: Authentication management by receiving a request to initiate an authentication from a computing device of a user, directing the request to a selected authentication service of a plurality of authentication services, wherein the selected authentication service is determined dynamically based on respective authentication metrics of the plurality of authentication services, receiving authentication information via the selected authentication service, and authenticating the user based on the received authentication information.

Abstract: The systems and methods of gesture triggered automatic erasure on a private network, comprising: securely connecting, embedding, sending information within one or more secure objects on the first computing device; detecting, by the first computing device, a signal as a zeroization trigger responsive to a user gesture; and sending, by the first computing device via the private network, a message informing the second computing device of the zeroization trigger, the message causing the second computing device to execute automatic erasure of the one or more secure objects stored on the second computing device; wherein: the second computing device belongs to a zeroization group; the message causing each member computing device belonging to the zeroization group to execute the automatic erasure of the one or more secure objects.

Abstract: First data from a user device is received on an electronic computing device. The first data is encrypted to generate second data. The second data is fragmented and stored in a plurality of data stores.

Abstract: An information processing apparatus includes a processor configured to transmit connection information regarding a repay apparatus to a terminal in a case where terminal unique information is received from the terminal subjected to network authentication performed by communication equipment of a carrier, and cause the terminal to connect to the relay apparatus using the connection information regarding the relay apparatus, where the relay apparatus is associated with the terminal unique information as an apparatus to be connected to a local network, and where the relay device is on a public network connected to a mobile carrier network provided by the carrier. If the relay apparatus successfully authenticates the terminal, the terminal and the relay apparatus are connected to each other over a virtual private network.

Abstract: One or more embodiments of the present specification relate to a data processing method for binding server accounts. An example method includes, in response to obtaining a binding request, determining a first account, and sending binding request feedback data to a terminal device. In response to obtaining binding object selection data that indicates a selection of candidate binding objects presented by the terminal device, a respective target binding object is determined for each selected candidate binding object, and a respective target server is determined for each target binding object. For each target server, the first account is bound to a second account of the target server.

Abstract: The techniques herein are directed generally to personalized secure communication session management, such as for virtual private networks (VPNs). In one embodiment, a user is authenticated at a client device to verify that the user is present at the client device and authorized to access one or more secured resources, and in response, a secure communication session is established for the client device to access the secured resources. At a later time during the secure communication session, it is determined whether the user is still authenticated at the client device, such that if so, access to the one or more secured resources is maintained on the secure communication session, or else access is restricted to the one or more secured resources (e.g., the session is terminated, or access is otherwise limited).

Abstract: A method for managing information handling systems includes obtaining, by a stackable system role (SSR) manager of an information handling system, an SSR instruction, performing an encoding on the SSR instruction using a public key to obtain an encoded instruction value, providing an encoded SSR instruction to a local hardware resource manager of the information handling system, wherein the encoded SSR instruction comprises the SSR instruction and the encoded instruction value, obtaining, from the hardware resource manager, a response, wherein the response specifies whether the encoded SSR instruction is valid, and based on the response, initiating an execution of the SSR instruction.

Abstract: A protocol that is managed by a coordinating network element or third-party intermediary or peer network elements and utilizes tokens prohibits any subset of a union of the coordinating network element or third-party intermediary, if any, and a proper subset of the processors involved in token generation from substantively accessing underlying data. By one approach, processors utilize uniquely-held secrets. By one approach, an audit capability involves a plurality of processors. By one approach, the protocol enables data transference and/or corroboration. By one approach, transferred data is hosted independently of the coordinating network element. By one approach, the coordinating network element or third-party intermediary or a second requesting network element is at least partially blinded from access to tokens submitted by a first requesting network element. By one approach, a third-party intermediary uses a single- or consortium-sourced database.