Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a detection node in communication with a network function virtualization, NFV, system operating a NFV stack that is logically separable into a plurality of levels including a first level and a second level is provided. The detection node includes processing circuitry configured to: translate an executed first level event sequence to at least one translated second level event sequence, and compare the at least one translated second level event sequence to an executed second level event sequence to at least in part detect inconsistencies between the at least one translated second level event sequence and the executed second level event sequence where the executed second level event sequence and the executed first level event sequence being part of a multi-level sequence flow.

Abstract: Systems and methods for anonymizing data are provided herein. A network node can receive privacy constraints from a data owner and utility requirements from at least one data processor. An anonymization mechanism can be selected for each data attribute in a data set, based on its specified privacy constraint and/or utility requirement, from the available anonymization mechanism(s) appropriate for its associated attribute type.

Abstract: A method, system and nodes are disclosed. According to one or more embodiments, a management node (16) is provided. The management node (16) includes processing circuitry (36) configured to receive an origin certificate for a first service type where the received origin certificate includes a public key and a private key, receive a certificate request for a first instance of the first service type, generate a first proxy certificate based at least on the received origin certificate, and transmit the first proxy certificate and the public key of the received origin certificate to a first virtual network function component where the public key of the received origin certificate is for inclusion to a listing of trusted certificates at the first virtual network function component.

Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a data node is provided. The data node includes processing circuitry configured to: receive an anomaly estimation for a first privatized dataset, the first private dataset being based on a dataset and a first noise profile, apply a second noise profile to the dataset to generate a second privatized dataset, the second noise profile being based at least on the anomaly estimation, and optionally cause transmission of the second privatized dataset for anomaly estimation.

Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a detection node in communication with a network function virtualization, NFV, system operating a NFV stack that is logically separable into a plurality of levels including a first level and a second level is provided. The detection node includes processing circuitry configured to: translate an executed first level event sequence to at least one translated second level event sequence, and compare the at least one translated second level event sequence to an executed second level event sequence to at least in part detect inconsistencies between the at least one translated second level event sequence and the executed second level event sequence where the executed second level event sequence and the executed first level event sequence being part of a multi-level sequence flow.

Abstract: According to some embodiments, a security management entity is provided. The security management entity includes processing circuitry configured to: generate a key having a plurality of key parts, anonymize at least a first data instance at least in part by using the key with threshold cryptography, transmit a respective key part to each one of the plurality of trusted entities, store at least one key part where the stored at least one key part is different from the transmitted respective key parts, receive a message from a first trusted entity of the plurality of trusted entities for investigating the anonymized first data instance where the message includes one of the transmitted respective key parts, and deanonymize the first data instance using the stored at least one key part and the one of the transmitted respective key parts associated with the first trusted entity.

Abstract: A method, computing device and system are disclosed for evaluating security of virtual infrastructures of tenants in a cloud environment. At least one security metric may be calculated for virtual infrastructures of a tenant based on information associated with at least one virtual resource of the first tenant and at least one interaction of the at least one virtual resource of the first tenant with at least one virtual resource of at least one other tenant in a multi-tenant virtualized infrastructure. At least one security parameter may be evaluated for the first tenant based at least in part on at least one of the at least one calculated security metric for monitoring a security level of the first tenant relative to the at least one other tenant in the multi-tenant virtualized infrastructure.

Abstract: A security management system including a first TEE and a common TEE is provided. The first TEE is a secured environment for data associated with a first entity. The common TEE is a seemed environment for data associated with any one of a plurality of entities. First anonymization parameters are shared between the first TEE and the common TEE The first anonymization parameters arc based at least in part on at least one privacy requirement of the first entity and at least one utility requirement of the security management system. The security management system includes processing circuitry configured to: anonymize first data associated with the first entity based at least in part on the first anonymization parameters, analyze at least the anonymized first data for performing data investigation, and generate analysis results based at least in part on the analysis of at least the anonymized first data.

Abstract: Systems and methods for verifying the validity of a network link are described herein. A verification packet and an associated packet handling flow can be generated and added to a network in order to investigate a link between network nodes (e.g. switches).

Abstract: A method, system and apparatus are disclosed. In one or more embodiments, a differential privacy, DP, node is provided. The DP node includes processing circuitry configured to: receive a query request; receive a first input corresponding to a utility parameter; receive a second input corresponding to a privacy parameter; select a baseline DP mechanism type based at least on a query request type of the query request, the first input and the second input, where the baseline DP mechanism type includes at least a noise parameter; generate a noise distribution based on the baseline DP mechanism type using a first value of the noise parameter; and determine a DP query result based on applying the noise distribution to the query request applied on a data set.

Abstract: Systems and methods for anonymizing data are provided herein. A network node can receive privacy constraints from a data owner and utility requirements from at least one data processor. An anonymization mechanism can be selected for each data attribute in a data set, based on its specified privacy constraint and/or utility requirement, from the available anonymization mechanism(s) appropriate for its associated attribute type.

Abstract: Systems and methods for managing firewall rules in a distributed firewall system are provided. A first subset of rules is identified to be removed from a first firewall in a first domain and to be added to a second firewall in a second domain. A second subset of rules is identified to be duplicated from the first firewall to the second firewall. Usage statistics for the rules in the identified subsets are synchronized between the first and second firewalls and the second firewall can be configured accordingly.

Abstract: A node includes processing circuitry configured to encrypt first network data including a first tenant identifier using a first cryptographic key to generate first encrypted data and anonymize the first encrypted data to generate anonymized data where the anonymizing of the first encrypted data includes segmenting the first encrypted data and the anonymizing of the first encrypted data preserving relationships among the first network data associated with the first tenant identifier, encrypt the anonymized data using a second cryptographic key to generate encrypted anonymized data, transmit the encrypted anonymized data, at least one analysis parameter, at least one security policy and instructions to analyze the encrypted anonymized data using the at least one analysis parameter, the at least one security policy and the second cryptographic key, receive analysis data resulting from the analysis of the encrypted anonymized data, and determine verification results from the received analysis data.

Abstract: A node including processing circuitry configured to: generate anonymized data based at least in part on a first cryptographic key and network data, calculate a coordination vector, generate initialized data based at least in part on the anonymized data, a second cryptographic key and the coordination vector, transmit the initialized data, the random vector, a security policy and instructions to analyze n iterations of the initialized data and the security policy using the random vector and the second cryptographic key, and receive results of the analysis of the n iterations of the initialized data and the security policy using the random vector and the second cryptographic key. The analysis of an m iteration of the n iterations correspond to an analysis of the initialized data with prefix preservation where the analysis of the remaining iterations of the n iterations fail to be prefixed preserved.

Abstract: A node includes processing circuitry configured to encrypt first network data including a first tenant identifier using a first cryptographic key to generate first encrypted data and anonymize the first encrypted data to generate anonymized data where the anonymizing of the first encrypted data includes segmenting the first encrypted data and the anonymizing of the first encrypted data preserving relationships among the first network data associated with the first tenant identifier, encrypt the anonymized data using a second cryptographic key to generate encrypted anonymized data, transmit the encrypted anonymized data, at least one analysis parameter, at least one security policy and instructions to analyze the encrypted anonymized data using the at least one analysis parameter, the at least one security policy and the second cryptographic key, receive analysis data resulting from the analysis of the encrypted anonymized data, and determine verification results from the received analysis data.

Abstract: A method, computing device and system are disclosed for evaluating security of virtual infrastructures of tenants in a cloud environment. At least one security metric may be calculated for virtual infrastructures of a tenant based on information associated with at least one virtual resource of the first tenant and at least one interaction of the at least one virtual resource of the first tenant with at least one virtual resource of at least one other tenant in a multi-tenant virtualized infrastructure. At least one security parameter may be evaluated for the first tenant based at least in part on at least one of the at least one calculated security metric for monitoring a security level of the first tenant relative to the at least one other tenant in the multi-tenant virtualized infrastructure.

Abstract: Systems and methods for verifying the validity of a network link are described herein. A verification packet and an associated packet handling flow can be generated and added to a network in order to investigate a link between network nodes (e.g. switches).

Abstract: Systems and methods for managing firewall rules in a distributed firewall system are provided. A first subset of rules is identified to be removed from a first firewall in a first domain and to be added to a second firewall in a second domain. A second subset of rules is identified to be duplicated from the first firewall to the second firewall. Usage statistics for the rules in the identified subsets are synchronized between the first and second firewalls and the second firewall can be configured accordingly.

Abstract: A node including processing circuitry configured to: generate anonymized data based at least in part on a first cryptographic key and network data, calculate a coordination vector, generate initialized data based at least in part on the anonymized data, a second cryptographic key and the coordination vector, transmit the initialized data, the random vector, a security policy and instructions to analyze n iterations of the initialized data and the security policy using the random vector and the second cryptographic key, and receive results of the analysis of the n iterations of the initialized data and the security policy using the random vector and the second cryptographic key. The analysis of an m iteration of the n iterations correspond to an analysis of the initialized data with prefix preservation where the analysis of the remaining iterations of the n iterations fail to be prefixed preserved.

Abstract: Providing security for one or more network flows may include a security deployment node decomposing one or more virtual security appliances (265) of a logical security architecture (255) into security modules (310). The security deployment node orders the security modules (310) into a sequence (320) that implements a selected workflow pattern (400). The selected workflow pattern (400) may be selected from a workflow pattern database, and may define the security to be provided for a flow, for example, according to known best practices. The sequence (320) is then divided into segments (330), and the segments (330) are assigned to different groups (220) of network nodes (230) in a network (200). For each segment (330), an assignment of each security module (310) in the segment (330) to a network node (230) within the group (220) to which the segment (330) is assigned is computed. The network (200) is then configured according to the assignments.