Abstract: Systems and methods for retrospective scanning of network traffic logs for missed threats using updated scan engines are provided. According to an embodiment, a network security device maintains a network traffic log that includes information associated with network activities observed within a private network. Responsive to an event, the network traffic log is retrospectively scanned in an attempt to identify a threat that was missed by a previous signature-based scan or a previous reputation-based scan of the observed network activities. When the threat is identified as a result of the retrospective scan, then remedial and/or preventive action is taken with respect to the threat.

Abstract: Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating to limit an attack surface presented by the process.

Abstract: A system is provided for modeling and analysis of cybersecurity threats may include a data flow diagram (DFD) creator, threat indicator and threat analyzer. The DFD creator may identify elements of an information system, and compose a DFD including nodes and edges representing components and data flows of the information system. The threat indicator may identify a cybersecurity threat to a particular element of the information system, and add a secondary node representing the cybersecurity threat to the DFD to thereby produce a threat-model DFD for the information system. In metadata associated with the nodes, edges and secondary node, the DFD creator and threat indicator may provide structured information including attributes of the components, data flows and cybersecurity threat. And the threat analyzer may perform an analysis of the cybersecurity threat based on the threat-model DFD and metadata associated with the nodes, edges and secondary node thereof.

Abstract: Multi channel distributed behavioral analysis architecture provides a software solution to the major operational challenges faced with providing an early warning system for impending cyber security events. Most cyber security events are premeditated. However, many current cyber security defense technologies only address the real-time detection of a software vulnerability, the presence of malware (known or unknown “zero day”), anomalies from pre-established data points, or the signature of an active security event. The system and method of the multi channel distributed behavioral analysis architecture introduces a technique which provides the data collection, assessment, and alerting ability prior to the occurrence of an event based on threat actor behavior.

Abstract: A first node of a networked computing environment initiates each of a plurality of different man-in-the middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node. Thereafter, it is determined, by the first node, that at least one of the tests indicate that the communications are likely to have been intercepted by a third node. Data is then provided, by the first node, data that characterizes the determination. Related apparatus, systems, techniques and articles are also described.

Abstract: A method, and corresponding apparatus and system are provided for optimizing matching at least one regular expression pattern in an input stream by walking at least one finite automaton in a speculative manner. The speculative manner may include iteratively walking at least two nodes of a given finite automaton, of the at least one finite automaton, in parallel, with a segment, at a current offset within a payload, of a packet in the input stream, based on positively matching the segment at a given node of the at least two nodes walked in parallel, the current offset being updated to a next offset per iteration.

Abstract: A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance.

Abstract: A system for monitoring and mitigating client-side exploitation of application flaws includes a server to operate a first application. The first application communicates with a client device operating a second application to execute an application flaw script. The application flaw script causes the client device to produce a first request associated with vulnerability of the first application. An application flaw service module, communicatively coupled to the server, receives the first request from the client device comprising transactional metadata based on the application flaw script and inspects the transactional metadata for malicious content within the first request.

Abstract: Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliances.

Abstract: Disclosed are various embodiments for virtualized network honeypots. In one embodiment, client computing devices that are coupled to a network are each configured with both a primary host and a secondary virtualized host. The primary host provides workstation functionality for users having permission. The secondary virtualized host is configured to route network traffic to and from a honeypot server. The honeypot server is configured to provide a honeypot environment. In another embodiment, a network connection request for a requested service is received from a connecting device. If the connecting device is authorized, the network connection request is routed to the requested service. If the connecting device is not authorized, the network connection request is routed to a honeypot server.

Abstract: A client includes a security agent configured to create a client certificate that corresponds to one or more client identifiers. A server includes a server certificate and is in communication with the security agent. The server is configured to facilitate establishing an initial mutually authenticated transport layer security (TLS) session with the client based on the client certificate and the server certificate. The server is also configured to extract the client certificate from the security agent once the TLS session is established. The server is configured to store the certificate as being associated with only the corresponding client identifier(s) and to categorize the association between the client certificate and the corresponding client identifier(s) as being secure but not trusted for the client until the identity of the client has been verified. Moreover, the server is configured to receive an indication that the identity of the client has been verified.

Abstract: A plug-in software module of a DNS server helps to enforce a network security policy. The plug-in module scans communication packets at a DNS server computer and intercepts a request from a user computer to access a web site. The intercepted request is not received by the DNS service. The plug-in module initiates a security check of the user computer over a network connection to determine if the user computer has implemented the security policy of the computer network. If the user computer does not implement the security policy then the plug-in module returns an IP address to the user computer that is the IP address of a security web site. The security web site then displays on the user's browser an indication of a security policy to be applied. The security web site may also perform the security check.

Abstract: Using one or more externally defined objects to at least in part define a security policy is disclosed. In some embodiments, an external object list is obtained from an external list server, and a security policy comprising one or more rules based at least in part on one or more externally defined objects comprising the external object list and based at least in part on one or more locally defined objects is defined. The security policy is enforced with respect to one or more devices and periodically updated as the external object list is updated.

Abstract: Disclosed are various embodiments for management of third-party accounts for users in an organization. Network traffic between a client and a third-party network site under management is inspected. The client is associated with a user in an organization. It is determined whether the network traffic corresponds to a managed account with the third-party network site. It is determined whether the network traffic complies with a rule established by the organization. An action is implemented in response to determining that the network traffic does not comply with the rule.

Abstract: A social networking system allows entities to delegate actions performed on behalf of the entity to social networking system users by assigning one or more roles to social networking system users. Roles may be assigned based on information associated with the entity by the social networking system. Different roles are associated with sets of permissions specifying actions a user associated with a role is authorized to perform on behalf of the entity via the social networking system. Certain permissions of a role associated with the user may be associated with additional users by the user. A persona including a subset of information associated with a user by the social networking system may be created for a user assigned a role, allowing the user to limit information accessible to additional users connected to the persona.

Abstract: A security-function-design support device is provided.

Abstract: Computer systems and methods in various embodiments are configured for improving the security and efficiency of client computers interacting with server computers through an intermediary computer using one or more polymorphic protocols. In an embodiment, a computer system comprises a memory; a processor coupled to the memory; a processor logic coupled to the processor and the memory, and configured to: intercept, from a server computer, a first file and a second file, wherein the first file defines a first object with a first identifier and the second file comprises a reference to the first object by the first identifier; generate a second identifier; replace the first identifier with the second identifier in the first file; add one or more first instructions to the first file; remove the reference to the first identifier from the second file; add, to the second file, one or more second instructions, which when executed cause the one or more first instructions to be executed and produce the second identifier.

Abstract: A process capable of automatically establishing a secure overlay network (“SON”) across different clouds is disclosed. The process, in one aspect, receives a first request from a first node in a first cloud for establishing a SON. After receiving a second request for connecting to the SON from a second node in a second cloud, a first connection is established connecting between the first node and the second node utilizing a network security protocol such as Internet Protocol Security (“IPSec”). After receiving a third request for connecting to the SON from a third node in a third cloud, a second connection is used to connect between the first node and the third node. A third connection is used to connect between the second node and the third node. Each subsequent request for connecting to the SON from a new node results in new connections between the new node and each existing node in the SON forming a full-mesh.

Abstract: The present disclosure relates generally to techniques for automatically associating one or more access policies with an account. Specifically, these techniques enable one or more access policies to retroactively be associated with an account that is not associated with at least one access policy. By associating an access policy with an account, managing access to one or more resources provided by the account may be automated based on the associated access policy. An identity management system (IDM) system may manage access policies for determining access to resources of target systems. Accounts that are not associated with an access policies may be associated with the access policies governing access to resources identified by those accounts. Access to the resource(s) associated with those accounts may be updated based on the access granted by the access policies which are associated with those accounts.

Abstract: Several embodiments include a policy-bound token distribution system. The system can include a back-office server that issues policy-bound tokens to local main distribution servers. A local main distribution server can distribute a policy-bound token to a digital environment to authorize an operator to take advantage of a protected resource. The system can rely on a backup server to distribute the policy-bound tokens whenever the distribution service of the local main distribution server is unavailable. To prevent run-time leakage from the backup server, the backup server can synchronize its distribution state with the local main distribution server and the back-office server. The distribution state can include distribution transaction records between the backup server and client devices. Throughout the system, each distribution transaction record can be assigned unique transaction ID to prevent multiple accounting of the same distribution transaction record from different servers.

Abstract: A user-portable computing device configured as a smart card enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The device includes memory for storing user identities as information cards that are exported to a host computer, presented to a user in visual form, and then selected for use in the authentication process. A security token service installed on the device issues a security token in response to a token request sent from the host computer that references the selected user identity. The security token service uses user attribute information stored on the user device to compose the claim assertions needed to issue the security token. The token is returned to the host computer and used to facilitate the authentication process.

Abstract: A method is provided in one example embodiment and it includes receiving a state request and determining whether a state exists in a translation dictionary for the state request. The method further includes reproducing the state if it is not in the dictionary and adding a new state to the dictionary. In more specific embodiments, the method includes compiling a rule, based on the state, into a given state table. The rule affects data management for one or more documents that satisfy the rule. In yet other embodiments, the method includes determining that the state represents a final state such that a descriptor is added to the state. In one example, if the state is not referenced in the algorithm, then the state is released. If the state is referenced in the algorithm, then the state is replaced with the new state.

Abstract: Systems, methods and machine-readable media for providing a security service are disclosed. The methods include receiving a modification of the application object code to allow the software application to transmit a request for the security service; retrieving the modified application object code corresponding to the software application from memory; receiving, via a processor, the request for the security service from the modified application object code; and providing, via the processor, the security service. The systems and machine-readable media performing operations according to the methods disclosed.

Abstract: Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information regarding a program-code-based operational state of a host asset is collected by a light weight sensor (LWS) running on the host asset via a survey tool. The information is transmitted by the LWS to a remote server via an external network. Multiple security policies are enforced by the remote server with respect to the host asset based on the received information including determining whether the program-code-based operational state of the host asset represents a violation of one or more security policies, by evaluating, the received information with respect to the security policies, each of which define at least one parameter condition violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset making the host asset vulnerable to attack.

Abstract: Presented are a method and a node in a Lawful Interception (LI) network, in which the node is configured to provide a Law Enforcement Agency with Intercept Related Information (IRI) and Content of Communications (CC) of data traffic in a digital communications network. The IRI and CC are forwarded to an Intercept Mediation and Delivery unit node (IMDU) of the LI network, wherein the IMDU is configured to sample the content of communications according a certain sampling rate to achieve one or more samples of the CC, and to forward the generated one or more samples to the Law Enforcement Agency.

Abstract: A method is provided for a user equipment (UE) to respond to an emergency-related message sent to the UE. The method comprises the UE receiving a first message containing an indicator indicating that an emergency-related request has been made, the UE recognizing the indicator as an indication that the emergency-related request is related to an emergency, and the UE sending a second message containing emergency-related information about itself.

Abstract: A method for implementing a VOIP call in a cloud computing environment and relates to the VOIP call field. By using an RDP proxy to implement bidirectional transmission of voice streams between a cloud desktop client and a communication peer end, and further implement a VOIP call, a communication delay and load of a cloud desktop virtual machine are reduced. The method is used for a VOIP call in a cloud computing environment.

Abstract: The system includes a device of a plurality of devices and a network entity for connecting the device to a communications network. The device is arranged for attempting to access the network while providing an identification of the device to the network entity. The network entity is arranged for receiving the access attempt from the device, and determining the identification of the device. The network entity determines an identification of a subscription associated with the device from a first database of the system. The network determines whether the identified subscription has the device associated therewith in a second database. The network entity allows the device to connect to the network entity or prevents the device from connecting to the communications network depending on the above determinations.

Abstract: Methods and apparatus are disclosed for a wireless transmit/receive unit (WTRU) to request collaborative session control transfer for transferring control of an Internet Protocol (IP) multimedia subsystem (IMS) collaborative session from a controller WTRU to another WTRU, such as a controllee WTRU. The collaborative session control transfer request is sent to an IMS Service Centralization and Continuity Application Server (SCC AS). Methods and apparatus are also disclosed for a WTRU to request inter device transfer (IDT) for transferring an IMS collaborative session media session flow from one WTRU to another WTRU.

Abstract: Disclosed herein are system, method, and computer program product embodiments for an access gateway control function server to convert between network-based call signaling messages and session initiation protocol messages. An embodiment operates by receiving in a first access gateway control function server, a first session initiation protocol (SIP) message sent from a first device and converting the SIP message in the first access gateway control function server to a first network-based call signaling (NCS) message to be received by a second device.

Abstract: A method includes determining, at a first computing device, whether data to be communicated to a second computing device includes media data or protocol data. The method also includes, in response to determining that the data includes media data, generating a message header and a message body based on the media data. The message header includes a header flags portion and a header fields portion, and the header flags portion includes at least one flag having a value that indicates a length of a corresponding field of a plurality of fields of the header fields portion. The method further includes encapsulating the message header and the message body into a message and inserting the message into a media stream to be transmitted from the first computing device to the second computing device in accordance with a media communication protocol.

Abstract: In one embodiment, a method includes supporting a participation of a first endpoint in a first session and identifying a first time when a second session is to begin, where the first endpoint is expected to participate in the second session. The method also includes determining whether the first endpoint is still participating in the first session at approximately the first time, identifying a first condition when it is determined that the first endpoint is still participating in the first session at approximately the first time, and determining when the first condition is met while supporting the participation of the first endpoint in the first session. Finally, the method includes causing the first endpoint to switch to participating in the second session when it is determined that the first condition is met.

Abstract: Contextual content is provided to a first conversation participant via a client device of the first conversation participant. Communication information associated with a conversation is received via the first client device interface. Context information associated with the conversation is retrieved from the received communication information. One or more concepts associated with the conversation are identified based on the context information. Content is selected for presenting on the client device based on the identified concepts. The selected content is then presented to the first conversation participant in a second client device interface.

Abstract: Methods, systems, and computer-readable and executable instructions for concurrent display of a masked view of an application between devices are described herein. One method for concurrent display of a masked view of an application between devices includes establishing a collaborative session with a first computing device and a second computing device, replicating a masked view of a first application on the first computing device, and concurrently displaying a view of the first application on a first user interface of the first computing device and the masked view of the first application on a second user interface of the second computing device in the collaborative session.

Abstract: An engine, system and method for a domain social network that interconnects Internet users with at least domains owned by or of interest to those Internet users, and that may obtain and/or forward obtained dynamic data regarding those domains automatically, such as by web service or email service. The dynamic data may be used to filter and protect content and data of the respective domains, to protect users by identifying low quality web pages or malicious software or pages, to isolate or improve search results regarding the domain, and/or to improve Internet-based transaction flow, such as the creation of advertising.

Abstract: A terminal apparatus has a first setting of displaying a portion of information designated by an information processing apparatus and a second setting of being able to display another portion. The terminal apparatus receives transmission information converted from the information by the information processing apparatus to include a portion to be displayed first and transmission information converted from the information to include another portion; stores the transmission information thus received; and displays, in a case of the first setting, the designated portion and displays, in a case of the second setting, a portion based on an operation performed on the terminal apparatus. The terminal apparatus receives, upon switching from the second setting to the first setting, the transmission information corresponding to the designated portion based on whether already receiving the transmission information corresponding to the designated portion.

Abstract: Machines, systems and methods for dynamic content filtering are provided. The method comprises receiving an indication for a preference for an approximate number of content to be delivered during an indicated time period; assigning a first score to the first content according to one or more factors, in response to receiving a first content at a first point in time during the first time period; delivering the first content, in response to determining that the first score is above a first dynamically calculated threshold, wherein the first dynamically calculated threshold is calculated based on: t: time of arrival of the first content, k(t): number of contents that has been delivered until the first point in time, K: the approximate number of events to be delivered during the indicated time period, and F: a distribution function calculated based on prior history of the content delivered.

Abstract: A system of this invention is a video processing system for determining details of a browsable video content. This video processing system includes a video fragment download unit that downloads data of a video fragments in a determination target video content via a network, and a first video content determination unit that determines the details of the video content based on the downloaded data of the video fragments. With this arrangement, it is possible to determine the details of a browsable video content while reducing the amount of data to be downloaded.

Abstract: Systems and methods are disclosed for providing selectable content creator controls in conjunction with sponsored media content items. In one implementation, a processing device receives a media content item of a content creator. The processing device provides the media content item to a content viewer based on a selection of the media content item by a content sponsor. The processing device provides, to the content viewer and in relation to the media content item, a first control, the first control being associated with the content sponsor. The processing device provides, to the content viewer and in relation to the media content item, a second control, the second control being associated with the content creator.

Abstract: System and method for storing digital content for display on a display device, comprising at least one digital content item, configured to be displayed on the display device, and a service cloud comprising a secure storage system, configured to store digital content, a communication controller, configured to communicate with the display device, a provisioning engine, configured to control the provisioning of digital content on the display device, a service management system, configured to collect data reflecting operational status of the display device, a server, configured to interface with an application running on a computer with memory and processor for selection and control of digital content for display, an ingestion engine, configured to control importation of digital content, an external content gateway, configured to transfer digital content from outside the service cloud to the display device, and a live data feed gateway, configured to provide over-the-top content to the display devices.

Abstract: A system for adaptive audio video (AV) stream processing may include at least one processor and a switch device. The switch device may be configured to route AV traffic to the processor, and to receive AV traffic from the processor and provide the AV traffic to a client device via one or more channels. The processor may monitor a transcoder buffer depth and depths of buffers associated with channels over which the AV traffic is being transmitted. The processor may adaptively modify one or more attributes associated with the AV traffic based at least on the monitored buffer depths. For example, the processor may adaptively adjust a bit rate associated with transcoding the AV traffic based at least on the transcoder buffer depth. The processor may utilize the depths of the buffers associated with the channels to adaptively adjust the amount of AV traffic provided for transmission over the channels.

Abstract: Telecommunications equipment may require network connectivity. On newer systems, an additional local management interface is provided for proprietary maintenance functions, typically via a shell-based Command Line Interface. This is not available on remote sites with only TDM connections. The invention provides a method of communicating between a management console and remote access equipment via a class 4 telecommunications switch, which comprises establishing an IP connection, establishing a synchronous telecommunications transport connection between the class 5 switch and the remote access equipment, setting up a voice call between the management console and the remote access equipment, passing the voice call over the IP connection as a VOIP call, passing the voice call over the synchronous telecommunications transport connection as a PCM encoded call, and encapsulating an IP data stream in the VOIP and PCM encoded call to establish an end-to-end IP.

Abstract: A content distribution system comprises a server, a plurality of clients and means for distributing a plurality of items of content to the plurality of clients, wherein each client is configured to transmit at least one message to the server representative of portions of the items of content that are present or not present at that client, and the distribution means is configured to determine from the messages portions of the items of content that are missing from at least one client, and to distribute the missing portions of content to the clients according to a multicast protocol.

Abstract: Codec selection and usage for calls includes identifying a call scheduled for a time in the future from an electronic calendar associated with a user and prior to the call, ordering a plurality of codecs used by an Internet Protocol (IP) phone of the user for the scheduled call. During the call and using a processor, a mean opinion score for the call is calculated and stored as part of call data for the call within a data storage device including historical call data.

Abstract: A method of implementing calls includes identifying a call scheduled for a time in the future from an electronic calendar associated with a user and prior to the call, ordering a plurality of codecs used by an Internet Protocol (IP) phone of the user for the scheduled call. The method further includes, during the call and using a processor, calculating a mean opinion score for the call and storing the mean opinion score as part of call data for the call within a data storage device comprising historical call data.

Abstract: A cluster of nodes, comprising: a plurality of nodes, each having a security policy, and being associated task processing resources; a registration agent configured to register a node and issue a node certificate to the respective node; a communication network configured to communicate certificates to authorize access to computing resources, in accordance with the respective security policy; and a processor configured to automatically dynamically partition the plurality of nodes into subnets, based on at least a distance function of at least one node characteristic, each subnet designating a communication node for communicating control information and task data with other communication nodes, and to communicate control information between each node within the subnet and the communication node of the other subnets.

Abstract: Provided are methods and systems for rendering and displaying an initial layout of a web application (e.g., calendar application), where the layout includes data specific to a time zone determined to be applicable to a user. Server-side rendering of the initial layout is utilized without compromising the correctness of the initial layout if the server-side heuristics fail. The methods and systems are designed such that it is not necessary to “know,” “fingerprint,” or “reverse engineer” the browser's local time zone in order to validate the time data to be displayed with the user's time-bound information (e.g., calendar data) in the web application. Furthermore, meaningful time data can be displayed to the user without the full web application having to execute in the browser.

Abstract: Systems and methods of the present invention provide for one or more server computers communicatively coupled to a network and configured to: monitor one or more social media accounts; identify a specific issue common to the social media account(s) (and possibly one or more recommended remedies for the common specific issue); and generate and transmit, to a user of the social media account(s), a report identifying the instance of the common specific issue and, where applicable, the one or more recommended remedies.

Abstract: Technologies are presented for distributing user interface elements and controls among devices. A user may select an element and/or control of a user interface (UI) of a first application displayed on a first device for shifting to one or more other devices. The additional display area at the first device freed up by the shift may be filled with additional application content or UI elements. The shifted element and/or control may remain usable on the one or more other devices the element and/or control shifted to. Overall, a user may be able to remove and redirect application control elements while viewing additional content on the first device in a fast and transparent process.

Abstract: The present invention is directed towards systems and methods for providing discovery of applications for classification of a network packet for performing QoS and acceleration techniques. Remote display protocol traffic associated with a new application not previously included in a list of predetermined applications may be parsed for application information, and the new application may be added to the application list. The remote display protocol traffic may then be classified according to the new application, and network performance may be enhanced and optimized by providing QoS and acceleration engines with packet- or data-specific information corresponding to the newly identified application.