Abstract: Methods, servers and mobile stations are provided to allow a sender mobile station which has transmitted a message toward a recipient mobile station via a first protocol to be notified that the message has been delivered to the recipient mobile station via a different protocol. The sender mobile station may be notified that the message was delivered to the recipient mobile station via a different protocol method via a disposition notification message comprising an indication that the message was delivered to the recipient mobile station via a different protocol.

Abstract: A messaging server system receives a message creation input from a first client device that is associated with a first user registered with the messaging server system. The messaging server system determines, based on an entity graph representing connections between a plurality of users registered with the messaging server system, that the first user is within a threshold degree of connection with a second that initiated a group story in relation to a specified event. The messaging server system determines, based on location data received from the first client device, that the first client device was located within a geo-fence surrounding a geographic location of the specified event during a predetermined event window, the geo-fence and event window having been designated by the second user, and causes the first client device to present a user interface element, that enables the first user to submit content to the group story.

Abstract: A communication system for automatically choosing a communication modality from a plurality of communication modalities for use for communication between distant communication entities is provided. The communication system includes a controller configured to: receive a message in the form of one of a first plurality of modalities from a message originator for transmission to a message recipient and select at least one modality for sending the message to the message recipient. To select the controller is configured to: determine the existence of any predetermined vehicle context requirements, predetermined static requirements, predetermined communication service provider requirements, communication context requirements, message recipient preferences, and message originator preferences; and make the selection based on those requirements and preferences. The controller is further configured to convert the received message to the selected modality and cause the message to be transmitted to the message recipient.

Abstract: Discovery of communication platform features or exposure of such features to the user may include generating embeddings for a variety of types of communication platform content and communications. These embeddings may be used to characterize and compare various communication platform features and ultimately expose these features to a user when the user may not have otherwise encountered them. Embeddings may be generated to characterize a user's interactions with a communication platform and/or characterize a channel and the embeddings may be used to expose methods of communicating with the user and/or over the channel.

Abstract: Address resolution information acquisition (ARIA) for a computing device is described. In some examples, ARIA includes a computing device (e.g., an Internet of things (IoT) node, a gateway, a server) determining, without use of an address resolution protocol (ARP), address resolution information of one or more other computing devices (e.g., a IoT node, a gateway, a server). In one example, the computing device uses data flowing to or from its application layer, transport layer, or network layer to determine address resolution information of another computing device. The address resolution information can comprise one or more of a link layer address (e.g., a media access control (MAC) address) and an Internet layer address (e.g., an Internet protocol (IP) address). Usage of a cache for storing or deleting address resolution information can also be part of ARIA.

Abstract: The present disclosure is related to the network communication technology field and relates to a method for the classification and recognition of the Domain Name System (DNS) server, using machine-learning techniques. The classification process assigns a given DNS server as belonging to a preset of classes. For example, it enables to label a DNS server as either benign or malicious. On the other hand, the recognition process seeks the identification of the DNS server behavioral profile, which, consequently, can be used to assess the DNS server trustworthiness before DNS responses can be reliably used, e.g. identification of well-known and trusted DNS servers. Hence, the present patent, by the means of detecting the DNS server RFC adherence improves user security through the classification and recognition of DNS characteristics. Therefore, security solutions can use the DNS server characteristics to assess its trustworthiness before DNS responses can be reliably used.

Abstract: Methods related to determining and utilizing one or more attributes to associate with an IP addresses. Attributes are determined based on request data provided with requests from an IP address and one or more available secondary information sources. Attributes may include physical locations and/or category designations for the IP address. One or more attributes may be assigned a likelihood value indicative of likelihood that the attribute is associated with the IP address. Some implementations are directed to utilizing the attributes and likelihood values to identify likely fraudulent information provided with requests. Some implementations are directed to utilizing the attributes and likelihood values to provide advertisements in response to requests from IP addresses.

Abstract: Methods, systems and computer readable storage medium for processing coherent data are provided. In an embodiment, a method for processing coherent data includes dividing the coherent data into two separate frames. Further, the method includes applying a same coherency number to the two separate frames and transmitting a signal including the two separate frames to a receiving module. The method also includes determining whether the two separate frames match based on the same coherency number. When the two separate frames match, the method outputs the two separate frames to downstream logic. The method may include adding the two separate frames to a buffer populated with a selected number of most recently received frames and, when the two separate frames do not match, identifying a selected frame from the two separate frames and searching the buffer for a matching frame from the most recently received frames.

Abstract: A technique for performing authentication to a hybrid-cloud service includes selectively applying varying authentication requirements based on whether a client device can be confirmed to be connected to a private intranet. The technique includes operating a set of local agents on one or more computing machines on the intranet. When a client device requests access to the hybrid-cloud service, the client device attempts to contact one or more of the local agents. If the client device succeeds in contacting a local agent, then the client device is confirmed to be connected to the private intranet and receives relatively trusting treatment during authentication. However, if the client device fails to contact at least one local agent, the client device is not confirmed to be connected to the private intranet and receives relatively less trusting treatment.

Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.

Abstract: At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, client download of a response from a server to a client request is blocked, and instead a notification page with options to accept or decline the server response is provided to the client.

Abstract: An email validation system receives an email validation request from a requestor to validate an email, the email validation request indicating at least a sender domain indicating a domain of the sender of the email. The email validation system determines whether the sender domain is in a whitelist of known domains, wherein a known domain is a domain that is linked to an organization whose provenance is known, such that it can be linked to an identifiable entity in the real world. The email validation system generates, in response to determining that the sender domain is not in the list of known domains, a message indicating that the email is not valid. The email validation system generates, in response to determining that the sender domain is in the list of known domains, the message indicating that the email is valid, and transmits the message to the requestor.

Abstract: A method and system are disclosed. A first service engine among a plurality of service engines detects a traffic violation of a web application policy for an instantiation of a virtual service on the first service engine. The service engines maintain corresponding instances of a shared state of policy violations for the web application policy. In response to detecting the traffic violation, a first instance of the shared state on the first service engine is updated. The first service engine broadcasts the updated first instance of the shared state. Remaining service engines, which have instantiations of the virtual service, update their instances of the shared state in response to receiving the updated first instance. The instances of the shared state are aggregated to obtain an aggregated shared state. It is detected whether the aggregated shared state triggers an application policy rule for the web application policy.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: A method at a system including a firewall and at least one application, the method including obtaining, at the at least one application, a new address for a service provider for the at least one application; triggering a firewall update; obtaining a new firewall configuration; and updating the firewall, wherein the updating the firewall allows a connection from the at least one application to the new address for the service provider.

Abstract: A computing device is configured to retrieve network security configuration information from a computer network and generate a security configuration map which readily enables a user to detect defects in the security configuration with respect to a security policy. The computing device retrieves firewall configurations from security appliances in the network which operate firewalls, and processes the firewall configurations to generate a set of corresponding standardized firewall configurations. These are processed to identify enclaves containing network nodes which are associated with respective security sensitivity values based on the security policy. The computing device monitors and detects inter-node network traffic.

Abstract: Apparatuses (e.g., systems and devices) and methods for remotely accessing a local (e.g., home, office, etc.) network of devices connected to a local router.

Abstract: A system for accessing at least one Virtual Private Network (VPN) includes a terminal, and can include at least one Security Policy Database (SPD). The terminal is capable of communicating with a VPN client and at least one application. The VPN client, in turn, is capable of defining at least one VPN access point, each VPN access point including an associated physical access point and VPN policy. Thereafter, the VPN client can access at least one VPN based upon the VPN access point(s) to thereby establish at least one data connection from at least one application across the at least one VPN. In addition, the VPN client can be capable of downloading at least one VPN policy from the SPD. A system for managing at least one Virtual Private Network (VPN) policy is also provided, where the VPN polic(ies) are for use in accessing at least one VPN.

Abstract: A VNF package signing system, comprises an orchestration unit sending an acknowledge of receiving a VNF package including the VNF image, in response to the receiving the VNF package from a sender, a storage unit storing the VNF package and generating a certificate for the VNF package using a private key for at least generating a certificate for signing the VNF package and a HISEE (Hardware Isolated Secured Execution Environment) unit providing the private key in response to the request from the storage unit. The orchestration unit sends the acknowledge of receiving a VNF package when the storage unit successes generating the certificate of the VNF package.

Abstract: An advancement over previous techniques uses push notifications to provide users with proxied communications to outside devices reachable using a security appliance or network gateway. Encrypted direct communication between a user device with the outside device is blocked and the user device is provided with a proxy URL at which indirect proxied communications can be provided. A proxy at the proxy URL can read the communications between the user device and the outside device. The proxy can thereby apply security policies to the indirect proxied communications. The security appliance can provide the proxy URL to the user device via a push server.

Abstract: Typically, a business desires to track and monitor all applications run on its servers. Nonetheless, one or more unauthorized applications may be running on the business's servers, exposing the business to potential regulatory liability and security breaches. Apparatus and methods are provided for isolating and disabling one or more unauthorized applications running on a server. The apparatus may comprise a system including a content-filtering web proxy server configured to filter outgoing requests and data associated with the requests. The system may also include a remediation framework configured to monitor request data in a proxy log stored by the proxy server. The remediation framework may be triggered to perform remedial action when the remediation framework determines that a request and associated data, as stored in the proxy log, meets predetermined conditions. The remediation framework, when triggered, may execute steps to truncate functionality of the unauthorized applications.

Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

Abstract: A method for requesting proof of delegation for delivery of content to a client terminal via an encrypted connection. The content is referenced on a content server, to which the client terminal emitted a request to obtain the content. The content server has delegated the delivery of the content to a primary delivery server. The method is implemented by a secondary delivery server, to which the primary delivery server has delegated the delivery of the content. The method includes: receiving a request to establish an encrypted connection, from the client terminal, including an identifier of the content server; emitting a request for proof of delegation of delivery, addressed to the content server; receiving of a message from the content server, including an encryption key; emitting a response for establishing an encrypted connection, addressed to the client terminal; and establishing the encrypted connection with the client terminal using the encryption key.

Abstract: Disclosed herein are systems and method for securely sending user data. In an exemplary aspect, a trusted party device may receive a request for user data and a first hash of the request stored in a distributed registry. In response to verifying that the first hash matches a hash of the request as calculated by the trusted party device, the trusted party device may generate and transmit both a confirmation request to send the user data and a second hash of the confirmation request to an authorized user device. The trusted party device may receive, from the authorized user device, both a confirmation message and a third hash of the confirmation message stored in the distributed registry. In response to verifying that the third hash matches a hash of the confirmation message as calculated by the trusted party device, the trusted party device may send the requested user data.

Abstract: An apparatus includes a non-volatile memory (NVM) device coupled to a host, the NVM device including a processing device to: receive a communication packet from a server via the host computing system that is coupled to the NVM device and communicatively coupled to the server, the communication packet comprising clear text data that requests to initiate secure communications; perform a secure handshake with the server, via communication through the host computing system, using a secure protocol that generates a session key; receive data, via the host computing system, from the server within a secure protocol packet, wherein the data is inaccessible to the host computing system; authenticate the data using secure protocol metadata of the secure protocol packet; optionally decrypt, using the session key, the data to generate plaintext data; and store the plaintext data in NVM storage elements of the NVM device.

Abstract: A computing device may receive a request to establish a virtualized environment to support a session for a client device in communication with the computing device over a network. The computing device may instantiate the virtualized environment in a trusted execution environment of the computing device, wherein the trusted execution environment may include one or more hardware resources that isolate the virtualized environment from a rich execution environment associated with the computing device. The computing device may cause a hardware security module associated with the computing device to obtain one or more cryptographic keys by communicating with a secure element of the client device, and the computing device may secure communication between a local operating system executing on the client device and the virtualized environment instantiated in the trusted execution environment using the one or more cryptographic keys.

Abstract: A network device may decrypt a record received from a source device and associated with an encrypted session. The network device may process the decrypted record. The network device may encrypt the record to generate an encrypted payload. The network device may store an entry in a retransmission mapping that includes a decryption key used to decrypt the record and an encryption key used to encrypt the record. The network device may transmit the encrypted payload in a first TCP packet toward the destination device. The network device may receive retransmitted data and may determine, based on the record entry, that the retransmitted data is associated with the record. The network device may decrypt, using the decryption key, the retransmitted data and may re-encrypt, using the encryption key, the decrypted record. The network device may transmit, toward the destination device, the encrypted payload in a second TCP packet.

Abstract: Embodiments perform write operations in a multi-tenant cloud system that includes a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. Embodiments receive a request from a first client to perform a first write for a resource at the second data center. Embodiments generate a call to the first data center including a second write for the resource at the first data center. Embodiments retrieve data corresponding to the first write and send the retrieved data to the first data center. Embodiments write on the data based on the first write, the writing on the data including changing the data to generate changed data.

Abstract: Embodiments of systems and methods as disclosed herein may determine that an initiator of a communication on a distributed computer network is an automated script or the like. More particularly, in one embodiment, a web page including a hidden field may be generated in response to a request for the web page. This hidden field is a field included in the web page that is not visible to a human user when the web page is rendered by a browser and presented to the user. By comparing a received value for such a hidden field with an associated value for the hidden field as provided in the web page, the use of an automated script may be detected.

Abstract: The invention relates to a method for carrying out a two-factor authentication between a client and a relying party, wherein, as the second factor, a data carrier is employed which carries out a communication with a token server.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for performing data management. One of the methods includes: obtaining authentication information of a login user; generating a digital abstract of the authentication information of the login user; and authenticating the login user based on a comparison between the digital abstract of the authentication information of the login user and one or more digital abstracts stored on a blockchain.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: Methods and systems for securing a data connection for communicating between two end-points are described herein. One of the end-points may be a server and the other of the end-points may be a client that wants to communicate with the server. The data connection may be secured based on a previously-established secure connection and/or a self-signed or self-issued certificate. In some variations, by using the previously-established secure connection and/or a self-signed or self-issued certificate, the secure communication between the server and the client may be conducted without using a third-party authentication service and without requiring a third-party CA to issue a certificate for the server.

Abstract: In some examples, a target device determines that each device of a plurality of devices (i) includes a certificate that is provided to each device during provisioning, (ii) is within a predetermined distance from the target device, (iii) includes a beacon secret that is broadcast to each device at a predetermined time interval, and (iv) that either: (a) a privilege level associated with at least one device of the plurality of devices satisfies a particular privilege level specified by an access policy or (b) a number of the plurality devices with the determined distance from the target device satisfies a predetermined number specified by the access policy. The target device grants at least one device of the plurality of devices access to the target device, and receives a message from the at least one device. The target device initiates an action based at least in part on the message.

Abstract: A first user device can receive a communication certificate associated with a user of the first user device. The communication certificate can allow the first user device to exchange certain information with a second user device that also possesses the communication certificate. The first user device can receive a notification. The first user device can also determine that a second user device associated with the user did not receive the notification. The first user device can initiate a direct connection with the second user device. The first use device can verify that the second device possesses the communication certificate. After verification, the first user device can send the notification to the second user device.

Abstract: Disclosed in some examples are methods, systems and machine-readable mediums which allow for more secure authentication attempts by implementing authentication systems with credentials that include interspersed noise symbols in positions determined by the user. These systems secure against eavesdroppers such as shoulder-surfers or man-in-the middle attacks as it is difficult for an eavesdropper to separate the noise symbols from legitimate credential symbols.

Abstract: Approaches presented herein enable credentials to be revoked or otherwise modified while limiting the impact of inadvertent or unintended changes in access. In some embodiments, the revocation of a credential can occur over a period of time with the level of access being diminished over that period, in order to prevent an inadvertent denial of access while indicating to the requestor that there is an issue with the credential. When a new policy is created for a new credential, a prior policy can be retained for at least a period of time such that users with inadvertently revoked access can obtain a level of access per the previous policy. Various embodiments trace the calls for a credential throughout the system in order to determine which services, processes, or components might be affected by the revocation, such that an appropriate remedial action can be taken.

Abstract: Virtually every online account requires login credentials like username and password for access. Using different credentials for each account can reduce the likelihood of unauthorized access to these accounts. Remembering all the different credentials, however, can be a challenge and it is not uncommon for a user to mistakenly provide credentials to a site that are for another, sensitive site. Accordingly, a system for warning a user of such an error is provided. The system includes a browser plugin that responds to a user entering their credentials at a requesting site by looking up an identifier of a trusted site associated with the user's credentials. The identifiers of the requesting and trusted sites are compared, and if they do not match, the browser plugin blocks the user from submitting their credentials to the requesting site. Advantageously, the system reduces the likelihood that credentials to sensitive accounts are provided by accident.

Abstract: A multi-tenant system that provides cloud-based identity management receives a request to execute a job, where the job has a scheduled start time, or a timeframe to complete, that exceeds the validity time of a request access token. The system generates the request access token corresponding to the job, where the request access token has access privileges. The system schedules the job and persists the request access token. The system triggers the job at the scheduled start time and generates a derived access token based on the request access token, where the derived access token includes the access privileges. The system then injects the derived access token during runtime of the job and calls a service using the derived access token to execute the job.

Abstract: A computing device determines whether or not to authorize a network request. In particular, responsive to the computing device receiving the network request from a mobile device, the computing device controls a plurality of light fixtures to each optically transmit a respective challenge code. The computing device approves or rejects the network request based respectively on whether or not a group of the challenge codes is received from the mobile device, each challenge code in the group being optically receivable at a location authorized for approving the network request.

Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include identifying a request from a network identity for an action involving a target network resource, wherein the action requires a temporary access token. Techniques further include performing, based on a security policy, at least one of: storing the temporary access token separate from the network identity and providing the network identity with a customized replacement token having an attribute different from the temporary access token; or creating a customized replacement role for the network identity, the customized replacement role having associated permissions that are customized for the network identity based on the request.

Abstract: A system for optimization of data transmission, comprising a content protection extraction system configured to operate on a remote processor and to extract content protection data associated with a data file and to transmit the content protection data to a central processor and a content protection confirmation system configured to operate on the central processor and to receive the content protection data and to verify whether the content protection data is associated with an authenticated data file.

Abstract: Systems and methods for verifying identifies of parties to a video conference call are disclosed. An example method includes storing a plurality of first facial encodings each associated with one or more images of a registered agent, receiving, during the video conference call, a second facial encoding associated with one or more images of a person participating in the video conference call, determining that a specified registered agent is scheduled as a party to the video conference call, comparing the second facial encoding to a selected first facial encoding associated with the specified registered agent, and determining, based at least in part on the comparing, whether or not the person is the specified registered agent.

Abstract: One embodiment of the invention includes a system comprising: a personal digital key and a computer readable medium that is accessible when authenticated by the personal digital key.

Abstract: The present disclosure is applied to the field of communication technology, and provides a method, device for authenticating an accessing terminal and a system. The method includes: receiving a connection request sent by the terminal, the connection request carrying first terminal operation information; obtaining pre-stored second terminal operation information, and matching the first terminal operation information with the pre-stored second terminal operation information according to a preset matching strategy; sending, when the terminal operation information matches the pre-stored second terminal operation information, authentication success information to the terminal, and establishing communication with the terminal.

Abstract: The invention discloses a managing system and managing method for managing authentication for a cloud service system. When a user operates a data processing apparatus to execute an unprotected start-up procedure to start up a browser application to access from an unprotected space of a data storage unit and transmits an authentication data including no characteristic data associated with a protected space of the data storage unit to the cloud service system through the browser application, the cloud service system redirects the authentication data to an authentication server. The authentication server judges if the authentication data has the characteristic data associated with the protected space, and if NO, the authentication server transmits an alert message representative of refusal of login to the cloud service system. The cloud service system redirects the alert message to the browser application.

Abstract: Example approaches for authenticating a device are described. In an example, a category, from a plurality of categories, is identified for a device, based on data packets exchanged between the device and a network element. The category is indicative of operational capabilities of the device. Based on the category identified for the device, an authentication order for the device is determined. The authentication order is indicative of a sequence in which a set of authentication tests is to be executed for authentication of the device.

Abstract: A system and process for operating a cybersecurity training platform, providing an immersive and hands-on learning experience through a secure virtual machine and simulated environment with real-world vulnerabilities, which is customized and provisioned on-demand using automation and artificial intelligence.

Abstract: A key-value store supporting GET, PUT and DELETE operations, serializes multiple clients using two locks, and that supports asynchronous resizing. The locking scheme includes an operation of holding two locks, one for the key involved in the operation, one for the page currently searched or updated. The store can either be a single volume holding keys and data or can be organized as a directory volume referencing a number of data volumes organized by data-size ranges. The scheme also supports asynchronous resizing of the directory while continuing to perform operations.

Abstract: Embodiments provide cloud based identity management by receiving a request from an application for a resource that includes an operation on a resource type out of a plurality of resource types and the request specifies a tenant out of a plurality of tenants, the resource type including a schema, and the schema includes a plurality of schema attributes and metadata for each of the schema attributes, the resource type including one of a user or a second application. Embodiments store multiple versions of the resource type, at least a first version of the resource indicating a deprecated attribute with respect to a first previous version of the resource type, and at least a second version of the resource type indicating an added attribute with respect to a second previous version of resource type, where the request indicates one of the multiple versions of the resource type.