Abstract: The present disclosure pertains to validation of runtime objects for a software deployment using a certificate. After creating the runtime objects during a build process, a certificate may be generated based on the runtime objects. The certificate may include a fingerprint of the runtime objects that may be used before deployment to determine whether the runtime objects have been changed. Before deployment, the runtime objects and the certificate may be obtained and the certificate may be validated. In addition, the runtime objects may be validated using the fingerprint included in the certificate. For instance, the fingerprint may be re-generating based on the runtime objects for deployment. The runtime objects may be validated by comparing the re-generated fingerprint to the fingerprint in the certificate. The runtime objects may be deployed if the certificate and the runtime objects are valid.

Abstract: A system for credential authentication includes and interface and a processor. The interface is configured to receive a request for authorization to access from an application. The processor is configured to determine a set of credentials that can enable authorization to access; generate a proof request challenge; receive a proof response; determine that the proof response is valid based at least in part on information stored in a distributed ledger; generate a token; and provide the token.

Abstract: A communication network employing a method and system for secure access from a security device at a local network location to a remote network location are disclosed. At the security device having a unique identifier (UID), processor, and memory, a security software is obtained from a remote network location, the security software obtaining a personal identification number (PIN) of a user, and the UID of the security device. The PIN, the UID and the private security software are forwarded to the remote network location for generating a credential code, including encrypting the credential code. At the security device, the credential code is obtained from the remote network location, and authenticity of the PIN and the UID is verified, without communicating over a network, including decrypting the credential code. Upon verifying the authenticity of the PIN and the UID, access credentials to the remote network location are retrieved.

Abstract: A method, computing device and computer program product generate a temporary password to control access to a record created in response to an electronic message. An electronic message is parsed to separately identify a plurality of fields that provide different types of information. Record(s) are accessed from a database that are associated with the information provided by at least one field. An action to be initiated by the electronic message is determined to either be taken or to be rejected based upon information provided by the field(s) of the electronic message and also based upon information from the record(s) accessed from the database. If the action is rejected, a record of the electronic message is created for transmission along with information regarding the rejection. A temporary password is also generated to control access to the record created regarding the electronic message and its rejection. The response includes the temporary password.

Abstract: Techniques for a service provider network to perform adaptive, step-up authentication for client devices that invoke privileged API calls for services. A client device may perform an initial authentication protocol with an identity service provider (ISP), and be provided with a JSON web token (token) that enables the user to interact with a service of the service provider network according to an access scope. When the service provider network receives an API call from the client device, the service provider network may determine that the API call is a privileged API call. The service provider network may further determine that the privileged API call is not permitted by the access scope of the token. The service provider network may then require that the client device perform a step-up authentication process with the ISP to obtain another token with an elevated access scope to invoke the privileged API call.

Abstract: Systems and methods are disclosed for performing location-based authentication using location-aware devices. One method includes: receiving an access request comprising authentication credentials and a first location from a first location-aware device; receiving a second location from a second location-aware device associated with the authentication credentials; and upon determining that the first location and second location are within a pre-determined distance, authenticating the authentication credentials.

Abstract: Access token scope limiting is provided. An access token of a client containing a list of scopes is presented to an authorization application programming interface of the computer. Each scope in the list of scopes defines a permission to access a particular protected resource hosted by a resource server. A new access token is returned to the client containing a decreased number of scopes using a scope alias in response to the authorization application programming interface requesting a decrease in a number of scopes in the list of scopes. The scope alias representing a plurality of specific scopes from the list of scopes contained in the presented access token.

Abstract: Disclosed embodiments relate to systems and methods for securing the use of temporary access tokens in network environments. Techniques include identifying a request for an action involving a target network resource requiring a temporary access token; receiving, from the target network resource, a temporary access token; storing the temporary access token separate from the network identity; generating a customized replacement token having an attribute different from the temporary access token such that the customized replacement token cannot be used directly with the target network resource; providing the customized replacement token to the network identity; monitoring use of the customized replacement token to detect an activity identified as being at least one of potentially anomalous or potentially malicious; receiving an access request to access the target network resource; and based on the detected activity, denying the access request from the network identity.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving user input indicating a first user selection of a first form of biometric authentication from a plurality of forms of biometric authentication, providing a first interface for display on a user device, the first interface corresponding to the first form, receiving first biometric data, the first biometric data being provided using the first interface, and selectively enabling communication between the user device and a back-end system based on the first biometric data.

Abstract: A method is disclosed. The method includes constructing a table by encrypting a plurality of unencrypted match values using a public key to produce a plurality of encrypted match values. Each unencrypted match value being an indication of a degree of match between an input biometric template and an enrollment template. The method includes arranging each row so that each row has a match value and a corresponding encrypted match value. The method also includes storing, in a database, the table comprising the plurality of encrypted match values and the plurality of unencrypted match values. The server computer can be programmed to receive an encrypted biometric template and the table is used to determine a match value using the encrypted biometric template, and the match value is used to determine if a person is enrolling a biometric template associated with the encrypted biometric template more than once.

Abstract: The present disclosure relates to systems, methods, and computer-readable media for securely verifying an identity of a user of a client device based on a signal transmitted by the client device. For example, systems disclosed herein include registering a client device and facility device via a cloud computing system to enable the client device and facility device to securely communicate a signal via a wireless connection. The systems disclosed herein additionally include determining whether a trigger condition applies based on a position of the client device relative to the facility device. The systems disclosed herein further include maintaining and updating a subset of user verification information to include personal verification of a registered user of the client device. Using the subset of user verification information, a biometric scanning device may efficiently and accurately verify an identity of an individual associated with the client device.

Abstract: A system performs mobile biometric identification system enrollment using a known biometric. The system receives a digital representation of a first biometric for a person. Prior to using the digital representation of the first biometric to identify the person, the system compares a received digital representation of a second biometric for the person to known biometric data for the person. When the digital representation of the first biometric has been thus verified, the system is operative to identify the person using the digital representation of the first biometric.

Abstract: An authentication method for a user to access service providers through an online enabled device, an offline authentication device configured to authenticate a user to service providers through online enabled devices, and a user authentication system comprising a authentication device, an online enabled device and online service providers.

Abstract: A method includes: setting up, by a first network device, a MACSec channel to a second network device according to the MACSec protocol; and sending, by the first network device, an ACP packet to the second network device by using the MACSec channel, where the ACP packet is carried in a MACSec frame, and a frame header of the MACSec frame carries identification information used to identify the ACP packet. By means of the packet transmission method, MACSec channel is set up between adjacent nodes in a self-organizing network according to the MACSec protocol, and an ACP packet is transmitted between the adjacent nodes by using the MACSec channel and processed.

Abstract: A system and method for assigning a single use real-time privilege are disclosed. A processor validates credentials of a user based on comparing credentials data of the user with pre-stored reference data in response to receiving a request to access a target computer to execute a single process; creates a single use blockchain private key for the single process and generates the passcode in response to a successful validation of the credentials. The processor also writes request data corresponding to the private key and the passcode onto a blockchain. In response to receiving user login data and the passcode to access the target computer, the processor validates passcode by confirming that the passcode matches the request data wrote in the blockchain; and assigns a single use real-time privilege to the user for executing the single process in response to successful validation of both the passcode and the received request.

Abstract: Methods and systems for communicating information are disclosed. An example method can comprise receiving information at a first device based on a first protocol. The information can be translated, at the first device, for communication to a second device based on a second protocol. A determination can be made as to whether the information matches a criterion associated with a transportation device. The information can be provided to the second device based on the second protocol and a determination that the information matches the criterion.

Abstract: Detecting and restricting floods of unwanted messages is implemented by cluster analysis over time intervals. Application of streaming machine learning clustering algorithms enables finding clusters of messages (P2P text messages, WHATSAPP, tweets) sharing the same content. Such clusters may be analyzed for finding out offensive messages, unwanted or spam messages, and rumors and take corrective actions as needed. The solution enables visualization of data and/or messages and identification of clusters as the solution works on the data and aggregates data into clusters over time intervals. Corrective actions may be applied on selected clusters based on visualized data clusters or by automated application of defined rules.

Abstract: Systems and methods for end to end encryption are provided. In example embodiments, a computer accesses an image including a geometric shape. The computer determines that the accessed image includes a candidate shape inside the geometric shape. The computer determines, using the candidate shape, an orientation of the geometric shape. The computer determines a public key of a communication partner device by decoding, based on the determined orientation, data encoded within the geometric shape. The computer receives a message. The computer verifies, based on the public key of the communication partner device, whether the message is from the communication partner device. The computer provides an output including the message and an indication of the communication partner device if the message is verified to be from the communication partner device. The computer provides an output indicating an error if the message is not verified to be from the communication partner device.

Abstract: Systems and methods for detecting suspicious malware by analyzing data such as transfer protocol data or logs from a host within an enterprise is provided. The systems and methods include a database for storing current data and historical data obtained from the network and a detection module and an optional display. The embodiments herein extract information from non-encrypted transfer protocol metadata, determine a plurality of features, utilize an outlier detection model that is based on historical behaviors, calculate a suspiciousness score, and create alerts for analysis by users when the score exceeds a threshold. In doing so, the systems and methods of the present invention improve the ability to identify suspicious outliers or potential malware on an iterative basis over time.

Abstract: Systems and methods of determining file-access patterns in at least one computer network, the network comprising a file-access server, including training a first machine learning (ML) algorithm with a first training dataset comprising vectors representing network traffic such that the first ML algorithm learns to determine network characteristics associated with file-access traffic, determining, using the first ML algorithm, network characteristics based on highest interaction of traffic with the file-access server compared to other interactions in the at least one computer network, and determining file-access patterns in the at least one computer network based on the network characteristics associated with file-access traffic.

Abstract: An integrated vehicle health management (IVHM) system to resolve equipment-fault related anomalies detected by cyber intrusion detection system (IDS). A benefit of the present system is that it can result in fewer alerts that need manual analysis. A combination of cyber and monitoring with integrated vehicle health management (IVHM) may be a high value differentiator. As a solution gets more mature through a learning loop, it may be customized for different customers in a cost-effective manner, something that might be expensive to develop on their own for most original equipment manufacturers (OEMs). An IVHM symptom pattern recognition matrix may link a pattern of reported symptoms to known equipment failures. This matrix may be initialized from the vehicle design data but its entries may get updated by a learning loop that improves a correlation by incorporating results of investigations.

Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Systems, methods, and computer-readable media for determine a neighborhood graph can include the following processes. A neighborhood graph system generates a neighborhood graph for a plurality of nodes in an enterprise network, the neighborhood graph representing a multi-hop connections between any two nodes of the plurality of nodes. A security score service determines a security score for each of the plurality of nodes to yield a plurality of scores. The neighborhood graph system updates the neighborhood graph of the plurality of nodes using the plurality of scores to provide a visual representation of securities of the plurality of nodes relative to each other.

Abstract: The disclosure generally relates to a vulnerability management system configured to implement an asset-based identification algorithm to identify, update, and otherwise reconcile assets in a network according to various identification attributes that are ordered on a spectrum from authoritative to speculative based on an ability that each identification attribute has to accurately link a host to a given asset. The identification algorithm may further enable an elastic asset-based licensing approach, wherein each asset that is scanned in a current licensing period consumes a single license and licenses are reclaimed from any old assets that are not scanned in a current licensing period (i.e., the old assets do not count towards a total licensed asset count. Furthermore, asset counts may be allowed to temporarily exceed the total licensed asset count without requiring license upsells, with true-up payments only required if and/or when asset counts reflect general expansion of a customer network.

Abstract: A system and method for determining a point in time compliance status of a computing system with a security guideline standard (SGS) wherein the computing system has a command line shell available through a native operating system, the method comprising inputting into a host computer of the computing system a SGS package that represents a scripted SGS that is a non-text file and is encrypted that provides instructions for an evaluation of a computing system's compliance with the SGS under consideration wherein the SGS package performs at least a portion of an automated evaluation of a compliance status at the point in time of the computing system under consideration when the SGS package is decrypted by the computing system; sending a command query from the decrypted SGS package to the selected device of the computer system; compiling in a locally hosted database of the host computer compliance results sent from the selected device of the computing system in response to the command query from the decrypted SGS

Abstract: Techniques for categorizing and prioritizing security issues is disclosed. A security management system is implemented to receive security events describing potential security issues from clients. The security events contain attributes describing the security issue, affected resources, and a risk score defining a level of security risk associated with the event. The security events may be aggregated into a set of recommendation categories based on the type of security issue to be remedied. Aggregated risk scores may be computed for each of the recommendation categories. The security management system causes displaying of a graphical user interface to display information representing the set of recommendation categories. User input may be received selecting a particular recommendation category. In response to selecting the particular recommendation category, recommendation instruction options are displayed for remedying the events within the particular recommendation category.

Abstract: The cyber security appliance can have at least the following components. A phishing site detector that has a segmentation module to break up an image of a page of a site under analysis into multiple segments and then analyze each segment of the image to determine visually whether a key text-like feature exists in that segment. A signature creator creates a digital signature for each segment containing a particular key text-like feature. The digital signature for that segment is indicative of a visual appearance of the particular key text-like feature. Trained AI models compare digital signatures from a set of key text-like features detected in the image of that page under analysis to digital signatures of a set of key text-like features from known bad phishing sites in order to output a likelihood of maliciousness of the unknown site under analysis.

Abstract: Systems and methods for detecting malicious or potenitally malicious script data are provided. Script data is extracted from a data stream at the network level and emulated in a controlled environment. Based upon a comparison of features extracted from emulation of the script to a set of heuristics, malicious script data can be identified for further analysis or processing.

Abstract: Techniques and solutions are described for detecting malicious database activity, such as SQL injection attempts. A first machine learning classifier can be trained by comparing processed and unprocessed user input, where a difference between the two can indicate suspicious or malicious activity. The trained classifier can be used to analyze user input before query execution. A second machine learning classifier is trained with a data set that includes call stack information for an application requesting execution of a dynamic query and query statistics associated with processing of the query at the database. The query of the application can be correlated with a corresponding database query by hashing the application query and the database query and comparing the hash values, where matching hash value indicate a common query. The trained classifier can monitor execution of future queries to identify queries having anomalous patterns, which may indicate malicious or suspicious activity.

Abstract: Systems and methods for detecting anomalous and malicious URL's by analyzing markup language structure, such as HTML, are provided. The systems and methods include the querying of a URL to obtain the markup language data. The markup language data their corresponding elements and their locations rows/depths are parsed into coordinates within a 2-dimensional grid and then processed into features. A color is assigned to each feature as a function of the type of feature. The three dimensions (x, y coordinates and color coordinate) of the features are used to generate an image. The generated images are then compressed to facilitate processing. The compressed images of common websites are analyzed using deep machine learning algorithms to generate a model that represents their structure. These generated models are then used to detect suspicious and/or anomalous websites.

Abstract: A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detecting by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.

Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for generating an application protectability index for network applications and a corresponding protectability scheme. In one aspect, a method includes identifying, by a network controller, network layers associated with an application; determining, by the network controller, a corresponding security index for the application at each of the network layers to yield a plurality of security indexes, each of the plurality of security indexes providing an objective assessment of protectability of the application at a corresponding one of the network layers; determining, by the network controller, an application protectability index; and providing an application protectability scheme for protecting the application based on the application protectability index.

Abstract: A method for establishing network connections includes connecting a device to a first network, retrieving voice input of a user, sending a message including data related to the voice input to at least one gateway device on the first network, receiving configuration data for a second network via the first network in response to the message, and establishing a connection of the device to the second network using the configuration data received via the first network. Furthermore, an electronic device, a network gateway device and a system are defined.

Abstract: A technology is described for determining compliance with security technical implementation guide (STIG) standards. An example of the technology can include identifying a STIG standard that may be applicable to a system component included in a computer system. The STIG standard can be obtained from a security technical implementation guide which specifies security standards for securing computer systems against unauthorized access. A configuration compliance package can be generated to evaluate a configuration setting of the system component for compliance to the STIG standard, and the configuration compliance package can be output to enable a determination of compliance of the configuration setting with the STIG standard.

Abstract: A virtual computer application at a computing device may establish a secure communications channel between the computing device and a private network. The virtual computer application may determine one or more policies that specify one or more actions permitted to be performed by the computing device on documents in the private network based at least in part on context information associated with the computing device. The virtual computer application may determine whether to allow an action to be performed by the computing device on a document in the private network based at least in part on the one or more actions specified by the one or more policies. The virtual computer application may, in response to determining that the action to be performed on the document is not allowed, prevent the computing device from performing the action on the document.

Abstract: Embodiments of an application gateway architecture may include an application gateway server computer communicatively connected to backend systems and client devices operating on different platforms. The application gateway server computer may include application programming interfaces and services configured for communicating with the backend systems and managed containers operating on the client devices. The application gateway server computer may provide applications that can be centrally managed and may extend the capabilities of the client devices, including the ability to authenticate across backend systems. A managed container may include a managed cache and may provide a secure shell for applications received from the application gateway server computer. The managed container may store the applications in the managed cache and control access to the managed cache according to rules propagated from at least one of the backend systems via the application gateway server computer.

Abstract: To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed.

Abstract: A system compares two network security specifications expected to implement the same network security policy for a network and identifies possible discrepancies between them. The system generates a representation of relations between subnetworks of the network for each network security specification. The representation efficiently stores permitted connections between subnetworks. The system compares the representations corresponding to the two network security specifications to identify discrepancies across the two network security specifications. If discrepancies are identified across the two network security specifications the system generating a report identifying the discrepancies.

Abstract: Mobile device security, device management, and policy enforcement are described in a cloud-based system where the “cloud” is used to pervasively enforce security and policy and perform device management regardless of device type, platform, location, etc. A method includes receiving one or more mobile profiles for one or more mobile devices each associated with a user from an enterprise; responsive to enrollment of a mobile device of the one or more mobile devices, communicating to the mobile device; determining an associated mobile profile of the one or more mobile profiles for the mobile device; and configuring the mobile device based on the associated mobile profile.

Abstract: Calls between a customer and an agent often require additional processing of the media in real time. Processing every call in such a manner is often unnecessary and the results deleted or ignored, or prohibited due to a policy for certain calls. Knowing if a call should be processed may be determined too late for the media to be forked. While the customer and agent may engage in the call as a peer-to-peer connection, additional processing requires holding the initial invite long enough, such as with a preservation message, that a session boarder controller may fork the call for subsequent processing without timing out.

Abstract: A network call method, a server, a call terminal, a network call system, and a storage medium are provided. The network call method includes: receiving a reservation request transmitted by a call reservation terminal, the reservation request including a first communication identifier of a first call terminal; generating a chat room identifier of a chat room in a social network application; generating a call reservation notification, the call reservation notification including an access link generated according to the chat room identifier; and transmitting the call reservation notification to a communication client of the first call terminal according to the first communication identifier of the first call terminal.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed. A non-transitory medium comprises instructions that, when executed, cause at least one processor to at least determine whether client circuitry has entered a power save mode, in response to a determination that the client circuitry has entered the power save mode, generate an association request for an access point, receive a connection approval frame, and in response to a determination that the access point has sent an acknowledge frame, generate an acknowledge response for the access point.

Abstract: A method of exchanging content between a User Equipment, UE, and an Application Server, AS, of an IP Multimedia Subsystem, IMS, or between the UE and a peer UE. The method comprises establishing a Session Initiation Protocol, SIP, session between said messaging resource function and the AS; establishing a Message Session Relay Protocol, MSRP, session between the UE and a messaging resource function of the IMS; and exchanging content between the first mentioned UE and the messaging resource function in messages sent over the established MSRP session.

Abstract: A computer-implemented method, a computer system and a computer program product reduce bandwidth requirements of a virtual collaboration session. The method includes capturing session data from a virtual collaboration session. The session data is selected from a group consisting of video data, audio data, an image of a screen of a connected device and text data. The method also includes connecting to a live blog platform. The method further includes transmitting a text transcription of the virtual collaboration session to the live blog platform. The text transcription is generated by scanning the audio data using a speech-to-text algorithm. In addition, the method includes classifying a topic in the virtual collaboration session based on importance. Lastly, the method includes transmitting a multimedia file related to the topic to the live blog platform in response to the topic being classified as important. The multimedia file is extracted from the session data.

Abstract: Data packets containing gaze data are streamed from an eyetracker to a client via a driver unit by receiving, repeatedly, gaze data packets in a first interface; and, providing, repeatedly, via a second interface, gaze data packets. The client sends a request message to the driver unit. The request message defines a delivery point in time in a first time frame structure at which delivery point in time in each frame of the first time frame structure the gaze data packet shall be provided to the client via the second interface. An offset is calculated between a reception point in time and the delivery point in time. The reception point in time indicates when a gaze data packet is received from the eyetracker relative to the first time structure. An adjusted data acquisition instance is assigned based on the offset. The adjusted data acquisition instance represents a modified point in time in a second time frame structure when at least one future gaze data packet shall be produced by the eyetracker.

Abstract: An example playback device includes programming for executing functions including, while connected to both (i) a local area network and (ii) an audio playback network configured separately from the local area network and arranged for playback of media content via at least the playback device, receiving from a network device via the local area network, a request for the network device to connect to the audio playback network. The functions also include, in response to the request, transmitting to the network device via the local area network, a message indicating an identifier of the audio playback network and a password for accessing the audio playback network. The functions also include exchanging one or more messages with the network device via the audio playback network to authenticate the network device for the audio playback network and receiving an audio playback command from the network device via the audio playback network.

Abstract: An apparatus for monitoring a multicast group is provided. The apparatus includes a storage, a receiver and an operation processor. The storage is configured to store first data including a first authenticated message authenticated as being published by a publisher of the multicast group to n-th data including an n-th authenticated message authenticated as being published by the publisher where n is a natural number of 2 or more. The receiver is configured to receive status data including a first propagation message to be delivered to the multicast group. Further, the operation processor is configured to generate monitoring information including status information of the multicast group by using the status data and the first to n-th data.

Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and video stream is consumed in a videoconference.