Abstract: A method may include receiving, via a secure deployment management (SDM) system, configuration data associated with an industrial device, identifying, via the SDM system, a presence of a secure deployment management (SDM) node associated with the industrial device, and establishing, via the SDM system, a secure communication channel between the SDM system and the SDM node using one or more security protocols. The method may also involve sending, via the SDM system, the configuration data to the industrial device via the secure communication channel. The industrial device may receive the configuration data without performing one or more security operations on the configuration data.

Abstract: A system and method for compiling and monitoring a list of operational aircraft components to determine if a threshold is met. Utilizing the list and the threshold can provide for monitoring the network of aircraft components to monitor both health and security of the aircraft network and components thereof. The system can then indicate or alert when a threshold is met or exceeded. Such an alert can be on a display to a pilot, for example, or to a remote monitoring station.

Abstract: Embodiments of the invention relates to the technical field of industrial networks and information security, in particular to an analysis device, method and/or system for an operational technology system and a storage medium. The device includes a parsing module configured to acquire first data related to the operational technology system from a data storage area, and parse out first features of the first data; an identifying module configured to identify an abnormal feature from the first features; and a model generation module configured to acquire second data related to the abnormal feature from the data storage area, and generate an algorithm model based on the second data, where the algorithm model is used for identifying an attack behavior related to the abnormal feature. The attack behavior can be automatically identified, and complementation of the advantages of human intelligence and the advantages of artificial intelligence is realized.

Abstract: An extraction apparatus includes processing circuitry configured to receive an input of information about a plurality of web pages including a hypertext markup language (HTML) element that is known to reach a malicious web page through browser operation and an HTML element that is known to reach a benign web page through browser operation, classify the plurality of web pages whose input is received into clusters, extract an HTML element that reaches the malicious web page and an HTML element that reaches the benign web page from a web page of each cluster that is classified to extract a first character string included in HTML elements that are extracted, and extract, as a keyword, a second character string that characterizes the HTML element that reaches the malicious web page from the first character string.

Abstract: In network security systems, graph-based techniques can be used to analyze data collected for a particular security incident, e.g., a command-and-control incident. In example embodiments, data extracted from data records of network activity and/or security alerts is used to generate a multipartite graph in which different entities (e.g., machines, processes, and domains or IP addresses) are represented as different types of nodes and relationships between the entities are represented as edges. The multipartite graph may be clustered, and the clusters be ranked according to some indicator of maliciousness (e.g., the number of associated security alerts or indicators of compromise (IoCs)). An output generated from the highest-ranking cluster(s) may serve, e.g., to identify new IoCs, or flow into mitigating actions taken in response to the incident.

Abstract: The present invention provides a log classification system configured to perform a hierarchical similarity analysis operation according to a plurality of activities records to generate a discrete space metric tree, and perform a clustering operation on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. The log classification system includes an output device configured to output the one or more event clusters to an information security incident diagnosis system, and allow the information security incident diagnosis system to calculate similar feature information and differential feature information of a plurality of activities records in the one or more event clusters as auxiliary information for diagnosing whether there are intrusions or abnormalities in a target network system.

Abstract: Methods, systems and computer program products are provided for optimizing resources privately. An initial information gain corresponding to an initial client embedding dataset is computed and a machine learning model is trained based on the initial client embedding data set to generate at least one initial attack path in the initial graph data. A second information gain corresponding to a second client embedding data set is computed. A difference between the first information gain and the second information gain is computed. The machine learning model is trained if the difference between the first information gain and the second information gain meets a predetermined threshold to generate at least one new attack path in the second graph data.

Abstract: A system comprises an enterprise network system and engine. The engine has a discovery module coupled to a switch device, an AI and machine learning based monitoring and detection module coupled to the switch device, and a remediation module coupled to the switch device. The remediation module is configured to initiate a remediation process based upon the detection of at least one of the bot anomalies from the flow of data.

Abstract: There is set forth herein obtaining data traffic monitoring data, the data traffic monitoring data being in dependence on monitoring of traffic received by a container of a protected computing environment; obtaining data traffic monitoring data, the data traffic monitoring data being in dependence on monitoring of traffic received by a processing resource of a computing environment; obtaining a state of the processing resource and provisioning a utility processing resource to include the state of the processing resource; and configuring the computing environment to route data traffic to the utility processing resource.

Abstract: Systems and methods for performing a simulated phishing attack are provided. A simulated attack server can send a simulated attack email including a unique identifier to a target. The simulated attack server can receive a reply email including the unique identifier from the target. The simulated attack server can extract the unique identifier from the reply email. The simulated attack server can determine a match between the unique identifier and an identity of the target. The simulated attack server can record a target failure, responsive to determining the match between the unique identifier and the identity of the target.

Abstract: Systems and methods are disclosed to implement a cyberattack detection system that monitors a computer network for suspected lateral movement. In embodiments, the system employs multiple machine learning models to analyze connection data of a network to identify anomalies in the network's connection behavior. The models are updated incrementally using online machine learning methods that can be performed in constant time and memory. In embodiments, the system uses an incremental matrix factorization model and a connection count fitting model to generate anomaly scores for each connection. Connection paths are constructed for acyclic sequences of time-ordered connections observed in the stream. The paths are evaluated based on the anomalies scores of their individual connections. Paths that meet a detection criterion are reported to analysts for further review.

Abstract: A computer-implemented system implements a named entity recognition (NER) model trained for automatic dataset labeling and corpus generation for cybersecurity entities. The NER model includes a semantic similarity measure to determine which category an unclassified/unlabeled word such as an ambiguous keyword with more than one meaning should belong to based on the semantic similarity of an entire sentence.

Abstract: Systems, devices, and methods are discussed for automatically determining a risk-based focus in determining zero trust network access policy on one or more network elements.

Abstract: The present invention discloses a method operable by a discovery system comprising at least one computerized device connected to an internet-protocol based network, the computerized device configured to operate a scan on a range of internet-protocol addresses and detect open ports available for communication. The discovery system is configured to generate an open port list denoted as first open port list of the open ports available for communication in the given range of the internet-protocol addresses and send request headers over an application protocol to at least one port of the ports in the first open port list and receive response headers comprising header fields from open ports available for communication in the range of internet-protocol addresses.

Abstract: Enterprise cybersecurity systems and methods related to receiving or accessing a real-time cybersecurity request, automatically transmitting a live mode request to a first cybersecurity microservice to generate cybersecurity risk-scoring information, receiving a response to the live mode request, calculating a cybersecurity score, automatically populating cybersecurity response data based on the calculated cybersecurity score, and automatically transmitting the cybersecurity response data to the enterprise client electronic device. The enterprise cybersecurity system and method also includes, after the cybersecurity response data has been transmitted to the enterprise client electronic device, automatically transmitting a test mode request to at least one test mode cybersecurity microservice, wherein the test mode request includes real-time data extracted from the real-time cybersecurity request.

Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.

Abstract: Example embodiments of systems and methods for data transmission system between transmitting and receiving devices are provided. In an embodiment, each of the transmitting and receiving devices can contain a master key. The transmitting device can generate a diversified key using the master key, protect a counter value and encrypt data prior to transmitting to the receiving device, which can generate the diversified key based on the master key and can decrypt the data and validate the protected counter value using the diversified key. In an embodiment, the transmitting device can signal an attack or potential attack through the counter value. The attack signaling can further include information relating to the attack or potential attack.

Abstract: A method, computer program product, and system for detecting and mitigating ransomware using snapshot-based backups applied to a block-oriented storage device, by performing the following operations: (i) performing, in predetermined time-intervals, snapshot backups of data in a block-oriented storage device; (ii) determining at least one interval malware index value between a last snapshot backup and a next planned snapshot backup, wherein the interval malware index value is indicative of a changed block rate in stored data of storage blocks of the block-oriented storage device; and (iii) in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, triggering an emergency snapshot.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to determine mutex entropy for malware classification. An example apparatus includes interface circuitry to access a mutex associated with a software application, the mutex to include a mutex identifier string, normalizer circuitry to normalize the mutex identifier string, character probability circuitry to determine character probabilities of characters within the normalized mutex identifier string, the character probabilities based on a historical mutex character distribution, entropy calculator circuitry to calculate an entropy value for the mutex based on the character probabilities, classifier circuitry to classify the mutex as clean or malicious based on the entropy value, and protector circuitry to mitigate malicious attacks based on the classification.

Abstract: A processing application stored on a processing server receives a request to join an application server from a client device. The processing application identifies a targeted application server from a set of application servers, a private internet protocol (IP) address for the targeted application server, and a port number associated with the targeted application server. The processing application generates a token based at least in part on the private IP address for the targeted application server. The processing application maps the private IP address to a virtual IP (VIP) address. The processing application transmits the VIP address, the private IP address, the port number, and the token to the client device.

Abstract: Novel tools and techniques are provided for implementing web-based monitoring and detection of fraudulent or unauthorized use of voice calling service. In various embodiments, a computing system might receive, from a user device associated with an originating party, a request to initiate a call session with a destination party, the request comprising user information associated with the originating party and a destination number associated with the destination party; might query a database with session data (including user information) to access permission data and configuration data; and might configure fraud logic using received configuration data from the database. The computing system might analyze the session data and permission data using the configured fraud logic to determine whether the originating party is permitted to establish the requested call session with the destination party; if so, might initiate one or more first actions; and, if not, might initiate one or more second actions.

Abstract: A system and method for injecting network chaos between a client system and a server system within a network are disclosed. A processor implement a chaos controller DNS (Domain Name System) server and configures a client application running on the client system to utilize the chaos controller DNS server as a DNS server. The processor also selects the chaos controller DNS as the DNS server and implements a chaos controller application programming interface (API) and a chaos controller central server; and orchestrates a type and a duration of a network chaos injection by utilizing the chaos controller API and the chaos controller central server without modifying an application code of the client application.

Abstract: Techniques and systems for detecting malicious activity within a network are provided herein. A method for detecting malicious activity within a network may include receiving, by a network-based authentication system, a network transaction. The network-based authentication system may identify a first attribute of the network transaction. The method may also include selecting, by the network-based authentication system, a first learning statistical model and a second learning statistical model from a plurality of models for handling the network transaction. Each of the first learning statistical model and the second learning statistical model may create a likelihood that the network transaction is authentic. The first learning statistical model may calculate a first score and the second learning statistical score may calculate a second score. Based on a comparison of the first score to a first threshold and the second score to a second threshold, the network transaction may be authenticated.

Abstract: Provided herein are methods and systems for improved domain name system (DNS) security. A computing device of a DNS, such as a recursive DNS server, may cache previously processed (e.g., resolved) DNS requests. The DNS cache may be a target for cache poisoning and other cache manipulation attacks. The methods and systems described herein may employ artificial intelligence, machine learning, and/or pattern recognition techniques to provide improved security for the DNS cache.

Abstract: A method for over-the-top (OTT) management in a communication network is presented. The method is performed in an application client. The method comprises sending a request for activation of a policy for an application network interaction protocol (ANIP) service to a packet data network gateway (PGW) wherein the request indicates an address to a local ANIP server; receiving a set of rules related to the requested activation of the policy from the PGW, wherein the set of rules are defined for a packet data network (PDN) session applicable for the ANIP service; and communicating over the communication network based on the received set of rules. Methods, application clients, PGWs, ANIP servers, computer programs, and a computer program for OTT management in a communication network are also presented.

Abstract: A system and method for cryptographically securing data communications between a group of networked devices establishes and maintains an overlay network at the Application Layer, on top of a unicast routing service provided at the Internetworking Layer. The overlay network provides first, the routes that are used to deliver multicast datagrams and second, the cryptographic keys used to secure multicast datagrams. A common cryptographic key is established between all members of each group, and end-to-end encryption ensures that multicast datagrams can be accessed only by authorized group members. In other embodiments, keys are established between pairs of adjacent devices in the overlay network, and hop-by-hop encryption ensures that multicast datagrams can be accessed only by overlay network members.

Abstract: A process of filtering a wireless service provided to at least one wireless device from a wireless network includes receiving identification of the at least one wireless device in a filtering server from an administrator and receiving filtering instructions from the administrator in the filtering server. The process further including receiving a request for an internet resource from at least one wireless device, comparing the request for the internet resource to the filtering instructions to determine whether the requested internet resource is allowable in view of the filtering instructions or not allowed based on the filtering instructions. The disclosure also provides a system as well.

Abstract: A system and method for providing time-series geospatial data and a world-scale simulation platform used to generate simulated-world environments by rendering data-dense geographical regions corresponding to heterogenous sourced data and formats for highly scalable parallel simulations, and comprised of a multi-dimensional time-series database used for enabling query support across multiple simulations via individual simulation and entity swimlanes for cyber, physical and cyber-physical entities and regions.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a storage device, for securing a network associated with a property in response to the detection of a hacking drone within a vicinity of the property. In one aspect, a method includes obtaining sensor data from one or more sensors located at a property, detecting, based on the obtained sensor data, the presence of a drone, determining, based on the obtained sensor data, that the detected drone is an unauthorized drone, determining, by the monitoring system, that the unauthorized drone (i) is communicating or (ii) attempting to communicate with a network associated with the property, selecting one or more network adjustment policies, and transmitting one or more instructions to (i) one or more monitoring system components or (ii) one or more network components that are configured to adjust network parameters based on the one or more selected network adjustment policies.

Abstract: Apparatuses, methods, and systems are disclosed for indicating the IMS capability for EPS fallback. One apparatus in a mobile communication network includes a processor and a transceiver that transmits to an IMS network entity a first SIP message comprising a request for establishing a data session, where the first SIP message contains a first contact header field. The transceiver receives a second SIP message from the IMS network entity for establishing the data session, where the second SIP message contains an indicator. The processor determines an IMS network capability from a combination of the first contact header field and the indicator.

Abstract: A system is provided for establishing a shared media session for client devices that receives event data and media corresponding to a shared media session and previous shared media sessions from a recording client device communicably coupled to a distributed communication network. A persistent record of the event data and media is generated until the shared media session is terminated by at least one of a first client device or by abandonment of the distributed communication network by the first client device and by second client devices. A new disparate live media output stream is generated with multiple distinct channels based on augmentation of a disparate live media output stream in the shared media session. The augmentation is based on an interaction from a user on actions in the shared media session.

Abstract: A method for streaming media assets using a redundant cache managed by a media streaming server in a media streaming network may be provided. The method may include receiving, by a media streaming server, immersive media stream comprising one or more immersive media assets associated with one or more scenes, determining that a subset of the one or more immersive media assets are included for a plurality of times in the one or more scenes, storing a redundant copy of each of the subset of the one or more immersive media assets in a cache maintained by the media streaming network to ensure that the each of the subset is accessible to both the media streaming server and a client, and streaming at least one media asset of the subset of the one or more immersive media assets in response to a local cache of the client not storing the at least one media asset.

Abstract: Systems and methods for providing pronunciation services for video conferencing are described. A method includes receiving, by a video conference provider, an audio stream of a pronunciation of one or more words. The video conference provider may associate the audio stream of the pronunciation with a user of a first client device, in which the first client device is configured to join a video conference hosted by a video conference provider, the video conference having a plurality of participants using a plurality of client devices. The video conference provider then receives, from a second client device, a first indication to play back the pronunciation. Responsive to the first indication, the video conference may provide, to the second client device, the audio stream of the pronunciation. The video conference provider then outputs instructions to cause the second client device to play back the audio stream of the pronunciation.

Abstract: A method for triggering service logic execution recording of a call between a calling User Equipment, UE, and a called UE in a telecommunication network, wherein said service logic execution recording is to be triggered by nodes in a chain of nodes involved in establishing a call between said calling UE and said called UE, wherein said method comprises the step of inserting in a call establishment message, a service logic execution recording parameter, wherein said parameter indicates that nodes involved in said establishing of said call between said calling UE and said called UE should perform service logic execution recording, wherein said service logic execution recording is any of recording of log files and recording of trace files reflecting signalling between said nodes in said chain.

Abstract: An example may include receiving one or more data inputs from collaboration by one or more participant devices operated by a number of meeting participants of a meeting, identifying an initial context of the meeting based on the one or more data inputs, querying a databank of previously stored information to identify one or more additional contexts related to the initial context, linking the initial context and the one or more additional contexts by establishing one or more entity relationships, and forwarding the initial context and the one or more additional contexts as entities in a virtual collaboration space.

Abstract: Implementations for metering features of media conferences on the client-side are described. Initially, a participant joins a media conference. An identifier of a feature and an allotment associated with the feature is then received by the participant. The feature is used during the media conference and the allotment associated with the feature is decremented based on the use of the feature. It is then determined that an allotment refresh is needed. In response, additional allotment associated with the feature is requested and received by the participant until the maximum number of additional allotment requests or the maximum allotment is reached.

Abstract: One example method for controlling presentations in video conferences includes displaying, by a video conference application executing on a first client device, a first slide of a plurality of slides in a slide presentation as part of a visual display of a video conference on the first client device; receiving, by the video conference application executing on the first client device from the video conference application executing on a second client device, a first command to display a second slide, wherein the first command is issued by a first user of a plurality of users of the video conferencing application authorized to control the slide presentation; displaying, by the video conference application executing on the first client, the second slide in response to receiving the first command; receiving, by the video conference application executing on the first client device from the video conference application executing on a third client device, a second command to display a third slide, wherein the second

Abstract: Systems and methods of operation are disclosed for media delivery systems operable to deliver requested media content to a client device by accessing media resources and media processing elements available on a network to which the media delivery system and client devices are linked. The media delivery system is operable to use the media resources and media processing elements to provide the requested media content in a requested format. The media delivery system may implement network-based media processing, and may use Immersive Technologies Media Format. The media delivery system may implement, such as in, or between, the application layer and network layer according to the OSI model, two control planes: a media control plane and a network control plane, and a data plane: a media data plane.

Abstract: Embodiments of the present invention are directed to a Content Delivery Network (CDN) for broadcasting data streams. The CDN allows a streamer to stream live (in realtime) on a network(s), such as the Internet, for a live audience to view and to interact with the live entertainment. Each of the broadcast clients send data streams to the CDN via an input node, wherein the CDN output a selected media stream to one or more selected viewing clients via the output node. The architecture of the CDN contains one or more System Racks. Each of the System Racks contains multiple media channels. In operation, the data stream of a broadcasting client is sent to the CDN and distributed into selected channels. The data streams in each of the selected channels are outputted to viewing clients of a corresponding type.

Abstract: A method for monitoring and correcting playback performance for content player. The method includes detecting a content player request from a media player on a user device, the content player request corresponding to a content item request from a server, generating a playback identifier including data corresponding to the content item, detecting one or more playback events occurring during playback of the content by the content player, generating one or more playback packets including the playback identifier, a packet identifier, and the one or more playback events, and transmitting the one or more playback packets to a server.

Abstract: The present technology pertains to initiating and then sharing a capture session. According to at least one example, the present technology includes receiving, from a first device, a request to initiate a shared capture session. In response, the first device launches a capture session that receives audio, video, and screen data from the first device. The first device can then share the capture session with another user, via a link. After a second user selects the link at a second device, audio and video data from the second device are added to the capture session. The capture session aggregates and captures the audio, video, and screen data from both devices. After the capture session ends, a captured media object from the capture session can be stored at the first device, and sent to the second device, and the content management system.

Abstract: Systems, apparatus, articles of manufacture, and methods are disclosed to synchronize media playback at devices in a multicast environment. Disclosed is a system to synchronize media playback, the system comprising programmable circuitry, and a memory that stores executable instructions that, when executed or instantiated by the programmable circuitry, facilitate performance of operations, comprising transmitting, using a hypertext transfer protocol (HTTP), a first request in a first HTTP message to a first client device and to a second client device, receiving, from the first client device in response to the first request.

Abstract: A method and apparatus for transmitting a real-time media stream in a communications network. The method comprises separating an essential part of the media stream from a non-essential part of the media stream in said real-time media stream and transmitting the essential part of the media stream on a first bearer and the non-essential part of the media stream on a second bearer. Priority of the first bearer is higher than priority of the second bearer. The method also comprises performing adaptation of the essential part of the media stream in response to a change of traffic conditions on the second bearer.

Abstract: A method and apparatus for media decoding by a decoder include decoding a first indication indicative of a first conformance point of a coded video sequence. A second indication indicative of a second conformance point of the coded video sequence is decoded. It is determined whether the coded video sequence is decodable by the decoder based on at least one of the first indication and the second indication. The coded video sequence is selectively decoded based on determining whether the decoded video sequence is decodable by the decoder.

Abstract: Response delay associated with a state-based client-server application can be reduced with utilization of an application state server-side cache. A server caches data for a set of one or more possible states of a client-server application that may follow a current state of the application. The server rapidly responds to a client request with data that corresponds to an appropriate new state of the application in accordance with the application state server-side cache. The server determines that the application will transition to the appropriate new state from the current state of the application with the application state server-side cache based, at least in part, on an operation indicated by the client request.

Abstract: A system designed for increasing network communication speed for users, while lowering network congestion for content owners and ISPs. The system employs network elements including an acceleration server, clients, agents, and peers, where communication requests generated by applications are intercepted by the client on the same machine. The IP address of the server in the communication request is transmitted to the acceleration server, which provides a list of agents to use for this IP address. The communication request is sent to the agents. One or more of the agents respond with a list of peers that have previously seen some or all of the content which is the response to this request (after checking whether this data is still valid).

Abstract: A method may include: providing a browser extension to user devices that is configured to: monitor data associated with website pages visited by the user devices; and in response to detecting that data associated with a website page is indicative of a presence of a platform, transmit a notification to an entity system, the notification including an identification of the website page and an identification of the platform; and in response to receiving the notification: generating and/or updating a database indicative of operation of the platform on one or more website pages based on the identification of the website page and the identification of the platform; quantifying a number of website pages on which the platform is operated based on the database; and determining a level of traffic to the website page.

Abstract: Techniques for peer to peer sharing of files in a mobile environment are provided. In response to coming within communication range of a second device, a processing device may determine whether the second device will remain in communication range with a first device for at least a threshold amount of time. An amount of data that can be transferred between the first and second devices during a transfer window with the second device may be determined. Package manifests of the first and second devices may be compared to determine a set of packages of the first device that need to be updated. A number of chunks for a first package of the set of packages may be received from the second device, the number of chunks based on the amount of data that can be transferred between the first and second devices during the transfer window.

Abstract: This application provides an application sharing method, an electronic device, and a computer-readable storage medium. The method includes: receiving target application identification information and target device information; displaying, in a case that a first electronic device is connected to a target electronic device corresponding to the target device information, a running interface of a target application in a virtual screen; and sharing the running interface of the target application displayed in the virtual screen with the target electronic device.

Abstract: An application platform system and method. A data synchronization instance manages a reference state object for a data synchronization system (DSS) account. A first local state object is stored at a first application system. The first application system receives update notifications provided by the DSS. A second local state object is stored at a second application system. The second application system receives update notifications provided by the DSS. An application instruction of the first application system is transformed into a state update, and the first local state object is modified to include the state update. The state update is provided to the DSS via a local update notification. The reference state object is modified to include the state update. The state update is provided to the second application system via a reference update notification. The second local state object is modified to include the state update.