Abstract: Various implementations of the invention provide load balancing in a data storage system. A computing processor receives a request to create a new data storage container on a selected one of a plurality of data storage assets, where each of the plurality of data storage assets is configured to host a plurality of data storage containers. The computing processor determines which of the plurality of data storage assets is farthest away from an existing data storage container corresponding to the new data storage container and creates the new data storage container on the data storage asset that is farthest away from the existing data storage container.

Abstract: A device may determine that a first link of the device is active. The device may determine whether a Media Access Control Security (MACsec) session is established on the first link. The device may selectively enable or disable a second link of the device based on determining whether the MACsec session is established on the first link.

Abstract: Disclosed herein are systems and methods for query-attempt assignment in a database environment. In an embodiment, a database platform includes first and second database query managers respectively configured to manage external and internal tasks of the database platform. The first database query manager receives a query directed to database data in a client account of the database platform, and an attempt to execute the query is assigned to one or more execution nodes. Based on determining that the attempt was unsuccessful, the database platform transfers the query to the second database manager, which assigns a first retry attempt to execute the query to one or more execution nodes.

Abstract: Disclosed embodiments relate to systems and methods for analyzing and addressing least-privilege security threats on a composite basis. Techniques include identifying a permission associated with a secured resource, identifying attributes associated with the permission, weighting the attributes, and, based on the attributes and their weights, creating a normalized score corresponding to the risk presented by the permission. Further techniques include identifying attributes associated with the secured resource, identifying special risk factors, and creating weighted scores based on the resource attributes and special risk factors. Other techniques include aggregating the weighted scores and using the weighted scores to identify insecure areas within the system.

Abstract: Techniques for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a device identifier for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the device identifier and the application identifier.

Abstract: Techniques for emulating a configuration space by a peripheral device may include receiving a access request, determining that the access request is for an emulated configuration space of the peripheral device, and retrieving an emulated configuration from an emulated configuration space. The access request can then be serviced by using the emulated configuration.

Abstract: An example operation may include one or more of identifying a registered interest associated with a requestor on a blockchain, accessing a smart contract stored on the blockchain, determining a match between the registered interest and blockchain transaction information, determining the requestor associated with the registered interest has access permissions to access the blockchain transaction information based on access control rules, and creating a temporary bilateral smart contract including the requestor, and an owner of the blockchain transaction information, and the temporary bilateral smart contract provides permission for the requester to access the blockchain transaction information.

Abstract: Systems and methods for providing recommendations of healthcare service providers are provided. A method includes receiving search criteria from a computing device of a search user. The method also includes determining at least one group of users associated with the search user. The method additionally includes determining recommendations that satisfy the search criteria and that are associated with at least one user in the at least one group of users. The method further includes transmitting the determined recommendations to the computing device of the search user. The determining the at least one group of users and the determining the recommendations are performed by a recommendation tool running on a computing device.

Abstract: There is described a method for providing a Virtualized Network Function (VNF) according to Network Service (NS) requirements. The method comprises selecting an on-boarded VNF descriptor (VNFD) from a VNF catalogue, configuring parameters of the selected on-boarded VNFD according to the requirements of the NS and instantiating a VNF according to the configured on-boarded VNFD. There is also described a method for providing a Network Service (NS). The method comprises selecting an on-boarded NS Descriptor (NSD) from an NS catalogue, modifying NSD information of the selected on-boarded NSD and instantiating the NS according to the modified on-boarded NSD.

Abstract: This document describes among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.

Abstract: A method includes receiving from a transmitting data interface, a data stream mapping of a data input into data shards for transmission in a data stream over a data stream communication channel. Data capacity for a data producing software application from a plurality of data producing software applications is adjusted by increasing or decreasing a number of data shards in the data stream assigned to the data producing software application. An updated data stream mapping of the data input into the plurality of data shards is generated by updating a start hash key and an end hash key in a range for each of the data shards assigned to the data producing software application. The updated data stream mapping is sent to the transmitting data interface for adjusting the data capacity in the data stream transmitted over the data stream communication channel of the data producing software application.

Abstract: A system for using artificial intelligence to generate a computing network architecture diagram based on user inputs, applicable vulnerability/cyber threat data and internal/external compliance/audit regulation data. In addition, machine-learning techniques may be used that leverage previously implemented computing network architectures. The computing network architecture diagram may be generated absent a baseline diagram or the user inputs may define at least a portion of an initial/baseline network architecture diagram that is modified based on the vulnerability/cyber threat data, the internal/external compliance/audit regulation data and/or the previously implemented computing network architectures. In additional embodiments of the invention, new/emerging vulnerabilities and cyber threats are detected, and in real-time response, adjustments to the computing network infrastructure and determined and implemented.

Abstract: Disclosed are various examples for enrolling a client device and synchronizing user attributes for the client device across multiple directory services. A search request for user attributes can be sent to a first directory service with an identifier for a user account. The first directory service can query for the identifier and send back user attributes. If a global identifier is included in the attributes, another search request for user attributes can be sent to a second directory service with the global identifier. The second directory service can query for the global identifier and send back user attributes.

Abstract: According to examples, an apparatus includes a processor and a memory on which is stored machine readable instructions. The instructions may cause the processor to acquire technical characteristics of a client workload, access client policies, determine an infrastructure to implement the client workload based upon the acquired technical characteristics of the client workload, determine, based upon the determined server sizing and the accessed client policies, a recommended hosting provider that is to host the client workload, and output the determined server sizing and the recommended hosting provider.

Abstract: A method, apparatus and computer program product are provided for intelligently switching from public land mobile network (PLMN) assigned identification (ID) to UE manufacturer assigned ID. An example method includes receiving a registration request message comprising information related to location registration to an access and mobility management function (AMF) or a mobility management entity (MME) through a radio access network (RAN), obtaining an international mobile equipment identity (IMEI) or Permanent Equipment Identifier (PEI) of a user equipment and extracting from the IMEI or PEI a type allocation code (TAC). The method then obtains a user equipment radio capability ID associated with the user equipment and determines whether the UE shall use a user equipment manufacturer ID or PLMN assigned ID in order to determine an appropriate registration accept message having instructions to operate based on the user equipment manufacturer ID or the PLMN assigned ID.

Abstract: The disclosure relates to a method in a Lawful Intercept, LI, management system for removing redundant content of communication, CC flows. Said LI management system is capable of receiving and handling one or more CC flows generated from intercepted target communication sessions. Each CC flow comprises a flow of data packets, each data packet comprising a flow identity of the CC flow. The flow identity comprises an address of a sending intercept access point, IAP, at least one target identifier, TID, and a communication session Correlation Identifier, CI. The method enables the LI management system to forward only one CC flow of CC flows having identical TID and CI, respectively, but different sending intercept access points.

Abstract: In certain systems disclosed herein, a distributed data monitoring and management system is provided that can replicate a distributed storage environment. The distributed data monitoring and management system can intelligently and automatically configure data access nodes to form a structure that matches the distributed storage environment. By matching the structure of the distributed storage environment, the distributed structure of the data may be maintained, enabling the data to be backed up from and/or restored to the distributed storage environment and/or migrated to another distributed storage environment without altering the distribution of the data. Further, embodiments herein enable the monitoring of nodes within the system and transfer of data from a non-distributed environment to a distributed storage environment. Thus, in some cases, an entity can migrate data from a local storage structure to a network-based distributed storage structure.

Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.

Abstract: Techniques for improving communications efficiency between pairs of communication nodes running within a computer system are described herein. Potential locations for placing a communication node are evaluated using one or more fitness values wherein the fitness value is based at least in part on one or more system metrics associated with placing a communication node in the potential location. If an improved location is found based on the fitness value, the communication node may be migrated to the new location, thus improving system efficiency.

Abstract: A control means 111 sets, with respect to a packet transfer means 112, control information that defines an operation of the packet transfer means 112 according to header information of a packet. In a case of being set to a learning mode to learn a new record and in a case where an item corresponding to a condition that can be specified from an IP address is designated as an item a condition of which is to be learned, the control means 111 sets, in the packet transfer means 112, control information indicating permission for communication by a new packet when header information of the new packet is notified by the packet transfer means 112. Then, the control means 111 adds, to the list, a record in which a condition specified from an IP address in the header information is described in the designated item.

Abstract: This disclosure provides an apparatus and method for use in industrial control systems and other systems. A method includes detecting, by a primary node, that a backup node is available and unconfigured. The method includes automatically replicating, by the primary node, the primary node to the backup node, including replicating a personality of the primary node to the backup node.

Abstract: The present disclosure provides a method [400], a system [200], an edge device [204] and a computer program for routing user data traffic from an edge device [204] to a network entity [206]. The method encompasses receiving, at least one data packet of user data traffic relating to a request for availing a service, via an authenticated user device. The method thereafter comprises identifying, one or more parameters from the at least one data packet of user data traffic. Further the method comprises generating, one of a positive and a negative response based on the identified one or more parameters and a corresponding policy associated with each parameter. Thereafter, the method routes the user data traffic to an EoGRE tunnel to transmit said user data traffic to a network entity [206], based on the positive response.

Abstract: One or more data packets intended for a workload running on the server are received from an endpoint at a proxy associated with a server. The proxy associated with the server determines whether the one or more data packets intended for the workload are encrypted with a certificate associated with a policy group that includes the workload. The one or more data packets are provided to the workload based on whether the one or more data packets intended for the workload are encrypted with a certificate associated with a policy group that includes the workload.

Abstract: Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which throttling actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.

Abstract: A layered authentication process can use a first authentication layer to filter out invalid requests. The first layer can perform a lightweight authentication to determine requests that do not meet certain authentication criteria. This can include, for example, denying requests that have invalid credentials or that are received from unapproved locations or sources, or that lack the proper format. Requests that pass the initial authentication can be directed to a more robust authentication service that is capable for performing a full authentication of the request. Such an approach prevents various invalid requests from being delivered to the robust authentication service, thereby preventing the robust authentication service from being overwhelmed by a large number of requests, such as may correspond to a coordinated attack on the service.

Abstract: Methods are provided for extending sponsored Wi-Fi guest access capability to other enterprise tools and/or access technologies such as private access networks including private LTE and 5G networks. The methods include a controller detecting a user equipment (UE) that is connected to a guest access service provided by a wireless local access network (WLAN) and generating a profile for the guest access service. The methods further include the controller providing, to the UE, the profile to cause the UE to connect to the guest access service provided by another access network.

Abstract: Persistent storage may contain software models defining corresponding software packages and entitlements to a software package, wherein use of the entitlements is constrained by entitlement rules. One or more processors may be configured to: (i) determine, by querying computing devices, a first deployment of the software package; (ii) determine, by querying an interface of a public cloud platform, a second deployment of the software package, wherein use of the entitlements on the public cloud platform is constrained by platform rules; (iii) determine, based on the constraints, an assignment of the entitlements to the first deployment and the second deployment; (iv) determine that the assignment leaves one or more deployed instances of the software package not covered by the entitlements; and (v) determine a modification to the entitlements that: satisfies the constraints and facilitates a further assignment of the entitlements that covers all deployed instances of the software package.

Abstract: Methods and systems for communicating between nodes within computing clusters. In one embodiment, a method is provided that includes receiving, at a first node within a first cluster, a packet for transmission from a second node within the first cluster. The packet for transmission may be received via a local tunnel of the first cluster. A routing agent of the first node may identify a first destination address included within the packet for transmission and determine that the first destination address corresponds to a second cluster. The routing agent may also generate a second destination address corresponding to a third node of the second cluster and transmit the packet to the second destination address via an external tunnel between a plurality of clusters including the first cluster and the second cluster.

Abstract: Systems and methods for detecting and thwarting attacks on a computing system. The methods comprise: collecting timestamped data from different software products comprising a unified end point management product, an SBC/ADV product, an application delivery controller product, a content collaboration product, and/or a software defined WAN product; analyzing the collected timestamped data to determine if an observed user behavior matches a learned normal user behavior of an authorized user associated with a user account; determining a risk classification level associated with a credential used by a user to log into the user account, when the observed user behavior does not match the learned normal user behavior of the authorized user; and causing at least one security related action to be performed when the risk classification level is greater than a threshold level or the risk classification level is one of a top N highest risk classification levels.

Abstract: A reminder terminal apparatus and authentication method are disclosed. An example authentication method includes creating a table having letter strings contained in elements respectively, where the letter strings are created at random. The method also includes creating a registration letter string using the table and registering or newly registering the registration letter string as a password for a user name of the user at a resource server. The example method further includes prompting the user to use the access terminal to extract second elements from the table in accordance with the selection sequence, arrange second letter strings contained in the extracted second elements to obtain an authentication letter string, and apply the obtained authentication letter string as a password for requesting a utilization of a resource of the resource server under the user name.

Abstract: An authority configuration method and device are provided. The method includes: when a user logs in a system, a privacy information acquisition request is sent to the user; and an authority of the user is configured according to response information of the privacy information acquisition request. Prior to acquisition of privacy information of the user, the user chooses whether a system is permitted to collect the privacy information, and an authority of the user is configured according to the privacy information permitted by the user. A user is provided with a corresponding operation authority while privacy of the user can be protected from being infringed, and the privacy of the user can be prevented from being leaked.

Abstract: A content delivery method including the operations of receiving a uniform resource locator resolution request at an authoritative name server for a domain where the uniform resource resolution request is received based, at least in part, on a host name of the uniform resource resolution request where the host name is uniquely related to a resource associated with the uniform resource resolution request. The method further including the operation of tracking a popularity of the resource based on the host name uniquely related to the resource and providing a location within a network capable of delivering the resource where the provided location is based on the popularity of the resource.

Abstract: A method for patching a patchable function programmed in a read only memory (ROM) of a semiconductor device by using firmware loaded onto a first memory includes receiving an encrypted and digitally signed firmware image; generating a verification result by verifying the firmware image by using a public key; decrypting the firmware image by using a secret key depending on the verification result; loading firmware decrypted from the firmware image onto the first memory; and running a replacement function corresponding to an identifier of the patchable function included in the firmware, when the patchable function is called.

Abstract: A method and a system for controlling data response with the aid of at least one attribute of a transaction identifier (ID) are provided. The method includes: transmitting the at least one attribute in conjunction with the transaction ID from any master device within one or more master devices to a slave device; and according to the at least one attribute, determining whether to utilize a specific data path among multiple data paths for sending response data corresponding to the transaction ID from a memory device within the slave device to the aforementioned master device. More particularly, the specific data path is a data path having maximum transmission efficiency among the multiple data paths.

Abstract: The disclosure relates to an edge computing-based distributed network architecture. A central server in the architecture may include a client-location monitoring module for tracking a principle location of a client, which may be co-located with a remote hub institution. The central server may also include a client information packaging module, for packaging information associated with the client into a digital package; a natural-disaster monitor module, for monitoring for future natural-disasters; and a transmission module for transmitting a packaging instruction from the natural-disaster monitor module to the client information packaging module when the natural-disaster monitor module communicates that a natural-disaster is predicted to occur within a certain threshold distance and within a certain threshold amount of time.

Abstract: A system comprises a policy storage separately located relative to the user device, the policy database arranged to store information indicative of at least one usage policy set applicable to at least one respective user device. The system is arranged to store user device identification information for each user device associated with the system, the user device identification information being indicative of and unique to a user device associated with the system and being stored separately relative to the user device. The system is also arranged to associate a usage policy set with a user device using the device identification information unique to the user device. The system is also arranged to determine a usage request from a user device and to allow or deny the usage request based on the at least one usage policy set associated with the user device.

Abstract: A system operates to manage accessibility of media content items based on a user's performance of a repetitive motion activity. The system can generate rule data based on a rule designed to permit access to certain media content items. The rule data can include information about various conditions to be satisfied to make the media content items accessible for playback. Such conditions can be associated with a user's performance or status of a repetitive motion activity.

Abstract: A system and method for identifying specific locations where to attach or detach e-mail attachments based on e-mail storage locations is disclosed. The method allows to search in a mail-attachment connection table all the attachment locations that are in relation to the e-mail where the attachment is to be attached to or to be detached from and to present to a user all attachment locations that have a relevance for the attach/detach operation.

Abstract: Typically, a business desires to track and monitor all applications run on its servers. Nonetheless, one or more unauthorized applications may be running on the business's servers, exposing the business to potential regulatory liability and security breaches. Apparatus and methods are provided for isolating and disabling one or more unauthorized applications running on a server. The apparatus may comprise a system including a content-filtering web proxy server configured to filter outgoing requests and data associated with the requests. The system may also include a remediation framework configured to monitor request data in a proxy log stored by the proxy server. The remediation framework may be triggered to perform remedial action when the remediation framework determines that a request and associated data, as stored in the proxy log, meets predetermined conditions. The remediation framework, when triggered, may execute steps to truncate functionality of the unauthorized applications.

Abstract: A data transfer circuit includes: a one-time PROM storing first to m-th register addresses and first to m-th register data; first to n-th registers holding first to n-th data corresponding to first to n-th parameters controlling an operation of a functional element; and a data transfer control circuit acquiring the i-th register address and the i-th register data from the one-time PROM, transferring the i-th register data to the k-th register designated by the i-th register address, k being an integer equal to or greater than 1 and equal to or smaller than n, and updating the k-th data with the i-th register data.

Abstract: First data can be received at a memory sub-system. An operating temperature of the memory sub-system can be identified. An adjusted read voltage level can be determined in response to the operating temperature satisfying a threshold criterion pertaining to a threshold temperature. A read operation can be performed at the memory sub-system based on the adjusted read voltage level to retrieve second data. The first data can be stored at the memory sub-system based on the second data that was retrieved from the read operation that is based on the adjusted read voltage level.

Abstract: A medical device comprises a medical imaging, diagnostic, or therapeutic component (10), and an access point (30) operating as a hub for a wireless local area network (WLAN) complying with a wireless communication protocol having a defined set of WLAN channels. The access point includes a radio (32), an electronic processor (34), and a non-transitory storage medium (36) storing a list of one or more critical medical WLANs (40) and instructions executable by the electronic processor. Scan instructions (42) operate the radio to measure traffic on the WLAN channels generated by critical medical WLANs listed on the list (40). Channel selection instructions (44) select a channel based on at least the measured traffic on the WLAN channels generated by critical medical WLANs on the list (40). WLAN operating instructions (46) operate the access point as a hub for a medical device WLAN carrying traffic on the selected WLAN channel.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: A cloud-based data governance system includes a processing unit, a network adapter, and memory for storing data and code. The network adapter establishes a connection with a remote data storage system associated with a remote file system over a wide-area network (WAN). The code includes an event collection interface, a data governance service, and an enforcement service. The event collection interface is configured to capture an event from the remote data storage system. The event is indicative of a file system operation executed on a data object of the remote file system. The data governance service is configured to receive the event from the event collection interface and to process the event to determine whether the file system operation conflicts with a governance policy of the data governance system. The enforcement service executes a set of remediation actions if the file system operation does conflict with the governance policy.

Abstract: In various exemplary embodiments, a system and an associated method for presenting a commerce application to an electronic device of an end-user. The method includes establishing electronic communications from the end-user to a first server (e.g., an electronic marketplace) in response to the end-user accessing a widget presented by the first server, and establishing electronic communications between the first server and a second server. The second server may be another electronic marketplace. The first server sends a chrome to the end-user. Substantially concurrent with the first server sending a chrome, the second server transmits electronically an Iframe to be placed within the chrome on a browser on an electronic device of the end-user. The blending of the chrome and the Iframe is transparent to the end user; thus, the end-user may be unaware that additional information (e.g., in terms of the Iframe and any accompanying metadata) is being received from the second server.

Abstract: A redundant key management system includes a key management system coupled to a plurality of server devices through a network. A first server device includes a managed device coupled to a first remote access controller device that receive a device locking key from the key management system and uses it to lock the managed device. The first remote access controller device then encrypts the device locking key, broadcasts the encrypted device locking key through the network to a second remote access controller device in a second server device, and erases the device locking key. Subsequently, the first remote access controller device transmits a request to retrieve the encrypted device locking key. When the first remote access controller receives the encrypted device locking key from the second remote access controller device, it decrypts the encrypted device locking key and uses the resulting device locking key to unlock the managed device.

Abstract: In one illustrative example, a multicast traceroute facility for a plurality of interconnected router nodes which are configured to communicate IP multicast traffic amongst hosts is described. The multicast traceroute facility may be for use in processing a multicast traceroute batch query packet which indicates a batch of multicast traceroute queries of a batch query, for identifying a plurality of traced paths for a batch of IP multicast traffic flows. Each identified traced path may be associated with one or more links, each of which has a link metric that satisfies a requested link metric (e.g. a link bandwidth). Resources for satisfying the requested link metric may be reserved for a predetermined or specified time period. The batch of IP multicast traffic flows may be established via at least some of the interconnected router nodes according to the plurality of traced paths identified from the query packet processing.

Abstract: An information processing system according to the present invention includes: an analysis device; and a control device. The analysis device performs first operations. The first operations includes: executing analysis, based on an analysis rule with respect to data to be input as an object of analysis; outputting an analysis result; managing the analysis rule; The analysis device store the analysis rule; and analysis state information indicating a state of the analysis to be generated or referred to by the first processor. The control device performs second operations. The second operations includes: monitoring a usage status of the first memory storing the analysis state information; acquiring and managing an evaluation result with respect to the analysis result; and controlling the analysis rule via the analysis device, based on a usage status of the first memory storing the analysis state information and the evaluation result.

Abstract: Systems and methods are provided for establishing a secure communication link between a first client and a second client. One exemplary computer-implemented method for establishing a secure communication link between a first client and a second client includes accessing, from a storage, identification information of a user of the first client. The method further includes receiving a Domain Name Service (DNS) request from the first client requesting a secure network address corresponding to a secure domain name associated with the second client. The method further includes authenticating the user based on the user identification information. The method also includes transmitting the secure computer network address in response to the DNS request based on a determination that the user has been authenticated. A secure communication link between the first client and the second client is established based on the secure computer network address.

Abstract: At an authorization manager, an indication is obtained that a request pre-processing tool has been designated as a validator for a category of requests directed to a network-accessible service. The authorization manager determines, based at least in part on a validation result set indicated in a request of the category, that the request pre-processing tool has verified that the request meets an authorization requirement. The authorization manager approves one or more operations indicated in the request.