Abstract: In some examples, a system includes a router device and a first adapter device in communication with the router device. The first adapter device includes processing circuitry configured to: communicate with the router device, wherein the router device is incapable of communicating in accordance with the MACsec protocol. The processing circuitry is further configured to establish an encrypted connection in accordance with the MACsec protocol between the first adapter device and a remote device, determine that the encrypted connection is offline, and output a message to the router device that the encrypted connection is offline. The router device is configured to communicate with the remote device via a second adapter device configured to communicate in accordance with the MACsec protocol and bypass the first adapter device.

Abstract: A system and method for notifying client devices in a subscriber account that the account is undersubscribed and no further client devices can stream media content until other client devices are no longer actively streaming media content is disclosed herein. The method comprises receiving a request to receive and play the media content from a requesting client device, the requesting client device being one of a plurality of client devices enabled to receive media content according to a subscriber account and determining if the subscriber account is undersubscribed; if the subscriber account is not undersubscribed. If the subscriber account is not undersubscribed, initiating transmission of the media content, and if the subscriber account is undersubscribed, information is transmitted to the requesting client device, the information including data indicating the subscriber account is undersubscribed without initiating the transmission of the media content.

Abstract: A method for dynamically establishing a communication path for a requestor by assessing an authenticity of the requestor and a communication request is provided. The method may include, in response to receiving the communication request, dynamically determining whether to establish a communication path for the requestor to a destination though a communication network by assessing the requestor based on one or more authentication rules, wherein the one or more authentication rules are based on first information associated the communication network, second information about the requestor, and third information from the requestor. The method may further include, in response to determining that the requestor satisfies the one or more authentication rules, dynamically establishing the communication path for the requestor on the communication network according to one or more communication attributes associated with the requestor.

Abstract: A device may receive client cipher information, associated with initiating a secure session, identifying at least one key exchange cipher supported by a client device associated with the secure session. The device may determine, based on the client cipher information, that a Diffie-Hellman key exchange is to be used to establish the secure session. The device may determine whether a server device, associated with the secure session, supports use of the Diffie-Hellman key exchange. The device may manage establishment of the secure session using a first decryption technique based on determining that the server device does not support the use of the Diffie-Hellman key exchange, or manage establishment of the secure session using a second decryption technique based on determining that the server device supports the use of the Diffie-Hellman key exchange or being unable to determine whether the server device supports the use of the Diffie-Hellman key exchange.

Abstract: A method, system, and computer-readable storage medium are disclosed for identifying binary signatures in a selected set of files and assigning at least one of the binary signatures to a file format name or file format type for use in a security policy generator. In certain embodiments, the method for generating an electronic security policy for a file format type, includes: identification of a plurality of files stored in electronic memory, where the plurality of files include files having the same file format type; providing a file format name that is to be associated with the file format type; accessing the plurality of files from the electronic memory; identifying a common binary signature for the file format type included in the plurality of files; correlating the file format type with the common binary signature; and generating the security policy for the file format type using the file format name.

Abstract: Devices and methods for device connectivity management are disclosed. According to one embodiment, a system for device connectivity management may include a plurality of client devices, each client device supporting a plurality of communication channels; and a broker in communication with each of the client devices over each supported communication channel, the broker comprising at least one computer processor. Each client may send a subscription message to the broker over each supported communication channel. The broker may send each subscribed client a keep alive message over each subscribed supported communication channel, and may broker publish a status message to each subscribed client over each subscribed supported communication channel for a non-responding client. One of the plurality of clients may execute an action in response to the status message.

Abstract: A method performed by a security system that can analyze a vulnerability or a risk applicable to a network entity to identify a cybersecurity threat and associated risk level. The security system can store indications of cybersecurity threats and risk levels in a database of a Domain Name System (DNS). The security system can monitor and resolve network traffic to determine IP addresses or URLs associated with the cybersecurity threats. The security system stores a map of the cybersecurity threats and IP addresses or URLs such that the security system can protect a network entity by processing network traffic to sources or destinations of network traffic that can harm particular network entities, and execute personalized security procedures to protect the network entities.

Abstract: A management method is described, the method implemented by a transmission device capable of communicating via a first wireless with a gateway device forming a node of a telecommunication network and configured to communicate with at least one server of the network via the gateway device. The method can include establishing a secure communication session with a terminal included in a list of terminals for which the transmission device has obtained management data. The method can also include receiving via the first communication link a request to end the management of the terminal, and removing the terminal from the list following the receipt of the request. A transmission device which can be used to implement the management method is also described.

Abstract: Methods, systems, and devices for wireless communications are described. A first user equipment (UE), such as a pedestrian UE, may perform a discovery procedure with a second UE in a vehicle-to-everything (V2X) wireless communications environment that includes multiple other UEs in addition to the first UE and the second UE. The second UE may, for example, be a roadside UE configured to aggregate V2X messages for the first UE. The first UE may determine, based on performing the discovery procedure, a schedule for the first UE to use to receive bundled V2X messages from the second UE. The first UE may receive, from the second UE based on the determined schedule, a message indicating bundled information from multiple V2X messages received at the second UE from the multiple UEs.

Abstract: A media exfiltration authorization system is provided. A computer device receives a request from an application on a remote device, wherein the request is to store data on an external storage device. The computing device validates that the application is running in protected space on the remote device and includes an established unique identifier. The computing device generates an encryption key for the external storage device based, at least in part, on the validating. The computing device sends the encryption key to the application with authorization for the application to reformat the external storage device, store the requested data on the external storage device, and encrypt the external storage device using the encryption key.

Abstract: This application provides a method and an apparatus for invoking an application programming interface (API), to determine a target exposing function network element used to invoke an API. The method includes: A first network element obtains routing information of an API, where the routing information is used to indicate a route for invoking the API, and the API is provided by a first exposing function network element and a second exposing function network element; the first network element obtains invocation parameter information of the API, where the invocation parameter information is used to handle the API; and the first network element determines a target exposing function network element in the first exposing function network element and the second exposing function network element based on the routing information and the invocation parameter information.

Abstract: A Protocol Analyzer is provided for monitoring and debugging a high-speed communications link between a local device and a remote device. The local device may include a communications protocol block for interfacing with the remote device. The Protocol Analyzer may include an embedded logic debugging circuit on the local device, where the logic debugging circuit is configured to capture link data based on user-defined events to create a corresponding database of signal capture in a local memory. The Protocol Analyzer is configured to import the database from memory and to decode the link data to display on a user interface that organizes key link sequencing events along with their timestamps to help the user more accurately and quickly debug any link bring-up issues.

Abstract: A radio communication device installed on a vehicle of this application comprises a radio communicator configured to perform a radio communication with a plurality of networks, a controller configured to perform location registration or a call origination via each of the plurality of networks, and a storage configured to store location registration results or call origination results for each of the plurality of networks. The controller is configured to select a network affording more favorable results than results of one of the plurality of networks based on the location registration results or call origination results stored in the storage, and perform location registration at a time of an emergency call origination by using the selected network.

Abstract: A service platform obtains order data of an order placed by a target user through a user interface and history data of the target user associated with one or more user interface operations for placing the order, where the history data includes page code of one or more pages of the user interface associated with the one or more user interface operations. The service platform generates, based on the history data and the order data, usage data of the target user. The service platform determines a digital digest of the usage data. The service platform sends the digital digest to a blockchain network associated with a blockchain, where the digital digest is verified by a blockchain node of the blockchain network, and where the digital digest is stored on the blockchain in response to a determination that the digital digest passes a verification.

Abstract: A novel and useful mechanism for providing security features to a wireless communications system that otherwise does not have such features. Security features including encryption and decryption of communications, secure key exchange, secure pairing, and secure re-pairing are provided. The invention is applicable to wireless communication systems such as IO-Link Wireless. The encryption/decryption mechanism uses AES-256 block cypher with counter mode to generate blocks of cypher bits used to encrypt and decrypt communications between the master and devices. Session keys are generated using a random salt and a counter value. The random salt is generated using a secure random number generator such as the CSPRNG algorithm. A master key (or device key) is also used in generating session keys. Session keys are not permanent and are used to encrypt/decrypt only a finite amount of data. Once exhausted, the session key is replaced by a new one and cypher bits are generated using the new session key.

Abstract: A method for authenticating a client terminal by a target server. The method includes: the client terminal authenticates itself with an authentication server; the target server authenticates itself with the authentication server; the authentication server and the target server share a password for the client terminal; the authentication server transmits the password to the client terminal; the client terminal transmits the password to the target server; and the target server determines whether or not there is a correspondence between the password shared with the authentication server and the password transmitted by the client terminal, and if the correspondence between passwords exists, the client terminal is authenticated by the target server.

Abstract: A method performed by a security system of a 5G network to protect against cyberattacks on a personalized basis. The security system can identify a cybersecurity threat to a wireless device based on contextual information relating to the wireless device, a user preference, or a call detail record. The security system can determine a one-time fee to charge the user in exchange for protecting the wireless device against the cybersecurity threat, generate an on-demand coupon to protect the wireless device against the cybersecurity threat, and send the on-demand coupon to the wireless device based at least in part on the contextual information relating to the wireless device and the user preference. When the security system receives an indication that the on-demand coupon was redeemed, responds by deploying a network asset to protect the wireless device against the cybersecurity threat.

Abstract: An improved backhaul protocol is provided, as well as computer-implemented systems and methods for autonomously broadcasting video data, audio data, or video and audio data during an event, wherein the broadcasting can be scheduled in advance and from a remote location (e.g., using a web browser), and wherein the video/audio data is streamed to a remote user over a network using the improved backhaul protocol.

Abstract: A user may securely access a remote virtual machine (RVM) by authenticating with a single sign-on portal (SSOP) connected to a request collector. The request collector is connected to a remote access helper (RAH) associated with the RVM. Upon a user request from the SSOP, a one-time password (OTP) is generated by the RVM and the RAH sends an acceptance notice to the request collector. The request collector generates a payload containing a URL which is sent to the SSOP and connects to the URL downloading a file containing the OTP. The user then connects to and accesses the RVM using the OTP contained in the file.

Abstract: Encryption operations using private and public cryptographic signature keys may be used to facilitate secure and uniquely identifiable audit records relating to website content classification. Blockchain may be used to facilitate collection, storage, and sharing of encrypted audit records. Based on shared encrypted information (e.g. from the blockchain or elsewhere) a content evaluation consensus may be formed. Collections of encrypted audit records may be processed and results of the processing may also be shared via the blockchain. Subsequent operations can include sharing of the processing results.

Abstract: A security device to support secure communication via a field bus, has a connecting apparatus for the direct coupling of the security device to a network interface of a field bus subscriber, which is formed for connecting to a field bus and which is not formed for secure communication via the field bus. In the coupled state, there is a link between the security device and the field bus subscriber such that, if the link is disconnected or damaged, proper operation of the security device is reversibly or irreversibly blocked. Further, a transmitting and receiving apparatus is provided which is formed to securely transfer data coming from a directly coupled field bus participant, which is not formed for secure communication, via the field bus according to a predetermined security protocol, and which is further formed to receive data transferred via the field bus and intended for the field bus participant according to the predetermined security protocol and to deliver them to the field bus participant.

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: Methods, systems, and devices supporting active fingerprinting for transport layer security (TLS) servers are described. In some systems, a client device may transmit a same set of client hello messages to each TLS server. The client device may receive a set of server hello messages in response to the standard set of client hello messages based on the contents of each client hello message. For example, a server hello message may indicate a selected cipher suite, TLS protocol version, and set of extensions in response to the specific information included in a client hello message. The client device may generate a hash value (e.g., a fuzzy hash) based on the set of server hello messages received from a TLS server. By comparing the hash values generated for different TLS servers, the client device may determine whether the TLS configurations for the different TLS servers are the same or different.

Abstract: Embodiments of the invention are directed to the utilization of trust tokens to perform secure message transactions between two devices. A trust token transmitted in a message from one device may include first data that is digitally signed by a trust provider computer, and second data that is digitally signed by the device itself. Upon receipt of a message containing a trust token, the recipient may utilize the first data to verify with the trust provider computer that the sender of the message is a trusted party. The trust provider computer may provide the recipient device the public key of the sender. The recipient may utilize the second data and the provided public key to verify that the sender signed the message and that the message is unaltered. These techniques may increase detection of relay, replay, or other man-in-the-middle attacks, decreasing the likelihood that such attacks will be successful.

Abstract: An authentication method and system includes a computing device, such as a smart phone, which includes a display for presenting a graphical and interactive game board that is used for entering a user's passcode. During the authentication process, the user selects a game board (e.g. chess, checkers, poker, backgammon, etc.) and associated game pieces for presentation on the display. The user then moves one or more game pieces to locations on the game board. Together, the selected game board, selected game pieces, and the movements and/or locations which the game pieces are moved on the game board form an entered passcode. This generated passcode is then compared with a stored passcode to authenticate the user before granting access to the computing device.

Abstract: The present invention provides a mechanism capable of creating, in a simplified manner, a safety program in accordance with a safety use. A program creation assistance device assists in creation of the safety program to be executed by a safety controller. The program creation assistance device selects a safety use of the safety program to be created in accordance with user input, determines, based on the safety use selected, an input block to which a safety input signal from an input device is assigned and a functional block that implements a safety function suitable for the safety use selected, the input block and the function block making up the safety program, provides an unfinished safety program in a programmable manner, the unfinished safety program including the blocks determined, and supplements the unfinished safety program to create the safety program in accordance with user input.

Abstract: An image capture device for a secure industrial control system is disclosed. In an embodiment, the image capture device includes: an image sensor; a signal processor coupled to the image sensor; and a controller for managing the signal processor and transmitting data associated with processed image signals to at least one of an input/output module or a communications/control module via a communications interface that couples the controller to the at least one of the input/output module or the communications/control module, wherein the controller is configured to establish an encrypted tunnel between the controller and the at least one of the input/output module or the communications/control module based upon at least one respective security credential of the image capture device and at least one respective security credential of the at least one of the input/output module or the communications/control module.

Abstract: Disclosed herein are system, method, and computer program product embodiments for restoring an electronic device. An embodiment operates by receiving a request for restoring a portion of data from a point of time onto the electronic device. Thereafter, the portion of data is scanned for a virus. Based on the detection of the virus, a determination is made on whether to proceed with restoring the electronic device with the portion of data. If the determination is made to proceed with the restoring of the electronic device, the portion of data is subsequently transmitted to the electronic device. The portion of data is stored in a backup repository remote from the electronic device.

Abstract: This disclosure describes methods and systems to for a method for a first computing node to receive frequency information of a system clock. The first computing node receives the frequency information of the system clock from a second computing node at a physical layer of a connection between the first computing node and the second computing node. The first computing node also receives a message from the second computing node at above the physical layer of the connection between the first computing node and the second computing node. The message includes an attestation of the frequency information from which the first computing node may verify that the second computing node is a trusted source of the frequency information.

Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: A runtime attack can be detected on a big data system while processes are executed on various nodes. A behavior profile can be maintained for tasks or processes running on different nodes. The existence of a call variance in one of the traces for one of the behavior profiles can be determined. A memory variance can also be detected in one of the behavior profiles. A runtime attack has occurred when both the memory variance and the call variance are determined to exist.

Abstract: A process for optimal query scheduling includes receiving in an information retrieval data processing system, a request to accelerate query execution of a specified query to a time prior to a scheduled time. A specific field corresponding to data in a database is then identified in the query and a freshness of data requirement for the specific field retrieved along with a frequency of change the data corresponding to the specific field. Then, if execution of the specific query at the time prior to the scheduled time instead of the scheduled time is determined not to violate the freshness of data requirement based upon the frequency of change of the data corresponding of the specific field, the specific query is scheduled for execution at the time prior to the scheduled time. But otherwise, the scheduled time may be maintained for executing the specific query.

Abstract: Security-enhancing devices, systems, methods, and non-transitory computer-readable media for performing non-interactive zero knowledge proof (NIZKP) authentication. In one embodiment, a computing device includes a memory and an electronic processor. The memory stores a NIZKP authentication program and a plurality of unique passwords. The electronic processor is configured to receive a first random value from an electronic source, generate a second random value by performing an exclusive disjunction operation on the first random value with a first password of the plurality of unique passwords, perform an extraction operation on the second random value, determine whether the extraction operation performed on the second random value extracted a non-random value from the second random value, and responsive to determining that the extraction operation performed on the second random value extracted the non-random value from the second random value, authenticate communications with the electronic source.

Abstract: Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network, determining, for each asset, a criticality of the respective asset to operation of a process, determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph, determining a path value representative of a criticality in preventing an attack through the lateral movement path, and providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify encrypted handshakes. An example apparatus includes a message copier to clone a client introductory message, the client introductory message is included in a first handshake for network communication between a client and a server, a connection establisher to initiate a second handshake between the apparatus and the server based on the cloned client introductory message, and a decrypter to, in response to the second handshake, decrypt a certificate sent by the server.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to aggregate telemetry data in an edge environment. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to at least generate a composition for an edge service in the edge environment, the composition representative of a first interface to obtain the telemetry data, the telemetry data associated with resources of the edge service and including a performance metric, generate a resource object based on the performance metric, generate a telemetry object based on the performance metric, and generate a telemetry executable based on the composition, the composition including at least one of the resource object or the telemetry object, the telemetry executable to generate the telemetry data in response to the edge service executing a computing task distributed to the edge service based on the telemetry data.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Systems, methods, and computer-readable media are disclosed for systems and methods for using secure enclaves for decryption in unsecured locations. Example methods may include receiving, by a webserver, an encrypted session key from a device, where the encrypted session key is encrypted using a public key associated with the webserver, sending the encrypted session key to a key server for decryption, where the key server is configured to decrypt the encrypted session key in a secure enclave, determining, by the key server, a decrypted session key using a private key, where private key data for a number of private keys is stored at the secure enclave, receiving a decrypted session key from the key server, where the decrypted session key is the encrypted session key in decrypted form, and establishing a secure session with the device using the decrypted session key.

Abstract: Facilitating single node network connectivity for structure automation functionality is provided herein. A system can comprise a memory that stores executable components and a processor, operatively coupled to the memory, that executes the executable components. The executable components can comprise a management component that facilitates a communication with electronic devices within a structure and an initialization component that enables a streamlined security process based on an indication that the at least one electronic device is to be registered with the management component. Further, the executable components can comprise a negotiation component that performs a certificate authentication for the at least one electronic device. The certificate authentication can be automatically performed with a certificate authority during a backend process.

Abstract: Security-enhancing devices, systems, methods, and non-transitory computer-readable media for performing non-interactive zero knowledge proof (NIZKP) authentication. In one embodiment, a computing device includes a memory and an electronic processor. The memory stores a NIZKP authentication program and a plurality of unique passwords. The electronic processor is configured to receive a first random value from an electronic source, generate a second random value by performing an exclusive disjunction operation on the first random value with a first password of the plurality of unique passwords, perform an extraction operation on the second random value, determine whether the extraction operation performed on the second random value extracted a non-random value from the second random value, and responsive to determining that the extraction operation performed on the second random value extracted the non-random value from the second random value, authenticate communications with the electronic source.

Abstract: A method for a host to establish communication with a client comprising receiving a client-specific certificate and a pairing request message, verifying the client-specific certificate, verifying the pairing request message, sending a host-specific certificate and a first value, receiving a second value, verifying the second value; sending a third value, receiving an encrypted fourth value, decrypting the fourth value using a group key, determining the fourth value equals the third value, identifying the client received the group key correctly, and ending a verification message indicating successful establishment of communication.

Abstract: The CoAP base protocol can be enhanced to support CoAP streaming. Streaming can use a reserved “/streaming” URI and current CoAP methods can be used towards the “/streaming” location, which will trigger or terminate streaming operations. Streaming can use a new STREAM method. Alternately, the current Observe mechanism can be enhanced to support streaming. Streaming operation can be combined with existing CoAP block transfer operations.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Technology related to risk-informed autonomous adaptive cyber controllers is disclosed. In one example of the disclosed technology, a method includes generating probabilities of a cyber-attack occurring along an attack surface of a network. The probabilities can be generated using sensor and operational data of a network as inputs to an attack graph. The risk scores can be determined using a plurality of fault trees and the generated probabilities from the attack graph. The respective risk scores can correspond to respective nodes of an event tree. The event tree and the determined risk scores can be used to determine risk estimates for a plurality of configurations of the network. The risk estimates for the plurality of configurations of the network can be used to reconfigure the network to reduce a risk from the cyber-attack.

Abstract: Embodiments of this application relate to the field of communications technologies, and disclose an application programming interface (API) topology hiding method, a device, and a system, to hide, from an API invoker, an API exposing function (AEF) that provides an API. The method includes: receiving, by a common API framework core function (CCF) from a topology hiding request entity, a request message that includes information about an API and that is used to request to hide an AEF that provides the API; determining, based on the request message, a topology hiding entry point used by an API invoker to invoke the API; and sending, to the topology hiding entry point, an identifier of the API and an identifier of the AEF that provides the API, so that the topology hiding entry point hides the AEF that provides the API.

Abstract: Systems and methods for key generation for secure communication between a first user computing device and a second user computing device without requiring direct communication during key generation. The method using a plurality of privacy providers and a first private table and a second private table. The method including: performing by the second user computing device: receiving indexes each associated with a value in the second private table, each index received from the respective privacy provider sharing those values, each index associated with a value that matches an indexed value in the first private table received by the respective privacy provider from the first user computing device; and generating a common key for the secure communication by combining the indexed values of the second private table.

Abstract: A method of establishing a secure communication channel between a first communication device and a second communication device. The secure communication channel is defined by one or more algorithm options and the one or more algorithm options are associated with one of one or more option categories. The method includes receiving a signal representing one or more selections. The method further includes, for the respective option categories, generating a sorted list of algorithm options based on the received selections and generating a security association proposal including one or more of the algorithm options from the respective sorted lists of algorithm options. The security association proposal is generated based on an order in the sorted list of algorithm options. The method further includes transmitting the security association proposal to the second communication device for establishing the secure communication channel.

Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.