Protection At A Particular Protocol Layer Patents (Class 713/151)
  • Patent number: 11297087
    Abstract: A network connection between a server group of a data intake and query system and each of one or more source network nodes is established. Source data at the server group is received from at least one of the one or more source network nodes via the respective network connections and transformed, by the indexer server, to timestamped entries of machine data. A model management server detects data constraints for a security model. Using the timestamped entries, the data constraints are validated to obtain a validation result, where validating the data constraints includes determining whether the timestamped entries satisfy the availability requirement set for the data element. The model management server determines a data availability assessment of the security model based on the validation result.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: April 5, 2022
    Assignee: Splunk Inc.
    Inventors: Marios Iliofotou, Bo Lei, Essam Zaky, Karthik Kannan, George Apostolopoulos, Jeswanth Manikonda, Sitaram Venkatraman
  • Patent number: 11290478
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 22, 2021
    Date of Patent: March 29, 2022
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11269990
    Abstract: A runtime attack can be detected on a big data system while processes are executed on various nodes. A behavior profile can be maintained for tasks or processes running on different nodes. The existence of a call variance in one of the traces for one of the behavior profiles can be determined. A memory variance can also be detected in one of the behavior profiles. A runtime attack has occurred when both the memory variance and the call variance are determined to exist.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: March 8, 2022
    Assignee: UNIVERSITY OF SOUTH FLORIDA
    Inventors: Santosh K. Aditham, Nagarajan Ranganathan
  • Patent number: 11269879
    Abstract: A process for optimal query scheduling includes receiving, in an information retrieval data processing system, a request to accelerate query execution of a specified query to a time prior to a scheduled time. A specific field corresponding to data in a database is then identified in the query, and a freshness of data requirement for the specific field is retrieved along with a frequency of change of the data corresponding to the specific field. Then, if execution of the specific query at the time prior to the scheduled time instead of the scheduled time is determined not to violate the freshness of data requirement based upon the frequency of change of the data corresponding to the specific field, the specific query is scheduled for execution at the time prior to the scheduled time. But otherwise, the scheduled time may be maintained for executing the specific query.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: March 8, 2022
    Assignee: Google LLC
    Inventors: Julius Cisek, Gaurav Kumar, Shaunak Mistry, Kalen Petersen
  • Patent number: 11258606
    Abstract: Security-enhancing devices, systems, methods, and non-transitory computer-readable media for performing non-interactive zero knowledge proof (NIZKP) authentication. In one embodiment, a computing device includes a memory and an electronic processor. The memory stores a NIZKP authentication program and a plurality of unique passwords. The electronic processor is configured to receive a first random value from an electronic source, generate a second random value by performing an exclusive disjunction operation on the first random value with a first password of the plurality of unique passwords, perform an extraction operation on the second random value, determine whether the extraction operation performed on the second random value extracted a non-random value from the second random value, and responsive to determining that the extraction operation performed on the second random value extracted the non-random value from the second random value, authenticate communications with the electronic source.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: February 22, 2022
    Assignee: MASTERCARD TECHNOLOGIES CANADA ULC
    Inventors: Simon Hardy-Francis, Cecil Lau, Jacky Cheung, Andrian Sevastyanov, Kate O'Loughlin
  • Patent number: 11252175
    Abstract: Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network, determining, for each asset, a criticality of the respective asset to operation of a process, determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph, determining a path value representative of a criticality in preventing an attack through the lateral movement path, and providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: February 15, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: Amin Hassanzadeh, Kamrul Hasan, Anup Nayak
  • Patent number: 11245685
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify encrypted handshakes. An example apparatus includes a message copier to clone a client introductory message, the client introductory message is included in a first handshake for network communication between a client and a server, a connection establisher to initiate a second handshake between the apparatus and the server based on the cloned client introductory message, and a decrypter to, in response to the second handshake, decrypt a certificate sent by the server.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: February 8, 2022
    Assignee: MCAFEE, LLC
    Inventors: Tirumaleswar Reddy Konda, Harsha R. Joshi, Shashank Jain, Himanshu Srivastava, Srikanth Nalluri, Naveen Kandadi
  • Patent number: 11245714
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: February 8, 2022
    Assignee: SENTINEL LABS ISRAEL LTD.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11245538
    Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to aggregate telemetry data in an edge environment. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to at least generate a composition for an edge service in the edge environment, the composition representative of a first interface to obtain the telemetry data, the telemetry data associated with resources of the edge service and including a performance metric, generate a resource object based on the performance metric, generate a telemetry object based on the performance metric, and generate a telemetry executable based on the composition, the composition including at least one of the resource object or the telemetry object, the telemetry executable to generate the telemetry data in response to the edge service executing a computing task distributed to the edge service based on the telemetry data.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: February 8, 2022
    Assignee: Intel Corporation
    Inventors: Kshitij Doshi, Francesc Guim Bernat, Timothy Verrall, Ned Smith, Rajesh Gadiyar
  • Patent number: 11245715
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: February 8, 2022
    Assignee: SENTINEL LABS ISRAEL LTD.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11240007
    Abstract: Systems, methods, and computer-readable media are disclosed for systems and methods for using secure enclaves for decryption in unsecured locations. Example methods may include receiving, by a webserver, an encrypted session key from a device, where the encrypted session key is encrypted using a public key associated with the webserver, sending the encrypted session key to a key server for decryption, where the key server is configured to decrypt the encrypted session key in a secure enclave, determining, by the key server, a decrypted session key using a private key, where private key data for a number of private keys is stored at the secure enclave, receiving a decrypted session key from the key server, where the decrypted session key is the encrypted session key in decrypted form, and establishing a secure session with the device using the decrypted session key.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: February 1, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Daniel Higgins, Willard Charles Stanley
  • Patent number: 11233782
    Abstract: Facilitating single node network connectivity for structure automation functionality is provided herein. A system can comprise a memory that stores executable components and a processor, operatively coupled to the memory, that executes the executable components. The executable components can comprise a management component that facilitates a communication with electronic devices within a structure and an initialization component that enables a streamlined security process based on an indication that the at least one electronic device is to be registered with the management component. Further, the executable components can comprise a negotiation component that performs a certificate authentication for the at least one electronic device. The certificate authentication can be automatically performed with a certificate authority during a backend process.
    Type: Grant
    Filed: October 4, 2018
    Date of Patent: January 25, 2022
    Assignee: RESILIENCE MAGNUM IP, LLC
    Inventors: Michael E. Giorgi, Patrick M. Mause, Steven Rosen
  • Patent number: 11223476
    Abstract: Security-enhancing devices, systems, methods, and non-transitory computer-readable media for performing non-interactive zero knowledge proof (NIZKP) authentication. In one embodiment, a computing device includes a memory and an electronic processor. The memory stores a NIZKP authentication program and a plurality of unique passwords. The electronic processor is configured to receive a first random value from an electronic source, generate a second random value by performing an exclusive disjunction operation on the first random value with a first password of the plurality of unique passwords, perform an extraction operation on the second random value, determine whether the extraction operation performed on the second random value extracted a non-random value from the second random value, and responsive to determining that the extraction operation performed on the second random value extracted the non-random value from the second random value, authenticate communications with the electronic source.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: January 11, 2022
    Assignee: MASTERCARD TECHNOLOGIES CANADA ULC
    Inventors: Simon Hardy-Francis, Cecil Lau, Jacky Cheung, Andrian Sevastyanov, Kate O'Loughlin
  • Patent number: 11218298
    Abstract: A method for a host to establish communication with a client comprising receiving a client-specific certificate and a pairing request message, verifying the client-specific certificate, verifying the pairing request message, sending a host-specific certificate and a first value, receiving a second value, verifying the second value, sending a third value, receiving an encrypted fourth value, decrypting the fourth value using a group key, determining the fourth value equals the third value, identifying that the client received the group key correctly, and sending a verification message indicating successful establishment of communication.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: January 4, 2022
    Assignee: Ademco Inc.
    Inventors: William Neumann, Colin Hanson
  • Patent number: 11212309
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: December 28, 2021
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11212334
    Abstract: The CoAP base protocol can be enhanced to support CoAP streaming. Streaming can use a reserved “/streaming” URI and current CoAP methods can be used towards the “/streaming” location, which will trigger or terminate streaming operations. Streaming can use a new STREAM method. Alternately, the current Observe mechanism can be enhanced to support streaming. Streaming operation can be combined with existing CoAP block transfer operations.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: December 28, 2021
    Assignee: Convida Wireless, LLC
    Inventors: Guang Lu, Chonggang Wang, Shamim Akbar Rahman, Lijun Dong, Quang Ly, Xu Li, Zhuo Chen, Vinod Kumar Choyi
  • Patent number: 11206278
    Abstract: Technology related to risk-informed autonomous adaptive cyber controllers is disclosed. In one example of the disclosed technology, a method includes generating probabilities of a cyber-attack occurring along an attack surface of a network. The probabilities can be generated using sensor and operational data of a network as inputs to an attack graph. The risk scores can be determined using a plurality of fault trees and the generated probabilities from the attack graph. The respective risk scores can correspond to respective nodes of an event tree. The event tree and the determined risk scores can be used to determine risk estimates for a plurality of configurations of the network. The risk estimates for the plurality of configurations of the network can be used to reconfigure the network to reduce a risk from the cyber-attack.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: December 21, 2021
    Assignee: Battelle Memorial Institute
    Inventors: Arun Veeramany, William James Hutton, III, Siddharth Sridhar, Sri Nikhil Gupta Gourisetti, Garill A. Coles, Mark J. Rice, Paul M. Skare, David O. Manz, Jeffery E. Dagle, Stephen D. Unwin
  • Patent number: 11194641
    Abstract: Embodiments of this application relate to the field of communications technologies, and disclose an application programming interface (API) topology hiding method, a device, and a system, to hide, from an API invoker, an API exposing function (AEF) that provides an API. The method includes: receiving, by a common API framework core function (CCF) from a topology hiding request entity, a request message that includes information about an API and that is used to request to hide an AEF that provides the API; determining, based on the request message, a topology hiding entry point used by an API invoker to invoke the API; and sending, to the topology hiding entry point, an identifier of the API and an identifier of the AEF that provides the API, so that the topology hiding entry point hides the AEF that provides the API.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: December 7, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Cuili Ge, Niranth Amogh, Yanmei Yang
  • Patent number: 11178190
    Abstract: A method of establishing a secure communication channel between a first communication device and a second communication device. The secure communication channel is defined by one or more algorithm options and the one or more algorithm options are associated with one of one or more option categories. The method includes receiving a signal representing one or more selections. The method further includes, for the respective option categories, generating a sorted list of algorithm options based on the received selections and generating a security association proposal including one or more of the algorithm options from the respective sorted lists of algorithm options. The security association proposal is generated based on an order in the sorted list of algorithm options. The method further includes transmitting the security association proposal to the second communication device for establishing the secure communication channel.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: November 16, 2021
    Assignee: BlackBerry Limited
    Inventors: Chang Fung Yang, Jason Songbo Xu
  • Patent number: 11177950
    Abstract: Systems and methods for key generation for secure communication between a first user computing device and a second user computing device without requiring direct communication during key generation. The method using a plurality of privacy providers and a first private table and a second private table. The method including: performing by the second user computing device: receiving indexes each associated with a value in the second private table, each index received from the respective privacy provider sharing those values, each index associated with a value that matches an indexed value in the first private table received by the respective privacy provider from the first user computing device; and generating a common key for the secure communication by combining the indexed values of the second private table.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: November 16, 2021
    Assignee: THE GOVERNING COUNCIL OF THE UNIVERSITY OF TORONTO
    Inventors: Hoi-Kwong Lo, Mattia Montagna
  • Patent number: 11165831
    Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: November 2, 2021
    Assignee: ExtraHop Networks, Inc.
    Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein
  • Patent number: 11153304
    Abstract: A central authentication service is for authentication of a user operating a computing device requesting access to a service provider. The central authentication service stores a universal group that includes principals from different types of identity providers, with the user of the computing device included as one of the principals. An access token generated by an identity provider associated with the computing device is received by the central authentication service. The central authentication service generates a universal token that includes group membership information for the universal group, and exchanges the access token with the universal token. The universal token is provided to the service provider, with the group membership information on the universal token to allow the service provider to determine if the user of the computing device has permission to access desired services.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: October 19, 2021
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Tian Fan
  • Patent number: 11146588
    Abstract: A network-based appliance includes a mechanism to set up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
    Type: Grant
    Filed: June 29, 2019
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 11140741
    Abstract: A first base station receives, from a first core network entity, one or more packets for a wireless device in a radio resource control inactive state. The first base station sends, to a second core network entity and in response to a failure of a radio access network (RAN) paging procedure for the wireless device, a first message indicating the failure of the RAN paging procedure. The first base station receives a second message comprising a tunnel endpoint identifier of a third base station. The first base station sends, to the third base station, the one or more packets based on the tunnel endpoint identifier.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: October 5, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyungmin Park, Esmael Dinan
  • Patent number: 11140189
    Abstract: A computer-implemented method for discovering network attack paths is provided. The method includes a computer generating scoring system results based on analysis of vulnerabilities of nodes in a network configuration. The method also includes the computer applying Bayesian probability to the scoring system results and selected qualitative risk attributes wherein output accounts for dependencies between vulnerabilities of the nodes. The method also includes the computer applying a weighted-average algorithm to the output yielding at least one ranking of nodes in order of likelihood of targeting by an external attacker.
    Type: Grant
    Filed: February 15, 2016
    Date of Patent: October 5, 2021
    Assignee: The Boeing Company
    Inventors: Jai Joon Choi, Brian Christopher Grubel, Dion Stephen David Reid
  • Patent number: 11134074
    Abstract: Systems and methods for establishing a secure connection between a client computing device and a server hosted website. The method includes requesting an HTTPS connection with a server hosted website. The method further includes receiving a certificate from the server hosted website. The certificate is signed by a certificate authority and certificate validators. The method also includes delivering the certificate to each of the certificate validators. The method further includes receiving a certificate status for each of the certificate validators. Each certificate status indicates whether the certificate is valid or has been revoked. The method also includes determining a quantity of valid certificate statuses received from the certificate validators.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: September 28, 2021
    Assignee: FMR LLC
    Inventors: Sudarsan Tandri, Gregory Smith, Gunjan Piya
  • Patent number: 11126716
    Abstract: A safeguarding method, a safeguarding apparatus, and a computer storage medium are provided. The method includes detecting a program operating on a terminal, and intercepting an operation performed by the program; identifying an object on which the program performs the operation; obtaining configuration information of the object on the terminal, and determining, based on the configuration information, that the object is a targeted monitored object. The method further includes determining, based on the configuration information of the targeted monitored object, whether the operation performed by the program on the object is a legitimate operation; and canceling intercepting the operation if the operation is a legitimate operation, and continuously intercepting the operation if the operation is an illegitimate operation.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: September 21, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Lingling Wang
  • Patent number: 11126981
    Abstract: A resource transferring method and apparatus are provided. The method includes receiving a resource transferring request corresponding to a shared specified account sent by any client in multiple clients. The specified account is registered at the server as being associated with the multiple clients, and stores a preset resource. The method also includes determining rights of the multiple clients. The rights include an operation right and an ordinary right, and the operation right is capable of controlling a transfer of the preset resource. The method also includes respectively sending operation information to the multiple clients according to the rights of the multiple clients; and respectively receiving control instructions from at least two clients having the operation right. When a number of the received control instructions are greater than a preset value, the server transfers the preset resource, and returns transferring information of the preset resource to the multiple clients.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: September 21, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Ruiming He
  • Patent number: 11128474
    Abstract: The present disclosure includes secure device communication. An embodiment includes a processing resource, a memory, and a network management device communication component configured to send public information to a network attached device communication component, and receive a network attached device public key and an encrypted random string value from the network attached device communication component. The network attached device public key and the random string value are received independent of a type of the network attached device communication component due to the public information. The network management communication component is further configured to decrypt the random string value from the network attached device communication component and send, to the network attached device communication component, a message and a signature to authenticate independent of the type of the network attached device communication component due to the public information.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: September 21, 2021
    Assignee: Micron Technology, Inc.
    Inventors: Alberto Troia, Antonino Mondello
  • Patent number: 11122019
    Abstract: Described is an improved approach to ensure high availability for established sessions (e.g., application layer sessions) over network connections that negotiates and renegotiates encryption keys (e.g., TLS/SSL) at clean boundaries to ensure in-transit data are properly handled during migration of an application (e.g., a reverse proxy server instance). Connected TCP sessions may be handed off to another application (e.g., from existing proxy server to new/upgraded proxy server) and after establishing a new TLS session with a new encryption key, data transfer may be resumed between a client and a server using the new/upgraded application in a client-server architecture.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: September 14, 2021
    Assignee: Oracle International Corporation
    Inventors: Abhishek Dadhich, Kant C. Patel, Feroz Alam Khan, Bhaskar Mathur, Srinivas Pamu
  • Patent number: 11115181
    Abstract: A control circuit causes a first cryptographic module to perform a dummy operation in a command processing period and a data processing period in which a second cryptographic module performs a normal operation while the first cryptographic module does not perform a normal operation.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: September 7, 2021
    Assignee: MEGACHIPS CORPORATION
    Inventors: Takahiko Sugahara, Hiromu Yutani
  • Patent number: 11089043
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for computer network security risk assessment. One of the methods includes obtaining compromise likelihoods for user accounts. Information describing a network topology of a network is obtained, with the network topology being nodes each connected by an edge to other nodes, each node being associated with a compromise likelihood, and one or more nodes are high value nodes associated with a compromise value. Unique paths to each of the high value nodes are determined for a particular user account. An expected value for each path is determined based on the compromise likelihood of the particular user account, the compromise likelihood of each node included in the path, the communication weight of each edge included in the path, and the compromise value associated with the high value node. User interface data is generated describing at least one path.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: August 10, 2021
    Assignee: Palantir Technologies Inc.
    Inventors: Samuel Jones, Joseph Staehle, Lucy Cheng
  • Patent number: 11086805
    Abstract: The invention introduces a method for executing host input-output (IO) commands, performed by a processing unit of a device side, at least including: in response to different types of host IO commands, using multiple stages of a generic framework to drive a frontend interface to interact with a host side for transmitting user data read from a storage unit to the host side, and receiving user data to be programmed into the storage unit from the host side.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: August 10, 2021
    Assignee: SILICON MOTION, INC.
    Inventor: Shen-Ting Chiu
  • Patent number: 11089062
    Abstract: Formulating a security architecture for an information system is provided. A description of a target environment of the information system is received. The description includes a network zone architecture. A description of one or more security requirements for the information system is received. One or more reference architectures for the information system are selected from a plurality of reference architectures based on the description of the one or more security requirements for the information system. One or more selected reference architectures are adapted to the target environment for the information system.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: August 10, 2021
    Assignee: International Business Machines Corporation
    Inventor: Thomas Tahan
  • Patent number: 11086978
    Abstract: To authorize a transaction between a host and a server, a token is operationally connected to the host. The host receives an identification credential of a user. The identification credential is verified by the token and/or by the server. If the token detects a prescribed human action, the token generates token authentication data and the host sends the token authentication data to the server. Upon receiving the authentication data, the server authenticates the transaction. A device for authenticating a transaction includes a device interface for interacting with a host, a connector for reversibly operationally connecting the device to the host, and a controller that authenticates the transaction only once, contingent on detecting a prescribed anonymous human action. One such human action is providing one or more inputs at the host's user interface synchronously with outputs at the device's user interface.
    Type: Grant
    Filed: May 17, 2006
    Date of Patent: August 10, 2021
    Assignee: Western Digital Israel Ltd
    Inventors: Aran Ziv, Mordechai Teicher
  • Patent number: 11082504
    Abstract: A system and method are disclosed for pairing computing devices using an authentication protocol that allows an initiating computing device to gain access to a secure, encrypted network of a target computing device.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: August 3, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Steven N. Bathiche, Jason Alexander Meistrich, Kenneth Hinckley, Boyd Cannon Multerer, Anthony Cox, Casare John Saretto
  • Patent number: 11082233
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for verifiable-claim issuance. One of the methods includes: receiving, from a first entity, a request for creating a verifiable claim (VC) for a decentralized identifier (DID) associated with a second entity; obtaining, in response to receiving the request, a digital signature associated with the first entity; and generating the VC based on the received request and the obtained digital signature.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: August 3, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Renhui Yang, Jiawei Liu, Yuan Chen, Yuqi Lin
  • Patent number: 11074311
    Abstract: The disclosed system and methods herein are directed to a URL shortening service. The URL shortening service herein processes short URL links by using special scripts embedded into website HTML documents. The need to perform manipulations with the DNS of the domain or to use subdomains is obviated.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: July 27, 2021
    Assignee: WOWLINK Pte. Ltd.
    Inventors: Valentin Vyacheslavovich Ivanov, Vladimir Plakitin, Konstantin Radov
  • Patent number: 11075756
    Abstract: A method of encryption of a message implemented by an electronic encryption device. The method includes: obtaining a current message; obtaining a current encryption key; determining, from a plurality of variants of a basic encryption protocol, a current variant of the encryption protocol; encrypting, by using the current variant and the encryption key, the message to be encrypted, delivering an encrypted message; and transmitting the encrypted key.
    Type: Grant
    Filed: October 12, 2017
    Date of Patent: July 27, 2021
    Assignee: INGENICO GROUP
    Inventors: Marc Beunardeau, Remi Geraud, David Naccache, Aisling Connolly
  • Patent number: 11068398
    Abstract: Embodiments of a distributed caching system are disclosed that cache data across multiple computing devices on a network. In one embodiment, a first caching system serves as a caching front-end to a distributed cluster of additional caching systems. The caching systems may be spread over multiple partition groups. In one embodiment, cache writes at a cache system in one partition group are distributed to other partition groups. By propagating the cache writes across multiple partition groups, the caches at the different partition groups include more recently accessed data, thereby increasing the likelihood of cache hits.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: July 20, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Vishal Parakh, Antoun Joubran Kanawati
  • Patent number: 11063912
    Abstract: Method, apparatus and system for communicating between a machine to machine, M2M, device 110 and a device management, DM, server 420 over SMS, comprising: obtaining key material, the key material configured to protect data communicated between the M2M device 110 and the DM server 420; protecting data to be communicated using the key material; and communicating the protected data between the M2M device 110 and the DM server 420 over SMS.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: July 13, 2021
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Sophie Bourne, Friedhelm Rodermund
  • Patent number: 11063921
    Abstract: Encrypted web traffic exchanged between a client device and a web server during a communication session and captured using a passive capture technique can be received. The encrypted web traffic can be encrypted using a shared secret generated for the communication session in accordance with an anonymous key agreement protocol. A TCP connection table, which includes a session identifier for the communication session, can be created for the communication session. At least one TCP connection can be built for the received encrypted web traffic using the TCP connection table. Using the session identifier, the shared secret can be accessed from a cache in which the shared secret is stored, at least temporarily, by the web server. Data from the encrypted web traffic can be extracted by using the shared secret to decrypt the encrypted web traffic. The extracted data can be stored to a data store.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: July 13, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Eswar Phani Kondapavuluri, Kanwaldeep S. Bindra, Atul A. Waghmare
  • Patent number: 11055066
    Abstract: Techniques are provided for a multi-cloud operations center for function-based applications. One method includes obtaining source code for a function of multiple functions of an application, where the function is hosted in a first cloud environment of multiple distinct cloud environments; generating adapted source code from the source code to migrate the function to a second cloud having a different cloud environment; and deploying the function to the second cloud having the different cloud environment using the adapted source code. The source code may be automatically updated for the at least one function for the multiple distinct cloud environments. The function may have a corresponding network address that identifies the function across multiple distinct cloud environments, and network address redirection is performed based on a given cloud environment on which the function is deployed.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: July 6, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Jaumir Valença Da Silveira Junior, Ruixue Zhang
  • Patent number: 11048955
    Abstract: Concepts and technologies disclosed herein are directed to a field-programmable gate array (“FPGA”)-based biometric sampling system for improving biometric data reusability. The system can include one or more FPGAs, each of which can include a plurality of configurable input/output (“I/O”) blocks, a plurality of configurable logic blocks, and a plurality of configurable interconnects that connect the plurality of configurable I/O blocks to the plurality of configurable logic blocks. The FPGA(s) can be configured based upon a hardware description language model to receive biometric input data associated with a user, to apply a sampling scheme to the biometric input data to extract, from the biometric input data, an enrollment biometric data sample, and to cause the enrollment biometric data sample to be stored in a database.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: June 29, 2021
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gary Brian Temerowski, II, Joshua West, Martin Patrick McEnroe
  • Patent number: 11042884
    Abstract: Meta-Rules are a special set of business rules whose purpose is to enable business rules selection and subsequent rule invocation by a business rules manager. Contained within a Meta-Rule are business policy and other information that enables the selection of a business rule used by a business application. Meta-rules allow the system to dynamically select and identify specific business rules to be executed within a given business application. By enabling a higher level of abstraction, and relying on rules to resolve specific business rule selection and invocations, Meta-rules further separate the binding of business knowledge and practice from application programming logic. The application programmer is freed from having specific knowledge of the business rule; all that is required is an assertion that a rule is to be used.
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: June 22, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jun-Jang Jeng, Shubir Kapoor, David Flaxer, Haifei Li
  • Patent number: 11038844
    Abstract: Systems and methods for analyzing content of encrypted traffic between processes are disclosed herein. According to one aspect, an exemplary method comprises rerouting traffic between a first process executing on a first computing device and a second process, to a server, to determine that there is a protected connection established between the first process and the second process, determining information related to an application pertaining to the first process, obtaining a session key for the protected connection by calling a function, wherein the information comprises an address of the function to call to obtain the session key, decrypting and analyzing the rerouted traffic on the server between the first process and the second process using the session key to determine whether the traffic contains malicious objects and in response to determining the traffic contains malicious objects, counteracting the malicious objects by blocking or rerouting the traffic.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: June 15, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Kogan, Denis V. Rodionov, Alexander N. Makarov, Alexey S. Totmakov, Petr Y. Kolmakov
  • Patent number: 11038854
    Abstract: An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: June 15, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Jeremy N. Shapiro, Dana J. Burd
  • Patent number: 11038803
    Abstract: Methods, systems, and devices supporting network and container level traffic analysis and correlation are described. An application server may receive network traffic data from a network-level data capture system and receive container-level application traffic data from a container-level data capture system. The application server may then hash the destination addresses, the time stamp information, and the data amount information from the network traffic data to create a first set of hash values and hash the destination addresses, the time stamp information, and the data amount information from the application traffic data to create a second set of hash values. The application server may then identify matching hash values from the first set of hash values and the second set of hash values and then merge into a data queue the corresponding network traffic with metadata associated with the corresponding application traffic data to create a merged data set.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: June 15, 2021
    Assignee: salesforce.com, inc.
    Inventors: Shel Sharma, Nitin Bhatia
  • Patent number: 11036674
    Abstract: In various embodiments, an organization may be required to comply with one or more legal or industry requirements related to the storage of personal data (e.g., which may, for example, include personally identifiable information) even when responding to and fulfilling Data Subject Access Requests. In particular, when responding to a DSAR, the system may compile one or more pieces of personal data for provision to a data subject. The system may store this compilation of personal data at least temporarily in order to provide access to the data to the data subject. As such, the system may be configured to implement one or more data retention rules in order to ensure compliance with any legal or industry requirements related to the temporary storage of the collected data while still fulfilling any requirements related to providing the data to data subjects that request it, deleting the data upon request, etc.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: June 15, 2021
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jonathan Blake Brannon, Jason L. Sabourin
  • Patent number: 11025662
    Abstract: A network device receives a device-specific connectivity restriction policy that specifies rules for exercising control over an identified first device's connectivity during communication using a brokered communication protocol, and receives, from the first device, a request to access the brokered communication protocol to enable communication with at least one second device. The network device connects, based on the access request, the first device to the at least one second device to allow the first device to read or write data using the brokered communication protocol. The network device monitors traffic associated with the first device during the first device's use of the brokered communication protocol to read data from, or write data to, the at least one second device, and controls the traffic associated with the first device based on the traffic monitoring and application of the device-specific connectivity restriction policy.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: June 1, 2021
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Shukri Wakid