Abstract: In some examples, a system includes a router device and a first adapter device in communication with the router device. The first adapter device includes processing circuitry configured to: communicate with the router device, wherein the router device is incapable of communicating in accordance with the MACsec protocol. The processing circuitry is further configured to establish an encrypted connection in accordance with the MACsec protocol between the first adapter device and a remote device, determine that the encrypted connection is offline, and output a message to the router device that the encrypted connection is offline. The router device is configured to communicate with the remote device via a second adapter device configured to communicate in accordance with the MACsec protocol and bypass the first adapter device.

Abstract: According to one aspect of the technique of the present disclosure, there is provided a method for securely communicating data. The method includes: (a) establishing a first encryption scheme, a data integrity checking scheme, an encryption key and an authentication key through a communication connection with a receiver; (b) generating a random key; (c) generating secure data including random key information obtained by encrypting the random key using the encryption key and the first encryption scheme; authentication information generated based on the random key, the data integrity checking scheme and the authentication key; and data information obtained by encrypting data using the random key and a second encryption scheme whose operation load is lower than that of the first encryption scheme; and (d) transmitting the secure data to the receiver.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A content delivery system for delivering an audio and/or video content to a mobile terminal is deployed on top of a mobile network and includes plural edge cache servers arranged using a star or hierarchical topology. The edge cache servers are connected to respective aggregation nodes of the mobile network such that a configurable breakout function of the nodes enables routing thereto packets addressed to an anycast addressing associated with the servers. When receiving a request, from the mobile terminal, for obtaining a manifest file of the audio and/or video content, an edge cache controller of the content delivery system creates a session identifier including a unicast addressing part pointing to the controller, and redirects the mobile terminal to the anycast addressing of the servers. The servers then obtain the session identifier from the mobile terminal and use the unicast addressing contained therein to receive context information from the controller.

Abstract: A computer generates a first encrypted message by encrypting an unencrypted message for decryption at a receiving device. The computer couples the first encrypted message with addressing data associated with the receiving device to generate a coupled message. The computer generates a second encrypted message by encrypting the coupled message for decryption at a data transmission service. The computer transmits the second encrypted message via the data transmission service to enable the receiving device to read the unencrypted message.

Abstract: Techniques for messaging based on trust levels and resource limitations in a mesh network include receiving, by a first node of a mesh network, a message; determining, by the first node, a security key type based on a resource parameter associated with a neighbor node included in the mesh network; securing, by the first node, the message using a security key of the security key type; and transmitting, by the first node, the secured message to the neighbor node. The resource parameter associated with the neighbor node comprises at least one of an amount of memory used to decrypt the secured message at the neighbor node, an amount of power used to decrypt the secured message at the neighbor node, or an indication of an amount of power remaining at the neighbor node.

Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The tunnel device is selected based on an attribute, such as IP Geolocation. A tunnel bank server stores a list of available tunnels that may be used, associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server, and stays connected to it, for allowing a communication session initiated by the tunnel bank server. Upon receiving a request from a client to a content and for specific attribute types and values, a tunnel is selected by the tunnel bank server, and is used as a tunnel for retrieving the required content from the web server, using standard protocol such as SOCKS, WebSocket or HTTP Proxy. The client only communicates with a super proxy server that manages the content fetching scheme.

Abstract: A pseudo-active/active firewall configuration handles firewall switchover events with minimized session disconnection. A passive firewall is set to an active state, and an active firewall is switched to a pseudo-active state wherein it continues to process ingress and egress traffic according to traffic handling protocols for its active state. During updating of a corresponding Network Address Translation (NAT) table to route traffic to the now-active firewall, the pseudo-active firewall enters a forwarding state wherein it forwards ingress network sessions to the now-active firewall and processes the ingress network sessions according to its active state. The now-active firewall receives the ingress network sessions and records session states prior to discarding them. After updating the NAT table, when traffic is routed to the now-active firewall, the recorded session states are used to maintain active sessions.

Abstract: Methods, systems, and computer readable media for processing QUIC communications in a network. An example system includes a first network interface for receiving a QUIC connection request from a first node in the network and, in response, establishing a first QUIC connection between the first node and the system. The system includes a QUIC processing module configured for receiving, via the first QUIC connection, encrypted QUIC data including a number of streams and decrypting the encrypted QUIC data, resulting in decrypted QUIC data. The QUIC processing module is configured for extracting each of the streams from the decrypted QUIC data, resulting in a plurality of extracted streams, and packaging at least one of the extracted streams into a non-QUIC protocol format, resulting in at least one packaged stream. The system includes a second network interface for transmitting the packaged stream to a second node in the network.

Abstract: Methods and systems to remotely operate robotic devices are provided. A number of embodiments allow users to remotely operate robotic devices using generalized consumer devices (e.g., cell phones). Additional embodiments provide for a platform to allow communication between consumer devices and the robotic devices. Further embodiments allow for training robotic devices to operate autonomously by training the robotic device with machine learning algorithms using data collected from scalable methods of controlling robotic devices.

Abstract: The present disclosure relates to system and techniques for receiving data from one or more sensors associated with a person and controlling the use and redistribution of that data so it is used in an intended manner. In particular, the data is related to a gait and/or mobility of the person.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Metrics may be determined based on monitoring network traffic associated with a plurality of entities each associated with a profile that includes the metrics for each entity. Beaconing metrics associated with beaconing activity may be determined based on the metrics. The profile of each entity may be compared with the beaconing metrics to determine the entities that may be engaged in beaconing activity. The entities may be characterized based on beaconing activity such that the beaconing activity includes communication with endpoints associated with the third parties, employing communication protocols associated with the third-parties, or exchanging payloads consistent with the beaconing activity. Reports that include information associated with the entities and its beaconing activity may be generated.

Abstract: Disclosed embodiments provide systems, methods, and computer-readable storage media for secure data communication between two devices. A disclosed system responds to a request from an originating communication device in a first network to connect with a communication device in a second network, for communication, by receiving a request from the communication device in the first network, the request including payload data and a destination network address in the second network. The system then transmits the received payload data to the destination address in the second network after analyzing the payload data for network intrusion. When the analysis does not indicate network intrusion, the system determines a route to the destination network address by looking up the destination address in a routing table and forwarding the payload data to the destination network address in the second network. If the analysis indicates network intrusion, the system discards the payload data.

Abstract: Systems and methods for secure peer-to-peer communications are described. Devices registered into trusted network may be capable of establishing a shared data encryption key (DEK). In embodiments, each device may be configured to obtain a share of a data encryption key (DEKi) that can be stored locally. The shares may be shares in an M of N Secret Sharing Scheme. This may involve a network that includes an integer, N, devices, and in which M devices may share a secret (i.e. the DEK) during communications, M being an integer less than or equal to N. To obtain the entire DEK during encryption/decryption, a requesting device may send requests to M of N devices for their shares of the DEK. Once M shares are obtained, they may be used generate the DEK for encrypting/decrypting data between the devices.

Abstract: A network node (700) of a radio access network (RAN) of a wireless communication network (10) provides user plane security by establishing a secure tunnel between first and second tunnel endpoints (160, 180, 370, 195, 220, 230) that will handle respective protocol layers of a same protocol stack for a Data Radio Bearer (DRB) (330, 340, 350, 360) that is dedicated to user plane traffic and has yet to be established. Establishing the secure tunnel comprises exchanging an inner Internet Protocol (IP) address and an outer IP address of each of the endpoints (160, 180, 370, 195, 220, 230) between the endpoints (160, 180, 370, 195, 220, 230).

Abstract: A device generates a biometric public key for an individual based on both the individual's biometric data and a secret S, in a manner that verifiably characterizes both while tending to prevent recovery of either. The biometric data has a Sparse Representation and is encoded in a manner to include a component of noise, such that it is challenging to identify which locations are actually encoded features. Accordingly, the biometric data are encoded as a vector by choosing marker at locations where features are present and, where features are not present, choosing noisy data. The noisy data may be chaff bit values selected collectively from a group of (a) random values and (b) independent and identically distributed values. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust.

Abstract: An implementation of the present application provides a computer-implemented method to increase the security of a blockchain-implemented transaction, the transaction including participation from a plurality of participating nodes, each participating node participating as a message originator, selector, and propagator. The method, implemented at a participating node, includes: receiving ciphertext from a prior node and determining whether the participating node is a selector node for said ciphertext received from the prior node. When the participating node is the selector node for said ciphertext, the method includes selecting a subset of said ciphertext, decrypting the selected subset of said ciphertext to provide opted ciphertext and transmitting said opted ciphertext to the next node. When the participating node is other than the selector node for said ciphertext, the method includes decrypting said ciphertext received from the prior node and transmitting the decrypted ciphertext to the next node.

Abstract: A method and system for inter-domain data interaction are provided. The method includes: a management apparatus configures, in respective domains, one or more models in a model group; a data collection apparatus encapsulates collected data in a designated message, and sends the designated message to a forwarder corresponding to a model, wherein the designated message carries indication information for indicating an address of the forwarder; and after processing the collected data, the forwarder processes the designated message, and sends the processed designated message to a next forwarder.

Abstract: A method for providing consent for provisioning data in an opaque blockchain, includes: receiving, by a receiver of a processing server, a consent request for data associated with the processing server stored on a blockchain, the consent request including at least two digital signatures, where a first digital signature is generated by a regulating entity and a second digital signature is generated by a moderating entity in the blockchain network; validating, by a processing device of the processing server, the first digital signature and the second digital signature; digitally signing, by the processing device of the processing server, the received consent request using a private key of a first cryptographic key pair; and transmitting, by a transmitter of the processing server, the digitally signed consent request to the regulating entity.

Abstract: An apparatus to facilitate confidential computing in a heterogeneous compute environment including a network-connected hardware accelerator is disclosed. The apparatus includes a processor to provide a first trusted execution environment (TEE) to run an application, and to send, via the application to a user mode driver (UMD) hosted in first the TEE, a command to transfer data of the application to a hardware accelerator device that is connected via network to the application; encrypt and integrity-protect, via the UMD, the data using shared secret data keys and a destination buffer address of the hardware accelerator device to generate encrypted and integrity-protected data, the shared secret data keys established with a remote service in a second TEE operating on an accelerator platform connected to the application; and interface, via the UMD with a local network interface card (NIC), to cause a copy over the network of the encrypted and integrity-protected data.

Abstract: A networked data processing system that provides an application programming interface (API) for consumer-permissioned data, such as academic data, employment data and income data. In some implementations, the data processing system enables application developers to integrate consumer-permissioned data (such as academic data) into their applications. In some implementations, the API enables a developer to focus on other aspects of a given application, while leveraging the data processing system to handle aspects of gathering and processing the source data, such as authenticating the provenance of the source data, handling user permissions, extracting the source data, reviewing the source data, verifying the source data, generating one or more scores from the source data, analyzing the source data relative to a defined purpose, providing the information sought from the analyzed data, and the like.

Abstract: This disclosure describes various methods, systems, and devices related to identifying path changes of data flows in a network. An example method includes receiving, at a node, a packet including a first signature. The method further includes generating a second signature by inputting the first signature and one or more node details into a hash function. The method includes replacing the first signature with the second signature in the packet. The packet including the second value is forwarded by the node.

Abstract: A method for data security implemented as an application on a device includes generating a request for one or more secret shares needed to reconstruct a key. The device stores a first secret share in its memory. The method also includes signing the request with a certificate that identifies the request as valid without identifying the device, and sending the request, signed with the certificate, to at least one other device. The method further includes receiving, from the at least one other device, the one or more secret shares, determining whether the one or more secret shares received from the at least one other device is sufficient to reconstruct the key, and reconstructing the key using the first secret share and the one or more secret shares upon determining that the one or more secret shares are sufficient to reconstruct the key.

Abstract: A home appliance includes a first communication circuitry configured to communicate with a mobile terminal placed within a first communication range supporting a first communication method, a second communication circuitry configured to communicate with an external wireless access point apparatus placed within a second communication range supporting a second communication method, and at least one processor configured to control the first communication circuitry to detect the mobile terminal, the mobile terminal being executing an application for communicating with the home appliance, based on detecting the mobile terminal, obtain, via the first communication circuitry, network set-up information from the mobile terminal for connecting to the external wireless access point apparatus, control the second communication circuitry to establish a communication with the external wireless access point apparatus using the obtained network set-up information, and control the second communication circuitry to access an i

Abstract: A non-transitory computer readable medium stores instructions that, when executed by a processor, cause the processor to receive, from one or more processing nodes, data representative of usage and inventory of one or more software assets by one or more industrial automation devices of an industrial automation system that are communicatively coupled to the one or more processing nodes, determining a data delta for the industrial automation system that represents differences between the software asset data and a previous iteration of the software asset data, encrypt the data delta for the industrial automation system, and transmit the encrypted data delta for the industrial automation system to a remote server.

Abstract: A high assurance system provides for communication between trusted user devices with auxiliary adaptation for augmenting communication security across an untrusted environment. First and second main encrypting devices coupled to respective trusted user devices are cryptologically tethered to one another by a main communication link established across the untrusted environment between trusted user devices in cryptologically protected manner. An auxiliary encrypting device is cryptologically tethered to the first main encrypting device by an auxiliary communication link established across the untrusted environment between a trusted auxiliary device and one trusted user device in cryptologically protected manner. The main and auxiliary encrypting devices define portals traverse trust boundaries between trusted and untrusted environments, each including at least one encryption unit and a communication unit coupled thereto by a connectionless interconnect.

Abstract: Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.

Abstract: A robot apparatus is disclosed. The robot apparatus includes a main body; a display; a neck structure rotatably connected to the main body; a first driving device configured to rotate the neck structure such that the display is positioned in a first location, in which a display surface of the display faces toward an upper direction, or a second location, in which the display surface faces toward a front direction; a stopper structure provided on the main body to be adjacent to the neck structure; and a second driving device configured to move the stopper structure toward the front direction or a rear direction such that the stopper structure is positioned in a supporting location in which the stopper structure contacts a rear surface of the neck structure, or a separated location, in which the stopper structure is spaced apart from the neck structure.

Abstract: A virtual firewall configured with two interfaces assigned different security zones switches between Layer 3 routing and bump-in-the-wire (BITW) modes between sessions. After receiving a packet from a one-arm load balancer, an inner header is determined based on decapsulation which removes an outer header. A route lookup is performed based on the inner header to determine whether to communicate packets of the session with Layer 3 routing or according to the BITW model. The result of the route lookup indicates an egress interface. If the ingress and egress interfaces are the same, the firewall operates according to the BITW model for the session. If the egress and ingress interfaces are different, the firewall routes packets of the session with Layer 3 routing. Upon detection of subsequent packets, the firewall operates according to the determined mode for the session without performing additional inner header route lookups for operation mode determination.

Abstract: Among other things, we describe techniques for encoding data that is included in electronic communications. In one aspect, a first electronic communication system sends, to an entity, a first email message that includes a Message-ID field including data that identifies an action to be carried out by a second electronic communication system. The first electronic communication system receives, from the entity, a second email message that includes an In-Reply-To field containing the data that identifies the action to be carried out by the second electronic communication system. The first electronic communication extracts the data from the In-Reply-To field in a message header of the first electronic communication. The second electronic communication system may be the same as the first electronic communication system, or may be an electronic communication system other than the first electronic communication system.

Abstract: A communication device for performing wireless communication with another communication device, includes a wired communication interface configured to be connected to a wired communication line, a wireless communication interface configured to be connected to the other communication device by wireless communication, an antenna configured to transmit or receive a wireless signal related to the wireless communication, and a processor configured to, in a case that a destination of a first frame received by the wired communication interface indicates a broadcast address or a multicast address, wirelessly transmit a second frame to the other communication device with a modulation scheme and a coding rate set according to a wireless communication environment with the other communication device. The second frame includes the first frame and the second frame has a unicast address indicating a destination of the other communication device.

Abstract: Hybrid tables can be used in different use-case scenarios. Hybrid tables provide a flexible mechanism to support files and data in different formats while providing access to the different types of data as part of one table. This flexibility can allow the use of hybrid tables in data lake or other similar environments.

Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.

Abstract: Methods and apparatus for enhancement of authentication. A method performed by a communication device may comprise sending a first request to a communication equipment, wherein the request comprises a communication device identifier of the communication device. The method may further comprise receiving a first response from the communication equipment, the first response comprising one or more parameters. The method may further comprise generating a first key and a second key based on the received response; The method may further comprise sending a second request to the communication equipment, the second request comprising the first key and a message based on the second key.

Abstract: A method includes receiving, from a user device, a request to store data in a computer storage medium. The method includes generating a local encryption key for a user of the user device. The method includes providing the local encryption key to the user of the user device. The user maintains the local encryption key separate from the user device. The method includes generating a storage encryption key for encrypting the data for storage in the computer storage medium. The method includes encrypting the data with the storage encryption key to generate encrypted data. The method includes encrypting the storage encryption key with the local encryption key to generate an encrypted storage encryption key. The method includes transmitting the encrypted data and the encrypted storage encryption key to the computer storage medium. The method includes removing the storage encryption key and the encrypted storage encryption key from the user device.

Abstract: A secure translator is described herein for use with an insecure device. An insecure device is a computing device that either does not have the ability to or can no longer communicate at desired security levels. The secure translator is configured to act as a proxy for insecure devices, allowing for full translation of any inbound communication to be secured, with information scrubbed or otherwise manipulated, then translated over a direct connection to the insecure device.

Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.

Abstract: An example system includes a plurality of AP devices configured to provide a wireless network at a site, the plurality of AP devices including a first AP device configured to determine a set of roaming candidates within the site for client devices connected to the first AP device, wherein the set of roaming candidates includes one or more AP devices of the plurality of AP selected according to a selection criteria; in response to establishing a connection with a client device, cache a key associated with the client device in the memory of the first AP device; generate a packet with the key associated with the client device, and a list of APs that includes one or more identifiers of the one or more AP devices within the set of roaming candidates for the first AP device; and transmit the packet to the plurality of AP devices at the site.

Abstract: A system and methods include a negative certificate authority for distributed management of negative certificates. An authorization restriction is associated with an untrusted user. A negative certificate generated for the untrusted user includes a public key associated with the untrusted user and an authorization restriction. The authorization restriction includes at least one global restriction, which is applicable to each consortium member that subscribes to the negative certificate. The authorization restriction includes at least one local restriction, which allows individual consortium members to further define their own locally applicable restrictions using the negative certificate authority. The negative certificate is accessible to each member of the consortium to enforce the authorization restriction against a transaction request. A secure contributor record including a unique cryptographically generated address is generated for each contributor.

Abstract: Method for detecting data traffic in a communication network, wherein in order to detect data traffic in a communication network, at least one network infrastructure device to which at least one first communication terminal and one second communication terminal are connected provides a monitoring interface that is secured against unauthorized access, is assigned to the two communication terminals, and is intended for detecting data traffic between at least the first and the second communication device, where a device detecting apparatus determines available monitoring interfaces on network infrastructure devices as well as address information assigned to the monitoring interfaces and provides this interface information to at least one recording apparatus that is separate from the at least one network infrastructure device.

Abstract: A method for authenticating a transaction that requires the use of a personal identification number (PIN) is provided. The method includes obtaining chip information from a chip that is embedded in a card; receiving a user input that includes the PIN; combining the PIN with the chip information; performing a message authentication code (MAC) operation on the combination in order to generate an application request cryptogram (ARQC); and requesting an authentication of the transaction based on the generated ARQC.

Abstract: One or more computing devices, systems, and/or methods for managing security associated with applications are provided. In an example, a central security gateway may determine first security policy information associated with a first application. The central security gateway may establish a first encrypted connection with a first device of the first application. The central security gateway may manage, based upon the first security policy information and using the first encrypted connection, security associated with the first application. The central security gateway may determine second security policy information associated with a second application. The central security gateway may establish a second encrypted connection with a second device of the second application. The central security gateway may manage, based upon the second security policy information and using the second encrypted connection, security associated with the second application.

Abstract: Distributed firewalls in a network are disclosed. Example firewall controllers disclosed herein are to instruct a first network node of a software-defined network to implement a first firewall instance of a distributed firewall, the first network node to implement the first firewall instance with a first virtual machine. Disclosed example firewall controllers are also to configure a second network node of the software-defined network to route network traffic through the first firewall instance and, after at least some of the network traffic is dropped by the first firewall instance, instruct the second network node to implement a second firewall instance of the distributed firewall, the second network node to implement the second firewall instance with a second virtual machine.

Abstract: In one embodiment, an apparatus includes: an integrity circuit to receive data and generate a protection code based at least in part on the data; a cryptographic circuit coupled to the integrity circuit to encrypt the data into encrypted data and encrypt the protection code into an encrypted protection code; a message authentication code (MAC) circuit coupled to the cryptographic circuit to compute a MAC comprising a tag using header information, the encrypted data, and the encrypted protection code; and an output circuit to send the header information, the encrypted data, and the tag to a receiver via a link. Other embodiments are described and claimed.

Abstract: A response communication that includes one or more data packets is received at a broker associated with a storage node of a plurality of storage nodes via a virtual network associated with the plurality of storage nodes of a storage system. The one or more data packets are provided, via the virtual network associated with the storage nodes, to a tenant communication component associated with an intended destination. A connection between the broker and the tenant communication component associated with the intended destination is terminated. A new connection between the intended destination and the tenant communication component associated with the intended destination is established. The new connection is associated with a virtual network associated with a storage tenant. The one or more data packets are sent to the intended destination via the virtual network associated with the storage tenant.

Abstract: A testing method for verifying keys uses a dataset of integers, the dataset being previously split into subsets of the integers, each subset of the integers having a product data structure for a product of the integers in the subset. Each ordered pair of subsets in the dataset has a remainder data structure for factors of the integers in the subsets of the ordered pair. The method includes creating a subset including integers to be added to the dataset of integers, and generating a product data structure for the created subset, the product data structure based on computing a product of the integers in the created subset. The method also includes identifying distinct ordered pairs of subsets, each distinct ordered pair of subsets including a subset from the dataset and the created subset.

Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated by based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.

Abstract: Systems comprising: a memory; and a hardware processor and configured to: execute a hypervisor having a first portion and a second portion, wherein the first portion of the hypervisor executes at a first exception level that allows the first portion to access data of a virtual machine in the hardware processor and the memory, and wherein the second portion of the hypervisor executes at a second exception level that prevents the second portion from accessing the data of the virtual machine in the hardware processor and the memory. Methods comprising: executing a first portion of a hypervisor at a first exception level that allows the first portion to access data of a virtual machine in a hardware processor and memory; and executing a second portion of a hypervisor at a second exception level that prevents the second portion from accessing the data in the hardware processor and the memory.

Abstract: A system for fully integrated collection of business impacting data, analysis of that data and generation of both analysis driven business decisions and analysis driven simulations of alternate candidate business actions has been devised and reduced to practice. This business operating system may be used to monitor and predictively warn of events that impact the security of business infrastructure and may also be employed to monitor client-facing services supported by both software and hardware to alert in case of reduction or failure and also predict deficiency, service reduction or failure based on current event data.

Abstract: Examples of enrollment of virtual devices for unprivileged users are described. In some examples, a virtual device includes an enrollment agent, encrypted enrollment credentials, and a user mode privilege elevation component that elevates privilege of the enrollment agent. A privilege elevated token is created to include an administrative privilege of a local security authority service, and a security context of an unprivileged user account logged in to the virtual device. The enrollment agent is launched using the privilege elevated token rather than a user token of a user that is logged in. The enrollment agent decrypts the encrypted enrollment credentials based on administrative privilege of the privilege elevated token, and enrolls the virtual device with a management service using decrypted enrollment credentials.