Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 12199958
    Abstract: A high assurance system provides for communication between trusted user devices with auxiliary adaptation for augmenting communication security across an untrusted environment. First and second main encrypting devices coupled to respective trusted user devices are cryptologically tethered to one another by a main communication link established across the untrusted environment between trusted user devices in cryptologically protected manner. An auxiliary encrypting device is cryptologically tethered to the first main encrypting device by an auxiliary communication link established across the untrusted environment between a trusted auxiliary device and one trusted user device in cryptologically protected manner. The main and auxiliary encrypting devices define portals that traverse trust boundaries between trusted and untrusted environments, each including at least one encryption unit and a communication unit coupled thereto by a connectionless interconnect.
    Type: Grant
    Filed: August 24, 2022
    Date of Patent: January 14, 2025
    Assignee: Government of the United States as represented by the Director, National Security Agency
    Inventors: William J. Layton, Andrew H. White
  • Patent number: 12200782
    Abstract: A home appliance includes a first communication circuitry configured to communicate with a mobile terminal placed within a first communication range supporting a first communication method, a second communication circuitry configured to communicate with an external wireless access point apparatus placed within a second communication range supporting a second communication method, and at least one processor configured to control the first communication circuitry to detect the mobile terminal, the mobile terminal being executing an application for communicating with the home appliance, based on detecting the mobile terminal, obtain, via the first communication circuitry, network set-up information from the mobile terminal for connecting to the external wireless access point apparatus, control the second communication circuitry to establish a communication with the external wireless access point apparatus using the obtained network set-up information, and control the second communication circuitry to access an i
    Type: Grant
    Filed: December 22, 2021
    Date of Patent: January 14, 2025
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Chang Ho Ha, Bo Kyu Won, Mo Weon Lee, Seong Ho Cho
  • Patent number: 12199960
    Abstract: A non-transitory computer readable medium stores instructions that, when executed by a processor, cause the processor to receive, from one or more processing nodes, data representative of usage and inventory of one or more software assets by one or more industrial automation devices of an industrial automation system that are communicatively coupled to the one or more processing nodes, determine a data delta for the industrial automation system that represents differences between the software asset data and a previous iteration of the software asset data, encrypt the data delta for the industrial automation system, and transmit the encrypted data delta for the industrial automation system to a remote server.
    Type: Grant
    Filed: April 26, 2022
    Date of Patent: January 14, 2025
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: David Picou, Francisco P. Maturana, Jay W. Schiele, Krutika Kansara, Nikhil Ashok Patange, Larry D. Armstrong, Kerwen Changyuan Zhang, John L. Kelly, Davis Biao Ma
  • Patent number: 12192237
    Abstract: Systems and methods for detecting attacks using a handshake request are provided. A plurality of devices can receive a plurality of handshake requests to establish TLS connections that include a respective application request. At least one of the plurality of handshake requests can include a first application request. The plurality of devices can record each of the respective application requests to a registry of application requests. A first device of the plurality of devices can receive a subsequent handshake request to establish a subsequent TLS connection that includes the first application request. The first device can query, prior to accepting the first application request, the registry for the first application request. The first device can determine whether to accept or reject the first application request responsive to identifying from the query that the first application request has not been or has been recorded in the registry.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: January 7, 2025
    Assignee: Citrix Systems, Inc.
    Inventors: Andrew Penner, Tushar Kanekar
  • Patent number: 12186888
    Abstract: A robot apparatus is disclosed. The robot apparatus includes a main body; a display; a neck structure rotatably connected to the main body; a first driving device configured to rotate the neck structure such that the display is positioned in a first location, in which a display surface of the display faces toward an upper direction, or a second location, in which the display surface faces toward a front direction; a stopper structure provided on the main body to be adjacent to the neck structure; and a second driving device configured to move the stopper structure toward the front direction or a rear direction such that the stopper structure is positioned in a supporting location in which the stopper structure contacts a rear surface of the neck structure, or a separated location, in which the stopper structure is spaced apart from the neck structure.
    Type: Grant
    Filed: October 6, 2022
    Date of Patent: January 7, 2025
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Baeseok Lim, Hyunsuk Kwak, Dongsik Yun, Jaemyung Cho, Youngjae Chae
  • Patent number: 12192171
    Abstract: A virtual firewall configured with two interfaces assigned different security zones switches between Layer 3 routing and bump-in-the-wire (BITW) modes between sessions. After receiving a packet from a one-arm load balancer, an inner header is determined based on decapsulation which removes an outer header. A route lookup is performed based on the inner header to determine whether to communicate packets of the session with Layer 3 routing or according to the BITW model. The result of the route lookup indicates an egress interface. If the ingress and egress interfaces are the same, the firewall operates according to the BITW model for the session. If the egress and ingress interfaces are different, the firewall routes packets of the session with Layer 3 routing. Upon detection of subsequent packets, the firewall operates according to the determined mode for the session without performing additional inner header route lookups for operation mode determination.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: January 7, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Charles Bransi, Steven Alsop
  • Patent number: 12184600
    Abstract: Among other things, we describe techniques for encoding data that is included in electronic communications. In one aspect, a first electronic communication system sends, to an entity, a first email message that includes a Message-ID field including data that identifies an action to be carried out by a second electronic communication system. The first electronic communication system receives, from the entity, a second email message that includes an In-Reply-To field containing the data that identifies the action to be carried out by the second electronic communication system. The first electronic communication extracts the data from the In-Reply-To field in a message header of the first electronic communication. The second electronic communication system may be the same as the first electronic communication system, or may be an electronic communication system other than the first electronic communication system.
    Type: Grant
    Filed: September 8, 2023
    Date of Patent: December 31, 2024
    Assignee: Mimecast Services Ltd.
    Inventors: Simon Paul Tyler, Jackie Anne Maylor
  • Patent number: 12185193
    Abstract: A communication device for performing wireless communication with another communication device, includes a wired communication interface configured to be connected to a wired communication line, a wireless communication interface configured to be connected to the other communication device by wireless communication, an antenna configured to transmit or receive a wireless signal related to the wireless communication, and a processor configured to, in a case that a destination of a first frame received by the wired communication interface indicates a broadcast address or a multicast address, wirelessly transmit a second frame to the other communication device with a modulation scheme and a coding rate set according to a wireless communication environment with the other communication device. The second frame includes the first frame and the second frame has a unicast address indicating a destination of the other communication device.
    Type: Grant
    Filed: March 9, 2022
    Date of Patent: December 31, 2024
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Akira Yamasaki, Kazuki Hashimoto, Nobuhiko Arashin
  • Patent number: 12182130
    Abstract: Hybrid tables can be used in different use-case scenarios. Hybrid tables provide a flexible mechanism to support files and data in different formats while providing access to the different types of data as part of one table. This flexibility can allow the use of hybrid tables in data lake or other similar environments.
    Type: Grant
    Filed: May 26, 2023
    Date of Patent: December 31, 2024
    Assignee: Snowflake Inc.
    Inventors: Tyler Arthur Akidau, Thierry Cruanes, Istvan Cseri, Benoit Dageville, Tyler Jones, Dinesh Chandrakant Kulkarni
  • Patent number: 12182604
    Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: December 31, 2024
    Assignee: Google LLC
    Inventors: Michael Halcrow, Thomas Garnier
  • Patent number: 12177667
    Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: December 24, 2024
    Assignee: Zscaler, Inc.
    Inventors: Nathan Howe, Kenneth B. Urquhart, Subramanian Srinivasan, Sridhar Kartik Kumar Chatnalli Deshpande, Patrick Foxhoven
  • Patent number: 12177666
    Abstract: Methods and apparatus for enhancement of authentication. A method performed by a communication device may comprise sending a first request to a communication equipment, wherein the request comprises a communication device identifier of the communication device. The method may further comprise receiving a first response from the communication equipment, the first response comprising one or more parameters. The method may further comprise generating a first key and a second key based on the received response. The method may further comprise sending a second request to the communication equipment, the second request comprising the first key and a message based on the second key.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: December 24, 2024
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Chenyi Yang, Zhiming Deng, Hualiang Deng, Mengjie Zhang, Wu Chunlan
  • Patent number: 12177194
    Abstract: A method includes receiving, from a user device, a request to store data in a computer storage medium. The method includes generating a local encryption key for a user of the user device. The method includes providing the local encryption key to the user of the user device. The user maintains the local encryption key separate from the user device. The method includes generating a storage encryption key for encrypting the data for storage in the computer storage medium. The method includes encrypting the data with the storage encryption key to generate encrypted data. The method includes encrypting the storage encryption key with the local encryption key to generate an encrypted storage encryption key. The method includes transmitting the encrypted data and the encrypted storage encryption key to the computer storage medium. The method includes removing the storage encryption key and the encrypted storage encryption key from the user device.
    Type: Grant
    Filed: February 26, 2024
    Date of Patent: December 24, 2024
    Inventor: Mohamad Fouad Kassan
  • Patent number: 12177190
    Abstract: A secure translator is described herein for use with an insecure device. An insecure device is a computing device that either does not have the ability to or can no longer communicate at desired security levels. The secure translator is configured to act as a proxy for insecure devices, allowing for full translation of any inbound communication to be secured, with information scrubbed or otherwise manipulated, then translated over a direct connection to the insecure device.
    Type: Grant
    Filed: February 14, 2021
    Date of Patent: December 24, 2024
    Assignee: Vigilant IP Holdings LLC
    Inventor: Christopher M. Nyhuis
  • Patent number: 12170681
    Abstract: Method for detecting data traffic in a communication network, wherein in order to detect data traffic in a communication network, at least one network infrastructure device to which at least one first communication terminal and one second communication terminal are connected provides a monitoring interface that is secured against unauthorized access, is assigned to the two communication terminals, and is intended for detecting data traffic between at least the first and the second communication device, where a device detecting apparatus determines available monitoring interfaces on network infrastructure devices as well as address information assigned to the monitoring interfaces and provides this interface information to at least one recording apparatus that is separate from the at least one network infrastructure device.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: December 17, 2024
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Harald Albrecht, Stefan Kern, Lars Walpurgis
  • Patent number: 12169550
    Abstract: A method for authenticating a transaction that requires the use of a personal identification number (PIN) is provided. The method includes obtaining chip information from a chip that is embedded in a card; receiving a user input that includes the PIN; combining the PIN with the chip information; performing a message authentication code (MAC) operation on the combination in order to generate an application request cryptogram (ARQC); and requesting an authentication of the transaction based on the generated ARQC.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: December 17, 2024
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Michael H. Naber
  • Patent number: 12170894
    Abstract: An example system includes a plurality of AP devices configured to provide a wireless network at a site, the plurality of AP devices including a first AP device configured to determine a set of roaming candidates within the site for client devices connected to the first AP device, wherein the set of roaming candidates includes one or more AP devices of the plurality of AP selected according to a selection criteria; in response to establishing a connection with a client device, cache a key associated with the client device in the memory of the first AP device; generate a packet with the key associated with the client device, and a list of APs that includes one or more identifiers of the one or more AP devices within the set of roaming candidates for the first AP device; and transmit the packet to the plurality of AP devices at the site.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: December 17, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Jacob Thomas, Sanjoy Dey
  • Patent number: 12169831
    Abstract: A system and methods include a negative certificate authority for distributed management of negative certificates. An authorization restriction is associated with an untrusted user. A negative certificate generated for the untrusted user includes a public key associated with the untrusted user and an authorization restriction. The authorization restriction includes at least one global restriction, which is applicable to each consortium member that subscribes to the negative certificate. The authorization restriction includes at least one local restriction, which allows individual consortium members to further define their own locally applicable restrictions using the negative certificate authority. The negative certificate is accessible to each member of the consortium to enforce the authorization restriction against a transaction request. A secure contributor record including a unique cryptographically generated address is generated for each contributor.
    Type: Grant
    Filed: October 11, 2021
    Date of Patent: December 17, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Sathya K. Balakrishnan, Shanmukeswara R. Donkada, Madhu Gumballi, Rameshchandra B. Ketharaju, Niraj Kumar, Ramanathan Ramanathan, Chandrasekaran Sivaraman, Lakshmi Sowrirajan
  • Patent number: 12164371
    Abstract: In one embodiment, an apparatus includes: an integrity circuit to receive data and generate a protection code based at least in part on the data; a cryptographic circuit coupled to the integrity circuit to encrypt the data into encrypted data and encrypt the protection code into an encrypted protection code; a message authentication code (MAC) circuit coupled to the cryptographic circuit to compute a MAC comprising a tag using header information, the encrypted data, and the encrypted protection code; and an output circuit to send the header information, the encrypted data, and the tag to a receiver via a link. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: December 10, 2024
    Assignee: Intel Corporation
    Inventors: Raghunandan Makaram, Kirk S. Yap
  • Patent number: 12166798
    Abstract: One or more computing devices, systems, and/or methods for managing security associated with applications are provided. In an example, a central security gateway may determine first security policy information associated with a first application. The central security gateway may establish a first encrypted connection with a first device of the first application. The central security gateway may manage, based upon the first security policy information and using the first encrypted connection, security associated with the first application. The central security gateway may determine second security policy information associated with a second application. The central security gateway may establish a second encrypted connection with a second device of the second application. The central security gateway may manage, based upon the second security policy information and using the second encrypted connection, security associated with the second application.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: December 10, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Minbao Li, Eugene A. Oliva, Michael L. Hoarle, David Taft
  • Patent number: 12166746
    Abstract: Distributed firewalls in a network are disclosed. Example firewall controllers disclosed herein are to instruct a first network node of a software-defined network to implement a first firewall instance of a distributed firewall, the first network node to implement the first firewall instance with a first virtual machine. Disclosed example firewall controllers are also to configure a second network node of the software-defined network to route network traffic through the first firewall instance and, after at least some of the network traffic is dropped by the first firewall instance, instruct the second network node to implement a second firewall instance of the distributed firewall, the second network node to implement the second firewall instance with a second virtual machine.
    Type: Grant
    Filed: April 18, 2023
    Date of Patent: December 10, 2024
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Dustin Grant, Sandeep Gupta, Sridhar Narahari, Michael J. Satterlee
  • Patent number: 12160512
    Abstract: A testing method for verifying keys uses a dataset of integers, the dataset being previously split into subsets of the integers, each subset of the integers having a product data structure for a product of the integers in the subset. Each ordered pair of subsets in the dataset has a remainder data structure for factors of the integers in the subsets of the ordered pair. The method includes creating a subset including integers to be added to the dataset of integers, and generating a product data structure for the created subset, the product data structure based on computing a product of the integers in the created subset. The method also includes identifying distinct ordered pairs of subsets, each distinct ordered pair of subsets including a subset from the dataset and the created subset.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: December 3, 2024
    Assignee: NAGRAVISION SARL
    Inventors: Nils Amiet, Yolan Romailler
  • Patent number: 12160475
    Abstract: A response communication that includes one or more data packets is received at a broker associated with a storage node of a plurality of storage nodes via a virtual network associated with the plurality of storage nodes of a storage system. The one or more data packets are provided, via the virtual network associated with the storage nodes, to a tenant communication component associated with an intended destination. A connection between the broker and the tenant communication component associated with the intended destination is terminated. A new connection between the intended destination and the tenant communication component associated with the intended destination is established. The new connection is associated with a virtual network associated with a storage tenant. The one or more data packets are sent to the intended destination via the virtual network associated with the storage tenant.
    Type: Grant
    Filed: December 15, 2023
    Date of Patent: December 3, 2024
    Assignee: Cohesity, Inc.
    Inventors: Harsha Vardhan Jagannati, Anand Bhat
  • Patent number: 12153703
    Abstract: A computing system may receive a schema of user interface comprising an arrangement of interface elements, each element configured to display data from cells of a database. The system may receive a user permission for the user interface and an element permission for an interface element. The system may generate a policy object for the user interface based on the user permission and the element permission. The policy object specifies which cells of the database can be accessed by the user interface. The system may receive a query from a client device associated with a user to implement a local instance of the user interface. The system may serve the query according to the policy object, where serving the query includes providing data from the database that the user interface provides access to without providing other data from the database that should not be accessible according to the policy object.
    Type: Grant
    Filed: October 10, 2023
    Date of Patent: November 26, 2024
    Assignee: Formagrid Inc
    Inventors: Raghav Sethi, Stephen Beesley Ball, Emmett Fred Nicholas, Caleb Wesley Meredith, Anuj Bheda, Samuel Gilbert Keller
  • Patent number: 12155405
    Abstract: The present description concerns a method or device wherein an untraceability feature of a first near-field communication device is deactivated by an action on a hardware switch.
    Type: Grant
    Filed: December 9, 2021
    Date of Patent: November 26, 2024
    Assignee: STMicroelectronics (Grenoble 2) SAS
    Inventor: Thomas Kunlin
  • Patent number: 12155681
    Abstract: Disclosed embodiments relate to systems and methods for securely and privately auditing web sessions. Techniques include receiving encrypted browser session data; storing the encrypted browser session data at a server; receiving an audit request associated with the stored encrypted browser session data; retrieving the stored encrypted browser session data based on the audit request; and transmitting the encrypted browser session data to an auditor endpoint device to enable access to the browser session data by the auditor endpoint device.
    Type: Grant
    Filed: May 2, 2022
    Date of Patent: November 26, 2024
    Assignee: CyberArk Software Ltd.
    Inventors: Arthur Bendersky, Evgeni Aizikovich
  • Patent number: 12153674
    Abstract: An event graph can be generated, and, upon malware detection, traversed backward to identify a root cause associated with the malware detection. Using this information, rules for earlier malware detection can be created by analyzing the event graph proximal to the root cause rather than proximal to the malware detection trigger.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: November 26, 2024
    Assignee: Sophos Limited
    Inventors: Beata Ladnai, Mark David Harris, Andrew J. Thomas, Andrew G. P. Smith, Russell Humphries
  • Patent number: 12155628
    Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.
    Type: Grant
    Filed: May 12, 2023
    Date of Patent: November 26, 2024
    Assignee: Nicira, Inc.
    Inventor: Donghai Han
  • Patent number: 12153944
    Abstract: Systems comprising: a memory; and a hardware processor and configured to: execute a hypervisor having a first portion and a second portion, wherein the first portion of the hypervisor executes at a first exception level that allows the first portion to access data of a virtual machine in the hardware processor and the memory, and wherein the second portion of the hypervisor executes at a second exception level that prevents the second portion from accessing the data of the virtual machine in the hardware processor and the memory. Methods comprising: executing a first portion of a hypervisor at a first exception level that allows the first portion to access data of a virtual machine in a hardware processor and memory; and executing a second portion of a hypervisor at a second exception level that prevents the second portion from accessing the data in the hardware processor and the memory.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: November 26, 2024
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Shih-Wei Li, Jason Nieh, John S. Koh
  • Patent number: 12155693
    Abstract: A system for fully integrated collection of business impacting data, analysis of that data and generation of both analysis driven business decisions and analysis driven simulations of alternate candidate business actions has been devised and reduced to practice. This business operating system may be used to monitor and predictively warn of events that impact the security of business infrastructure and may also be employed to monitor client-facing services supported by both software and hardware to alert in case of reduction or failure and also predict deficiency, service reduction or failure based on current event data.
    Type: Grant
    Filed: July 21, 2024
    Date of Patent: November 26, 2024
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 12153689
    Abstract: Examples of enrollment of virtual devices for unprivileged users are described. In some examples, a virtual device includes an enrollment agent, encrypted enrollment credentials, and a user mode privilege elevation component that elevates privilege of the enrollment agent. A privilege elevated token is created to include an administrative privilege of a local security authority service, and a security context of an unprivileged user account logged in to the virtual device. The enrollment agent is launched using the privilege elevated token rather than a user token of a user that is logged in. The enrollment agent decrypts the encrypted enrollment credentials based on administrative privilege of the privilege elevated token, and enrolls the virtual device with a management service using decrypted enrollment credentials.
    Type: Grant
    Filed: December 9, 2021
    Date of Patent: November 26, 2024
    Assignee: Omnissa, LLC
    Inventors: Chris Halstead, Kevin B. Sheehan, Jared Cook, Joshua Spencer
  • Patent number: 12149548
    Abstract: The present disclosure provides a hierarchical method of identifying unauthorized network traffic in a network by applying, at one of a first plurality of nodes of a network, a first level of network traffic analysis to identify received network traffic as one of authorized or suspicious network traffic, the one of the first plurality of nodes having a first path for traffic routing and a second path to one of a second plurality of nodes of the network, the second path being used for forwarding the suspicious network traffic to the one of the second plurality of nodes; tagging the received network traffic as the suspicious network traffic; and sending the suspicious network traffic to the one of the second plurality of nodes over the second path, the second network node applying a second level of network analysis to determine if the received network traffic is authorized, unauthorized or remains suspicious.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: November 19, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Lele Zhang, Li Zhao, Chuanwei Li, Feiliang Wang
  • Patent number: 12149604
    Abstract: Disclosed is a calculation device. The present calculation device includes: a memory for storing a plurality of homomorphic ciphertexts for an approximate message including an error; and a processor for sorting the plurality of homomorphic ciphertexts by using a 5-way sorter which can sort five homomorphic ciphertexts in a single stage.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: November 19, 2024
    Assignees: Crypto Lab Inc., Seoul National University R&DB Foundation
    Inventors: Jung Hee Cheon, Seungwan Hong
  • Patent number: 12143474
    Abstract: Described herein are systems, methods, and software to manage the approval of new computing elements for a private network. In one implementation, an administrator computing device in a private network is configured to receive a notification for a computing element to join the private network, wherein the notification includes a public key for the computing element and supplemental information for the computing element. The administrator computing device further identifies input indicating that the computing element is approved for the private network and, in response to the input, signs at least the public key. Once signed, the administrator computing device distributes the signed public key to one or more other computing elements in the private network.
    Type: Grant
    Filed: September 12, 2022
    Date of Patent: November 12, 2024
    Assignee: Tailscale Inc.
    Inventor: Thomas Michael Trevor D'Netto
  • Patent number: 12143497
    Abstract: A reliable video streaming method using blockchain technology resisting cyber-attacks such as external and DDOS, malware, virus, and bandwidth reduction during video streaming of mobile devices connected over a same network is provided. The reliable video streaming method enables mobile devices connected to each other over a network to stream video over a reliable network.
    Type: Grant
    Filed: October 15, 2021
    Date of Patent: November 12, 2024
    Assignee: Istanbul Teknik Universitesi
    Inventors: Nasim Tavakkoli, Enver Ozdemir, Gunes Zeynep Karabulut Kurt
  • Patent number: 12137089
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically manage consent, permissioning, and trust between computing systems and unrelated, third-party applications operating within a computing environment. By way of example, the apparatus may receive a request for an element of data that includes an access token and first credential data associated with an application program. When the first credential data corresponds to second credential data associated with the application program, the apparatus may determine that the requested data element is accessible to the application program and perform operations that validate the access token. Further, and based on the validation of the access token, the apparatus may obtain and encrypt the requested data element, and may transmit the encrypted data element to a device via the communications interface.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: November 5, 2024
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, Arthur Carroll Chow, David Samuel Tax, Armon Rouhani, Keith Sanjay Ajmani, Gregory Albert Kliewer, Anthony Haituyen Nguyen, Martin Albert Lozon, Kareem El-Onsi, Ashkan Alavi-Harati, Arun Victor Jagga
  • Patent number: 12137097
    Abstract: A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determination is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised, an extension of the session between the authenticated user on the client and the web server system is caused.
    Type: Grant
    Filed: July 11, 2023
    Date of Patent: November 5, 2024
    Assignee: Shape Security, Inc.
    Inventors: Mengmeng Chen, Sumit Agarwal, Yao Zhao
  • Patent number: 12132828
    Abstract: A system includes at least one processor to receive a second public key, a first random number, and a second random number, and store the second public key, the first random number, and the second random number in an installation record, perform key agreement with a first private key and the second public key to determine a MasterSecret, perform key expansion with the MasterSecret, the first random number, and the second random number to generate a client authentication key, a server authentication key, a client encryption key, and a server encryption key, and store the client authentication key, the server authentication key, the client encryption key, and the server encryption key and delete the MasterSecret.
    Type: Grant
    Filed: August 29, 2022
    Date of Patent: October 29, 2024
    Assignee: Aclara Technologies LLC
    Inventor: Timothy Dierking
  • Patent number: 12132708
    Abstract: A method for providing an enterprise distribution platform to facilitate software distribution over a public computer network is disclosed. The method includes receiving, via a network interface, a request from the public computer network, the request relating to a solicitation for a software package; determining, by using a network security system, whether the request is forwarded from the public computer network to a private computer network based on a predetermined security rule; authenticating, via a web proxy, the request based on a result of the determining; identifying, based on a result of the authentication, the software package corresponding to the request; retrieving, from a memory, the identified software package; and transmitting, via the network interface, the retrieved software package in response to the request.
    Type: Grant
    Filed: November 23, 2021
    Date of Patent: October 29, 2024
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Rohit Nilekar
  • Patent number: 12124799
    Abstract: A system and method for advanced document redaction are disclosed. According to one embodiment, a system comprises a parser that analyzes documents to identify structured, semi-structured, and unstructured data from a document. A candidates generator generates a list of words for redaction from the structured, semi-structured, and unstructured data. A replacement engine replaces one or more words from the list of words with one or more of a replacement word, random characters, and random numbers.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: October 22, 2024
    Assignee: Genpact USA, Inc.
    Inventor: Shishir Mane
  • Patent number: 12125070
    Abstract: A method for distributing an electronic content item for consumption with advertisements is provided. In one embodiment, a content provider creates a license identifying one or more slots within an electronic content item at which advertisements are to be inserted. The license specifies one or more types of advertisements that are not permitted to be inserted into the slots, and also specifies criteria for dynamically selecting advertisements to insert into the one or more slots. The content provider securely associates the electronic license with the electronic content item and distributes the electronic content item and the electronic license to a third party for consumption or subsequent transfer to an end user.
    Type: Grant
    Filed: March 6, 2023
    Date of Patent: October 22, 2024
    Assignee: Intertrust Technologies Corporation
    Inventors: David P. Maher, Prasad Khambete, Prasad Sanagavarapu, Sanjeev Tenneti, Laurent Grandhomme
  • Patent number: 12126725
    Abstract: A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (g^a), the second value (g^a) generated based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (m_i) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (m_i); generate, with the payment network, a public key (pk_i) based on the second value (g^a), the merchant product (M), and the random merchant number (m_i) and a random key (rk_i) based on the merchant product (M) and the random merchant number (m_i) for each respective merchant bank; and communicate, with the payment network, the public key (pk_i) and the random key (rk_i) to at least one respective merchant bank.
    Type: Grant
    Filed: May 19, 2023
    Date of Patent: October 22, 2024
    Assignee: Visa International Service Association
    Inventors: Sivanarayana Gaddam, Atul Luykx, Rohit Sinha, Gaven James Watson
  • Patent number: 12124477
    Abstract: A system can register, by a replication component and with a notification component, for notifications to changes in a group of data in data storage, wherein the notification component is configured to write respective changes in the group of data to a replication stream. The system can retrieve, by the replication component, a change of the changes in the group of data from the replication stream. The system can, in response to determining that the change corresponds to a replication policy, replicate, by the replication component, data of the group of data that corresponds to the change to a target system, wherein the replication component is configured to perform a replication on target systems having respective different storage types.
    Type: Grant
    Filed: November 29, 2022
    Date of Patent: October 22, 2024
    Assignee: DELL PRODUCTS L.P.
    Inventors: Kalyan C. Gunda, Richard Chenyu Ding, Zongque Xu
  • Patent number: 12126728
    Abstract: In one embodiment, a method comprises: generating and maintaining, by a network device in a secure peer-to-peer data network, a secure private key and a corresponding secure public key; establishing, by the network device, a two-way trusted relationship with a second network device in the secure peer-to-peer data network; generating by the network device a temporal key, and encrypting a data packet payload using the temporal key into an encrypted payload; encrypting, by the network device, the temporal key into an encrypted temporal key using a second secure public key of the second network device; and generating and outputting a secure data packet comprising the encrypted temporal key and the encrypted payload, enabling a receiving network device to verify the secure data packet is not a copy based on a determined absence of a prior prescribed hash of at least a portion of the encrypted temporal key.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: October 22, 2024
    Assignee: WhiteStar Communications, Inc.
    Inventor: Billy Gayle Moon
  • Patent number: 12124742
    Abstract: Systems and methods for supporting dynamic disk growth within a virtual storage appliance are provided. According to one embodiment, a portion of a logical size of respective hyperscale disks provided by a hyperscaler are provisioned for use by a virtual storage system as backing for respective file system disks. To accommodate growth, block numbers for the file system disks are pre-allocated within a sparse space of a contiguous sequence of block numbers corresponding to a number of blocks represented by the logical size. Metadata is maintained for the file system disks regarding a range of the pre-allocated block numbers that are available for use. Responsive to a triggering condition, the provisioned portion of a hyperscale disk is increased and subsequently, responsive to detecting a change in a size of the hyperscale disk by the virtual storage system, a size of the corresponding file system disk is updated within the metadata.
    Type: Grant
    Filed: September 8, 2021
    Date of Patent: October 22, 2024
    Assignee: NetApp, Inc.
    Inventors: Mrinal K. Bhattacharjee, Jagadish Vasudeva, Sateesh Kumar Pola
  • Patent number: 12126603
    Abstract: A secure data exchange system permits devices to exchange secure message keys and securely transmit messages between devices. The devices may initially exchange temporary message keys that are used to encrypt permanent message keys. In addition, devices may have pairing managed that authenticates devices. Devices may be associated with an address ledger that maintains address information and is accessible with a public ledger key, which may provide different access to address information to different paired devices. Data within the system may also be encrypted with user device keys that prevent unauthorized access to data while permitting recreation of the user device key for data backup and migration.
    Type: Grant
    Filed: October 1, 2021
    Date of Patent: October 22, 2024
    Inventor: Henry Verheyen
  • Patent number: 12126649
    Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.
    Type: Grant
    Filed: January 9, 2024
    Date of Patent: October 22, 2024
    Assignee: Rapid7, Inc.
    Inventor: Barry Curran
  • Patent number: 12120525
    Abstract: In one embodiment, a method is disclosed for mobile device security that includes receiving a label ID from a low power mobile device via a first access point, wherein the label ID is a randomized value that substitutes a device address of the low power mobile device during wireless communication. The method includes mapping the label ID to the device address, and transmitting the device address to the first access point, and responsive to the transmitting, causing the first access point to pair with the low power mobile device.
    Type: Grant
    Filed: September 13, 2021
    Date of Patent: October 15, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Nageswara Rao Majeti, Sairam Sambaraju, Manikanteswar G. Govinda Swamy, Kishore Hanumansetty, Saravanan Radhakrishnan, Bhavik P. Shah
  • Patent number: 12120077
    Abstract: Embodiments of the disclosure relate to proxying at least one email resource from at least one email service to at least one client device, determining whether the email resources are accessible to the client devices via at least one unauthorized application on the client devices, and modifying the email resources to be inaccessible via the unauthorized applications on the client devices in response to a determination that the email resources are accessible via the unauthorized applications on the client devices.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: October 15, 2024
    Assignee: Omnissa, LLC
    Inventor: Erich Stuntebeck
  • Patent number: 12114199
    Abstract: An example method of operation may include exchanging data between a client device and a server at a first transmission rate via at least one of a first channel and a second channel, monitoring an amount of data exchanged, comparing the amount of data exchanged to a first data amount threshold and a second data amount threshold for at least one time period, partially limiting subsequent transfers of data between the client device and the server when the first data amount threshold is reached in the at least one time period, and further partially limiting the subsequent transfers of data or ending transfer of data between the client device and the server when the second data amount threshold is reached in the at least one time period.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: October 8, 2024
    Assignee: CONNECTIFY, INC.
    Inventors: Brian Lutz, Alexander Gizis, Kevin Cunningham, Brian Prodoehl