Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Patent number: 11456860
Abstract: A method may include establishing a transport layer session between a gateway appliance and at least one virtual delivery appliance, establishing a presentation layer session between the gateway appliance and the at least one virtual delivery appliance via the transport layer session, and establishing a connection lease exchange tunnel between the gateway appliance and the at least one virtual delivery appliance via the presentation layer session. The method further includes receiving, at the at least one virtual delivery appliance, a connection lease from a client device via the gateway appliance through the connection lease exchange tunnel and validating the connection lease, and issuing a resource connection ticket at the at least one virtual delivery appliance to the client device through the connection lease exchange tunnel responsive to the validation.
Type: Grant
Filed: May 19, 2020
Date of Patent: September 27, 2022
Assignee: CITRIX SYSTEMS, INC.
Inventors: Georgy Momchilov, Hubert Divoux, Roberto Valdes
-
Patent number: 11456861
Abstract: A computing system may include a client device configured to remotely access virtual computing sessions, and a virtual delivery appliance configured to connect the client device to the virtual computing sessions. The client device and the virtual delivery appliance may share a symmetric encryption key and encrypt data communications exchanged therebetween with the symmetric encryption key. The system may further include a gateway appliance configured to relay the encrypted communications between the client device and the virtual delivery appliance, the gateway appliance not having the symmetric key and being unable to decrypt the encrypted communications relayed between the virtual delivery appliance and the client device.
Type: Grant
Filed: May 20, 2020
Date of Patent: September 27, 2022
Assignee: CITRIX SYSTEMS, INC.
Inventors: Georgy Momchilov, Hubert Divoux, Roberto Valdes
-
Patent number: 11449915
Abstract: Provided herein are system, apparatus, device, method and/or computer program product embodiments, and/or combinations and sub-combinations thereof, for identifying second products in an inventory of a second ecommerce site that are at least similar to a first product currently being displayed to a user by a first ecommerce site, and displaying the second products for viewing and purchase by the user at the first ecommerce site.
Type: Grant
Filed: March 19, 2019
Date of Patent: September 20, 2022
Assignee: MERCARI, INC.
Inventors: Dani Arnaout, Jihad Kawas
-
Patent number: 11451846
Abstract: A method of transmitting entitlement messages to content consumption devices in an access control system, the method comprising periodically transmitting entitlement messages to content consumption devices in an access control system and periodically extending an expiry time comprised in the entitlement messages. The entitlement messages comprise indicator data indicating to the content consumption devices that subsequent entitlement messages loaded into a content consumption device after a first entitlement message is loaded into the content consumption device shall not be used by the content consumption device to access protected media content.
Type: Grant
Filed: June 25, 2021
Date of Patent: September 20, 2022
Assignee: NAGRAVISION S.A.
Inventors: Didier Hunacek, Jean-Bernard Fischer
-
Patent number: 11451640
Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both.
Type: Grant
Filed: May 3, 2020
Date of Patent: September 20, 2022
Assignee: BRIGHT DATA LTD.
Inventors: Derry Shribman, Ofer Vilenski
-
Patent number: 11451564
Abstract: A method for disrupting a detected cyberthreat can include receiving a request, the request identifying suspected malicious content; identifying one or more indicators of compromise (IOCs) associated with the content; enriching the request with the IOCs; verifying the request; and reporting the verified request and the one or more IOCs to a disruption network.
Type: Grant
Filed: September 21, 2021
Date of Patent: September 20, 2022
Assignee: ZeroFOX, Inc.
Inventors: Samuel Kevin Small, Michael Morgan Price, Jason Emile Sumpter, James Christopher Foster
-
Patent number: 11451385
Abstract: A device generates a biometric public key for an individual based on both the individual's biometric data and a secret S, in a manner that verifiably characterizes both while tending to prevent recovery of either. The biometric data has a Sparse Representation and is encoded in a manner to include a component of noise, such that it is challenging to identify which locations are actually encoded features. Accordingly, the biometric data are encoded as a vector by choosing marker at locations where features are present and, where features are not present, choosing noisy data. The noisy data may be chaff bit values selected collectively from a group of (a) random values and (b) independent and identically distributed values. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust.
Type: Grant
Filed: January 29, 2020
Date of Patent: September 20, 2022
Assignee: Badge Inc.
Inventors: Charles H. Herder, III, Tina P. Srivastava
-
Patent number: 11449333
Abstract: An apparatus, and a method, performed by one or more processors are disclosed. The method may comprise receiving a build request associated with performing an external data processing task on a first data set, the first data set being stored in memory associated with a data processing platform to be performed at a system external to the data processing platform. The method may also comprise generating a task identifier for the data processing task, and providing, in association with the task identifier, the first data set to an agent associated with the external system with an indication of the data processing task, the agent being arranged to cause performance of the task at the external system, to receive a second data set resulting from performance of the task, and to provide the second data set and associated metadata indicative of the transformation.
Type: Grant
Filed: June 12, 2020
Date of Patent: September 20, 2022
Assignee: Palantir Technologies Inc.
Inventors: Audrey Kuan, Andrew Kaier, Eric Lee, Jasjit Grewal, Mark Elliot, Nitish Kulkarni, Robert Fink, Samuel Rogerson, Thomas Pearson, Thomas Powell, Lawrence Manning, Corey Garvey
-
Patent number: 11444911
Abstract: Domain name system (DNS) configuration during virtual private network (VPN) connection includes establishing a VPN tunnel between a client device and a VPN system entry server, which includes configuring a first DNS server as an operative DNS server for the VPN tunnel, and obtaining first content by transmitting to the VPN entry server, a first request that identifies a first external source for the first content, receiving from the VPN entry server a DNS configuration message indicating a second DNS server, configuring the second DNS server as the operative DNS server, and receiving from the VPN entry server, via the VPN tunnel, the first content, wherein the VPN entry server obtained the first content from the first VPN system exit server identified by the VPN entry server using the second DNS server, and the first VPN system exit server obtained the first content from the first external source.
Type: Grant
Filed: February 22, 2022
Date of Patent: September 13, 2022
Assignee: Oversec, UAB
Inventor: Lukas Baltrenas
-
Patent number: 11444753
Abstract: In some aspects, a cryptography method includes executing, by operation of a first computing device associated with a first entity, a first handshake process with a second entity according to a first handshake protocol to establish a first symmetric encryption key for a first encryption protocol; executing, by operation of the first computing device, a second handshake process with the second entity to establish a second symmetric encryption key for a second encryption protocol. Executing the second handshake process includes: generating second handshake data according to a second handshake protocol; encrypting the second handshake data using the first symmetric encryption key with the first encryption protocol; and sending the encrypted second handshake data to a second computing device associated with the second entity; and using the second symmetric encryption key and the second encryption protocol for single-encrypted communication over a communication channel between the first and second entities.
Type: Grant
Filed: March 9, 2022
Date of Patent: September 13, 2022
Assignee: ISARA Corporation
Inventors: Robert Williams, Alexander Truskovsky
-
Patent number: 11445022
Abstract: A system and method is provided for service level agreement (SLA) based data storage and verification. According to one exemplary aspect, a method includes receiving, from a client device, a request to perform data verification of data relating to a file stored on a remote storage computer; accessing, by a processor, at least one SLA to determine a fault tolerance for the file stored on the remote storage computer; sending, by the processor to the remote storage computer, a request to store k derivatives of the file in the remote storage computer; and transmitting, to the client device, an indication of a location of the k derivatives of the file in the remote storage computer.
Type: Grant
Filed: December 18, 2019
Date of Patent: September 13, 2022
Assignee: Acronis International GmbH
Inventors: Alexander Tormasov, Stanislav S. Protasov, Serguei M. Beloussov
-
Patent number: 11438325
Abstract: One example method includes contacting, by a client, a service, receiving a credential from the service, obtaining trust information from a trust broker, comparing the credential with the trust information, and either connecting to the service if the credential and trust information match, or declining to connect to the service if the credential and the trust information do not match. Other than by way of the trust information obtained from the trust broker, the client may have no way to verify whether or not the service can be trusted.
Type: Grant
Filed: February 28, 2020
Date of Patent: September 6, 2022
Assignee: EMC IP Holding Company LLC
Inventors: Ido Begun, Jehuda Shemer
-
Patent number: 11431485
Abstract: A system includes at least one processor to receive a second public key, a first random number, and a second random number, and store the second public key, the first random number, and the second random number in an installation record, perform key agreement with a first private key and the second public key to determine a MasterSecret, perform key expansion with the MasterSecret, the first random number, and the second random number to generate a client authentication key, a server authentication key, a client encryption key, and a server encryption key, and store the client authentication key, the server authentication key, the client encryption key, and the server encryption key and delete the MasterSecret.
Type: Grant
Filed: April 14, 2020
Date of Patent: August 30, 2022
Assignee: Aclara Technologies LLC
Inventor: Timothy Dierking
-
Patent number: 11431592
Abstract: A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.
Type: Grant
Filed: October 21, 2019
Date of Patent: August 30, 2022
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Khawar Deen, Navindra Yadav, Anubhav Gupta, Shashidhar Gandham, Rohit Chandra Prasad, Abhishek Ranjan Singh, Shih-Chun Chang
-
Patent number: 11425061
Abstract: Disclosed are a messaging system, apparatuses, circuits and methods of operation thereof. A messaging client device is adapted to receive an impermanent message and to manage the received message in accordance with a message management policy associated with the message. An impermanent messaging server is adapted to validate said messaging client device as complying with message management policies prior to authorizing transmission of the message to said messaging client device.
Type: Grant
Filed: March 16, 2021
Date of Patent: August 23, 2022
Assignee: TigerConnect, Inc.
Inventors: Andrew Brooks, Brad Brooks, Sumeet Bhatia, Jeffrey Evans
-
Patent number: 11416771
Abstract: Mechanisms are provided for identifying risky user entitlements in an identity and access management (IAM) computing system. A self-learning peer group analysis (SLPGA) engine receives an IAM data set which specifies user attributes of users of computing resources and entitlements allocated to the users for accessing the computing resources. The SLPGA engine generates a user-entitlement matrix, performs a machine learning matrix decomposition operation on the user-entitlement matrix to identify excessive entitlement allocations, and performs a conditional entropy analysis of the user attributes and entitlements in the IAM data set to identify a set of user attributes for defining peer groups. The SLPGA engine performs a commonality analysis of user attributes and entitlements for each of one or more peer groups defined based on the set of user attributes, and identifies outlier entitlements based on the identification of the excessive entitlement allocations and results of the commonality analysis.
Type: Grant
Filed: November 11, 2019
Date of Patent: August 16, 2022
Assignee: International Business Machines Corporation
Inventors: Priti P. Patil, Kushaal Veijay, Ian M. Molloy
-
Patent number: 11418951
Abstract: A method for identifying an encrypted data stream, a device, a readable storage medium and a system are provided.
Type: Grant
Filed: April 15, 2020
Date of Patent: August 16, 2022
Assignee: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP., LTD.
Inventor: Hai Tang
-
Patent number: 11416417
Abstract: A method is provided that includes reading data in a storage medium, detecting, during the reading of the data in the storage medium, by a controller a change in an encryption/decryption scheme used to read and write the data in the storage medium, in response to detecting the change in encryption/decryption scheme in the data, causing, by the controller, a logical block address to return an indication of being written in zeros when a physical block address associated with the logical block address is encrypted using a first encryption/decryption scheme, and causing, by the controller, a write channel to write zeroes using a second encryption/decryption scheme to the physical block address.
Type: Grant
Filed: May 18, 2020
Date of Patent: August 16, 2022
Assignee: Western Digital Technologies, Inc.
Inventors: Darin Edward Gerhart, Cory Lappi, Daniel Robert Lipps, William Jared Walker
-
Patent number: 11418542
Abstract: A system for providing network data processing, comprising a processor operating one or more algorithms that are configured to interface with one or more clients to receive a client hello data message. A transport layer security extension extraction system operating on the processor and configured to extract an extension from the client hello data message. A transport layer security extension identification system operating on the processor and configured to process the extension from the client hello data message and to identify a data networking session using the extension.
Type: Grant
Filed: January 23, 2020
Date of Patent: August 16, 2022
Assignee: FORCEPOINT LLC
Inventors: Jenny Anniina Heino, Tuomo Syvanne, Welf Christian Jalio, Olli-Pekka Niemi
-
Patent number: 11411953
Abstract: In some embodiments, a secure local connection between a network node of a network and an edge device attached to the network node is provided by extending the security of the network to this local connection. The edge device attached to the network node communicates with a network manager of the network to obtain security keys and security credentials for the edge device. Using the security keys and the security credentials, the edge device can establish a secure channel between the network node and the edge device over the local connection. The edge device further communicates with the network manager to exchange routing information and to obtain a network address for the edge device. The edge device can then communicate, through the network node, with other network nodes in the network using the security keys, the security credentials, and the network address.
Type: Grant
Filed: May 5, 2020
Date of Patent: August 9, 2022
Assignee: LANDIS+GYR INNOVATIONS, INC.
Inventor: Stephen John Chasko
-
Patent number: 11412066
Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both.
Type: Grant
Filed: May 3, 2020
Date of Patent: August 9, 2022
Assignee: BRIGHT DATA LTD.
Inventors: Derry Shribman, Ofer Vilenski
-
Patent number: 11405179
Abstract: This disclosure describes techniques that include performing cryptographic operations (encryption, decryption, generation of a message authentication code). Such techniques may involve the data processing unit performing any of multiple modes of encryption, decryption, and/or other cryptographic operation procedures or standards, including, Advanced Encryption Standard (AES) cryptographic operations. In some examples, the security block is implemented as a unified, multi-threaded, high-throughput encryption and decryption system for performing multiple modes of AES operations.
Type: Grant
Filed: March 15, 2021
Date of Patent: August 2, 2022
Assignee: Fungible, Inc.
Inventors: Philip A. Thomas, Rajan Goyal, Eric Scot Swartzendruber
-
Patent number: 11397946
Abstract: Systems and methods are provided for merchant mobile acceptance of user device data. For example, a method comprises receiving encrypted user device data and reader metadata from a merchant mobile device, determining a device reader API and device reader encryption scheme using the device reader metadata, parsing the encrypted user device data using the device reader API to determine encrypted personal information, and decrypting the encrypted personal information using the reader encryption scheme.
Type: Grant
Filed: May 30, 2018
Date of Patent: July 26, 2022
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventors: Avinash Kalgi, Qian Wang
-
Patent number: 11398831
Abstract: Temporal link encoding, including: identifying a data type of a data value to be transmitted; determining that the data type is included in one or more data types for temporal encoding; and transmitting the data value using temporal encoding.
Type: Grant
Filed: May 7, 2020
Date of Patent: July 26, 2022
Assignee: ADVANCED MICRO DEVICES, INC.
Inventors: Onur Kayiran, Steven Raasch, Sergey Blagodurov, Jagadish B. Kotra
-
Patent number: 11397805
Abstract: A lateral movement path detector is disclosed. Data is gathered via programmatic access to a management service directory through a REST API endpoint. The data is grouped into a graph having nodes of users, groups, and devices. The nodes are coupled together via edges. A visualization of the graph is provided to illustrate lateral paths of the management service directory.
Type: Grant
Filed: May 9, 2019
Date of Patent: July 26, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventor: Tal Joseph Maor
-
Patent number: 11394718
Abstract: The resolving of a decentralized identifier to a corresponding data structure using multiple resolvers. This allows for the use of a consensus of resolvers to improve trust in the resolution process. In order to resolve, a decentralized identifier is sent to multiple resolvers. In response, each of at least some of those resolvers will return a data structure of a particular type (e.g., a decentralized identifier document) that is associated with the decentralized identifier. Then, it is determined whether the data structure for at least some number of resolvers matches each other. That is, it is determined whether at least some predetermined threshold of resolvers is returning the same data structure (e.g., the same decentralized identifier document). If so, then it is determined that the matching data structure is indeed associated with the decentralized identifier. Otherwise, the resolution process has failed.
Type: Grant
Filed: June 10, 2019
Date of Patent: July 19, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Brandon Murdoch, Ankur Patel, Daniel James Buchner
-
Patent number: 11394535
Abstract: A computing system may include a plurality of Point of Presence computing devices (PoPs) configured to provide access to a computing network(s), and a plurality of gateway appliances. The gateway appliances may be configured to relay communications between client devices and virtual delivery appliances to provide the client devices with access to virtual sessions. The gateway appliances may route client device communications through the PoPs based upon gateway connection tickets, and may also generate the gateway connection tickets including a payload encrypted with a symmetric encryption key, and a plurality of different versions of the symmetric key encrypted with different public encryption keys of the PoPs. The PoPs may be further configured to use their private encryption keys to decrypt the encrypted symmetric key, use the decrypted symmetric key to decrypt the payload, and permit routing of the client communications based upon the decrypted payload of the gateway connection tickets.
Type: Grant
Filed: May 26, 2020
Date of Patent: July 19, 2022
Assignee: CITRIX SYSTEMS, INC.
Inventors: Georgy Momchilov, Hubert Divoux, Roberto Valdes
-
Patent number: 11394532
Abstract: According to one aspect, methods and systems are provided for modifying an encryption scheme in a database system. The methods and systems can include at least one internal database key; at least one database configured to be encrypted and decrypted using the at least one internal database key; a memory configured to store a master key; a key management server interface configured to communicate with a key management server; and a database application configured to receive, into the memory, the master key from the key management server via the key management server interface, and encrypt and decrypt the at least one internal database key using the master key.
Type: Grant
Filed: May 29, 2020
Date of Patent: July 19, 2022
Assignee: MongoDB, Inc.
Inventors: Eliot Horowitz, Per Andreas Nilsson
-
Patent number: 11394764
Abstract: Systems and methods for anonymously transmitting data in a network are provided, in which a request data structure is received by a network node from a client device. A first substructure containing personal data (PD) and a second substructure not containing PD are identified in the request data structure, by the network node. The first substructure is encrypted, by the network node, and is transmitted along with the second substructure to a server. A response data structure is received, by the network node, from the server. The first encrypted substructure and a third encrypted substructure are identified, by the network node, in the response data structure. The first encrypted substructure is decrypted, by the network node, and is transmitted along with the third encrypted substructure to the client device. The third encrypted substructure can be decrypted and viewed by the client device.
Type: Grant
Filed: September 17, 2020
Date of Patent: July 19, 2022
Assignee: AO Kaspersky Lab
Inventors: Anton S. Lapushkin, Dmitry V. Shmoylov, Andrey V. Ladikov, Andrey A. Efremov
-
Patent number: 11388594
Abstract: A first wireless access device, associated with a wireless service provider, establishes a wireless local area network connection with a second wireless access device and receives a certificate including a unique identifier associated with the second wireless access device. The first wireless access device determines whether the second wireless access device is authorized to connect to the first wireless access device. For example, if the certificate is signed by a certificate authority associated with the wireless service provider and the unique identifier appears in a whitelist stored at the first wireless access device, the first wireless access device and the second wireless access device perform a mutual authentication procedure based on one or more ephemeral keys. The first wireless access device provides the second wireless access device with access to a wide area network based on successful completion of the mutual authentication procedure.
Type: Grant
Filed: November 14, 2018
Date of Patent: July 12, 2022
Assignee: Verizon Patent and Licensing Inc.
Inventors: Warren Hojilla Uy, Young R. Choi, Samirkumar Patel
-
Patent number: 11388257
Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both.
Type: Grant
Filed: May 3, 2020
Date of Patent: July 12, 2022
Assignee: BRIGHT DATA LTD.
Inventors: Derry Shribman, Ofer Vilenski
-
Patent number: 11388592
Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, and sends a key change indication to the UE, either directly or through some other network node. The UE can then derive the new NAS key from the old NAS key. In some embodiments, the AMF may provide a key generation parameter to the UE to use in deriving the new NAS key. In other embodiments, the target AMF may change one or more security algorithms.
Type: Grant
Filed: December 13, 2019
Date of Patent: July 12, 2022
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
-
Patent number: 11381548
Abstract: A node system implements a method for node relay communication. A description of a flow entry including an address in a flow and a private key is received. The flow entry and the private key are stored in a database indexed to a flow ID. A packet comprising an authentication code and packet data including packet sequence information and a Flow ID is received. A look up in the database of a flow entry corresponding to the Flow ID of the packet is performed. The packet is either ignored or forwarded to the address in the flow, depending on the result of the look-up.
Type: Grant
Filed: December 28, 2020
Date of Patent: July 5, 2022
Assignee: NETWORK NEXT, INC.
Inventor: Glenn Alexander Fiedler
-
Patent number: 11369869
Abstract: A game controller includes a first handle body. The first handle body includes a first operation interface, a first connection portion, a first control circuit, a first battery, and a first communication module. The first operation interface is electrically connected to the first connection portion. The first communication module includes a first wireless communication circuit and a first wired communication circuit. The first control circuit is electrically connected to the first communication module, the first battery, the first operation interface and the first connection portion. The first mobile device is disposed at a side of the first handle body. When the first mobile device is electrically connected to the first connection portion of the first handle body, the first control circuit turns on the first wired communication circuit of the first communication module to communicate with the first mobile device by the first connection portion.
Type: Grant
Filed: May 5, 2021
Date of Patent: June 28, 2022
Assignee: DEXIN CORPORATION
Inventor: Ho-Lung Lu
-
Patent number: 11368495
Abstract: The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A system for managing network connections includes a storage component, a decoding component, a rule manager component, and a notification component. The storage component is configured to store a list of expected connections for a plurality of networked machines, wherein each connection in the list of expected connections defines a start point and an end point for the connection. The decoding component is configured to decode messages from the plurality of networked machines indicating one or more connections for a corresponding machine. The rule manager component is configured to identify an unexpected presence or absence of a connection on at least one of the plurality of network machines based on the list of expected connections. The notification component is configured to provide a notification or indication of the unexpected presence or absence.
Type: Grant
Filed: October 25, 2021
Date of Patent: June 21, 2022
Assignee: Snowflake Inc.
Inventors: James Calvin Armstrong, Jonathan Claybaugh
-
Patent number: 11368444
Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically manage consent, permissioning, and trust between computing systems and unrelated, third-party applications operating within a computing environment. By way of example, the apparatus may receive a request for an element of data that includes an access token and first credential data associated with an application program. When the first credential data corresponds to second credential data associated with the application program, the apparatus may determine that the requested data element is accessible to the application program and perform operations that validate the access token. Further, and based on the validation of the access token, the apparatus may obtain and encrypt the requested data element, and may transmit the encrypted data element to a device via the communications interface.
Type: Grant
Filed: September 5, 2019
Date of Patent: June 21, 2022
Assignee: The Toronto-Dominion Bank
Inventors: Milos Dunjic, Arthur Carroll Chow, David Samuel Tax, Armon Rouhani, Keith Sanjay Ajmani, Gregory Albert Kliewer, Anthony Haituyen Nguyen, Martin Albert Lozon, Kareem El-Onsi, Ashkan Alavi-Harati, Arun Victor Jagga
-
Patent number: 11366878
Abstract: A method and system for delivering encoded content are provided. A holdback representing a portion of the encoded content is extracted, thereby damaging the encoded content. The damaged encoded content is distributed. The holdback is transmitted to enable reintegration of the holdback with the damaged encoded content to restore the encoded content.
Type: Grant
Filed: April 17, 2019
Date of Patent: June 21, 2022
Inventors: Johnny Stuart Epstein, Earl Howard Epstein
-
Patent number: 11363073
Abstract: An ingress network element obtains data from a source endpoint associated with the ingress network element. The data identifies a destination endpoint remote from the ingress network element. The ingress network element provides a map request identifying the destination endpoint to a mapping server. The ingress network element obtains a map reply including a network address of an egress network element associated with the destination endpoint and a security association. The ingress network element encrypts the data for the destination endpoint with the security association according to a cryptographic policy based on the source endpoint, the destination endpoint, and the availability of cryptographic resources on the network. The ingress network element provides the encrypted data to the egress network element.
Type: Grant
Filed: September 28, 2020
Date of Patent: June 14, 2022
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Fabio R. Maino, Vina Ermagan, Alberto Rodriguez Natal
-
Patent number: 11363054
Abstract: A method for analyzing vulnerabilities may include: an analysis target URL receiving step of receiving a plurality of analysis target uniform resource locator (URL) addresses extracted from the analysis target server; an identification key setting step of setting respective identification keys corresponding to the plurality of analysis target URL addresses; a vulnerability analyzing step of performing a simulated attack so as to access the external server by the analysis target server by inserting an analysis hypertext transfer protocol (HTTP) request sentence including a URL address of an external server and the identification key into the analysis target URL address; an access record checking step of requesting an access record of the analysis target server to the external server; and a vulnerability extracting step of extracting a vulnerability of the analysis target server by using the identification key included in the access record.
Type: Grant
Filed: March 26, 2020
Date of Patent: June 14, 2022
Assignee: NAVER CLOUD CORPORATION
Inventors: Bong Goo Kang, Min Seob Lee, Won Tae Jang, June Ahn, Jihwan Yoon
-
Patent number: 11356255
Abstract: Disclosed herein are systems and methods for secure authentication of a managed application. In one aspect, an exemplary method comprises receiving, by a cloud platform, a request from a managed application to connect to a middleware service, determining that the managed application is authenticated to use the middleware service based on the secret, obtaining a secret associated with the managed application and the middleware service from a secret store, connecting to the middleware service using the secret to establish a secure connection, and delegating, to the managed application, the secure connection between the managed application and the middleware service.
Type: Grant
Filed: December 31, 2019
Date of Patent: June 7, 2022
Assignee: Virtuozzo International GmbH
Inventors: Pavel Emelyanov, Alexey Kobets
-
Patent number: 11354439
Abstract: Aspects include receiving a request from a user to access data that was acquired by a third-party from a data owner, the data in an encrypted format unreadable by the user. In response to receiving the request from the user to access the data, a third-party key from the third-party is requested and a data owner key from the data owner is requested. The third-party key and the data owner key are applied to the data in the encrypted format to generate the data in an unencrypted format readable by the user. The user is provided with access to the data in the unencrypted format.
Type: Grant
Filed: June 3, 2020
Date of Patent: June 7, 2022
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Anthony Thomas Sofia, Michael Joseph Jordan
-
Patent number: 11356485
Abstract: A method for execution by an access layer of an object storage system includes In various embodiments, a processing system of an access layer of an object storage system includes at least one processor and a memory that stores operational instructions, that when executed by the at least one processor cause the processing system to receive a request message from a requesting entity via a network, where the request message includes a pre-signed URL. A set of custom policy parameters are extracted from the pre-signed URL. Policy verification data is generated by comparing each attribute of a determined set of attributes of the access request to a corresponding custom policy parameter of the set of custom policy parameters. An access indicated in the request message is executed in response to the policy verification data indicating that each attribute compares favorably to the corresponding custom policy parameter.
Type: Grant
Filed: June 28, 2019
Date of Patent: June 7, 2022
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Harsha Hegde, Nicholas G. Lange
-
Patent number: 11354724
Abstract: A method and system for fulfilling in-application product redemption requests is described. A fulfillment system receives a product search application programming interface (API) call from an application. The product search API includes a set of at least one product criterion received from an application. An aggregated catalog is searched based on the set of at least one product criterion. A set of product metadata is returned. The set of product metadata corresponds to at least one product that matches the set of at least one product criterion. A redemption API call that includes product information and a physical address is also received from the application. A fulfillment request is sent to an online retail platform separate from the fulfillment system via a fulfillment API call that includes the product information and the physical address for the online retail platform to deliver a corresponding product to the physical address.
Type: Grant
Filed: January 25, 2019
Date of Patent: June 7, 2022
Assignee: SquareTwo, Inc.
Inventors: David Yoo, Benjamin Sai Yee
-
Patent number: 11347529
Abstract: According to one or more embodiments of the present invention, a computer implemented method includes initiating, by a non-secure entity that is executing on a host server, a secure entity, the non-secure entity prohibited from directly accessing any data of the secure entity. The method further includes injecting, into the secure entity, an interrupt that is generated by the host server. The injecting includes adding, by the non-secure entity, information about the interrupt into a portion of non-secure storage, which is then associated with the secure entity. The injecting further includes injecting, by a secure interface control of the host server, the interrupt into the secure entity.
Type: Grant
Filed: March 8, 2019
Date of Patent: May 31, 2022
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Claudio Imbrenda, Fadi Y. Busaba, Lisa Cranton Heller, Jonathan D. Bradbury
-
Patent number: 11350014
Abstract: A communication system includes a transmitting apparatus and a receiving apparatus that communicates with the transmitting apparatus over a telephone line. The transmitting apparatus includes a first facsimile transmitting section, a first voice-information transmitting section that transmits first voice information that is voice information on a first user, and a first control section. The receiving apparatus includes a second facsimile receiving section, a second voice-information communication section that receives the first voice information, and a second control section. The second control section permits or rejects reception of the image information from the transmitting apparatus via the second facsimile receiving section based on a result of authentication of the first user performed based on the received first voice information and second voice information on a user who is permitted in advance to use the receiving apparatus.
Type: Grant
Filed: March 18, 2021
Date of Patent: May 31, 2022
Assignee: SEIKO EPSON CORPORATION
Inventor: Yuichi Furuwata
-
Patent number: 11349820
Abstract: Described embodiments provide systems and methods for selectively encrypting and decrypting portions of a network flow by intermediary devices. A first device may identify a protocol used by a network flow traversing the first device via one or more packets of the protocol. The first device may determine that a level of encryption for the network flow meets a predetermined threshold. The first device may receive network packets to be communicated between a sender and a receiver. The packets may include a first portion that is encrypted and a second portion that has clear text information. The first device may encrypt the second portion of the one or more packets. The first device may forward the network packets with the first portion and the encrypted second portion via a tunnel to a second device for decryption of the encrypted second portion for forwarding to the receiver.
Type: Grant
Filed: July 19, 2019
Date of Patent: May 31, 2022
Assignee: Citrix Systems, Inc.
Inventors: Derek Thorslund, Vladimir Vysotsky
-
Patent number: 11349654
Abstract: A key generation device generates a decryption key dkx having a tag-added decryption key and a decryption key adkx. The tag-added decryption key includes a decryption key tdkx in which a key attribute x is set and a tag tg? required to decrypt a ciphertext with the decryption key tdkx. In the decryption key adkx, the key attribute x is set. An encryption device generates an original ciphertext octy in which a ciphertext attribute y corresponding to the key attribute x is set and which can be decrypted with the tag-added decryption key. A re-encryption key generation device encrypts the decryption key tdkx by an attribute-based encryption scheme using a ciphertext attribute y′, so as to generate a re-encryption key rkx,y′ which is a key for generating a re-encrypted ciphertext rcty′ which can be decrypted with a decryption key adkx′ in which a key attribute x′ corresponding to the ciphertext attribute y′ is set.
Type: Grant
Filed: June 9, 2017
Date of Patent: May 31, 2022
Assignee: Mitsubishi Electric Corporation
Inventors: Yoshihiro Koseki, Yutaka Kawai
-
Patent number: 11350276
Abstract: The secure IoT registry and associated provisioning method simplifies the IoT cloud provider operations with respect to managing mobile IoT eSIM credential provisioning/certificate key management. The secure IoT Registry enables network operators such as a Mobile Network Operator (MNO) to understand and map the IoT device ownership in relationship to cloud providers to facilitate business functions like charge back mechanisms. The secure IoT registry integrates a next generation registry based Certificate Authority (CA) system enabling trusted and simpler mechanisms to validate certificates and their state.
Type: Grant
Filed: June 2, 2020
Date of Patent: May 31, 2022
Assignee: Canadian Internet Registration Authority
Inventors: Jacques Latour, Dave Chiswell
-
Patent number: 11349807
Abstract: In one embodiment, a method comprises: receiving, by a root network device providing a DAG topology in a low power and lossy network (LLN), one or more multicast registration messages from an LLN device and identifying distinct properties of the LLN device; receiving, by the root network device, one or more multicast address group identifiers of one or more multicast streams to which the LLN device has subscribed, and associating the one or more multicast address group identifiers with the distinct properties; receiving a multicast message specifying one of the multicast address group identifiers; and generating, by the root network device, a directed multicast message having a multi-dimensional addressing data structure comprising a selected one of the distinct properties and the one multicast address group identifier, causing parent network devices in the DAG topology to selectively retransmit based on determining a child network device has the selected one distinct property.
Type: Grant
Filed: April 2, 2020
Date of Patent: May 31, 2022
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Pascal Thubert, Yinfang Wang, Huimin She, Feiliang Wang
-
Patent number: 11341430
Abstract: According to some embodiments, a method performed by a classification scanner comprises receiving an electronic message and determining a classification that applies to the electronic message. The classification is determined based on an express indication from a user. The method further comprises providing a machine learning trainer with the electronic message and an identification of the classification that applies to the electronic message. The machine learning trainer is adapted to determine a machine learning policy that associates attributes of the electronic message with the classification.
Type: Grant
Filed: November 19, 2018
Date of Patent: May 24, 2022
Assignee: ZixCorp Systems, Inc.
Inventors: Daniel Joseph Potkalesky, Mark Stephen DeMichele