Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Patent number: 10057052
Abstract: A streaming one time pad cipher using rotating ports for data encryption uses a One Time Pad (OTP) and an Exclusive Or (XOR) (or other cipher) with a public key channel to encrypt and decrypt OTP data. There is no method in cryptography to thwart the OTP/XOR method and it is proven impossible to crack. The method also rotates the ports of the channels periodically to increase communication obfuscation. Through pre-fetching and cache of OTP data, latency increases from encryption are kept to an absolute minimum as the XOR for encryption and decryption is done with a minimal number of instructions.
Type: Grant
Filed: January 18, 2017
Date of Patent: August 21, 2018
Assignee: Introspective Power, Inc.
Inventor: Anthony Scott Thompson
-
Patent number: 10057294
Abstract: Systems and methods for configuring security policies based on security parameters stored in a public or private cloud infrastructure are provided. According to one embodiment, security parameters associated with a first network security device of an enterprise are shared by the first network security device with other network security devices associated with the enterprise by logging into a shared enterprise cloud account. The shared security parameters are retrieved by a second network security device by logging into the shared enterprise cloud account. A Virtual Private Network (VPN) client configuration is automatically created by the second network security device that controls a VPN connection between the first and second network security devices based at least in part on the shared security parameters. The VPN connection between the first and second network security devices is dynamically established based at least in part on the shared security parameters.
Type: Grant
Filed: May 13, 2016
Date of Patent: August 21, 2018
Assignee: Fortinet, Inc.
Inventor: Qing Xu
-
Patent number: 10050937
Abstract: In general, techniques are described for reducing impact of network attacks in access networks. A network device including an interface in a forwarding plane of the network device, and a policer configured in a packet forwarding engine of the forwarding plane may be configured to perform the techniques. The interface may receive a packet from a subscriber access device positioned at an edge of sub-network of an access network. The packet may include trusted information inserted by an intermediate network device positioned between the network device and the subscriber access device. The policer may determine, based on the trusted information, whether the packet is associated with the network attack. Based on the determination of whether the packet is associated with the network attack, the policer may forward the packet for subsequent protocol-specific processing.
Type: Grant
Filed: December 29, 2016
Date of Patent: August 14, 2018
Assignee: Juniper Networks, Inc.
Inventors: Sunil Madhaorao Gandhewar, Arun S. G.
-
Patent number: 10050777
Abstract: One embodiment relates to a method of updating, by an electronic device of a first user of a tree of data files and/or folders of the first user stored in a storage server configured to implement a re-encryption mechanism, this tree comprising at least one target folder that the first user has authorized a second user to access by providing the storage server with a re-encryption key for this target folder from the first user to the second user.
Type: Grant
Filed: November 12, 2014
Date of Patent: August 14, 2018
Assignee: ORANGE
Inventors: Sébastien Canard, Julien Devigne
-
Patent number: 10043038
Abstract: A method and apparatus for an automated classification of data in a data stream as private data includes receiving a data stream, parsing the data stream to determine parameter labels and parameter values; statistically analyzing the parameter labels and parameter values, and determining parameter labels corresponding to private data based on the analysis.
Type: Grant
Filed: January 7, 2016
Date of Patent: August 7, 2018
Assignee: JUMPSHOT, INC.
Inventor: Jakub Dubovský
-
Patent number: 10027652
Abstract: A server communicates with a network appliance. The server includes an agent. The network appliance sends a request to the agent. The request includes an identification of a port. The agent negotiates a secured communication channel with the network appliance on the identified port to retrieve further instructions from the network appliance. The instructions include one or more commands. The server reports the results of the executed command to the network appliance on the initial channel.
Type: Grant
Filed: November 27, 2007
Date of Patent: July 17, 2018
Assignee: Red Hat, Inc.
Inventor: James Paul Schneider
-
Patent number: 10013580
Abstract: A system includes programmable systolic cryptographic modules for security processing of packets from a data source. A first programmable input/output interface routes each incoming packet to one of the systolic cryptographic modules for encryption processing. A second programmable input/output interface routes the encrypted packets from the one systolic cryptographic module to a common data storage. In one embodiment, the first programmable input/output interface is coupled to an interchangeable physical interface that receives the incoming packets from the data source. In another embodiment, each cryptographic module includes a programmable systolic packet input engine, a programmable cryptographic engine, and a programmable systolic packet output engine, each configured as a systolic array (e.g., using FPGAs) for data processing.
Type: Grant
Filed: March 17, 2016
Date of Patent: July 3, 2018
Assignee: SECTURION SYSTEMS, INC.
Inventor: Richard J. Takahashi
-
Patent number: 10003968
Abstract: A communication apparatus including: a plurality of physical ports to be coupled to different terminals via a network; a plurality of authentication processing units configured to execute an authentication process; and a controller configured to determine which one of the physical ports on which a packet was received from a terminal, to specify a preset authentication process corresponding to the determined physical port on which a packet was received, and to distribute the specified authentication process of the packet from the terminal to an authentication processing unit for executing.
Type: Grant
Filed: September 2, 2014
Date of Patent: June 19, 2018
Assignee: ALAXALA NETWORKS CORPORATION
Inventors: Hidemitsu Higuchi, Motohide Nomi
-
Patent number: 9992373
Abstract: A monitoring apparatus determines a monitoring mode of a network device which is not registered in a central management apparatus based on capability information of the relevant network device and registers the relevant network device in the central management apparatus. When monitoring information is not yet transmitted from a network device of which a monitoring function is enabled to the central management apparatus or invalid, the central management apparatus is requested to start communication with the relevant network device. Based on a result of the communication, a registration state, communication information, and device information of the relevant network device managed by the monitoring apparatus are updated.
Type: Grant
Filed: March 7, 2017
Date of Patent: June 5, 2018
Assignee: Canon Kabushiki Kaisha
Inventor: Akiko Hirahara
-
Patent number: 9985789
Abstract: A set of redundant industrial control system communications/control modules includes at least a first communications/control module and a second communications/control module.
Type: Grant
Filed: October 7, 2016
Date of Patent: May 29, 2018
Assignee: Bedrock Automation Platforms Inc.
Inventors: Timothy Clish, Samuel Galpin, James G. Calvin, Albert Rooyakkers
-
Patent number: 9985984
Abstract: The various technologies presented herein relate to determining a network attack is taking place, and further to adjust one or more network parameters such that the network becomes dynamically configured. A plurality of machine learning algorithms are configured to recognize an active attack pattern. Notification of the attack can be generated, and knowledge gained from the detected attack pattern can be utilized to improve the knowledge of the algorithms to detect a subsequent attack vector(s). Further, network settings and application communications can be dynamically randomized, wherein artificial diversity converts control systems into moving targets that help mitigate the early reconnaissance stages of an attack. An attack(s) based upon a known static address(es) of a critical infrastructure network device(s) can be mitigated by the dynamic randomization.
Type: Grant
Filed: October 26, 2015
Date of Patent: May 29, 2018
Assignee: National Technology & Engineering Solutions of Sandia, LLC
Inventors: Adrian R. Chavez, William M. S. Stout, Jason R. Hamlet, Erik James Lee, Mitchell Tyler Martin
-
Patent number: 9979695
Abstract: The invention relates to a method for monitoring a security network interface unit (23), for example a firewall, which receives a stream of data packets via a first interface (21), checks said data stream with respect to filtering rules, and outputs said data stream to a second interface (22). The method has the steps of duplicating and outputting the data stream to the second interface (22), checking the output data stream for inadmissible data traffic, transmitting a warning message to the security network interface unit if inadmissible data traffic is detected in the data stream, and restricting the data stream by means of the security network interface unit if the warning message is received in the security network interface unit (23). The device or the system according to the invention comprises units which are designed to carry out the aforementioned method.
Type: Grant
Filed: July 22, 2014
Date of Patent: May 22, 2018
Assignee: Siemens Aktiengesellschaft
Inventors: Uwe Blöcher, Rainer Falk, David von Oheimb
-
Patent number: 9979696
Abstract: The invention relates to the field of a security framework for transmitting communication messages between a Substation LAN and packet-switched WAN, in particular, a network interface for transmitting protection data in a power network. The present invention provides a network interface for transmitting communication data including protection data of a power communication network, between a Substation Ethernet LAN and a packet-switched WAN usually in Layer 2. The network interface comprises: a firewall and a Layer 3 router being connected with each other and adapted to transmit the communication data excluding the protection data; and a Layer 2 bypass being in parallel with the firewall and the Layer 3 router, and adapted to transmit the protection data. According to a further aspect, the present invention also provides a method for transmitting such communication data.
Type: Grant
Filed: June 3, 2016
Date of Patent: May 22, 2018
Assignee: ABB Schweiz AG
Inventors: Dominique Cachin, Alex Gygax, Hans-Joerg Maag
-
Patent number: 9973344
Abstract: A bridge device at a first tier receives a geographic addressing packet destined for a target region containing a plurality of devices. The bridge device applies a bridging function using the geographic address packet to determine whether to transmit the geographic addressing packet. The bridging function utilizes certain information based on the geographic addressing packet. The bridge device determines to transmit the geographic addressing packet to a second tier based on the bridging function indicating that the geographic addressing packet should be transmitted to the second tier.
Type: Grant
Filed: April 26, 2017
Date of Patent: May 15, 2018
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventor: Robert J. Hall
-
Patent number: 9960871
Abstract: Aspects of the disclosure provide a method that includes receiving a first packet through a network at a first device. The first packet includes a first message generated according to a precision time protocol and a first encapsulation that encapsulates one or more fields of the first message. Further, the method includes security-verifying the first packet based on the first message and the first encapsulation, and processing the first message according to the precision time protocol after the first packet is security-verified.
Type: Grant
Filed: April 3, 2017
Date of Patent: May 1, 2018
Assignee: Marvell Israel (M.I.S.L) Ltd.
Inventor: Tal Mizrahi
-
Patent number: 9948612
Abstract: Methods and systems for implementing single sign on (SSO) and/or conditional access for client applications are described herein. The system may comprise an identity provider gateway, and the system may authenticate a user of the client application using the identity provider gateway. In some aspects, a secure communication tunnel may be established between the client application and the identity provider gateway, and the secure communication tunnel may use, for example, a client certificate. The identity provider gateway may grant or deny the client application access to one or more resources based on information associated with the client certificate.
Type: Grant
Filed: September 27, 2017
Date of Patent: April 17, 2018
Assignee: Citrix Systems, Inc.
Inventor: Janardhanan Jawahar
-
Patent number: 9942183
Abstract: Disclosed is a system and method for processing a connection request in an online service by a server corresponding to the online service. A connection request message that originates from a personalized account for a first user is sent to a personalized account for a second user and a certain threshold of access to posts related to the personalized account for the first user is provided to the personalized account for the second user for a certain period of time. An access to the posts related to the personalized account for the first user is otherwise accorded to authorized contacts of the personalized account for the first user on the online service.
Type: Grant
Filed: March 30, 2016
Date of Patent: April 10, 2018
Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
Inventors: Seungil Kim, Youngil Ko
-
Patent number: 9935979
Abstract: A method, communication device and computer program product communicate between the communication device and a second communication device using an instant messaging application. The first device receives contact information identifying the second communication device and determines a contact type for the second communication device from the contact information. If the contact type is a first contact type, the contact information is stored in a first partition of a memory of the communication device. If the contact type is a second contact type, the contact information is stored in a second partition of the memory. The partitions may employ different encryption schemes or one partition may be unencrypted. A third party has access and control over the second partition. The device communicates with the second communication device using a security policy associated with the contact type.
Type: Grant
Filed: March 10, 2015
Date of Patent: April 3, 2018
Assignee: BlackBerry Limited
Inventors: Ryan Conrad Brander, Maurice Patrick Scott
-
Patent number: 9934782
Abstract: Method, system and product for automatic performance of user interaction operations on a computing device. A method comprising: obtaining an identifier of an operations sequence; obtaining the operations sequence by searching a repository of operations sequences using the identifier, wherein the repository of operation sequences comprises operations sequences defined based on a previous execution of one or more operations by another computing device other than the computing device on behalf of another user other than the user; and automatically executing the operations sequence or portion thereof on the computing device. Another method comprises: identifying elements in a layout of a GUI, displaying in visible proximity to each of the elements an assigned unique label; recognizing speech by a user vocally indicating a selected element by referring to the assigned label; and, automatically performing a user interaction operation on the selected element.
Type: Grant
Filed: September 22, 2015
Date of Patent: April 3, 2018
Assignee: MESHROSE LTD.
Inventors: Ron Zohar, Moran Shemer
-
Patent number: 9934475
Abstract: Methods, systems, and computer-readable media for managing enterprise data movement using a heuristic data movement detection engine are presented. In some embodiments, a computer system may receive one or more data packets associated with a movement of enterprise data intercepted by a filtering engine. Subsequently, the computer system may evaluate the one or more data packets associated with the movement of enterprise data intercepted by the filtering engine based on at least one predefined data movement pattern. Then, the computer system may detect at least one variation from the at least one predefined data movement pattern based on the evaluating of the one or more data packets associated with the movement of enterprise data intercepted by the filtering engine. Thereafter, the computer system may send at least one alert message based on the detecting of the at least one variation from the at least one predefined data movement pattern.
Type: Grant
Filed: May 13, 2015
Date of Patent: April 3, 2018
Assignee: Bank of America Corporation
Inventors: Sorin N. Cismas, Manu Kurian
-
Patent number: 9917850
Abstract: Computer systems and methods for improving security or performance of one or more client computers interacting with a plurality of server computers. In an embodiment, a computer system comprises a first server computer and a second server computer; wherein the first server computer is configured to: generate a challenge nonce, wherein the challenge nonce corresponds to a challenge state; generate the challenge state based on the challenge nonce, wherein the challenge state corresponds to a response state; send, to a first client computer, the challenge nonce and the challenge state, but not the response state; wherein the second server computer is configured to: receive, from the first client computer, a test nonce and a test response state; determine whether the test response state matches the response state based on the test nonce, without: receiving the challenge state from the first server computer; receiving the challenge state from the first client computer.
Type: Grant
Filed: March 3, 2016
Date of Patent: March 13, 2018
Assignee: SHAPE SECURITY, INC.
Inventor: Michael J. Ficarra
-
Patent number: 9912549
Abstract: Among other things, embodiments of the present disclosure can collect and analyze asset and network data from multiple sources, and use such data to present a more complete and accurate representation of the network connections between various systems and software applications and the policies dictating the operation of security controls on a network compared to conventional systems.
Type: Grant
Filed: October 24, 2014
Date of Patent: March 6, 2018
Assignee: CATBIRD NETWORKS, INC.
Inventor: Malcolm Rieke
-
Patent number: 9906508
Abstract: System and methods are provided for admission in a network comprising at least one node providing network controller (NC) functionality. A first node in the network, which is capable of generating SALTs, may assume NC functionality, and may distribute the SALT to at least one other node within the network. The first node may receive from the at least one other node, during admission to the network, a request for a dynamic encryption key, with the request being encrypted using a static encryption key unique to the at least one other node, and the static encryption key being determined based on the SALT.
Type: Grant
Filed: March 29, 2016
Date of Patent: February 27, 2018
Assignee: ENTROPIC COMMUNICATIONS, LLC
Inventors: Changwen Liu, Ronald B. Lee
-
Patent number: 9906713
Abstract: The present disclosure provides techniques for translating input camera commands to device-specific commands. Camera commands may be translated by a translation engine located separately from the camera and then transferred to the camera. The translated commands may be less complex than input commands. By translating the commands, older cameras may be capable of supporting newer commands which are not natively supported.
Type: Grant
Filed: December 7, 2015
Date of Patent: February 27, 2018
Assignee: Intel Corporation
Inventor: Brent D. Chartrand
-
Patent number: 9900290
Abstract: Methods and systems are provided for proxying data between an application server and a client device. One exemplary application system includes an application server to generate a virtual application and a proxy server coupled to the application server over a network to provide the virtual application to a client device. The proxy server receives input data from the client device and provides the input data to the application server, wherein the application server encodes the input data for an action in response to authenticating the proxy server and provides the data encoded for the action to the proxy server. The proxy server performs the action on the data and provides the result to the client device.
Type: Grant
Filed: October 10, 2016
Date of Patent: February 20, 2018
Assignee: salesforce.com, inc.
Inventor: Yoel Gluck
-
Patent number: 9875267
Abstract: In one embodiment, a method includes, upon receiving a first message from a device, updating a table stored in a memory with a state of the device contained in the first message. The method further includes associating the state of the device stored in the table with a timestamp. The method additionally includes, in response to a request for the state of the device, generating a second message that includes from the table the state having an earliest associated timestamp, the second message being previously unseen by the application module.
Type: Grant
Filed: September 28, 2012
Date of Patent: January 23, 2018
Assignee: EMC IP Holding Company LLC
Inventor: Marshall L. Merrill
-
Patent number: 9876637
Abstract: A cloud storage system supporting user agnostic encryption and deduplication of encrypted files is described. Further the cloud storage system enables users to share a file, a group of files, or an entire file system with other users without a user sending each file to the other users. The cloud storage system further allows a client device to minimize the utilization of bandwidth by determining whether the encrypted data to transfer is already present in the cloud storage system. Further the cloud storage system comprises mechanisms for a client device to inform the cloud storage system of which data is likely to be required in the future so that the cloud storage system can make that data available with less latency once the client device requests the data.
Type: Grant
Filed: February 1, 2016
Date of Patent: January 23, 2018
Assignee: PUCCINI WORLD LIMITED
Inventor: Anthony Francois Gauda
-
Patent number: 9875480
Abstract: Provided are systems and methods for using an existing management server infrastructure to deliver video-on-demand or streaming content, including real-time live streaming. Existing client content playback devices, such as IPTVs, may be employed to stream content items, obtain advertisements, track user's viewing behaviors, and the like. By reusing existing client devices, there is no need for additional hardware purchases on the user side. By reusing existing management server infrastructures, capital expenses are also reduced. In such a system, a user can watch both video-on-demand and streaming audiovisual content.
Type: Grant
Filed: January 27, 2012
Date of Patent: January 23, 2018
Assignees: SONY NETWORK ENTERTAINMENT INTERNATIONAL LLC, SONY CORPORATION
Inventors: True Xiong, Leo Pedlow, Viral Mehta, Eric Holcomb
-
Patent number: 9864754
Abstract: Techniques presented herein provide an approach for sharing folders and files across devices. In one embodiment, folder redirection is employed to permit a device running a virtual infrastructure (VDI) client which connects to a remote agent to access folders and files shared by other devices. To enable such folder redirection, a folder redirection management module generates, for each shared folder, a redirection mapping that associates an original folder path with a uniform naming convention (UNC) scheme. When a device attempts to launch a remote desktop in a remote agent using the same username as that associated with other devices that share folders/files, the folder redirection management module transmits redirection mappings for those devices to the remote agent and opens permissions of the corresponding UNC schemes, the remote agent mounts the shared folders as virtual drives, and the shared folders are then accessible through folder redirection based on the redirection mappings.
Type: Grant
Filed: June 25, 2015
Date of Patent: January 9, 2018
Assignee: VMware, Inc.
Inventors: Haiou Jiang, Dong Wang, Feng Yan, Ning Yu, Kun Shi
-
Patent number: 9866530
Abstract: A method and apparatus is shown for provision of a secure connection via a public network. In a particular implementation, a communication session may be established between an apparatus and a client device to enable the client device to receive access to one or more portions of a public network via one or more communication links. In response to receipt of a request message received from the client device, access may be established to the one or more portions of the public network using one or more identifiers from the client device to emulate the client device on the one or more portions of the public network. In response to detection of the established access to the one or more portions of the public network, an encrypted virtual private network (VPN) communication session may be established to one or more remote devices via the one or more portions of the public network.
Type: Grant
Filed: October 5, 2015
Date of Patent: January 9, 2018
Assignee: Zyxel Communications, Inc.
Inventors: Steven H. Joe, Shawn Rogers, Tri Nguyen
-
Patent number: 9860154
Abstract: An improved method and system for processing network metadata is described. Network metadata may be processed by dynamically instantiated executable software modules which make policy-based decisions about the character of the network metadata and about presentation of the network metadata to consumers of the information carried by the network metadata. The network metadata may be type classified and each subclass within a type may be mapped to a definition by a unique fingerprint value. The fingerprint value may be used for matching the network metadata subclasses against relevant policies and transformation rules. For template-based network metadata such as NetFlow v9, an embodiment of the invention can constantly monitor network traffic for unknown templates, capture template definitions, and inform administrators about templates for which custom policies and conversion rules do not exist.
Type: Grant
Filed: January 22, 2016
Date of Patent: January 2, 2018
Assignee: NETFLOW LOGIC CORPORATION
Inventors: Igor Balabine, Alexander Velednitsky
-
Patent number: 9860218
Abstract: A system software unit performs a first authentication operation with an external device using a first key that is registered in advance. A secure software unit determines whether or not system software satisfies a soundness condition. A dedicated memory unit is used to store a second key. While performing a reregistration operation for reregistering the first key, a system software unit requests the secure software unit to read the second key. When the system software satisfies the soundness condition, the secure software unit generates verification data using the second key. When a second authentication operation performed with the external device using the verification data is successful, the system software unit performs the reregistration operation.
Type: Grant
Filed: October 15, 2015
Date of Patent: January 2, 2018
Assignee: Kabushiki Kaisha Toshiba
Inventors: Ryuiti Koike, Mikio Hashimoto, Naoko Yamada, Ryotaro Hayashi
-
Patent number: 9860142
Abstract: Embodiments of the present invention are directed to generating and delivering data elements out of the context of an application installation. Each data element generated by an application is transmitted to a collection server after a networked computing device has connected back to a network, and even after the application has been removed from the networked computing device. Each data element is associated with a globally unique transaction identifier. Each data element and its corresponding transaction identifier are packaged together for transmission to the collection server via one or more of a plurality of transmission pathways, including a messaging pathway. The collection server uses the transaction identifier to check whether a corresponding data element is already stored by the collection server. The data element is stored by the collection server, if not already stored.
Type: Grant
Filed: June 9, 2015
Date of Patent: January 2, 2018
Assignee: Synchronoss Technologies, Inc.
Inventor: Sumeet Singh Paul
-
Patent number: 9847875
Abstract: An exemplary security key bootstrapping system determines an application layer session security keyset uniquely associated with a client device and based on a subscriber identity master security credential. The subscriber identity master security credential is permanently stored within a component of the client device and is also stored on a subscriber identity management server associated with a provider network by which the client device is communicatively coupled with an application server system. The security key bootstrapping system uses the application layer session security keyset as a credential to provide end-to-end security for an application layer session between the client device and the application server system over the provider network. Neither the component of the client device nor the subscriber identity management server obtains the subscriber identity master security credential from an exchange of the subscriber identity master security credential over the provider network.
Type: Grant
Filed: June 20, 2016
Date of Patent: December 19, 2017
Assignee: Verizon Patent and Licensing Inc.
Inventors: Oleg Berzin, Yueping Zhang, Praveen Venkataramu
-
Patent number: 9843650
Abstract: Methods, devices, and systems are provided for selecting and ordering the firing of application modules based on parameters determined during communication initialization including call type, originator of the call, etc. The module invocation sequence is determined based on criteria determined when a connection is received, which then becomes an attribute of that connection such that subsequent messages belonging to that connection have the same module sequencing applied thereto without re-determining the optimal sequence for each message by analyzing the properties of each message every time.
Type: Grant
Filed: September 3, 2009
Date of Patent: December 12, 2017
Assignee: Avaya Inc.
Inventors: Steve Baker, Kurt Haserodt
-
Patent number: 9842063
Abstract: A method includes retrieving a plurality of secure data packages from storage units. The method further includes separating the secure data packages into masked keys and encrypted data units in accordance with a data intermingling pattern. The method further includes generating deterministic values from the encrypted data units and generating encryption keys based on the masked keys and the deterministic values. The method further includes decrypting the encrypted data units using the encryption keys to produce data units. The method further includes recovering a first portion of the data from a threshold number of the data units.
Type: Grant
Filed: November 7, 2016
Date of Patent: December 12, 2017
Assignee: International Business Machines Corporation
Inventors: Gary W. Grube, Timothy W. Markison
-
Patent number: 9836462
Abstract: A document service may be provided by many document service packages, each presenting a particular set of service characteristics (e.g., the performance achievable on various storage device types; the available indexing models; and the types of transactions, scripts, and queries supported by the document service). For a particular project, an administrator may endeavor to select a document service package exhibiting characteristics that match some criteria of the project and to configure or adapt the document service for other criteria, but the range of adaptability for each document service package may be limited. Presented herein are architectures for document services involving a composable set of components respectively providing a service feature with a service characteristic.
Type: Grant
Filed: March 14, 2013
Date of Patent: December 5, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Dharma Shukla, Madhan Gajendran
-
Patent number: 9838243
Abstract: A method is implemented by a node for implementing computational transformations conveyed in a content centric networking (CCN) request by a computation engine. The method includes receiving a CCN request containing a unique resource identifier (URI) and a computation field, decoding the computation field to determine a computation pipeline, retrieving a first content object identified by the URI, executing the computation pipeline with the first content object as input, and encoding a result of the computation pipeline as a second content object.
Type: Grant
Filed: March 24, 2015
Date of Patent: December 5, 2017
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Hari Rangarajan, Yvan Royon
-
Patent number: 9832016
Abstract: The described embodiments relate to methods, systems, and products for providing verification code recovery and remote authentication for a plurality of devices configured for electronic communication with a server. Specifically, in the methods, systems, and products, the user entrusts information about the user's verification code to the service provider, and only with cooperation between the user and the service provider can a lost verification code be recovered. The service provider can further authenticate the user before cooperating in the recovery process by way of a time-sensitive authentication sequence that involves the user device.
Type: Grant
Filed: January 10, 2017
Date of Patent: November 28, 2017
Assignee: BICROID
Inventors: En-Hui Yang, Xiang Yu, Jin Meng
-
Patent number: 9832213
Abstract: A network intrusion detection system and method is configured to receive off-line network traffic. The off-line network traffic with a predefined format, PCAP file, is capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures. Each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection. A plurality of covert channel processors are configured to analyze off-line network traffic. The analysis determines whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures. The covert channels are employed in at least one standard layer of the standard protocol stack and the off-line network data traffic comprises at least one standard protocol stack having multiple standard layers.
Type: Grant
Filed: September 10, 2015
Date of Patent: November 28, 2017
Assignee: Cyber Crucible Inc.
Inventors: Dennis Underwood, Ethan Stryker, Jonathan Peterson
-
Patent number: 9824246
Abstract: Disclosed is an RFID tag configured to store a plurality of data and selectively provide a predetermined data of the plurality of data to an RFID reader. The RFID tag includes a radio frequency (RF) interface, a memory, an input unit, and a control unit. The RF interface includes an antenna for communication with an RFID reader. The memory is configured to store a plurality of data. The input unit is configured to receive a selection for provision data to be provided to the RFID reader among the plurality of data stored in the memory. The control unit is configured to control the selected data to be provided to the RFID reader through the RF interface when a request for data is received from the RFID reader.
Type: Grant
Filed: January 3, 2014
Date of Patent: November 21, 2017
Assignee: KT CORPORATION
Inventors: Seung Woo Lee, Youn Pil Jeung, Sung Chul Kim, Myoung Hee Seo
-
Patent number: 9824228
Abstract: A system and non-transitory computer program product for preserving data redundancy in a data deduplication system in a computing environment is provided. A selected data segment, to be written through the data deduplication system, is encrypted such that the selected data segment is not subject to a deduplication operation. Copies of the data segment that are to be precluded from data deduplication are determined and identified. A unique encryption key is used to encrypt the selected data segment to be written through the data deduplication system such that the selected data segment is not subject to a deduplication operation. The data deduplication system is tricked to recognize the encrypted, selected data segment as new, undeduplicated data by the encrypting thereby skipping steps of the deduplication operation that includes fingerprint generation and matching. The encrypted, selected data segment is directly written to a new physical storage location.
Type: Grant
Filed: February 9, 2015
Date of Patent: November 21, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Rahul M. Fiske, Carl E. Jones, Subhojit Roy
-
Patent number: 9825919
Abstract: In some aspects, an encryption method comprises encrypting a first portion of a message using a first secret key. The first secret key is generated based on the public key of an entity. A one-way function is used to generate a second secret key from the first secret key, and the first secret key is subsequently discarded. A second portion of the message is encrypted using the second secret key. The encrypted first portion of the message and the encrypted second portion of the message are provided to the entity.
Type: Grant
Filed: November 2, 2015
Date of Patent: November 21, 2017
Assignees: BlackBerry Limited, Certicom Corp.
Inventors: Robert John Lambert, Daniel Richard L. Brown, Atsushi Yamada
-
Re-encryption key generator, re-encryption device, encryption device, decryption device, and program
Patent number: 9819487
Abstract: A re-encryption key generator according to an embodiment generates a re-encryption key to obtain re-encrypted data that can be decrypted by a second private key of a second user device by re-encrypting ciphertext obtained by encrypting plaintext by a first public key of a first user device without decryption. The re-encryption key generator stores a first private key corresponding to the first public key. The re-encryption key generator stores a second re-encryption key generation key of the second user device that is different from a second public key corresponding to the second private key. The re-encryption key generator generates the re-encryption key based on the first private key and the second re-encryption key generation key.
Type: Grant
Filed: February 6, 2015
Date of Patent: November 14, 2017
Assignees: KABUSHIKI KAISHA TOSHIBA, TOSHIBA SOLUTIONS CORPORATION
Inventors: Yoshihiro Fujii, Koji Okada, Tatsuyuki Matsushita, Ryotaro Hayashi
-
Patent number: 9819658
Abstract: Virtual machines in a network may be isolated by encrypting transmissions between the virtual machines with keys possessed only by an intended recipient. Within a network, the virtual machines may be logically organized into a number of community-of-interest (COI) groups. Each COI may use an encryption key to secure communications within the COI, such that only other virtual machines in the COI may decrypt the message. Virtual machines may further be isolated through a virtual gateway assigned to handle all communications between a virtual machine and a device outside of the virtual machine's COI. The virtual gateway may be a separate virtual machine for handling decrypting and encrypting messages for transmission between virtual machines and other devices.
Type: Grant
Filed: July 12, 2012
Date of Patent: November 14, 2017
Assignee: Unisys Corporation
Inventors: David S. Dodgson, Ralph Farina, James A. Fontana, Robert A. Johnson, David Maw, Anthony Narisi
-
Patent number: 9813419
Abstract: The disclosed system and method enhances security of people, organizations, and other entities that use what has been termed “social media.” Recent trends have shown that information posted to social media may cause tremendous damage to individuals and other entities. This includes information that was posted deliberately or unintentionally, including social security numbers, financial data and other sensitive information. Further, information that previously may have been viewed as innocuous, such as location data, has caused harm on certain occasions and may need to be protected. The disclosed system provides a novel method of screening, identifying, and preventing certain information from being posted on social media and other public locations. In addition, the disclosed system and method improves security by motivating people to use security software by offering rewards for its use.
Type: Grant
Filed: September 6, 2015
Date of Patent: November 7, 2017
Assignee: SecureMySocial, Inc.
Inventors: Joseph Steinberg, Shira Rubinoff
-
Patent number: 9813248
Abstract: Techniques and mechanisms described herein facilitate the encryption of content using content-based encryption keys. According to various embodiments, a data stream may include one or more data chunks. A client machine may apply a hash function to a data chunk to determine a fingerprint value. A cryptographic protocol shared with a remote server may be applied to the fingerprint value to determine a data chunk encryption key. The data chunk encryption key may be used to encrypt the data chunk, and the encrypted data chunk may be sent to the remote server for storage.
Type: Grant
Filed: May 27, 2015
Date of Patent: November 7, 2017
Assignee: QUEST SOFTWARE INC.
Inventors: Murali Bashyam, Tarun K. Tripathy
-
Patent number: 9806883
Abstract: The embodiments relate to a method and a digital circuit area for securely providing a key using a request unit and a provision unit. In this case, a key is derived from parameters, at least one of which is used for the key derivation in a non-predefinable manner by the request unit. In this case, the key derivation is carried out in a digital circuit area in which the request unit and the provision unit are implemented.
Type: Grant
Filed: December 19, 2014
Date of Patent: October 31, 2017
Assignee: Siemens Aktiengesellschaft
Inventor: Rainer Falk
-
Patent number: 9807072
Abstract: A fast-accessing method may comprise: establishing a first security connection between a first network node and a user equipment; obtaining first information from a second network node, wherein the first information comprises at least one of system information of the second network node and an identifier of a security algorithm selected by the second network node for the user equipment; providing second information to the second network node, in response to an indication of the second network node from the user equipment, wherein the second information comprises security information related to the user equipment; and sending the first information to the user equipment for establishing a second security connection between the user equipment and the second network node.
Type: Grant
Filed: February 6, 2012
Date of Patent: October 31, 2017
Assignee: Nokia Technologies Oy
Inventors: Yang Liu, Haitao Li, Yixue Lei, Da Jiang Zhang
-
Patent number: 9801229
Abstract: The present invention provides a method for processing a service connection in a communication network, comprising: A) determining, in response to an establishment request for the service connection from a UE, whether the service corresponding to the establishment request is a sponsored service, wherein the sponsored service is provided by a third party application provider; B) sending a validating request for the sponsored service to the third party application provider, if the service corresponding to the establishment request is a sponsored service; and C) controlling the sponsored service connection according to the information related to the sponsored service, if receiving a successful acknowledgement corresponding to the validating request. And a device corresponding to the method is provided. With the above method, the data connection of the sponsored application service may be dynamically controlled and configured, moreover the requirement of QoS control service can be dynamically met.
Type: Grant
Filed: October 14, 2011
Date of Patent: October 24, 2017
Assignees: Alcatel Lucent, Alcatel Lucent USA Inc.
Inventors: Xiangyang Li, Yigang Cai