Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 9565075
    Abstract: Technologies are generally described to send distributed user interface elements to a customer. In some examples, a virtualization server may receive an application to be provided to a customer. The virtualization server may separate the application into multiple user interface elements and encapsulate each user interface element with virtualization components for individual delivery to the customer. Subsequently, the virtualization server may then forward the encapsulated element(s) to one or more customer devices.
    Type: Grant
    Filed: October 7, 2013
    Date of Patent: February 7, 2017
    Assignee: Empire Technology Development LLC
    Inventor: Ezekiel Kruglick
  • Patent number: 9565198
    Abstract: Methods and systems are provided for validating a signature in a multi-tenant environment. A server or other computing device that is part of a distributed network may request a certificate collection from an identified tenant store. The requested certificate collection may be loaded in a virtual store that is accessible by the server or other computing device. The server or other computing device may then access one or more certificates from the virtual store to validate a signature.
    Type: Grant
    Filed: September 19, 2014
    Date of Patent: February 7, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tariq Sharif, Yamin Wang, Jinghua Chen
  • Patent number: 9560030
    Abstract: Systems, methods, and computer program products related to transaction application security are disclosed. In a particular embodiment, application nodes are randomly selected for requiring re-authentication of a user traversing nodes of the application. These and other embodiments are more fully disclosed herein.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: January 31, 2017
    Assignee: Kaiser Foundation Hospitals
    Inventor: Alexander Z. Hughes
  • Patent number: 9560020
    Abstract: At least a portion of a transmission of an outgoing first email from a first email account to at least a second email account is encrypted. Second email address data is changed corresponding to the second email account to cause replies to the first email intended for the second email account to be sent to an intermediate device prior to being routed to the second email account. Replies to the first email are then sent to the intermediate device and sent over one or more encrypted channels. Replies to the first email including the changed email address data are decoded to identify the second email address data associated with the second email account. A reply to the first email is then sent to the second email account based on the identified second email address data.
    Type: Grant
    Filed: January 6, 2015
    Date of Patent: January 31, 2017
    Assignee: McAfee, Inc.
    Inventors: Nicholas Liebmann, Graeme McKerrell, Peter Neal
  • Patent number: 9560019
    Abstract: A method and system for managing data security in a computing environment. A processor at the gateway server receives, from a user device, at least one message. Each message requests that an encryption key be downloaded to the user device. The gateway server interfaces between the user device and a cloud that includes interconnected computing systems external to the user device. In response to the received at least one message, the processor generates at least one unique encryption key for each message and sends the at least one generated encryption key to the user device, but does not store any of the generated encryption keys in the cloud. For each encryption key having been sent to the user device, the processor receives each encryption key returned from the user device. For each encryption key received from the user device, the processor stores each received encryption key in the cloud.
    Type: Grant
    Filed: February 19, 2014
    Date of Patent: January 31, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jonathan M. Barney, Cataldo Mega, Edmond Plattier, Daniel Suski
  • Patent number: 9558788
    Abstract: In an exemplary method, a computer-implemented media service system provides a graphical user interface view associated with a first functional area of the media service for display on a display screen, detects a peek request input while the graphical user interface view is displayed, and provides, in response to the peek request input and for display with the graphical user interface view, an activity indicator indicating a tracked activity associated with the second functional area of the media service. Corresponding systems and methods are also described.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: January 31, 2017
    Assignee: Verizon and Redbox Digital Entertainment Services, LLC
    Inventors: Brian F. Roberts, Christina S. Siegfried, Ann Gordon Prather
  • Patent number: 9553792
    Abstract: A first media packet from a first endpoint of an access network behind a NAPT device is received by a media device between a core network and the access network. The first media packet includes a first source IP address and port combination identifying the first endpoint. An UPDATE request or a reINVITE request is transmitted by the media device. A second IP address and port combination for the media device to receive future media packets from the first endpoint is negotiated. The media device compares a first IP address of the first source IP address and port combination to a second IP address of a second source address and port combination for a second media packet received on the second IP address and port combination. If the first and second IP addresses match, the media device relays media packets from the core network to the first endpoint.
    Type: Grant
    Filed: February 5, 2015
    Date of Patent: January 24, 2017
    Assignee: SONUS NETWORKS, INC.
    Inventor: Tolga Asveren
  • Patent number: 9553892
    Abstract: According to one embodiment, a transparent security gateway is coupled between a client end station (CES) and a web application server (WAS). The security gateway monitors an encryption protocol handshake between the CES and the WAS to capture, using a provided private key of the WAS, a generated symmetric key to be used for an encryption layer connection. Using the captured symmetric key, the security gateway receives an encrypted connection record of the encryption layer connection, decrypts the encrypted connection record to yield a plaintext connection record, modifies the plaintext connection record, encrypts the modified plaintext connection record using the symmetric key, and transmits one or more packets carrying the encrypted modification plaintext connection record instead of the received encrypted connection record such that neither the CES nor WAS is aware of the modification of the encrypted data.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: January 24, 2017
    Assignee: IMPERVA, INC.
    Inventors: Ido Kelson, Dmitry Babich
  • Patent number: 9554276
    Abstract: A system, machine readable medium and method for utilizing protocol conversions in policy changing enforcement is disclosed. A message, in a first protocol, is received from a network gateway device including identifying information unique to a client attempting to access a resource from a server. The message is processed using one or more portions of the client identifying information as a unique key identifier. A policy access request is generated, in a second protocol, and includes at least the unique key identifier. The policy access request is sent to a policy server, wherein the policy server is configured to provide policy enforcement information of the client associated with the policy access request. The policy enforcement information is received and one or more policies from the policy enforcement information are enforced to network traffic between the client and the server.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: January 24, 2017
    Assignee: F5 Networks, Inc.
    Inventors: Nat Thirasuttakorn, Jason Haworth, Brandon Burns, Ian Michael Smith
  • Patent number: 9547565
    Abstract: Embodiments of the Message Retransmission Mechanism Apparatuses, Methods and Systems (“MRM”) transform application requests for message journals via MRM components into expedited access to segmented message streams. In one implementation, the MRM may obtain message journal of messages written by applications during system operations and divide up the message obtained from the complete message journal into message segments. In some implementations, the MRM may provide recovering applications access to said message segments for expedited message consumption.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: January 17, 2017
    Assignee: IEX Group, Inc.
    Inventors: James Michael Cape, Robert Park, Allen Zhang, Zoran Perkov, Lieting Yu, Prerak Pukhraj Sanghvi, Beau Tateyama, Constantine Sokoloff, Eric Quinlan
  • Patent number: 9548961
    Abstract: A network protection service for providing protective assistance to a subscribing host is presented. The network protection service is configured to determine a set of rules for filtering network traffic for a subscribing host. The network protection service is further configured to receive network traffic on behalf of the subscribing host, filter the received network traffic according to the set of rules, and forward a portion of the filtered network traffic to the subscribing host. Still further, the network protection service is configured to analyze the received network traffic via the analysis server, and refine the set of rules for filtering the received network traffic based on the analysis of the received network traffic by the analysis server.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: January 17, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Paul G. Nordstrom, Colin Bodell, Craig A. Woods
  • Patent number: 9548994
    Abstract: A plurality of security events is detected in a computing system, each security event based on at least one policy in a plurality of security policies. Respective interactive graphical representations are presented in a graphical user interface (GUI) of either or both of the security events or security policies. The representations include interactive graphical elements representing the respective security events or security policies. User selection of a particular event element via the interactive GUI causes a subset of the security policies to be identified, each security policy in the subset serving as a basis for at least one particular security event represented by the particular event element. User selection of a particular policy element via the interactive GUI causes a subset of the security policies to be identified, each security event in the subset based at least in part on a particular security policy represented by the particular policy element.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: January 17, 2017
    Assignee: McAfee, Inc.
    Inventors: Derek Patton Pearcy, Jessica Anne Heinrich, Jessica Jeanne Gaskins, Craig Anthony Phillips
  • Patent number: 9544767
    Abstract: In an aspect, a wireless communication between a transmitter and a receiver involves determining updated keys according to a key management process for MAC layer encryption. Such key is propagated to a transmitter MAC and through a receiver key management process to a receiver MAC. After a delay, transmitter MAC device begins using the updated key, instead of a prior key, for payload encryption. Receiver MAC continues to use the prior key until a packet that was accurately received fails a message integrity/authentication check. Then, the receiver MAC swaps in the updated key and continues to process received packets. The packet data that failed the message integrity check is discarded. Transmitter MAC retries the failed packet at a later time, and if the packet was accurately received and was encrypted by the transmitter MAC using the updated key, then the receiver will determine that the message is authentic and will receive it and acknowledge it.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: January 10, 2017
    Assignee: Imagination Technologies Limited
    Inventor: Chakra Parvathaneni
  • Patent number: 9531534
    Abstract: According to an embodiment, a generating device includes a first key generator, a second key generator, an output unit, and an update unit. The first key generator is configured to generate a first key that is a sequence of bits according to a first key rule on the basis of a random number. The second key generator is configured to generate multiple second keys that are sequences of bits partially having correlation with one another according to a second key rule on the basis of the first key. The output unit is configured to output the first key and at least one of the second keys. The update unit is configured to generate update information for updating a second key by updating a partial sequence of the second key, the partial sequence having no correlation with the other second keys not to be updated.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: December 27, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Tsukasa Omino, Yuichi Komano
  • Patent number: 9529988
    Abstract: The subject technology discloses configurations for receiving a request from a user to log into a communications server in which the request includes user credentials. The user is authenticated based on the included user credentials in the request. The user is then permitted to log into the communications server if the user is successfully authenticated. An input selecting a person of interest is received. The subject technology retrieves information associated with the selected person of interest. A dossier of information including the retrieved information associated with the selected person of interest is generated. The subject technology transmits the generated dossier to the user or an indicated recipient.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: December 27, 2016
    Assignee: Intelmate LLC
    Inventor: Richard Torgersrud
  • Patent number: 9525707
    Abstract: This disclosure describes systems, methods, and computer-readable media related to an incident response tool using data exchange layer. In some embodiments, a data collector may be generated by an incident response server. The incident response server may transmit a data collector to multiple broker servers, where each broker server may transmit the data collector to multiple user devices associated with the broker server. The incident response server may receive data from the data collectors executing on the user devices and may analyze the received data.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: December 20, 2016
    Assignee: McAfee, Inc.
    Inventors: James Bean, Torry B. Campbell, Jonathan B. King
  • Patent number: 9525665
    Abstract: A computer-implemented method for obscuring network services may include (1) identifying a local network comprising at least one client and at least one host, where the host provides a service that is not bound to any routable address on the local network and the client is expected to send messages to the service, (2) provisioning the client with a proxy that intercepts the messages directed to the service by the client, identifies the host that provides the service, and adds at least one layer of encryption to the messages, (3) configuring the proxy to route the messages through an onion routing network within the local network that comprises at least one onion routing node, and (4) configuring the onion routing network to remove the at least one layer of encryption from the messages before forwarding the messages. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: December 20, 2016
    Assignee: Symantec Corporation
    Inventors: Nathan Evans, Azzedine Benameur, Matthew Elder
  • Patent number: 9525682
    Abstract: Various arrangements for providing authentication information to a user are presented. A single-point authentication manager executed by a computer system may receive a request to access a resource from a remote client computer system. The single-point authentication manager may manage access to a plurality of resources including the resource. The single-point authentication manager may perform authentication using an authentication plug-in. In response to performing authentication of the user, the authentication plug-in may generate a parameter having a value that is a message to be transmitted to the remote client computer system. In response to receiving the parameter and the value from the authentication plug-in, the single-point authentication manager may transmit the value of the parameter to the application if the authentication is successful and to a credential collector if the authentication of the user failed.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: December 20, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Aarathi Balakrishnan, Ramya Subramanya
  • Patent number: 9521440
    Abstract: Various arrangements for encrypting multiple television channels are presented. A first television channel of a plurality of television channels to be protected via a first entitlement control message (ECM) using a first encryption scheme may be designated. The plurality of television channels may be transmitted using a single transponder stream. A second television channel of the plurality of television channels to be protected via a second ECM encrypted using a second encryption scheme while the first television channel of the plurality of television channels is protected using the first encryption scheme may be designated. The first and second ECMs may be transmitted to a plurality of television receivers. Data from the first ECM may be used for descrambling of the first television channel by the plurality of television receivers. Data from the second ECM may be used for descrambling of the second television channel by the plurality of television receivers.
    Type: Grant
    Filed: July 24, 2014
    Date of Patent: December 13, 2016
    Assignee: ECHOSTAR TECHNOLOGIES L.L.C.
    Inventors: David Kummer, Germar Schaefer
  • Patent number: 9510190
    Abstract: Security in wireless communication networks that employ relay stations to facilitate communications between base stations and mobile stations is enhanced. In one embodiment, resource information provided to one or more relay stations from a base station or another relay station is encrypted prior to being delivered to the one or more relay stations. Only authorized relay stations are allocated an appropriate key necessary to decrypt the resource information. As such, only appropriate relay stations are able to access and use the resource information to effect communications directly or indirectly between the base stations and the mobile stations. In certain embodiments, the resource information is delivered between the various base and relay stations using either unicast or multicast delivery techniques.
    Type: Grant
    Filed: February 13, 2013
    Date of Patent: November 29, 2016
    Assignee: APPLE INC.
    Inventors: Hang Zhang, Peiying Zhu, Mo-Han Fong, Wen Tong, Gamini Senarath, Derek Yu, David Steer
  • Patent number: 9503868
    Abstract: A network device receives a message that identifies a relationship between a wireless user device and a client device, the relationship allowing text messages, intended for the wireless user device, to be sent to the client device. The network device stores the information identifying the relationship. The network device receives a text message intended for the wireless user device. The network device determines to send the text message to the client device, based on the information identifying the relationship stored by the network device; and the network device sends the text message to the client device for display on a display device associated with the client device.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: November 22, 2016
    Assignees: Verizon Patent and Licensing Inc., Cellco Partnership
    Inventors: Ashish R. Gandhi, Eliezer K. Pasetes
  • Patent number: 9495240
    Abstract: A method begins by a dispersed storage (DS) processing module encrypting a plurality of data segments of the data using a plurality of encryption keys to produce a plurality of encrypted data segments and generating a plurality of deterministic values from the plurality of encrypted data segments. The method continues with the DS processing module establishing a data intermingling pattern and generating a plurality of masked keys by selecting one or more of the plurality of deterministic values in accordance with the data intermingling pattern and performing a masking function on the plurality of encryption keys and the selected one or more of the plurality of deterministic values. The method continues with the DS processing module appending the plurality of masked keys to the plurality of encrypted data segments to produce a plurality of secure data packages and outputting the plurality of secure data packages.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: November 15, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gary W. Grube, Timothy W. Markison
  • Patent number: 9491189
    Abstract: A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.
    Type: Grant
    Filed: April 27, 2014
    Date of Patent: November 8, 2016
    Assignee: Guardicore Ltd.
    Inventors: Ariel Zeitlin, Pavel Gurvich
  • Patent number: 9491591
    Abstract: The present invention relates to a method and apparatus for transmitting information to a terminal of a specific group using multicast transmission equipment in a mobile communication system. The method of the present invention comprises: an information receiving step of receiving, from an information provider, information to be transmitted to the terminal; a selection step of selecting either a cell broadcasting service multicast transmission scheme or a multimedia broadcast multicast service multicast transmission scheme in accordance with the size of the received information; and a multicast transmission step of multicast transmitting the information to the terminal of the specific group in accordance with the selected transmission scheme.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: November 8, 2016
    Assignees: Samsung Electronics Co., Ltd., Kyung Hee University Industry Academic Cooperation Foundation
    Inventors: Sung Won Lee, Han Na Lim, Beom Sik Bae, Song Yean Cho
  • Patent number: 9491619
    Abstract: A method of preauthenticating a mobile node in advance of a switch from a current point of attachment (CPoA) to a next point of attachment (NPoA) is disclosed. One or more preauthentication requests are received at the CPoA. The one or more preauthentication requests include a proxy assignment from the mobile node. Each of the one or more preauthentication requests corresponds to one of one or more possible points of attachment (PPoAs). Using the CPoA, the mobile node is preauthenticated with the one or more PPoAs using a transitivity of trust between the mobile node, the CPoA, and one or more authentication servers.
    Type: Grant
    Filed: February 9, 2011
    Date of Patent: November 8, 2016
    Assignee: Infosys Technologies Ltd.
    Inventors: Amitabha Das, Sanjoy Paul
  • Patent number: 9485263
    Abstract: Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: November 1, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alisson Augusto Souza Sol, Barry Markey, Robert D. Fish, Donald J. Ankney, Dragos D. Boia, Viresh Ramdatmisier
  • Patent number: 9479426
    Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: October 25, 2016
    Assignee: VIRNETZ, INC.
    Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
  • Patent number: 9479356
    Abstract: According to an example, a Dynamic Virtual Private Network (D-VPN) large-scale networking method includes establishing, by a Spoke, a DVPN channel with a Hub; issuing, by the Spoke, subnet information about the Spoke to the Hub; and obtaining, by the Spoke, subnet information about the Hub and another Spoke as well as corresponding private network address of a next hop sent by the Hub.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: October 25, 2016
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Yinzhu Yang, Zhanqun Wang
  • Patent number: 9456002
    Abstract: According to one embodiment, a transparent security gateway is coupled between a client end station (CES) and a web application server (WAS). The security gateway monitors an encryption protocol handshake between the CES and the WAS to capture, using a provided private key of the WAS, a generated symmetric key to be used for an encryption layer connection. Using the captured symmetric key, the security gateway receives an encrypted connection record of the encryption layer connection, decrypts the encrypted connection record to yield a plaintext connection record, modifies the plaintext connection record, encrypts the modified plaintext connection record using the symmetric key, and transmits one or more packets carrying the encrypted modification plaintext connection record instead of the received encrypted connection record such that neither the CES nor WAS is aware of the modification of the encrypted data.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: September 27, 2016
    Assignee: Imperva, Inc.
    Inventors: Ido Kelson, Dmitry Babich
  • Patent number: 9450764
    Abstract: A computer-implemented method for validating self-signed certificates may include (1) identifying a self-signed certificate associated with an application, (2) identifying a publisher allegedly responsible for publishing the application, (3) identifying a website associated with the publisher allegedly responsible for publishing the application, (4) determining that the website references the application, (5) determining that a website certificate associated with the website has been signed by a certificate authority, and (6) validating the self-signed certificate in response to determining both that the website references the application and that the website certificate associated with the website has been signed by the certificate authority. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 12, 2013
    Date of Patent: September 20, 2016
    Assignee: Symantec Corporation
    Inventor: Anubhav Savant
  • Patent number: 9444768
    Abstract: A multi-router system is described in which hardware and software components of one or more standalone routers can be partitioned into multiple logical routers. The multiple logical routers are isolated from each other in terms of routing and forwarding functions yet allow network interfaces to be shared between the logical routers. Moreover, different logical routers can share network interfaces without impacting the ability of any of the logical routers to be independently scaled to meet the bandwidth demands of the customers serviced by the logical router.
    Type: Grant
    Filed: January 25, 2013
    Date of Patent: September 13, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Sriram Raghunathan, Yong Luo, Wai Leung Chan, Surinder Singh, Abbas Sakarwala, Harmeet Sahni, Jian Cui
  • Patent number: 9438634
    Abstract: Systems for providing vulnerability scanning within distributed microservices are provided herein. In some embodiments, a system includes a plurality of microsegmented environments that each includes a hypervisor, an enforcement point that has an active probe device, and a plurality of virtual machines that each implements at least one microservice. The system also has a cloud data center server coupled with the plurality of microsegmented environments over a network. The cloud data center server has a security controller configured to provide a security policy to each of the plurality of microsegmented environments and an active probe controller configured to cause the active probe device of the plurality of microsegmented environments to execute a vulnerability scan.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 6, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Choung-Yaw Michael Shieh, Jia-Jyi Roger Lian, Meng Xu, Yi Sun
  • Patent number: 9430649
    Abstract: Aspects of the subject matter described herein relate to clusters. In aspects, an image is created to install software onto nodes of the cluster. A root secret of the cluster is injected into the image. After installing the software of the image onto a node of the cluster, the node may boot into a secure mode, detect that individualization is needed for the node to join a cluster, create an identity for authenticating with other nodes of the cluster, chain the identity via the root secret, and then securely erase the root secret from the node prior to assuming node duties. Among other things, this allows a single image to be used for installing software on all nodes of a cluster without the compromise of a single node compromising the entire cluster.
    Type: Grant
    Filed: December 17, 2013
    Date of Patent: August 30, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Nathan J. Ide, Magnus Nystrom
  • Patent number: 9432189
    Abstract: Techniques for handshake-free encrypted communication are described. An apparatus may comprise a key component, a message component, and a network component. The key component may be operative to retrieve a first symmetric encryption key from a key store and to store a second symmetric encryption key in the key store. The message component may be operative to construct a message comprising a data section, the data section encrypted using the first symmetric encryption key. The network component may be operative to transmit the message to a device and to receive a response to the message, the response comprising the second symmetric encryption key. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: August 30, 2016
    Assignee: FACEBOOK, INC.
    Inventor: Yunnan Wu
  • Patent number: 9432212
    Abstract: A data switching system is disclosed that allows for switching of packets through a plurality of top of rack switches utilizing a logical switching fabric that includes a local TOR switching fabric on a TOR switch and a Core switching fabric on a Core switch. A method of processing packets according to some embodiments can include receiving a packet from a source port into a top of rack switch, the source port being one of a plurality of ports on the top of rack switch, processing a packet header of the packet to determine a destination port, and switching the packet through a logical switching fabric that includes a local switch fabric on the top of rack switch and a Core switching fabric on a Core switch.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: August 30, 2016
    Assignee: DELL PRODUCTS L.P.
    Inventors: Haresh K. Shah, Krishnamurthy Subramanian, Glenn Poole
  • Patent number: 9431473
    Abstract: Several novel features pertain to a hybrid transformer formed within a semiconductor die having multiple layers. The hybrid transformer includes a first set of windings positioned on a first layer of the die. The first layer is positioned above a substrate of the die. The first set of windings includes a first port and a second port. The first set of windings is arranged to operate as a first inductor. The hybrid transformer includes a second set of windings positioned on a second layer of the die. The second layer is positioned above the substrate. The second set of windings includes a third port, a fourth port and a fifth port. The second set of windings is arranged to operate as a second inductor and a third inductor. The first set of windings and the second set of windings are arranged to operate as a vertical coupling hybrid transformer.
    Type: Grant
    Filed: November 21, 2012
    Date of Patent: August 30, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Chi Shun Lo, Je-Hsiung Lan, Mario Francisco Velez, Jonghae Kim
  • Patent number: 9426118
    Abstract: Systems and techniques for granting of network access to a new network device are described. Specifically, various techniques and systems are provided for connecting a new network device to a network and limiting access of the network device while authenticating the new network device. Exemplary embodiments of the present invention include a computer-implemented method.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: August 23, 2016
    Assignee: BELKIN INTERNATIONAL INC.
    Inventor: Ryan Yong Kim
  • Patent number: 9420053
    Abstract: The canonicalization of input messages having application specific data into a canonical message format, regardless of whether those native messages are well-formed. When a message is accessed, as long as the message is processable, the message is canonicalized. If the native message is well-formed, then a canonical message is generated that includes the application specific data in a schema understood by the application. On the other hand, if the native message is not well-formed, the canonical message is generated in a manner that the canonical message may be used to access the raw bits of the message, and that includes sufficient information for some downstream processing to determine that the message was not well-formed. That downstream processing may optionally then perform compensatory actions to regain access to the application specific data, and may potentially use information from the canonicalized message to do so.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: August 16, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nicholas Alexander Allen, John Anthony Taylor
  • Patent number: 9419800
    Abstract: Secure network systems and methods are provided. In an aspect of the invention, a secure network system is provided that includes a computing system that comprises a client system and a specialized NIC (network interface controller) system equipped with the capability to form a secure connection with an endpoint system and encrypt and decrypt communications between the client system and the network to which it is connected. This trusted network interface (TNI), which may present itself as a physical peripheral connected to a physical client system or a virtual peripheral connected to a virtual client system, takes the place of a client system's standard NIC, and the connection that it forms with the trusted network is negotiated and enforced externally to and independent of the client system.
    Type: Grant
    Filed: August 17, 2012
    Date of Patent: August 16, 2016
    Assignee: Northrop Grumman Systems Corporation
    Inventors: Neil G. Siegel, Daniel Jacques, William E. Freeman
  • Patent number: 9420003
    Abstract: In one implementation, a hub and spoke network is made up of hub network devices and spoke network devices. A security protocol channel is established between the hub and at least a first spoke. The hub receives a resolution request from the first spoke via the security protocol channel. The resolution request includes data indicative of a second endpoint. The hub queries a next hop client database for a WAN address of the second endpoint. The first endpoint and the second endpoint are geographically separated nodes of the same enterprise network. The hub sends a resolution reply to the first endpoint including the WAN address for the second endpoint. The hub also sends a message to the second endpoint including a WAN address of the first endpoint and a summary of the data packet received at the first endpoint.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: August 16, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Pranav Bhalerao, Sunil Nr, Chandra Balaji
  • Patent number: 9412146
    Abstract: Embodiments are provided to enable graphic processing unit (GPU) virtualization for high bandwidth or rate demanding applications, such as 3D gaming, where a client communicates with a host via a virtual desktop infrastructure (VDI). The distributed GPU virtualization allows one or more VMs or comparable hosts or components without GPU access to communicate with a GPU at a different component or physical machine in a data center or a network using remote direct memory access (RDMA). A first physical machine that excludes a GPU starts a remote display driver function to handle a request to render graphics from a client via a gateway. A second physical machine that comprises a GPU is instructed to start a render function for the client using the GPU. The render function communicates with the remote display driver function at the first physical machine. The rendered graphics are then sent to the client via the gateway.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: August 9, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventors: Pu Chen, Guangsong Xia
  • Patent number: 9405562
    Abstract: A set top box or like device utilizing virtualization techniques to isolate secure device resources from an untrusted software framework incorporated in the device. In one implementation, a first virtual machine container is provided for secure execution of a traditional set top box application, while a second virtual machine container is utilized to host a software framework or untrusted portions of a software framework. A secure access client/server interface is provided to support interactions between the first and second virtual machine containers. The software framework may comprise, for example, an Android framework supported by an underlying Linux operating system environment and isolated in a Linux resource container. Virtual container constructs in various embodiments may employ varying levels of hardware sandboxing, including use of dedicated processing resources in multi-processor environments.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: August 2, 2016
    Assignee: BROADCOM CORPORATION
    Inventors: Marcus C. Kellerman, Narayan Rajgopal, Joshua Stults, Kevin Cernekee
  • Patent number: 9398055
    Abstract: The concept of a secure call indicator is introduced. In general, the secure call indicator is capable of inspecting the security of signaling associated with Session Initiation Protocol (SIP) messages and comparing the security with media descriptions of the actual media path of the SIP messages. Furthermore, the secure call indicator may be configured to indicate the security associated with a communication session via a physical or virtual notification system.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: July 19, 2016
    Assignee: Avaya Inc.
    Inventors: Gordon R. Brunson, Rifaat Shekh-Yusef
  • Patent number: 9398626
    Abstract: Data sessions are established based in part on services. When establishing a data session for a communication device, the desired mobility gateway can be dynamically assigned via a specified policy mechanism or provisioned using a predefined service policy table, where particular services are linked with respective identifiers associated with respective mobility gateways. A communication device can reference the service policy table to locate a service that is to be used for the data session and can identify an identifier(s) linked to the service(s) and associated with a mobility gateway(s). The identifier(s) can be received and used to facilitate selecting one or more respective mobility gateways for the data session(s). The service policy table can be automatically pushed to the communication device or the communication device can initiate a download of the service policy table when the default data connection is established.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: July 19, 2016
    Assignee: AT&T MOBILITY II LLC
    Inventor: Qingmin Hu
  • Patent number: 9390289
    Abstract: One embodiment provides a system that facilitates secure synchronization of manifests using exact network names. During operation, the system generates an interest of advertisement comprising a name of a content object of the system. This name represents a collection of objects of the system and includes a first hash that is based on a key of the system. The first hash corresponds to a respective content object hash of one or more segments of a manifest representing the collection of objects. The system also determines a request for the content object based on the name in an interest of data from a remote node.
    Type: Grant
    Filed: April 7, 2014
    Date of Patent: July 12, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventor: Marc E. Mosko
  • Patent number: 9389932
    Abstract: A system comprises a first storage resource, a second storage resource, a hosted application, a proxy engine, and a proxy interface. The first storage resource stores first data and uses a first program interface for communicating the first data. The second storage resource stores second data and uses a second program interface for communicating the second data. The hosted application uses application data, the first data and/or the second data including the application data. The proxy engine directs application data requests by the hosted application to the first storage resource or to the second storage resource. The proxy interface uses the first program interface to communicate with the first storage device and the second program interface to communicate with the second storage device to respond to the application data requests.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: July 12, 2016
    Assignee: Zettar, Inc.
    Inventor: Chin Fang
  • Patent number: 9374374
    Abstract: The disclosed system and method enhances security of people, organizations, and other entities that use what has been termed “social media.” Recent trends have shown that information posted to social media may cause tremendous damage to individuals and other entities. This includes information that was posted deliberately or unintentionally, including social security numbers, financial data and other sensitive information. Further, information that previously may have been viewed as innocuous, such as location data, has caused harm on certain occasions and may need to be protected. The disclosed system provides a novel method of screening, identifying, and preventing certain information from being posted on social media and other public locations. In addition, the disclosed system and method improves security by motivating people to use security software by offering rewards for its use.
    Type: Grant
    Filed: June 18, 2013
    Date of Patent: June 21, 2016
    Assignee: SecureMySocial, Inc.
    Inventors: Joseph Steinberg, Shira Rubinoff
  • Patent number: 9374339
    Abstract: A method, system and apparatus for authenticating a communication request sent from a client computing device. The communication request is initially blocked by a firewall preventing delivery to a server. A first logging event corresponding to the communication request is created. The communication request and the logging event are stored in a firewall. The server is notified of the first logging event. The communication request corresponding to the first logging event is authenticated. A port in the firewall is enabled if the communication request is authenticated.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: June 21, 2016
    Assignee: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.
    Inventors: Jeffery Bart Jennings, Kofi Kekessie
  • Patent number: 9369427
    Abstract: A system, method, and computer-readable medium are described that enable a registry recovery service to retrieve zone files from a target registry, archive the zone files, publish the zone files to a managed DNS server, reconcile ownership of the zone files, and publish the zone files to a provisioning DNS server. The registry recovery service may also implement a WHOIS server for the zone and ownership information and may also implement zone specific features particular to the target registry's TLD. The registry recovery service may also enable DNSSEC extensions on the recovered registry DNS services.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: June 14, 2016
    Assignee: VERISIGN, INC.
    Inventors: James Gould, Tarik Essawi, Kenneth Craddock, Jr., Velmurugan Periasamy, Ramesh Balasubramanian
  • Patent number: RE46158
    Abstract: A method and system are disclosed for detecting interference with a remote visual interface, such as an HTML webpage, at a client computer, particularly to determine if a malicious attack such as an HTML attack has occurred. When the web server receives a request for a page, a script is embedded in the page, and as a consequence the client computer requests at least one session key and at least one one-time password from an enterprise server. The client computer also performs a check of the HTML interface present on the client computer, which an attack of this type would change. The result of the interface check, encrypted with the session key and one-time password, is sent to the enterprise server, so that a comparison with the expected value for the website can be performed.
    Type: Grant
    Filed: November 11, 2014
    Date of Patent: September 20, 2016
    Assignee: THREATMETRIX PTY LTD
    Inventor: Andreas Baumhof