Abstract: A method for capturing VM resources for forensics includes receiving an indication of compromise (IoC). The indication of compromise indicates an attack is imminent against a virtual machine. The method also includes, in response to receiving the IoC and before the attack begins, snapshotting a memory state of memory used by the virtual machine and increasing a level of auditing of the virtual machine from a standard level of auditing to a heightened level of auditing. The heightened level of auditing generates data representative of all accesses to the memory used by the virtual machine. After the attack against the virtual machine has begun, the method includes maintaining the heightened level of auditing for a threshold period of time, notifying a user of the virtual machine of the indication of compromise, and storing the data in memory external to the virtual machine.

Abstract: A method includes receiving, from a user device, a request to store data in a computer storage medium. The method includes generating a local encryption key for a user of the user device. The method includes providing the local encryption key to the user of the user device. The user maintains the local encryption key separate from the user device. The method includes generating a storage encryption key for encrypting the data for storage in the computer storage medium. The method includes encrypting the data with the storage encryption key to generate encrypted data. The method includes encrypting the storage encryption key with the local encryption key to generate an encrypted storage encryption key. The method includes transmitting the encrypted data and the encrypted storage encryption key to the computer storage medium. The method includes removing the storage encryption key and the encrypted storage encryption key from the user device.

Abstract: A secure translator is described herein for use with an insecure device. An insecure device is a computing device that either does not have the ability to or can no longer communicate at desired security levels. The secure translator is configured to act as a proxy for insecure devices, allowing for full translation of any inbound communication to be secured, with information scrubbed or otherwise manipulated, then translated over a direct connection to the insecure device.

Abstract: Methods and apparatus for enhancement of authentication. A method performed by a communication device may comprise sending a first request to a communication equipment, wherein the request comprises a communication device identifier of the communication device. The method may further comprise receiving a first response from the communication equipment, the first response comprising one or more parameters. The method may further comprise generating a first key and a second key based on the received response; The method may further comprise sending a second request to the communication equipment, the second request comprising the first key and a message based on the second key.

Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.

Abstract: A system and methods include a negative certificate authority for distributed management of negative certificates. An authorization restriction is associated with an untrusted user. A negative certificate generated for the untrusted user includes a public key associated with the untrusted user and an authorization restriction. The authorization restriction includes at least one global restriction, which is applicable to each consortium member that subscribes to the negative certificate. The authorization restriction includes at least one local restriction, which allows individual consortium members to further define their own locally applicable restrictions using the negative certificate authority. The negative certificate is accessible to each member of the consortium to enforce the authorization restriction against a transaction request. A secure contributor record including a unique cryptographically generated address is generated for each contributor.

Abstract: An example system includes a plurality of AP devices configured to provide a wireless network at a site, the plurality of AP devices including a first AP device configured to determine a set of roaming candidates within the site for client devices connected to the first AP device, wherein the set of roaming candidates includes one or more AP devices of the plurality of AP selected according to a selection criteria; in response to establishing a connection with a client device, cache a key associated with the client device in the memory of the first AP device; generate a packet with the key associated with the client device, and a list of APs that includes one or more identifiers of the one or more AP devices within the set of roaming candidates for the first AP device; and transmit the packet to the plurality of AP devices at the site.

Abstract: A method for authenticating a transaction that requires the use of a personal identification number (PIN) is provided. The method includes obtaining chip information from a chip that is embedded in a card; receiving a user input that includes the PIN; combining the PIN with the chip information; performing a message authentication code (MAC) operation on the combination in order to generate an application request cryptogram (ARQC); and requesting an authentication of the transaction based on the generated ARQC.

Abstract: Method for detecting data traffic in a communication network, wherein in order to detect data traffic in a communication network, at least one network infrastructure device to which at least one first communication terminal and one second communication terminal are connected provides a monitoring interface that is secured against unauthorized access, is assigned to the two communication terminals, and is intended for detecting data traffic between at least the first and the second communication device, where a device detecting apparatus determines available monitoring interfaces on network infrastructure devices as well as address information assigned to the monitoring interfaces and provides this interface information to at least one recording apparatus that is separate from the at least one network infrastructure device.

Abstract: One or more computing devices, systems, and/or methods for managing security associated with applications are provided. In an example, a central security gateway may determine first security policy information associated with a first application. The central security gateway may establish a first encrypted connection with a first device of the first application. The central security gateway may manage, based upon the first security policy information and using the first encrypted connection, security associated with the first application. The central security gateway may determine second security policy information associated with a second application. The central security gateway may establish a second encrypted connection with a second device of the second application. The central security gateway may manage, based upon the second security policy information and using the second encrypted connection, security associated with the second application.

Abstract: Distributed firewalls in a network are disclosed. Example firewall controllers disclosed herein are to instruct a first network node of a software-defined network to implement a first firewall instance of a distributed firewall, the first network node to implement the first firewall instance with a first virtual machine. Disclosed example firewall controllers are also to configure a second network node of the software-defined network to route network traffic through the first firewall instance and, after at least some of the network traffic is dropped by the first firewall instance, instruct the second network node to implement a second firewall instance of the distributed firewall, the second network node to implement the second firewall instance with a second virtual machine.

Abstract: In one embodiment, an apparatus includes: an integrity circuit to receive data and generate a protection code based at least in part on the data; a cryptographic circuit coupled to the integrity circuit to encrypt the data into encrypted data and encrypt the protection code into an encrypted protection code; a message authentication code (MAC) circuit coupled to the cryptographic circuit to compute a MAC comprising a tag using header information, the encrypted data, and the encrypted protection code; and an output circuit to send the header information, the encrypted data, and the tag to a receiver via a link. Other embodiments are described and claimed.

Abstract: A testing method for verifying keys uses a dataset of integers, the dataset being previously split into subsets of the integers, each subset of the integers having a product data structure for a product of the integers in the subset. Each ordered pair of subsets in the dataset has a remainder data structure for factors of the integers in the subsets of the ordered pair. The method includes creating a subset including integers to be added to the dataset of integers, and generating a product data structure for the created subset, the product data structure based on computing a product of the integers in the created subset. The method also includes identifying distinct ordered pairs of subsets, each distinct ordered pair of subsets including a subset from the dataset and the created subset.

Abstract: A response communication that includes one or more data packets is received at a broker associated with a storage node of a plurality of storage nodes via a virtual network associated with the plurality of storage nodes of a storage system. The one or more data packets are provided, via the virtual network associated with the storage nodes, to a tenant communication component associated with an intended destination. A connection between the broker and the tenant communication component associated with the intended destination is terminated. A new connection between the intended destination and the tenant communication component associated with the intended destination is established. The new connection is associated with a virtual network associated with a storage tenant. The one or more data packets are sent to the intended destination via the virtual network associated with the storage tenant.

Abstract: The present description concerns a method or device wherein an untraceability feature of a first near-field communication device is deactivated by an action on a hardware switch.

Abstract: Systems comprising: a memory; and a hardware processor and configured to: execute a hypervisor having a first portion and a second portion, wherein the first portion of the hypervisor executes at a first exception level that allows the first portion to access data of a virtual machine in the hardware processor and the memory, and wherein the second portion of the hypervisor executes at a second exception level that prevents the second portion from accessing the data of the virtual machine in the hardware processor and the memory. Methods comprising: executing a first portion of a hypervisor at a first exception level that allows the first portion to access data of a virtual machine in a hardware processor and memory; and executing a second portion of a hypervisor at a second exception level that prevents the second portion from accessing the data in the hardware processor and the memory.

Abstract: A system for fully integrated collection of business impacting data, analysis of that data and generation of both analysis driven business decisions and analysis driven simulations of alternate candidate business actions has been devised and reduced to practice. This business operating system may be used to monitor and predictively warn of events that impact the security of business infrastructure and may also be employed to monitor client-facing services supported by both software and hardware to alert in case of reduction or failure and also predict deficiency, service reduction or failure based on current event data.

Abstract: Disclosed embodiments relate to systems and methods for securely and privately auditing web sessions. Techniques include receiving encrypted browser session data; storing the encrypted browser session data at a server; receiving an audit request associated with the stored encrypted browser session data; retrieving the stored encrypted browser session data based on the audit request; and transmitting the encrypted browser session data to an auditor endpoint device to enable access to the browser session data by the auditor endpoint device.

Abstract: Examples of enrollment of virtual devices for unprivileged users are described. In some examples, a virtual device includes an enrollment agent, encrypted enrollment credentials, and a user mode privilege elevation component that elevates privilege of the enrollment agent. A privilege elevated token is created to include an administrative privilege of a local security authority service, and a security context of an unprivileged user account logged in to the virtual device. The enrollment agent is launched using the privilege elevated token rather than a user token of a user that is logged in. The enrollment agent decrypts the encrypted enrollment credentials based on administrative privilege of the privilege elevated token, and enrolls the virtual device with a management service using decrypted enrollment credentials.

Abstract: An event graph can be generated, and, upon malware detection, traversed backward to identify a root cause associated with the malware detection. Using this information, rules for earlier malware detection can be created by analyzing the event graph proximal to the root cause rather than proximal to the malware detection trigger.

Abstract: A computing system may receive a schema of user interface comprising an arrangement of interface elements, each element configured to display data from cells of a database. The system may receive a user permission for the user interface and an element permission for an interface element. The system may generate a policy object for the user interface based on the user permission and the element permission. The policy object specifies which cells of the database can be accessed by the user interface. The system may receive a query from a client device associated with a user to implement a local instance of the user interface. The system may serve the query according to the policy object, where serving the query includes providing data from the database that the user interface provides access to without providing other data from the database that should not be accessible according to the policy object.

Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated by based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.

Abstract: Disclosed is a calculation device. The present calculation device includes: a memory for storing a plurality of homomorphic ciphertexts for an approximate message including an error; and a processor for sorting the plurality of homomorphic ciphertexts by using a 5-way sorter which can sort five homomorphic ciphertexts in a single stage.

Abstract: The present disclosure provides a hierarchical method of identifying unauthorized network traffic in a network by applying, at one of a first plurality of nodes of a network, a first level of network traffic analysis to identify received network traffic as one of authorized or suspicious network traffic, the one of the first plurality of nodes having a first path for traffic routing and a second path to one of a second plurality of nodes of the network, the second path being used for forwarding the suspicious network traffic to the one of the second plurality of nodes; tagging the received network traffic as the suspicious network traffic; and sending the suspicious network traffic to the one of the second plurality of nodes over the second path, the second network node applying a second level of network analysis to determine if the received network traffic is authorized, unauthorized or remains suspicious.

Abstract: Described herein are systems, methods, and software to manage the approval of new computing elements for a private network. In one implementation, an administrator computing device in a private network is configured to receive a notification for a computing element to join the private network, wherein the notification includes a public key for the computing element and supplemental information for the computing element. The administrator computing device further identifies input indicating that the computing element is approved for the private network and, in response to the input, signs at least the public key. Once signed, the administrator computing device distributes the signed public key to one or more other computing elements in the private network.

Abstract: A reliable video streaming method using blockchain technology resisting cyber-attacks such as external and DDOS, malware, virus, and bandwidth reduction during video streaming of mobile devices connected over a same network is provided. The reliable video streaming method enables mobile devices connected to each other over a network to stream video over a reliable network.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically manage consent, permissioning, and trust between computing systems and unrelated, third-party applications operating within a computing environment. By way of example, the apparatus may receive a request for an element of data that includes an access token and first credential data associated with an application program. When the first credential data corresponds to second credential data associated with the application program, may determine that the requested data element is accessible to the application program and perform operations that validate the access token. Further, and based on the validation of the access token, that apparatus may obtain and encrypt the requested data element, and may transmit the encrypted data element to a device via the communications interface.

Abstract: A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determinations is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised an extension of the session between the authenticated user on the client and the web server system is caused.

Abstract: A method for providing an enterprise distribution platform to facilitate software distribution over a public computer network is disclosed. The method includes receiving, via a network interface, a request from the public computer network, the request relating to a solicitation for a software package; determining, by using a network security system, whether the request is forwarded from the public computer network to a private computer network based on a predetermined security rule; authenticating, via a web proxy, the request based on a result of the determining; identifying, based on a result of the authentication, the software package corresponding to the request; retrieving, from a memory, the identified software package; and transmitting, via the network interface, the retrieved software package in response to the request.

Abstract: A system includes at least one processor to receive a second public key, a first random number, and a second random number, and store the second public key, the first random number, and the second random number in an installation record, perform key agreement with a first private key and the second public key to determine a MasterSecret, perform key expansion with the MasterSecret, the first random number, and the second random number to generate a client authentication key, a server authentication key, a client encryption key, and a server encryption key, and store the client authentication key, the server authentication key, the client encryption key, and the server encryption key and delete the MasterSecret.

Abstract: Systems and methods for supporting dynamic disk growth within a virtual storage appliance are provided. According to one embodiment, a portion of a logical size of respective hyperscale disks provided by a hyperscaler are provisioned for use by a virtual storage system as backing for respective file system disks. To accommodate growth, block numbers for the file system disks are pre-allocated within a sparse space of a contiguous sequence of block numbers corresponding to a number of blocks represented by the logical size. Metadata is maintained for the file system disks regarding a range of the pre-allocated block numbers that are available for use. Responsive to a triggering condition, the provisioned portion of a hyperscale disk is increased and subsequently, responsive to detecting a change in a size of the hyperscale disk by the virtual storage system, a size of the corresponding file system disk is updated within the metadata.

Abstract: In one embodiment, a method comprises: generating and maintaining, by a network device in a secure peer-to-peer data network, a secure private key and a corresponding secure public key; establishing, by the network device, a two-way trusted relationship with a second network device in the secure peer-to-peer data network; generating by the network device a temporal key, and encrypting a data packet payload using the temporal key into an encrypted payload; encrypting, by the network device, the temporal key into an encrypted temporal key using a second secure public key of the second network device; and generating and outputting a secure data packet comprising the encrypted temporal key and the encrypted payload, enabling a receiving network device to verify the secure data packet is not a copy based on a determined absence of a prior prescribed hash of at least a portion of the encrypted temporal key.

Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.

Abstract: A system and method for advanced document redaction are disclosed. According to one embodiment, a system comprises a parser that analyzes documents to identify structured, semi-structured, and unstructured data from a document. A candidates generator generates a list of words for redaction from the structured, semi-structured, and unstructured data. A replacement engine replaces one or more words from the list of words with one or more of a replacement word, random characters, and random numbers.

Abstract: A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (ga), the second value (ga) generated based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (mi) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (mi); generate, with the payment network, a public key (pki) based on the second value (ga), the merchant product (M), and the random merchant number (mi) and a random key (rki) based on the merchant product (M) and the random merchant number (mi) for each respective merchant bank; and communicate, with the payment network, the public key (pki) and the random key (rki) to at least one respective merchant bank.

Abstract: A method for distributing an electronic content item for consumption with advertisements is provided. In one embodiment, a content provider creates a license identifying one or more slots within an electronic content item at which advertisements are to be inserted. The license specifies one or more types of advertisements that are not permitted to be inserted into the slots, and also specifies criteria for dynamically selecting advertisements to insert into the one or more slots. The content provider securely associates the electronic license with the electronic content item and distributes the electronic content item and the electronic license to a third party for consumption or subsequent transfer to an end user.

Abstract: A secure data exchange system permits device to exchange secure message keys and securely transmit messages between devices. The devices may initially exchange temporary message keys that are used to encrypt permanent message keys. In addition, devices may have pairing managed that authenticates devices. Devices may be associated with an address ledger that maintains address information and is accessible with a public ledger key, which may provide different access to address information to different paired devices. Data within the system may also be encrypted with user device keys that prevents unauthorized access to data while permitting recreation of the user device key for data backup and migration.

Abstract: A system can register, by a replication component and with a notification component, for notifications to changes in a group of data in data storage, wherein the notification component is configured to write respective changes in the group of data to a replication stream. The system can retrieve, by the replication component, a change of the changes in the group of data from the replication stream. The system can, in response to determining that the change corresponds to a replication policy, replicate, by the replication component, data of the group of data that corresponds to the change to a target system, wherein the replication component is configured to perform a replication on target systems having respective different storage types.

Abstract: Embodiments of the disclosure relate to proxying at least one email resource from at least one email service to at least one client device, determining whether the email resources are accessible to the client devices via at least one unauthorized application on the client devices, and modifying the email resources to be inaccessible via the unauthorized applications on the client devices in response to a determination that the email resources are accessible via the unauthorized applications on the client devices.

Abstract: In one embodiment, a method is disclosed for mobile device security that includes receiving a label ID from a low power mobile device via a first access point, wherein the label ID is a randomized value that substitutes a device address of the low power mobile device during wireless communication. The method includes mapping the label ID to the device address, and transmitting the device address to the first access point, and responsive to the transmitting, causing the first access point to pair with the low power mobile device.

Abstract: An example method of operation may include exchanging data between a client device and a server at a first transmission rate via at least one of a first channel and a second channel, monitoring an amount of data exchanged, comparing the amount of data exchanged to a first data amount threshold and a second data amount threshold for at least one time period, partially limiting subsequent transfers of data between the client device and the server when the first data amount threshold is reached in the at least one time period, and further partially limiting the subsequent transfers of data or ending transfer of data between the client device and the server when the second data amount threshold is reached in the at least one time period.

Abstract: A smart home system such a smart security system includes at least one controlled module capable of performing monitoring and/or control functions, and a controller that is in communication with the controlled module and a user device such as a smart phone or computer tablet. The system is operable to configure the user device with a first set of user interfaces and control functionalities in response to selection of a first operating mode, and to configure the user device with a second set of user interfaces and control functionalities in response to selection of a second operating mode. The first mode may be a master-controller mode in which the user device's graphics are displayed in portrait orientation, and the second mode may be a panel mode in which the user device's graphics are displayed in landscape orientation.

Abstract: A method for managing data availability includes making a first determination by a first security module (FSM) that a first storage area network (SAN) infrastructure in a first data center has experienced a failure. The method also includes generating a secure string based on a first configuration parameter. Further, the method includes appending the secure string to a SAN failure notification to generate a secure string-appended request. In addition, the method includes sending the secure string-appended request to a second data center, wherein the second data center is selected based on a second configuration parameter. Moreover, the method includes making a second determination that the encrypted secure string-appended request is valid. Further, the method includes offloading processing of requests sent to the first data center using the second data center.

Abstract: A user accesses a remote session, the connection to which is managed by a connection broker, according to a single sign-on (SSO) process. The SSO process includes the user entering his or her credentials and being authenticated to the connection broker. In addition to user authentication, the SSO process includes connection broker authentication to confirm that the connection broker is trustworthy. When the connection broker is authenticated, the user credentials are transmitted to the connection broker in a secure manner and the connection broker forwards them onto a machine hosting the remote session so that the user can be logged into the remote session without entering his or her credentials again.

Abstract: A computer-implemented method, according to one approach, includes: determining whether a destination for a domain name system (DNS) query corresponds to an existing source network address translation (SNAT) port in response to receiving the DNS query. In response to determining that the destination for the DNS query corresponds to an existing SNAT port, the DNS query is modified to incorporate the existing SNAT port. A map entry corresponding to the existing SNAT port is also updated, and the modified DNS query is satisfied. Other systems, methods, and computer program products are described in additional approaches.

Abstract: The present disclosure relates to a method, apparatus, and computer program for setting an encryption key in a wireless communication system; and a recording medium for same. According to one embodiment of the present disclosure, a method for setting an encryption key size in a wireless communication system may comprise: a step in which a first controller of a first device receives a first message containing information on a minimum value of a first encryption key size from a first host of the first device; and a step in which the first controller transmits, to the first host, a second message indicating an encryption change. The second message may contain information on the first encryption key size.

Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data for distributed resolvers using a hash to policy pair (HPP) database are described. A DNS security service receives metadata including PII associated with a client. A cryptographic hash function is applied to the metadata including PII associated with the client to generate a client hash value. A client HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client. The client HPP is stored in a HPP database. A distributed resolver is authorized to provide DNS services to the client. Finally, the HPP database is published to the distributed resolver.

Abstract: Some embodiments provide a method for authorizing application programming interface (API) calls on a host computer in a local cluster of computers. The method is performed in some embodiments by an API-authorizing agent executing on the host computer in the local computer cluster. From a remote cluster of computers, the method receives (1) a set of API-authorizing policies to evaluate in order to determine whether API calls to an application executing on the host computer are authorized, and (2) a set of parameters needed for evaluating the policies. With the remote cluster of computers, the method registers for notifications regarding updates to the set of parameters. The method then receives notifications, from the remote cluster, regarding an update to the set of parameters, and modifies the set of parameters based on the update.

Abstract: Systems, computer program products, and methods are described herein for establishing secure communication channels for peripheral hardware devices. The present invention is configured to receive, via a computing device system comprising at least one peripheral hardware device, a request to begin a virtual interaction between the computing device system and a virtual network system configured to establish connections and transmit information across or between systems. The invention may then establish the virtual interaction via a first communication channel and then receive a request to establish a second communication channel, where the second communication channel comprises a direct communication channel between the at least one peripheral hardware device and the virtual network system that is separate and distinct from the first communication channel.

Abstract: Apparatus and methods disclosed herein provide technical solutions improving the security of email messages. An email message may be encrypted so that a predetermined passcode is not required to access the email message. Apparatus and methods may route email messages through a remote portal. The email message may only be transmitted to the recipient via the portal. In some instances, the contents of an email message may not be transmitted from the portal to the recipient. Rather, the recipient may only access the email message from within the portal. Such restricted access may be preferably less complex because the recipient's computer terminal may automatically connect to the portal.