Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11677719
    Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.
    Type: Grant
    Filed: February 19, 2021
    Date of Patent: June 13, 2023
    Assignee: NICIRA, INC.
    Inventor: Donghai Han
  • Patent number: 11677787
    Abstract: A user tracking method includes collecting cookies in a log according to a user action on the Internet and collecting chain information by Internet communication as third information different from the cookie, and grouping cookies based on the chain information.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: June 13, 2023
    Assignee: NAVER CORPORATION
    Inventors: Youngjin Kim, Moweon Lee
  • Patent number: 11677826
    Abstract: Efficient data transfer is disclosed. A server provides an endpoint for a client. The client can communicate with a cloud storage system through the server rather than connect directly to the cloud storage system. The server is configured to perform requests in a manner that reduces the amount of data transferred to and from the cloud storage system.
    Type: Grant
    Filed: July 16, 2021
    Date of Patent: June 13, 2023
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Kimberly R. Lu, Nicholas A. Noto, Philip N. Shilane
  • Patent number: 11671447
    Abstract: In one embodiment, a device in a network receives traffic sent from a first endpoint. The device sends a padding request to the second endpoint indicative of a number of padding bytes. The device receives a padding response from the second endpoint, after sending the padding request to the second endpoint. The device adjusts the received traffic based on the received padding response by adding one or more frames to the received traffic. The device sends the adjusted traffic to the second endpoint.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: June 6, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew
  • Patent number: 11671433
    Abstract: A cloud-based security system includes a plurality of enforcement nodes connected to one another; a central authority connected to the plurality of enforcement nodes; and a Data Loss Prevention (DLP) service executed between the plurality of enforcement nodes, wherein the DLP service includes one or more DLP rules based on one or more DLP engines for a tenant, and wherein, for the DLP service, a first enforcement node is configured to monitor traffic of a user of the tenant, detect a DLP rule violation based on the one or more DLP rules, and forward DLP incident information to a second enforcement node, and the second enforcement node is configured to transmit the DLP incident information to a server for the tenant, including both DLP triggering content that causes the DLP rule violation and DLP scan metadata.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: June 6, 2023
    Assignee: Zscaler, Inc.
    Inventors: Narinder Paul, Arun Bhallamudi, James Tan, Frank Zhang, Pooja Deshmukh
  • Patent number: 11669554
    Abstract: This disclosure relates to personalized and dynamic server-side searching techniques for encrypted data. Current so-called ‘zero-knowledge’ privacy systems (i.e., systems where the server has ‘zero-knowledge’ about the client data that it is storing) utilize servers that hold encrypted data without the decryption keys necessary to decrypt, index, and/or re-encrypt the data. As such, the servers are not able to perform any kind of meaningful server-side search process, as it would require access to the underlying decrypted data. Therefore, such prior art ‘zero-knowledge’ privacy systems provide a limited ability for a user to search through a large dataset of encrypted documents to find critical information.
    Type: Grant
    Filed: October 14, 2022
    Date of Patent: June 6, 2023
    Assignee: Entefy Inc.
    Inventors: Alston Ghafourifar, Philip Nathan Greenberg, Mehdi Ghafourifar
  • Patent number: 11671403
    Abstract: A relay device includes a communicator configured to transmit and receive a message to and from the communication device, and a processor configured to acquire a public key of a communication device that is a transmission source of the message from the node and authenticates a signature included in the message with the acquired public key, wherein the processor causes, when receiving a communication message including communication data to be transmitted to a second communication device by a first communication device, the processor to perform authentication on the communication message, and the communicator transmits the communication message to the second communication device when the authentication is successful.
    Type: Grant
    Filed: August 20, 2020
    Date of Patent: June 6, 2023
    Assignee: FUJITSU LIMITED
    Inventor: Dai Suzuki
  • Patent number: 11671453
    Abstract: A Secure/Multipurpose Internet Mail Extensions (S/MIME) key material publication system that converts cryptographic material extracted from digitally signed and validated S/MIME messages it receives into key material formats suitable for populating email address books. Publication of the address book contents both internal and external to an organization is done using the standard address book lightweight database access protocol (LDAP). The wide availability and coordination of such automated address books distributing key material across the Internet allows the large installed base of S/MIME email clients to immediately send secure encrypted email across organizational boundaries. The system serves the role of public key server thus removing a barrier to ubiquitous secure encrypted email by simplifying global key management.
    Type: Grant
    Filed: June 17, 2021
    Date of Patent: June 6, 2023
    Inventors: Richard Lamb, Fredrik Ljunggren
  • Patent number: 11664983
    Abstract: Embodiments are disclosed for a quantum key distribution enabled intra-datacenter network. An example system includes a first vertical cavity surface emitting laser (VCSEL), a second VCSEL and a network interface controller. The first VCSEL is configured to emit a first optical signal associated with data. The second VCSEL is configured to emit a second optical signal associated with quantum key distribution (QKD). Furthermore, the network interface controller is configured to manage transmission of the first optical signal associated with the first VCSEL and the second optical signal associated with the second VCSEL via an optical communication channel coupled to a network interface module.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: May 30, 2023
    Assignee: Mellanox Technologies, Ltd.
    Inventors: Elad Mentovich, Itshak Kalifa, Ioannis (Giannis) Patronas, Paraskevas Bakopoulos, Eyal Waldman
  • Patent number: 11664999
    Abstract: Systems and methods related to ensuring the integrity of data stored in a memory by using a watermark are described. An example method in a system including a processor and a memory may include receiving data for storage at an address in the memory. The method may further include after encoding the data with an error correction code to generate intermediate data having a first number of bits, reversibly altering the intermediate data with a watermark to generate watermarked data for storage in the memory, where the watermark is generated by applying a cryptographic function to a user key and the address, and where the watermarked data has a second number of bits equal to the first number of bits.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: May 30, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: John Grant Bennett, Greg Zaverucha
  • Patent number: 11658820
    Abstract: A distributed system, such as a distributed storage system in a virtualized computing environment and having storage nodes arranged in a cluster, is provided by a management server with a transition period between non-encryption and encryption modes of operation. The transition period enables all of the nodes to complete a transition from the non-encryption mode of operation to the encryption mode of operation, without loss of data-in-transit (DIT). An auto-remediation feature is provided by the management server to the cluster, so as to fix inconsistent state(s) of one or more nodes in the cluster.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: May 23, 2023
    Assignee: VMWARE, INC.
    Inventors: Wei Fang, Haoran Zheng, Tao Xie, Yun Zhou, YangYang Zhang
  • Patent number: 11658969
    Abstract: Aspects of the subject disclosure may include, for example, receiving, by a processing system including a processor that is operative in a first communication network, a certificate from a communication device that is operative in a second communication network, extracting, by the processing system, an identifier of the communication device from the certificate, authenticating, by the processing system, the communication device in accordance with the identifier, comparing, by the processing system, the identifier with a plurality of identifiers to determine that the communication device is authorized to access data, resulting in an authorization determination, and transmitting, by the processing system, the data to the communication device based on the authorization determination. Other embodiments are disclosed.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: May 23, 2023
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Timothy Yao, Christopher Bryant, Qun Wei
  • Patent number: 11651099
    Abstract: A remote browsing session is initiated between a remote browser client executing on a client device and a remote browser host executing on a remote browser server. The remote browser host receives from the client device, encrypted remote browser data of remote browser data that affects the remote browser session. The remote browser client does not have access to a decryption key for the encrypted remote browser data. The encrypted remote browser data is decrypted to reveal the remote browser data including data for one or more cookies. The remote browser host is configured with the remote browser data. The remote browser host manages updates to the remote browser data during the remote browsing session including updates to one or more cookies. Periodically, updates to the remote browser data are encrypted and transmitted to the remote browser client for storage.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: May 16, 2023
    Assignee: CLOUDFLARE, INC.
    Inventors: Joshua Thomas Claeys, Benjamin Buzbee, Pierre Cauchois, Killian Koenig, Trevor Sundberg
  • Patent number: 11645399
    Abstract: Disclosed are various embodiments for searching encrypted data. A search query containing a plaintext key can be received from a client device or other application. A request can then be sent to a storage engine for a ciphertext key of a node of a binary tree, the node representing an encrypted key-value pair that includes the ciphertext key. The ciphertext key can be decrypted using a cryptographic key to generate a decrypted ciphertext key. Then, the decrypted ciphertext key can be compared to the plaintext key. A determination can then be made as to whether the encrypted key-value pair represented by the node of the binary tree satisfies the search query based at least in part on a comparison of the decrypted ciphertext key to the plaintext key.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: May 9, 2023
    Assignee: American Express Travel Related Services Company, INC.
    Inventor: John Orlando Keleshian Moxley
  • Patent number: 11647041
    Abstract: A system and method enabling enterprises to engage in cyber threat information sharing in a privacy-enhanced fashion. The invention reduces the enterprise's risk to sensitive information leakage by inducing a state in the information it shares such that, when an enterprise's shared data attributes are interdependent, the sensitive features (those to be kept private to the enterprise) are not deducible by another enterprise. This state is accomplished by employing rough set theory to undermine the deductive route to the data's sensitive features.
    Type: Grant
    Filed: September 19, 2019
    Date of Patent: May 9, 2023
    Assignee: United States of America as represented by the Secretary of the Air Force
    Inventors: Laurent Y Njilla, Celestin Wafo Soh
  • Patent number: 11641348
    Abstract: A method for encrypting data when a device is offline is disclosed. In the method, a determination is made as to whether a successful connection with a remote server computer can or cannot be made. If a connection cannot be made, then data can be encrypted with an ephemeral public key. Later, when a connection is available, the encrypted data can be transmitted to the remote server computer for processing.
    Type: Grant
    Filed: October 27, 2020
    Date of Patent: May 2, 2023
    Assignee: Visa International Service Association
    Inventors: Rhidian John, Bartlomiej Piotr Prokop, Michael Palmer
  • Patent number: 11641350
    Abstract: An information processing system includes: a service system, a plurality of agent machines, and a plurality of encryption machines. The plurality of agent machines and the plurality of encryption machines are divided into a plurality of groups, and each group includes at least two encryption machines and a plurality of agent machines communicatively connected to the at least two encryption machines. The encryption machine is configured to encrypt and decrypt data from the service system and to perform signature verification on the data when the service system performs a security call on the encryption machine via the agent machine in the group containing the encryption machine. The service system is configured to perform service processing and to perform the security call on the encryption machine via the agent machine in the group containing the encryption machine.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: May 2, 2023
    Assignee: NETSUNION CLEARING CORPORATION
    Inventors: Zhizhang Teng, Tong Zhao, Cunjing Shen, Chaoqun Li
  • Patent number: 11637828
    Abstract: Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: April 25, 2023
    Assignee: Open Text Corporation
    Inventors: Sachin Gopaldas Totale, Muneer Ahmed, Harish Rawat, Rajakumar Thiruvasagam, Lakshmi Narayana Prasad Kakumani
  • Patent number: 11632385
    Abstract: In one implementation, a system for the prevention of malicious attack on a computing resource includes one or more processor; computer memory storing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: observing traffic flow of a network; altering a SYN threshold value based on the observing of the traffic flow of the network; comparing a metric of SYN messages submitted to the network; and based on the comparison of the metric of SYN messages submitted, selectively engaging corrective action with the network.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: April 18, 2023
    Assignee: University of South Florida
    Inventors: Mohamed Rahouti, Kaiqi Xiong
  • Patent number: 11630896
    Abstract: Biometric keystroke measure data derived from a computer-implemented long form examination taken by an examinee is received. Features are then extracted from the biometric keystroke measure data for the examinee. A similarity value is then determined, using one or more of a direct distance approach or a machine learning approach, for the extracted features relative to features extracted from biometric keystroke measure data derived from each of a plurality of other examinees while taking the long form examination. At least one of the determined similarity values is then identified having a value above a pre-defined threshold. The pre-defined threshold indicates a likelihood of the examinee being the same as one of the other examinees. Data can then be provided that characterizes the identification. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: April 18, 2023
    Assignee: Educational Testing Service
    Inventors: Paul Douglas Deane, Ick Kyu Choi, Jiangang Hao, Mo Zhang
  • Patent number: 11627074
    Abstract: A network device includes at least one port, a memory, data-path circuitry, and a processor. The at least one port is to exchange packets with a network. The data-path circuitry is to process the packets. The memory is to store signatures of traffic patterns according to a locality-sensitive signature function, and corresponding parameter settings for the data-path circuitry. The processor is to assess a current traffic pattern of the packets, to calculate a current signature over the current traffic pattern using the locality-sensitive signature function, to query the memory using the current signature, to configure the data-path circuitry, in response to finding a stored signature that is within a specified distance from the current signature, with a parameter setting that corresponds to the found signature, and take an alternative action in response to finding that no stored signature is within the specified distance from the current signature.
    Type: Grant
    Filed: January 24, 2022
    Date of Patent: April 11, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Yair Chasdai, David Daniel Pilnik, Maty Golovaty, Liran Daniel, Ran Sandhaus
  • Patent number: 11626976
    Abstract: An information processing system capable of processing the encrypted data efficiently is provided. The information processing system of the present invention includes: a key management unit configured to manage a system key; a storage unit configured to store an encryption data encrypted by the system key; and a processing execution unit configured to temporarily construct a virtual execution environment protected from a standard execution environment and decrypt the encryption data in the virtual execution environment based on the system key acquired from the key management unit.
    Type: Grant
    Filed: August 3, 2022
    Date of Patent: April 11, 2023
    Assignee: EAGLYS Inc.
    Inventor: Hiroki Imabayashi
  • Patent number: 11622273
    Abstract: The technology includes a method performed by a security system of a 5G network. The security system is instantiated to sort incoming or outgoing network traffic at a perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple functions or applications and one of multiple security levels. The system can inspect portions of incoming network traffic that contain addressing information required for the network traffic to reach an intended application or function, sorting the incoming network traffic into the groups based in part on the inspection of the portions of the network traffic, and dynamically directing the network traffic for the 5G network based on a particular security level associated with a particular application or a particular function of each of the groups.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: April 4, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Venson Shaw
  • Patent number: 11621947
    Abstract: In a messaging server, processing circuitry receives a network packet that encapsulates a user message from a wireless User Equipment (UE) over a wireless communication network. In response to the network packet, the processing circuitry transfers the user message to ledger circuitry in the messaging server. The ledger circuitry executes a distributed ledger transaction based on a source domain and a destination domain in the user message. The ledger circuitry transfers the user message to the processing circuitry after the distributed ledger transaction. The processing circuitry receives the user message from the ledger circuitry and generates a new network packet for delivery to the destination domain that encapsulates the user message. The ledger circuitry transfers the new network packet that encapsulates the user message for delivery to the destination domain.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: April 4, 2023
    Assignee: T-MOBILE INNOVATIONS LLC
    Inventors: Lyle Walter Paczkowski, Ronald R. Marquardt, Ivo Rook
  • Patent number: 11616758
    Abstract: A network address translation device or similarly situated network device can cooperate with endpoints on a subnet of an enterprise network to secure endpoints within the subnet. For example, the network address translation device may be configured, either alone or in cooperation with other network devices, to block traffic from a compromised endpoint to destinations outside the subnet, and to direct other endpoints within the subnet to stop network communications with the compromised endpoint.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: March 28, 2023
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11616769
    Abstract: The present disclosure provides computing systems and techniques for providing a certificate to use to securely connect to a server. More particularly, the present disclosure provides a computing device certificate rotation server arranged to provide certificates to the computing device for use by an application executing on the computing device to securely connect to a server.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: March 28, 2023
    Assignee: Capital One Services, LLC
    Inventors: Panayiotis Varvarezis, Mausam Gautam, Chad Alan Landis, Edward Han Lee, Reza Jaberi
  • Patent number: 11611436
    Abstract: A technique provides cohesive and secure access to management services of a distributed storage architecture deployed on compute and storage nodes of a cluster. The management services are organized as a platform that encompasses a plurality of underlying individual services each having an applications programming interface (API) that are together securely accessible via an API gateway. The gateway is configured to support a “browsable” directory of the APIs that enables a client to identify various underlying services available within the cluster. In an embodiment, the underlying services “self-register” at the gateway to provide a single, unified location for the client to access the services. The API gateway includes a reverse-proxy server that is configured to provide a single point of entry for clients interacting with the individual services underlying the management services platform.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: March 21, 2023
    Assignee: NetApp, Inc.
    Inventors: Eric Ziegler, Adam Haid, Brian Macdonald
  • Patent number: 11604658
    Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch is configured to intercept address resolution protocol (ARP) requests for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.
    Type: Grant
    Filed: June 11, 2021
    Date of Patent: March 14, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: David W. Chang, Abhijit Patra, Nagaraj Bagepalli, Dileep Kumar Devireddy, Ganesh Sadasivan
  • Patent number: 11606386
    Abstract: Disclosed herein are system, method, and computer program product embodiments for restoring an electronic device. An embodiment operates by receiving a request for restoring a portion of data from a point of time onto the electronic device. Thereafter, the portion of data is scanned for a virus. Based on the detection of the virus, a determination is made on whether to proceed with restoring the electronic device with the portion of data. If the determination is made to proceed with the restoring of the electronic device, the portion of data is subsequently transmitted to the electronic device. The portion of data is stored in a backup repository remote from the electronic device.
    Type: Grant
    Filed: March 4, 2022
    Date of Patent: March 14, 2023
    Assignee: VEEAM SOFTWARE AG
    Inventors: Ratmir Timashev, Anton Gostev
  • Patent number: 11606213
    Abstract: A communication device stores a first secret key and a first public key, and the on-vehicle authentication device stores a second secret key, a second public key and a signature verification key. The on-vehicle authentication device acquires the first public key, verifies the authenticity of the electronic signature using a signature verification key, encrypts the second public key using the authentic first public key and transmits the encrypted second public key. The communication device receives the encrypted second public key, decrypts the encrypted second public key using the first secret key, encrypts the first public key using the decrypted second public key. The on-vehicle authentication device receives the encrypted first public key, decrypts the encrypted first public key using the second secret key, and authenticates that the communication device is an authentic device when the decrypted first public key has been determined to be authentic.
    Type: Grant
    Filed: June 19, 2018
    Date of Patent: March 14, 2023
    Assignees: National University Corporation Nagoya University, AutoNetworks Technologies, Ltd., Sumitomo Wiring Systems, Ltd., Sumitomo Electric Industries, Ltd.
    Inventors: Hiroaki Takada, Ryo Kurachi, Hiroshi Ueda
  • Patent number: 11606202
    Abstract: A method is disclosed of secure data transmission comprising sending a data request from a client device to a server device, the data request comprising a first share of a first encryption key, and a first location in the database at which is located desired double-encrypted data; receiving the sent data request at the server device; extracting, at the server device, the first share and the first location from the received data request; obtaining, at the server device, the desired double-encrypted data from the database using the extracted first location; generating, at the server device, the first encryption key using the extracted first share and one or more additional shares of the first encryption key held by the server device; and decrypting, at the server device, the obtained desired double-encrypted data using the generated first encryption key to form single-encrypted data.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: March 14, 2023
    Assignee: AMARYLLIS VENTURES LIMITED
    Inventor: Neil Edward John Cooke
  • Patent number: 11601278
    Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a communication link according to a media access control security (MACsec) Key Agreement (MKA). The IED receives a plurality of access control secure association keys (SAKs) via the communication link. The IED receives one or more checked-out SAKs indicating a request to access the IED. The IED allows access based on the one or more checked-out access control SAKs matching at least one of the plurality of access control SAKs.
    Type: Grant
    Filed: March 25, 2021
    Date of Patent: March 7, 2023
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: Colin Gordon, Timothy J. Watkins, Paul Stoaks, Duane C. Skelton, Dennis Gammel
  • Patent number: 11595352
    Abstract: The devices and methods relate to web categorization of web requests. The devices and methods may perform a two-step classification of the web requests. The first classification may provide potential web categories for web request based on a fully qualified domain name (FQDN) of the web request. The first classification may be used to determine whether transport layer security (TLS) termination may be performed on the web request. The second classification may provide a web category for a uniform resource locator (URL) of the web request after performing the TLS termination. The web category may be used by a firewall in filtering web traffic for the web request.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: February 28, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Suren Jamiyanaa, Yair Tor, Sudharsan Balakrishnan Sripadham, Daniel Manesku, Andrey Terentyev, Murali Krishna Sangubhatla
  • Patent number: 11596027
    Abstract: A method, implemented in a cloud-based system, includes, responsive to a client device having a Subscriber Identity Module (SIM) card therein connecting to a mobile network from a mobile network operator, receiving authentication of the client device based on the SIM card; receiving forwarded traffic from the client device; and processing the forwarded traffic according to policy, wherein the policy is determined based on one of a user of the client device and a type of the client device, each being determined based on the SIM card.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: February 28, 2023
    Assignee: Zscaler, Inc.
    Inventor: Nathan Howe
  • Patent number: 11593308
    Abstract: In some examples, a system may determine a mountpoint included in a first filesystem for mounting a userspace filesystem. For instance, the userspace filesystem may be executable in a userspace provided by an operating system. The system may determine a bind mount path for a mount path corresponding to the mountpoint. The system may bind mount, to the determined bind mount path, at least a portion of a second filesystem associated with the mount path corresponding to the mountpoint. In addition, the system may mount the userspace filesystem at the mountpoint, and may incorporate data from the second filesystem into the userspace filesystem through the bind mount path.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: February 28, 2023
    Assignee: HITACHI VANTARA LLC
    Inventor: Scott Anthony Yaninas
  • Patent number: 11593084
    Abstract: A method includes receiving code for computer programming, analyzing the code and extracting a plurality of configuration properties from the code. In the method, one or more configuration files are generated from the extracted plurality of configuration properties, and microservice code is generated from the one or more configuration files. The microservice code is configured for deployment on one or more cloud computing platforms.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: February 28, 2023
    Assignee: Dell Products L.P.
    Inventors: Hung Dinh, Rajesh Krishnan, Pallavi Jaini, Puttaraju Chikkanna, Nikhil Reddy Kota, Madhu Chilipi, Venkat S. Ramachandran, Navin Kumar, Nithiyanandham Tamilselvan, Naga Kalyan Kambapu, Desai Yarlagadda, Lakshmi Prasad Banala, Shubham Gupta, Reddeppa Kollu, Sabu K. Syed, Anubhab Mohanty, Vibhor Sharma, Md Shadab Ali
  • Patent number: 11595369
    Abstract: Apparatus and method for local authentication of a collection of processing devices, such as but not limited to storage devices (e.g., SSDs, etc.). In some embodiments, an edge computing device is coupled between the collection of processing devices and an external network. The edge computing device performs a network authentication over the external network with a remote server using an edge token. The edge computing device further performs a local authentication of the collection using storage tokens of the respective processing devices, with the local authentication not utilizing the external network or the remote server. Both the edge token and the storage tokens may be generated from a client token of a client device.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: February 28, 2023
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 11586769
    Abstract: An automatically predetermined credential system for a remote administrative operating system (OS) authorization and policy control is disclosed. Administrative activities are packaged in a single-use downloaded software program. When executed, the administrative access to the OS is activated before completing the administrative activities. The single-use downloaded software program has policies that perform checks on a user computer executing the software program. The policies include checking firewall settings, confirming virus checking, interrogating software to confirm patches or updates have been performed, checking for key loggers or other surveillance software or devices. The single-use downloaded software is protected with a passcode to prevent activation in an unauthorized way.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: February 21, 2023
    Assignee: Netskope, Inc.
    Inventors: Matthew D. Adams, Daniel F. Taylor
  • Patent number: 11588828
    Abstract: Systems and methods are provided for automated retrieval, processing, and/or distribution of cyber-threat information using a cyber-threat device. Consistent with disclosed embodiments, the cyber-threat device may receive cyber-threat information in first formats from internal sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may receive cyber-threat information in second formats from external sources of cyber-threat information using an accessing component of the cyber-threat device. The cyber-threat device may process the received cyber-threat information in the first formats and the second formats into a standard format using a processing component of the cyber-threat device. The cyber-threat device may provide the processed items of cyber-threat information to a distributor using a distributing component of the cyber-threat device.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: February 21, 2023
    Assignee: Capital One Services, LLC
    Inventor: Nathan Weilbacher
  • Patent number: 11586738
    Abstract: Systems and methods for evaluating security risks using a manufacturer-signed software identification manifest are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive a request to perform attestation of a client device; retrieve, from an agent executed by the client device, a manifest comprising: (i) a signature portion encrypted with a first key, and (ii) a software identification (SWID) portion encrypted with a second key; retrieve the first key from a manufacturer database; retrieve the second key from a customer database; decrypt the signature and the manifest with the first and second keys; and perform the attestation using the decrypted manifest.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: February 21, 2023
    Assignee: Dell Products, L.P.
    Inventors: Charles D. Robison, Nicholas D. Grobelny
  • Patent number: 11588850
    Abstract: Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated, while allowing communication of priority messages. A security management component (SMC) can determine whether a malicious attack against the RAN is occurring based on a defined baseline that indicates whether a malicious attack is occurring. The defined baseline is determined based on respective characteristics associated with respective devices that are determined based on analysis of information relating to the devices. In response to determining there is a malicious attack, SMC determines whether to block connections of devices to the RAN based on respective priority levels associated with respective messages being communicated by the devices.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: February 21, 2023
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Deon Ogle, Yaron Koral, Cagatay Buyukkoc, Nicholas Arconati, Jitendra Patel, Bogdan Ungureanu
  • Patent number: 11588856
    Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. When new industrial devices are subsequently installed on the plant floor, the system determines whether a security policy defined by the model is applicable to the new device and commissions the new device to comply with any relevant security policies. This mitigates the necessity for a system administrator to manually configure individual devices to comply with plant-wide security policies.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: February 21, 2023
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: David E Huffman, Taryl Jasper, Jack Visoky
  • Patent number: 11582142
    Abstract: A communication control method which performs route control in a communication system comprising: a specific network constituting the Internet; a first network configured to accommodate a specific device connected to the specific network; a second network provided between the specific network and the first network; and a processing device configured to perform predetermined processing on the basis of a packet transmitted between the specific network and the first network, the communication control method comprising: causing a path setting device in the communication system to execute a communication route-setting process comprised of, in accordance with first routing information defining a path leading from the first network to the specific network to be branched in the second network, controlling a path so that a first path of the branched path is set as a path via the processing device, and a second path of the branched path is set as a path leading to the specific network.
    Type: Grant
    Filed: September 20, 2017
    Date of Patent: February 14, 2023
    Assignee: NTT Communications Corporation
    Inventors: Mahoko Tamura, Yoshinao Kurihara, Kazuki Oodo, Kento Ikeda, Hiroshi Sakoda, Takanori Mizuguchi, Yasuhiro Hataya, Kazuki Sato, Kaname Nishizuka, Tomohiro Kimura, Masashi Sakurada, Kyoko Onojima
  • Patent number: 11582257
    Abstract: Methods and systems for assessing internet exposure of a cloud-based workload are disclosed. A method comprises accessing at least one cloud provider API to determine a plurality of entities capable of routing traffic in a virtual cloud environment associated with a target account containing the workload, querying the at least one cloud provider API to determine at least one networking configuration of the entities, building a graph connecting the plurality of entities based on the networking configuration, accessing a data structure identifying services publicly accessible via the Internet and capable of serving as an internet proxy; integrating the identified services into the graph; traversing the graph to identify at least one source originating via the Internet and reaching the workload, and outputting a risk notification associated with the workload. Systems and computer-readable media implementing the above method are also disclosed.
    Type: Grant
    Filed: April 8, 2022
    Date of Patent: February 14, 2023
    Assignee: ORCA SECURITY
    Inventor: Avi Shua
  • Patent number: 11582027
    Abstract: A device management service of a provider network maintains a device repository that is accessible to a remote managed network. The device management service assigns different service credentials for different edge devices indicated by the device repository. For a particular edge device, the device management service provides, based on the service credentials assigned for the edge device, secure transmission of a message between the device management service and a network manager of the managed network. The network manager of the managed network provides secure transmission of the message between the network manager and the edge device based on local credentials assigned for the edge device.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: February 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Craig Lawton
  • Patent number: 11582604
    Abstract: Generally described, the presently disclosed technology utilizes managed Wi-Fi networks pre-installed throughout an MDU property to provide user-specific passphrases that can be used to access the single-SSID wireless network at the property and to provide a cloud portal that can enable convenient access to the functionalities (both by the resident and the manager) provided by the Wi-Fi controller and the Wi-Fi access points. By doing so, the Wi-Fi network management solutions described herein allow the users to experience the benefits of a shared Wi-Fi infrastructure, such as not having to set up and maintain their own Wi-Fi routers, while also allowing them to easily change their Wi-Fi settings from their connected devices.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: February 14, 2023
    Assignee: Nomadix, Inc.
    Inventors: Vadim Olshansky, Gaurav Jain
  • Patent number: 11579910
    Abstract: Techniques are provided for enforcing policies at a sub-logical unit number (LUN) granularity, such as at a virtual disk or virtual machine granularity. A block range of a virtual disk of a virtual machine stored within a LUN is identified. A quality of service policy object is assigned to the block range to create a quality of service workload object. A target block range targeted by an operation is identified. A quality of service policy of the quality of service policy object is enforced upon the operation using the quality of service workload object based upon the target block range being within the block range of the virtual disk.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: February 14, 2023
    Assignee: NetApp, Inc.
    Inventor: Dean Alan Kalman
  • Patent number: 11580552
    Abstract: A method for preventing duplicate processing of a payment transaction includes: generating a first data structure with a first predetermined time interval and generating a second data structure with a second predetermined time interval. A first overlap region and second overlap region of the first and second predetermined time interval are defined by a same time interval. The method includes receiving first transaction data associated with a first payment transaction, receiving second transaction data associated with a second payment transaction, and determining based on a first transaction ID and a second transaction ID, that the second payment transaction is a duplicate of the first payment transaction. A computer program product and system for preventing duplicate processing of a payment transaction are also disclosed.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: February 14, 2023
    Assignee: Visa International Service Association
    Inventor: Jie Zhang
  • Patent number: 11575661
    Abstract: Described herein are systems, methods, and software to manage private networks for computing elements. In one example, a computing element may obtain credential information associated with a user and generate a public-private key pair for the computing element. The computing element may further communicate the public key from the pair with metadata to a coordination service to register the computing element at the coordination service. Once registered, the computing element may receive communication information associated with one or more other computing elements that permit the computing element to communicate with the other computing elements.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: February 7, 2023
    Assignee: Tailscale Inc.
    Inventors: David F. Carney, Avery Pennarun, David J. Crawshaw
  • Patent number: 11575660
    Abstract: Systems, methods, software and apparatus enable end-to-end encryption of group communications by implementing a pairwise encryption process between a pair of end user devices that are members of a communication group. One end user device in the pairwise encryption process shares a group key with the paired end user device by encrypting the group key using a message key established using the pairwise encryption process. The group key is shared among group members using the pairwise process. When a transmitting member of the group communicates with members, the transmitting member generates a stream key, encrypts stream data using the stream key, encrypts the stream key with the group key, then transmits the encrypted stream key and encrypted stream data to group members. The group key can be updated through the pairwise encryption process. A new stream key can be generated for each transmission of streaming data such as voice communications.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: February 7, 2023
    Assignee: Orion Labs, Inc.
    Inventor: Greg Albrecht