Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11968209
    Abstract: Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication.
    Type: Grant
    Filed: March 13, 2023
    Date of Patent: April 23, 2024
    Assignee: Open Text Corporation
    Inventors: Sachin Gopaldas Totale, Muneer Ahmed, Harish Rawat, Rajakumar Thiruvasagam, Lakshmi Narayana Prasad Kakumani
  • Patent number: 11968123
    Abstract: Methods, non-transitory computer readable media, network traffic manager apparatuses, and systems that assist with allocating a traffic load through heterogenous topology of a network includes extracting a header of each of a plurality of received packets of a traffic flow. Each of the headers comprises fields. Next, the network traffic manager apparatus executes a hashing function over the fields of each of the headers, applies a load balancing function to determine one of a plurality of endpoints to send each of the received packets based on one or more endpoint characteristics, and maps the index for each corresponding one of the received packets to the corresponding selected one of the endpoints. The received packets are not evenly divided among the plurality of endpoints. Lastly, the network traffic manager apparatus sends the received packets to the selected endpoint based on the mapping from the load balancing policy.
    Type: Grant
    Filed: December 8, 2022
    Date of Patent: April 23, 2024
    Assignee: F5, Inc.
    Inventors: Adam Huson, Hao Cai, Navin Donkana
  • Patent number: 11962679
    Abstract: Collaborative multiparty homomorphic encryption comprising receiving a linear common public key collaboratively generated by a plurality of parties as a sum of linear public key shares associated with the respective plurality of parties. Each of two ciphertexts may be encrypted with the linear common public key and the two ciphertexts may be combined by a non-linear computation to generate a result ciphertext encrypted by a non-linear public key. The result ciphertext may be re-encrypted with a re-linearization key to swap encryption keys from the non-linear public key to a linear public key. The re-encrypted result ciphertext may be distributed to the plurality of parties to each partially decrypt the re-encrypted result ciphertext by a linear secret key share associated with the party, which in combination fully decrypts the result by a linear common secret key that is a sum of the secret key shares of the respective plurality of parties.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: April 16, 2024
    Assignee: Duality Technologies, Inc.
    Inventors: Yuriy Polyakov, Vinod Vaikuntanathan
  • Patent number: 11962499
    Abstract: In an embodiment, a computer-implemented method for enabling multitenancy for service machines is disclosed. In an embodiment, the method comprises detecting a packet by a service insertion module implemented in a hypervisor. Based on metadata received along with the packet, the service insertion module determines a tenant identifier of a tenant that sent the packet. The service insertion module also determines a plurality of attributes of the packet. Based on the tenant identifier and the plurality of attributes of the packet, an action for the packet is retrieved from a rule table. Based on the action, the service insertion module determines whether at least one service is to be applied to the packet. In response to determining that at least one service is to be applied to the packet, an encapsulated packet is generated by encapsulating the packet with the tenant identifier, and the encapsulated packet is redirected to a service machine that is configured to provide the at least one service to the packet.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: April 16, 2024
    Assignee: VMware, Inc.
    Inventor: Rahul Mishra
  • Patent number: 11953996
    Abstract: Techniques described herein relate to a method for performing data protection of file system data on a host. The method includes obtaining a data access request for a file corresponding to a placeholder file from an application during a backup access session; obtaining, in response to the data access request, file system data associated with the file from a backup storage using backup metadata associated with the placeholder file; providing the file system data associated with the file to the application; making, after the providing, a determination that the file is modified by the application; and in response to the determination: flagging the placeholder file.
    Type: Grant
    Filed: January 20, 2023
    Date of Patent: April 9, 2024
    Assignee: Dell Products L.P.
    Inventors: Sunil Yadav, Shelesh Chopra
  • Patent number: 11950266
    Abstract: In one embodiment, a scheme is disclosed for supporting wireless access network service request capability in a user equipment (UE) device that is operable in wide area cellular network (WACN) bands as well as in wireless access network bands (e.g., GAN bands and/or UMA bands). The UE device includes capability for gaining Internet Protocol (IP) connectivity with a wireless access network node (e.g., a GAN controller (GANC) or UMA network controller (UNC)). Thereafter, the UE device is operable to initiate a registration request message towards the wireless access network node, wherein the registration request message includes at least one information element pertaining to wireless access network services required by the UE device.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: April 2, 2024
    Assignee: Malikie Innovations Limited
    Inventors: Adrian Buckley, George Baldwin Bumiller, Paul Marcus Carpenter
  • Patent number: 11949714
    Abstract: Digital data processing systems of the type in which a server digital data device (“server”) is coupled to a client digital data device (“client”) over a network, e.g., the Internet, include web server software executing within an application layer on the server that responds to a request from the client by (i) validating a key received from the client with that request, (ii) generating a result code indicative of a success of that validation, (iii) initiating processing of the request, including invoking server resource software executing outside the application layer. The server resource software, which checks the result code upon invocation and before performing a protected operation required for processing the request, responds to a result code indicating that the result did not validate by exiting before executing the protected operation.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: April 2, 2024
    Assignee: Salesforce, Inc.
    Inventors: Robert Spremulli, Chris Smith, Radha Shelat, Myles Taggart Frothingham
  • Patent number: 11949711
    Abstract: A system may be configured to prepare and use prediction models for predicting existence of fingerprints among encrypted traffic. Some embodiments may: obtain a machine learner configured to identify statistical differences between pseudo-randomness associated with encrypted user data and higher-entropy randomness associated with a set of other data; determine at least a portion of a path traversed by the encrypted user data in the network based on the identification; and secure the network based on the determination.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: April 2, 2024
    Assignee: CACI International, Inc.
    Inventor: Ryan Montoya
  • Patent number: 11949781
    Abstract: Described is a data transmission method, comprising: a first terminal negotiating a shared key with a second terminal by means of a handshake message; and the first terminal transmitting application data to the second terminal by means of a content message, the content message being encrypted and decrypted by using the shared key, wherein the handshake message and the content message have the same message format, the message format comprises a message serial number and a message load, the message serial number comprises a key epoch identifier and a message seq identifier, and the key epoch identifier is characterized by bit information less than a first number of bits, and the message seq identifier is characterized by bit information less than a second number of bits.
    Type: Grant
    Filed: December 29, 2022
    Date of Patent: April 2, 2024
    Assignee: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP., LTD.
    Inventors: Chunliang Zeng, Zhaoxuan Zhai, Qichang Yang
  • Patent number: 11947953
    Abstract: A vehicle electronic control system includes a mode determination unit that is configured to determine whether a customization mode for a screen display related to an approval to a program update is set through a user's customization operation, and a screen display instruction unit that is configured to instruct the display terminal to display a progress screen of the program update according to a current update phase and a setting of the customization mode when the mode determination unit determines that the customization mode is set and instruct the display terminal to display the progress screen of the program update according to the current update phase and an initial setting when the mode determination unit determines that the customization mode is not set. The display terminal is configured to display the progress screen of the program update as instructed by the screen display instruction unit.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: April 2, 2024
    Assignee: DENSO CORPORATION
    Inventors: Taiji Abe, Nao Sakurai, Yuzo Harata, Kazuhiro Uehara, Mitsuyoshi Natsume, Takuya Kawasaki
  • Patent number: 11949663
    Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: April 2, 2024
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Vijay Bulusu, Roy Rajan, Ajit Singh, Abhinav Bansal, Vikas Mahajan
  • Patent number: 11948129
    Abstract: A system includes a computer processor, a computer memory, and a user interface. The system receives a plurality of tasks, data relating to conditions and environments associated with the plurality of tasks, and a plurality of goals relating to planning and scheduling of the plurality of tasks. The goals are received from a plurality of sources, and the goals are addressed as a function of the conditions and environments. The system displays on the user interface, as a function of the plurality of goals, an analytical view of the conditions and environments relating to the plurality of tasks and an analytical view of a status of the plurality of tasks.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: April 2, 2024
    Assignee: Raytheon Company
    Inventors: Laura A. Gordon, Laura D. Strater, Benjamin Gothman, Kristin Guillaume
  • Patent number: 11943835
    Abstract: Embodiments of this application disclose a communication method and a communications apparatus, and are used in the field of communications technologies, to resolve a problem of how to notify an access network device of an NR PC5 QoS parameter of a terminal. The method in one embodiment includes a home V2XCF that obtains an NR PC5 QoS parameter of a terminal, and the home V2XCF sends the NR PC5 QoS parameter to an access network device, such as a first network element that is in an EPS. The first network element receives the NR PC5 QoS parameter and sends the NR PC5 QoS parameter to an MME. After receiving the NR PC5 QoS parameter, the MME sends the NR PC5 QoS parameter to an access network device. The first network element may be an HSS or a PCRF.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: March 26, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Jiangwei Ying, Meng Li, Xiao Xiao
  • Patent number: 11943293
    Abstract: Restoring a storage system from a replication target, including: receiving, by a first storage system from a computing device, data to be stored on the first storage system; reducing, by the first storage system, the data using one or more data reduction techniques; sending, from the first storage system to the second storage system, the reduced data, wherein the reduced data is encrypted; and retrieving, by the first storage system from the second storage system, the reduced data, wherein the reduced data is encrypted.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: March 26, 2024
    Assignee: PURE STORAGE, INC.
    Inventors: John Colgrove, Ronald Karr, Constantine Sapuntzakis
  • Patent number: 11943199
    Abstract: A computer network security manager device connects to a first wireless router and then connects to a plurality of devices (e.g., a plurality of IoT devices). The computer network security manager device then performs device agnostic activation of the plurality of devices to enable the plurality of devices to perform respective functions of each device. The security manager device prevents the plurality of devices from connecting directly to the first wireless router and only allows other devices on the Internet to communicate with the plurality of devices according to specific firewall rules. In response to receiving an indication that the first wireless router to which the network security manager device is connected is out of service or no longer exists, the network security manager device prevents other devices on the Internet from being able to communicate with the plurality of devices.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: March 26, 2024
    Assignee: DISH Network L.L.C.
    Inventor: Raymond C. Rodriguez
  • Patent number: 11943094
    Abstract: A method includes allocating an identifier to each of a plurality of policies each comprising a network-isolation identifier associated with a VXWAN directive and transmitting each of the plurality of policies to one or more devices in a network.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: March 26, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Kumar Ramachandran, Venkataraman Anand, Navneet Yadav, Arivu Ramasamy, Aaron Edwards
  • Patent number: 11936490
    Abstract: Upon receiving a copy of upstream communication from a first switch, a second switch specifies an NF apparatus serving as a transmission source of the upstream communication, based on apparatus information indicating a MAC address of each apparatus and a transmission source MAC address contained in the copy of the upstream communication. The second switch refers to the apparatus information, and MAC address information indicating, for each port of the switch, a MAC address of an apparatus connected via the port, thereby specifying a port of the second switch connected to the NF apparatus, and a MAC address of the transmission source via the port. The second switch stores session information in which information on the specified port and MAC address is associated with header information set for the copy of the upstream communication. Upon receiving downstream communication, the second switch transfers the downstream communication to the NF apparatus.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: March 19, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yuki Takei, Masayuki Nishiki, Tomonori Takeda
  • Patent number: 11936630
    Abstract: A router includes processing circuitry configured to send a request to a web server to access a website hosted by the web server. Additionally, the processing circuitry is configured to identify a pathway between a client device and the web server as well as determine whether the pathway is encrypted or unencrypted. In response to determining that the pathway is unencrypted, the processing circuitry is configured to determine whether an alternative pathway between the client device and the web server via a web host of the web server is available and, in response to determining that the alternative pathway is available, cause the alternative pathway to be established in lieu of the pathway.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: March 19, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Ashley Raine Philbrick, Ryan Thomas Russell, David Joaquin Harris, Sacha Melquiades De'Angeli
  • Patent number: 11936783
    Abstract: An indication of a key generation function may be received from a server. A random value may be received based on a volatile memory of a device. A cryptographic key may be generated based on the key generation function from the server and the random value that is based on the volatile memory of the device. The cryptographic key may be stored at a non-volatile memory of the device.
    Type: Grant
    Filed: July 7, 2021
    Date of Patent: March 19, 2024
    Assignee: Cryptography Research, Inc.
    Inventor: Helena Handschuh
  • Patent number: 11936620
    Abstract: A method and computer readable software for providing randomized Security Parameter Index (SPI) for distributed Internet Protocol security (IPsec) are disclosed. In one embodiment a method includes designating each IPsec node with a unique node identifier, the IPsec node; performing a hash function on a random SPI to provide a randomized SPI; and assigning the randomized SPI to an IPsec tunnel associated with an IPsec node.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: March 19, 2024
    Assignee: Parallel Wireless, Inc.
    Inventors: Ayan Chattopadhyay, Vikram Menon
  • Patent number: 11934511
    Abstract: An information processing device includes a first communication unit, a second communication unit, an information processing unit, and a switching unit. The information processing unit is configured to encrypt information which is received from a terminal device and to transmit the encrypted information to a network and configured to decrypt information which is received from the network and to transmit the decrypted information to the terminal device. The information processing device includes a switching unit configured to directly connect a communication line between the first communication unit and the terminal device to another communication line between the second communication unit and the network, when the information processing unit comes into an inoperable state including at least electric power supply stop state, and to switch into a pass-through mode in which the terminal device and the network communicate directly with each other without going through the information processing unit.
    Type: Grant
    Filed: April 9, 2021
    Date of Patent: March 19, 2024
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Infrastructure Systems & Solutions Corporation
    Inventor: Yusuke Yagi
  • Patent number: 11930040
    Abstract: Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated, while allowing communication of priority messages. A security management component (SMC) can determine whether a malicious attack against the RAN is occurring based on a defined baseline that indicates whether a malicious attack is occurring. The defined baseline is determined based on respective characteristics associated with respective devices that are determined based on analysis of information relating to the devices. In response to determining there is a malicious attack, SMC determines whether to block connections of devices to the RAN based on respective priority levels associated with respective messages being communicated by the devices.
    Type: Grant
    Filed: January 23, 2023
    Date of Patent: March 12, 2024
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Deon Ogle, Yaron Koral, Cagatay Buyukkoc, Nicholas Arconati, Jitendra Patel, Bogdan Ungureanu
  • Patent number: 11924087
    Abstract: Systems and methods include receiving a request for a path in a network including a plurality of network elements interconnected to one another via links, wherein the request includes values for a plurality of criteria, wherein the plurality of criteria include one or more of trust, privacy, and secrecy; utilizing a multi-criteria path selection process to determine the path through the plurality of network elements over the links based on the plurality of criteria and the associated values; and providing a display of the determined path in a network map. The trust quantifies trustworthiness of each link in the network and the values of trust are any of a rating and a selection for inclusion or exclusion, the privacy quantifies a number of the links the network path is routed over for network obfuscation, and the secrecy quantifies a level of encryption utilized on the links.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: March 5, 2024
    Assignee: Ciena Corporation
    Inventors: James P'ford't Carnes, III, David Jordan Krauss
  • Patent number: 11922420
    Abstract: Systems and methods for authenticating a user are disclosed.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: March 5, 2024
    Assignee: Intuit Inc.
    Inventors: Christopher Lesner, Alexander S. Ran
  • Patent number: 11921842
    Abstract: In an approach for multifactor authorization on hardware calls of resources, a processor receives a request for a hardware resource from a plurality of hardware resources being monitored. A processor calculates a risk level associated with the hardware resource of the request based on a respective risk level data repository. A processor, in response to a determination the risk level requires multifactor authorization, determines that a user associated with the request is logged in. A processor identifies a mechanism used by the user to log in. A processor determines whether a challenge associated with the multifactor authorization based on the mechanism is successful. A processor, in response to a determination the challenge associated with the multifactor authorization is successful, enables access to the hardware resource of the request.
    Type: Grant
    Filed: June 14, 2021
    Date of Patent: March 5, 2024
    Assignee: KYNDRYL, INC.
    Inventors: Cesar Augusto Rodriguez Bravo, David Alonso Campos Batista
  • Patent number: 11916871
    Abstract: A method and device (1) for transferring electronic information between a lesser trusted network (7) and a trusted network (8) is disclosed. The method comprises the steps of: receiving original electronic information from a lesser trusted network (7) in a first electrical zone (2); permitting the original electronic information to be transferred between the first electrical zone (2) and the second electrical zone (4) in one direction only; verifying the original electronic information for at least one predetermined characteristic within the second electrical zone (4) so as to provide a verifier output status and verified electronic information; forwarding the verified electronic information to a third electrical zone (3).
    Type: Grant
    Filed: September 14, 2019
    Date of Patent: February 27, 2024
    Assignee: The Secretary of State for Foreign and Commonwealth Affairs
    Inventors: Robert John Dale, John Alan Thorp
  • Patent number: 11916907
    Abstract: Where a single networked security service supports multiple enterprises, this security service can operate as a shared source of trust so that security devices associated with one enterprise can provide authenticated, policy-based management of computing devices associated with another enterprise. For example, an enterprise firewall can advantageously manage network access for a new device based on a shared and authenticated relationship with the networked security service.
    Type: Grant
    Filed: July 8, 2020
    Date of Patent: February 27, 2024
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Moritz Daniel Grimm, Thomas Rolf-Werner Eckert, Kenneth D. Ray
  • Patent number: 11916883
    Abstract: In one embodiment, a computing platform features a controller, one or more transit virtual private cloud networks (VPCs), and a plurality of spoke VPCs. Communicatively coupled to the transit virtual VPCs, the spoke VPCs include (i) a first spoke VPC associated with a first security region and (ii) a second spoke VPC associated with a second security region. Herein, the first security region is configured to permit spoke gateways of the first spoke VPC to communicate with each other while precluding communications with spoke gateways associated with another security region absent a connectivity policy being a set of rules established by the administrator/user of the network concerning permitted connectivity between different security regions.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: February 27, 2024
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Shanshan Xu
  • Patent number: 11909764
    Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.
    Type: Grant
    Filed: July 1, 2021
    Date of Patent: February 20, 2024
    Assignee: Rapid7, Inc.
    Inventor: Barry Curran
  • Patent number: 11907946
    Abstract: An illustrative fraud deterrent method includes presenting an identity verification option for a first website displayed in a web-browser, the option including offering a login to a third-party website, unrelated to the first website. The method further includes receiving login information for a first user account on the third-party website and verifying the login information through a verification service associated with the third-party website, to verify that the login information is valid for the first user account, identified by the login information. The method additionally includes verifying an identity at the first website, responsive to the verification.
    Type: Grant
    Filed: January 10, 2023
    Date of Patent: February 20, 2024
    Inventor: Michael Sasha John
  • Patent number: 11910290
    Abstract: A wireless distribution system (WDS) is configured for transmitting a downlink signal or for receiving an uplink signal. A computing device configured to serve as a client device to the WDS includes a memory; a multiple applications processor in communication with the memory and configured to execute one or more mobile applications; and a wireless service processor in communication with the multi applications processor for communicating via a corresponding wireless service with the WDS. The multi applications processor is configured to execute an instance of a data service to establish a connection with the WDS for a specified application process utilizing the wireless service to provide at least one datum on the WDS. In the method, an instance of a data service is executed to establish a connection with a WDS for a specified application process utilizing a wireless service to provide at least one datum on the WDS.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: February 20, 2024
    Assignee: Corning Optical Communications LLC
    Inventors: Igor Berlin, Aravind Chamarti, Yuval Zinger
  • Patent number: 11909819
    Abstract: A method and system are provided which facilitate synchronization of client IP binding databases across an extended network by leveraging the BGP control plane. During operation, a switch configures a first synchronization identifier indicating validated Internet Protocol (IP) binding information of an associated client. The switch receives a Border Gateway Protocol (BGP) update message associated with a first client, wherein the BGP update message includes a second synchronization identifier.
    Type: Grant
    Filed: November 28, 2022
    Date of Patent: February 20, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Saumya Dikshit, Thimma Reddy Gadekal
  • Patent number: 11909739
    Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: February 20, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Jerome Henry, Robert Edgar Barton, Elango Ganesan, Flemming Stig Andreasen
  • Patent number: 11904174
    Abstract: Apparatus and associated methods relate to providing secure gatekeeping of communication from a remote internet-based website having an Internet-Protocol (IP) address to an implantable biomedical device. A gatekeeping device receives the communication transmitted by the remote internet-based website. The communication received is encoded using a first encoding algorithm. The gatekeeping device decodes the communication received. The gatekeeping device then encodes the communication decoded using a second encoding algorithm. The gatekeeping device wirelessly relays the communication encoded using the second encoding algorithm to the implantable biomedical device.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: February 20, 2024
    Assignee: Manicka Institute LLC
    Inventor: Yatheendhar D. Manicka
  • Patent number: 11902378
    Abstract: The application discloses systems and methods for data synchronization. The system may include a receiving module, an instruction generating module and a sending module. The receiving module may be configured to receive the first instruction. The first instruction may be used to instruct the start of data acquisition of the system. In response to receiving the first instruction, the instruction generating module may be configured to generate a second instruction. The second instruction may be used to trigger at least two sensors to acquire data. The sending module may be configured to send the second instruction to at least two sensors respectively based on the first delay. The first delay causes the time difference between at least two sensors starting to acquire data to be less than the first preset threshold.
    Type: Grant
    Filed: May 10, 2022
    Date of Patent: February 13, 2024
    Assignee: BEIJING DIDI INFINITY TECHNOLOGY AND DEVELOPMENT CO., LTD.
    Inventor: Gong Chen
  • Patent number: 11895087
    Abstract: A computer-implemented method according to one embodiment includes identifying a node within a clustered system, determining a role of the node, based on one or more characteristics of the node, and setting one or more firewall parameters for the node within the clustered system, based on the role of the node.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: February 6, 2024
    Assignee: International Business Machines Corporation
    Inventors: Monica J. Lemay, Todd Tosseth, Jacob M. Tick, Christina Lara
  • Patent number: 11895494
    Abstract: A method and a device for device network configuration and registration are disclosed. The method includes: a first device receives a first network configuration parameter from a second device, where the first network configuration parameter includes a local area network identifier of a local area network, an access password of the local area network, and a device identifier, a security parameter, or an access token of the second device. The first device requests to access a server by using the first network configuration parameter. The server assigns a device parameter to the first device, where the device parameter includes a device identifier, a security parameter, and an access token of the first device. The first device requests to access the server by using the device parameter. This method can simplify a network configuration and registration process of a smart device, and implement fast network configuration and registration.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: February 6, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Tianliang Xu
  • Patent number: 11893410
    Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: February 6, 2024
    Assignee: VMware, Inc.
    Inventors: Abhishek Srivastava, David A. Dunn, Jesse Pool, Adrian Drzewiecki
  • Patent number: 11893412
    Abstract: Device initialization by an access-restricted virtual machine, including: restricting access by a first operating system to a device during one or more device initialization operations, wherein the first operating system is executing in a first virtual machine supported by a hypervisor; determining, by a second operating system executing in a second virtual machine supported by the hypervisor, one or more modifications attempted by the first operating system to the device; and performing, by the second operating system, the one or more modifications to the device.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: February 6, 2024
    Assignee: GHOST AUTONOMY INC.
    Inventors: John Hayes, Volkmar Uhlig
  • Patent number: 11895189
    Abstract: One or more data packets at a storage node of a storage cluster system is received via a virtual network associated with a storage tenant. A connection between the storage tenant and a tenant communication component of the storage cluster system is terminated. A new connection is established between the tenant communication component of the storage cluster system and a destination associated with the one or more data packets. The one or more data packets are provided to the destination associated with the one or more data packets using a virtual network associated with storage nodes of the storage cluster system.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: February 6, 2024
    Assignee: Cohesity, Inc.
    Inventors: Harsha Vardhan Jagannati, Anand Bhat
  • Patent number: 11888872
    Abstract: A method protects a computer asset by identifying a particular signature, which is software that causes a particular gateway to block an intrusion from reaching a particular computer asset, and installs the particular signature on the particular gateway, thus protecting the computer asset from the intrusion.
    Type: Grant
    Filed: April 11, 2022
    Date of Patent: January 30, 2024
    Assignee: International Business Machines Corporation
    Inventors: Adam Paquin, Peyton Duncan, Kevin Shen, Jonathan Bees, Srinivas Babu Tummalapenta
  • Patent number: 11888959
    Abstract: A data transmission method includes establishing, by a first apparatus in a distributed system, a connection to a target end; sending, by the first apparatus, connection information of the connection to a second apparatus that is in the distributed system and that transmits data to the target end; transmitting, by the second apparatus, the data to the target end based on the connection information and using a stream of the connection.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: January 30, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yongkang Zhang, Yi Qin
  • Patent number: 11888834
    Abstract: Methods and systems are provided for onboarding network equipment to managed networks. An onboarding controller of a managed network may generate a challenge for network equipment to be onboarded into the managed network, and may send the challenge to a communication device different from the equipment network. The challenge may include information relating to a configuration change to be made to the network equipment. Further, the challenge is sent over a connection that is different than a connection used in communicating with the network equipment. The onboarding controller may verify, based on handling of the configuration change, an identity and/or a network location of the network equipment. Handling the configuration change may include applying the configuration change.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: January 30, 2024
    Assignee: INTERDIGITAL CE PATENT HOLDINGS, SAS
    Inventors: Dominik Schatzmann, Markus Brunner
  • Patent number: 11889303
    Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. The medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to identify a user database record associated with a user equipment (UE) using a mobile identity (ID), associate a Next Generation application protocol (NGAP) session with the user database record using an NGAP ID, capture a ciphered message associated with the NGAP session, decipher the ciphered message associated with the NGAP session, extract, from the deciphered message, session details associated with the UE, and store the session details in a session detail record.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: January 30, 2024
    Assignee: Netscout Systems, Inc.
    Inventors: Subappriya Muthuchamy, Sandeep Prasad, Tauras Liubinskas, Abhishek Saraswati, Alessandro Pinelli, Pritish Vijay Aherrao, Loreto Di Resta, Brandon Bass
  • Patent number: 11888818
    Abstract: A method may include providing a multi-access interface for network traffic, comprising: receiving information regarding topology of a virtual private network and storing the topology in the form of a routing table. A method may include providing an interface for network traffic, comprising: in a virtual private network comprising a plurality of tunnels delivering only information associated with OSI Level 3, receiving a network communication and performing multicast forwarding among the plurality of tunnels using multicast forwarding from OSI Level 2. A method may include providing an interface for network traffic, comprising, in a virtual private network: establishing a connection between a first node of the virtual private network and a second node serving as a virtual private network broker and fetching, by the first node from the virtual private network broker, information regarding one or more other nodes of the virtual private network.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: January 30, 2024
    Assignee: Forcepoint LLC
    Inventors: Tuomo Syvänne, Juha Luoma, Ville Mattila
  • Patent number: 11888829
    Abstract: A device is configured to receive a data request that includes an encrypted data element. The device is further configured to identify a data source device associated with the data request, to identify a first encryption key associated with the data source device, and to decrypt the encrypted data element using the first encryption key. The device is further configured to identify a first data processor device associated with receiving the data request, to identify a second encryption key associated with the first data processor device, wherein the second encryption key is different from the first encryption key, and to re-encrypt the decrypted data element. The device is further configured to identify routing instructions associated with the first data processor device and to send the re-encrypted data element to the first data processor device in accordance with the routing instructions.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: January 30, 2024
    Assignee: 7-ELEVEN, INC.
    Inventors: Srikanth Gandra, Veena Vadvadgi
  • Patent number: 11886576
    Abstract: A non-transitory computer-readable medium may include computer-executable instructions that, when executed, cause a processor to collect a portion of data associated with an asset from one or more sources based on a request received from a digital representation associated with the asset. The digital representation may perform a first set of simulations related to one or more operations of the asset over time. The processor may then generate a plurality of aligned datasets based on the portion of the data, the one or more sources, and an identity of the asset. The processor may also aggregate the plurality of aligned datasets into a single dataset and transmit the single dataset to the digital representation to perform a second set of simulations based on the single dataset.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: January 30, 2024
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Abhishek Mehrotra, Steven P. Taylor, Braun C. Brennecke, Evan J. Kausalik, John D. Mayer, Tyler C. Tamburlin, Richard S. Turk, Timothy R. Brennan
  • Patent number: 11882231
    Abstract: Exemplary embodiments relate to techniques for transmitting ephemeral content messages. A sending client may establish an end-to-end encrypted session with possible recipients of the message, using a first decryption key during initial session setup. The client may send an ephemeral content message, including encrypted content and a second key, to the recipients through a server. The server may be unable to retrieve the encrypted content due to a lack of the second key. The server may filter a list of intended recipients, and may forward the ephemeral content message to the recipients on the filtered list. The recipients may retrieve the second key from the message, and use the first and second keys to decrypt the encrypted content. The sending client may change the second key each time the recipient list changes from the perspective of the sending client, as determined at the time the ephemeral content message is transmitted.
    Type: Grant
    Filed: April 25, 2022
    Date of Patent: January 23, 2024
    Assignee: WhatsApp LLC
    Inventors: Randall Sarafa, Eugene Fooksman, Brian Lange Acton, Jan Boris Koum, Michael B. Donohue, Ehren Andrew Kret
  • Patent number: 11882199
    Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
    Type: Grant
    Filed: August 22, 2022
    Date of Patent: January 23, 2024
    Assignee: CLOUDFLARE, INC.
    Inventors: Christopher Philip Branch, Naga Sunil Tripirineni, Rustam Xing Lalkaka, Nick Wondra, Mohd Irtefa, Matthew Browning Prince, Andrew Taylor Plunk, Oliver Yu, Vlad Krasnov
  • Patent number: 11882100
    Abstract: According to an embodiment, a communication control device includes a first communication system connected between a first device and a network communication network, and a second communication system connected between the first device and the network communication network separately from the first communication system. The first communication system and the second communication system each include a controller. The controller executes switching such that one of the communication systems executes communication in the first communication mode, and when a problem is detected in the communication system that is executing communication in the first communication mode, the other communication system executes communication in the first communication mode.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: January 23, 2024
    Assignees: KABUSHIKI KAISHA TOSHIBA, Toshiba Infrastructure Systems & Solutions Corporation
    Inventor: Issei Hatanaka