Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11575700
    Abstract: A method for displaying an attack vector available to an attacker of a networked system including a plurality of network nodes. One or more penetration tests of the networked system are carried out, by a penetration testing system. Based on results of the penetration tests, the attack vector available to an attacker of the networked system is identified. A critical path of the attack vector is determined, and is displayed by displaying the network nodes included in the critical path as a continuous ordered sequence of network nodes. In some embodiments, one or more auxiliary paths of the attack vector may be determined, and may be displayed.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: February 7, 2023
    Assignee: XM Cyber Ltd.
    Inventors: Yehonatan Sayag, Gal Ben Ishay
  • Patent number: 11568040
    Abstract: A management apparatus includes a memory, a unification policy setting unit, and a security level setting unit. The memory stores, for each of a user belonging to a first group and a user belonging to a second group, an authentication level of a domain assigned to a corresponding one of the users. The unification policy setting unit sets a unification policy that specifies a relationship between the authentication level and a security level for a state after unification. The security level setting unit sets the security level in a case where the first group and the second group undergo the unification into a third group. The security level is set for each of the users belonging to the third group by using the authentication level and the unification policy.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: January 31, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Takeshi Nishizawa
  • Patent number: 11570137
    Abstract: Methods and systems for performing a Mapping of Address and Port using translation (MAP-T) data plane verification. A method for performing a MAP-T data plane verification includes initiating, by a diagnostic server provisioned with at least MAP-T diagnostic rules, a MAP-T diagnostic on a border relay provisioned with MAP-T rules, generating, by the diagnostic server, a diagnostic packet per the MAP-T diagnostic rules, sending, by the diagnostic server, the diagnostic packet to the border relay, performing, by the border relay, a translation on the diagnostic packet per the provisioned MAP-T rules, analyzing, by the diagnostic server to generate a report, at least a translation accuracy of a received translated diagnostic packet, and configuring at least one device based on a received report.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: January 31, 2023
    Assignee: Charter Communications Operating, LLC
    Inventors: Thomas Nathan Carter, Jeffrey Larkin Cook, Thomas Lawrence Bowlby
  • Patent number: 11570190
    Abstract: A method for characterizing network traffic is provided. The method includes maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates, capturing network traffic over a network connection at a network connected device, analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database, and characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: January 31, 2023
    Assignee: NETSEC CONCEPTS LLC
    Inventors: Brian Fehrman, Elizabeth Woody, Joseph Lillo
  • Patent number: 11563758
    Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: January 24, 2023
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Sean Moore, Douglas M. Disabello
  • Patent number: 11563718
    Abstract: A computer network security manager device connects to a first wireless router and then connects to a plurality of devices (e.g., a plurality of IoT devices). The computer network security manager device then performs device agnostic activation of the plurality of devices to enable the plurality of devices to perform respective functions of each device. The security manager device prevents the plurality of devices from connecting directly to the first wireless router and only allows other devices on the Internet to communicate with the plurality of devices according to specific firewall rules. In response to receiving an indication that the first wireless router to which the network security manager device is connected is out of service or no longer exists, the network security manager device prevents other devices on the Internet from being able to communicate with the plurality of devices.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: January 24, 2023
    Assignee: DISH NETWORK L.L.C.
    Inventor: Raymond C. Rodriguez
  • Patent number: 11563600
    Abstract: To reduce overhead generated by maintaining a full mesh network with static spoke-to-spoke tunnels while providing the efficiency of spoke-to-spoke communication, BGP configuration is automated to provide for dynamic establishment of spoke-to-spoke tunnels. A virtual Internet Protocol (VIP) address is assigned to each spoke in the network. Spokes advertise their VIP address to the hub for communication to the other spokes. A spoke sets the route next hop in its routing table for a remote spoke to the VIP of the remote spoke. Establishment of a tunnel between spokes is initiated after detecting data is to be communicated between the spokes while data is temporarily routed through the hub. Data is routed directly to the receiving spoke through the dynamic tunnel once the tunnel is active. Tunnels between spokes are terminated dynamically after a period of inactivity to reduce overhead caused by consistent maintenance of dynamic tunnels with low use.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: January 24, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Li Meng, Dhwanit Shah
  • Patent number: 11558423
    Abstract: The present disclosure relates to network security software cooperatively configured on plural nodes to monitor, alert, authenticate, and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: January 17, 2023
    Assignee: Stealthpath, Inc.
    Inventors: Andrew Gordon, Mike Clark, Matt Clark, Daniel T. McGovern, Kevin J. Kelly, Nathan P. Leemkuil
  • Patent number: 11552780
    Abstract: A system for securing a data set includes a computing device that provides access to portions of a data set to different users, and can encrypt the portions by generating encryption keys for each portion using a single mathematical function. The keys are generated by applying a starting point and length to a solution of the mathematical function. The process to generate the decryption keys is provided to the authorized users so that they can view and manipulate only the data set portions they are authorized to access.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: January 10, 2023
    Assignee: Theon Technologies, Inc.
    Inventors: Robert Edward Grant, Kristine Romine
  • Patent number: 11551216
    Abstract: A system and method for implementation of transaction security on a distributed ledger-based Mobility-as-a-Service (MaaS) platform is provided. The system includes a message broker device which receives a transaction request associated with a transport service from a publisher node of a transportation provider. The message broker device routes, via an API gateway hosted on the message broker device, the transaction request to a subscriber node of the transportation provider. The API gateway validates the transaction request based on application of a set of security rules on the transaction request. The subscriber node is associated with a first node of a distributed ledger node that stores a first state object. The first state object includes transaction data associated with the transport service. The distributed ledger node receives the validated first transaction request from the API gateway, via the subscriber node and updates the transaction data based on the received transaction request.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: January 10, 2023
    Assignee: SONY CORPORATION
    Inventor: Sadayoshi Murao
  • Patent number: 11546232
    Abstract: A method for providing data to a client computing device from an edge computing device is discussed herein. The method may include performing a network proximity check regarding the client computing device associated with a request for data captured by the wideband sensor. The method may further include determining, based on at least one proximity metric associated with the client computing device, a route for data responsive to the request for data associated with the network proximity check, where the route is one of a route including the cloud storage or a route that does not include the cloud storage. The method may also include receiving the request for data captured by the wideband sensor associated with the network proximity check. The method may also include transmitting the data responsive to the request for data captured by the wideband sensor associated with the network proximity check to the client computing device through the determined route.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: January 3, 2023
    Assignee: Hitachi, Ltd.
    Inventors: Daisuke Maeda, Sudhanshu Gaur
  • Patent number: 11546379
    Abstract: Examples provided herein describe a method for providing security for Internet of Things (IoT) devices. For example, a data packet from an IoT device may be received at an edge device. A signature associated with the IoT device may be accessed at the edge device, where the signature includes network layer information about the IoT device. A set of rules may be applied by the edge device to validate the IoT device based on the accessed signature. Responsive to the IoT device being validated based on the accessed signature, received data packet, and the applied set of rules, the edge device may process the data packet from the IoT device.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: January 3, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ramlakhan Patel, Ankit Kumar Sinha, Praveen Kumar Arora, Rangaprasad Sampath
  • Patent number: 11546176
    Abstract: A method of remotely initializing at least one device is disclosed. The method includes initializing at a local host a cryptographic authorization sequence after receiving a secure input value. The method further includes receiving at a local host cryptographic controller a first authorization request from a first remote device. After a challenge-response authentication protocol, the first remote device is authenticated and receives a public key infrastructure certificate. The method includes receiving at a first remote cryptographic controller a second request from a second remote device. After a challenge-response authentication protocol, the first remote device is authenticated, but does not receive a public key infrastructure certificate. A system for remotely initiating at least one device is also disclosed.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: January 3, 2023
    Assignee: Rockwell Collins, Inc.
    Inventors: Sean Howard, James A. Marek, Jonathon C. Skarphol, Edward C. Tubbs
  • Patent number: 11546301
    Abstract: In accordance with an embodiment, described herein is a system and method for autonomous firewall rule management, for use with cloud computing environments or other types of network environments. A firewall rule management automation framework provides rule management for firewalls deployed across availability domains. The system is adapted to automatically determine firewalls that can receive network traffic from a given source subnet or destination subnet; configure the firewalls with required firewall rules; monitor the firewall rules through collection of metrics snapshots and rule hit counts; and purge underused or potentially obsolete firewall rules, for example those having zero hits over a particular period of time or number of snapshots. The system provides generic support for different types of firewall devices, and autonomous management of firewall rules within large heterogeneous computer networks that may include several types of firewalls.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: January 3, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Rishi Mutnuru
  • Patent number: 11537720
    Abstract: Security configuration optimizer system and methods create optimized access control policies. The systems and methods analyze constraints on the secured system and produce a plurality of proposals for an updated security configuration. The proposals are analyzed and filtered. A resulting set of proposals are graded or ranked according to a variety of desirable outcomes. A proposal is selected according to criteria based on the balance of security and complexity. The security configuration is updated according to the selected proposal.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: December 27, 2022
    Assignee: HASHICORP, INC.
    Inventors: Jonathan James Currey, Robert Earle McKinstry, III, Armon Memaran Dadgar
  • Patent number: 11540202
    Abstract: Techniques are provided to use a trusted identity and location to select the most appropriate point of interconnect to edge application execution environments as well as a specific edge application execution environment. The techniques may involve obtaining, on behalf of a wireless mobile device, an access identifier that indicates an access location of the wireless mobile device that is wirelessly connected to wireless network infrastructure equipment operated by an access network provider that is associated with, and a member of, a federation of access network providers. The access location for the wireless mobile device is derived based on the access identifier, and the access location is used to select an edge resource to be used by the wireless mobile device.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: December 27, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Timothy Peter Stammers, Flemming Andreasen
  • Patent number: 11537731
    Abstract: The system may include a method comprising requesting, by a computer, a receiver identifier associated with a receiver; receiving, by the computer, the receiver identifier in association with content; constructing, by the computer, a URL link comprising access to DICOM viewer code, DICOM data for the selected images, a sender identifier and the receiver identifier; generating, by the computer, a notification to the receiver, wherein the notification includes the URL link; and transmitting, by the computer, the notification to a receiver based on the receiver identifier.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: December 27, 2022
    Assignee: MYMEDICALIMAGES.COM, LLC
    Inventor: Troy Berg
  • Patent number: 11537704
    Abstract: Access to a shared library API is restricted for a customer application by a security system. A profile for each of a plurality of trusted applications is generated and stored in a security database. When a customer application attempts to access the shared library API, the customer application is verified by extracting a customer application profile for the customer application, comparing the customer application profile with each stored trusted application profile, and verifying that the customer application can access the shared library API based on the comparison. Based on the verification, the customer application may be allowed to access the shared library API or may be prevented from accessing the shared library API.
    Type: Grant
    Filed: October 15, 2020
    Date of Patent: December 27, 2022
    Assignee: Protegrity Corporation
    Inventors: Yigal Rozenberg, Pierre Burlin, Jan Boberg
  • Patent number: 11528167
    Abstract: Embodiments of the present disclosure provide a method and device for implementing gateway cooperation, a gateway and a storage medium. The method for implementing the gateway cooperation includes: selecting, from gateways in an IoT network, at least one cooperative gateway for a target gateway; notifying the target gateway of the at least one cooperative gateway, wherein the at least one cooperative gateway is used for establishing cooperation with the target gateway and performing cooperative management.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: December 13, 2022
    Assignee: ZTE CORPORATION
    Inventors: Kun Yang, Chen Lu, Fang Xie
  • Patent number: 11526275
    Abstract: Systems and methods for sampling a set of block IDs to facilitate estimating an amount of data stored in a data set of a storage system having one or more characteristics are provided. According to an example, metadata (e.g., block headers and block IDs) may be maintained regarding multiple data blocks of the data set. When one or more metrics relating to the data set are desired, an efficiency set, representing a subset of the block IDs of the data set, may be created to facilitate efficient calculation of the metrics by statistically sampling the block IDs of the data set. Finally, the metrics may be estimated based on the efficiency set by analyzing one or more of the metadata (e.g., block headers) and the data contained in the data blocks corresponding to the subset of the block IDs and extrapolating the metrics for the entirety of the data set.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: December 13, 2022
    Assignee: NetApp, Inc.
    Inventors: Charles Randall, Alyssa Proulx
  • Patent number: 11526854
    Abstract: A method includes establishing a session between a first client device and a host device to run an application on the first client device. The method includes receiving an indication to transfer the session from the first client device to a second client device. The method includes storing, in response to receiving the indication, state information of the application for the session. The method includes generating a pointer associated with the session. The method includes generating a scannable code including the pointer. The method includes scanning the displayed scannable code using an imaging element associated with the second client device. The method includes transferring, using the pointer, the session from the first client device to the second client device using the stored state information so that a second display associated with the second client device displays a most recently updated instance of the application from the first client device.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: December 13, 2022
    Assignee: EPICOR SOFTWARE CORPORATION
    Inventors: Ernesto Gonzalez, Jr., Jeffrey Scott Tompkins, Stephen J. Gannon, Sergio Hernandez Palomares, Alan Saldivar
  • Patent number: 11528321
    Abstract: A load balancing system, a load balancing method, and a non-transitory recording medium. The load balancing system includes a first client apparatus and a second client apparatus each of which communicates with a particular server among a plurality of servers through a load balancer that distributes load of the plurality of servers. The first client apparatus transmits to the load balancer, a request to the server to acquire identification information for identifying the particular server selected by the load balancer from among the plurality of servers, notifies the second client apparatus of the identification information of the particular server, the second client apparatus requesting the load balancer to connect to the particular server, and requests the load balancer to connect to the particular server using the identification information.
    Type: Grant
    Filed: February 1, 2022
    Date of Patent: December 13, 2022
    Assignee: Ricoh Company, Ltd.
    Inventor: Mototsugu Emori
  • Patent number: 11520747
    Abstract: The disclosed systems and methods are directed for detecting and resolving write-write conflicts among a plurality of transactions received from master nodes of a multi-writer database system. The method includes receiving a plurality of REDO logs and storing the plurality of REDO logs in a buffer, each REDO log associated with the one of the plurality of transactions, selecting one REDO log of the plurality of REDO logs; persisting the transaction associated with the one REDO log in a local storage when a write-write conflict is detected between the one REDO log and at least one other REDO log of the plurality of REDO logs prior to committing the transaction associated with the one REDO log; and transmitting a status of the transaction associated with the one REDO log to a global transaction manager (GTM).
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: December 6, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yuk Kuen Chan, Wenbin Ma, Emad Boctor, Huaxin Zhang
  • Patent number: 11522855
    Abstract: Embodiments establish a pool of tunnel connections using a secure protocol. A pool of tunnels can be initiated from endpoint connection managers to cloud connection managers, where a request is received from the endpoint connection managers by the cloud connection managers. A request from a cloud client to communicate with a secure computing device using a first of the endpoint connection managers is received at a first of the cloud connection managers. One of the pool of tunnels that is connected to the first endpoint connection manager is identified. The identified tunnel is configured to connect the cloud client and the first endpoint connection manager.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: December 6, 2022
    Assignee: Oracle International Corporation
    Inventors: Bhaskar Mathur, Feroz Alam Khan, Abhishek Dadhich, Kant C. Patel
  • Patent number: 11520905
    Abstract: When a system receives sensitive data, it can request an encryption key from an encryption/decryption unit. A central processing unit (CPU) of the system can encrypt the sensitive data using the encryption key before writing the sensitive data to memory. Thus, the sensitive data is encrypted when written to memory.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: December 6, 2022
    Assignee: KYNDRYL, INC.
    Inventors: Vinod A. Valecha, Krzysztof Rudek, Grzegorz Piotr Szczepanik, Lukasz Jakub Palus
  • Patent number: 11516193
    Abstract: A key distribution host determines a trust level of a user authentication server, wherein the trust level is based, at least in part, on one or more attributes of the user authentication server and provides one or more authentication keys to the user authentication server only if the trust level of the user authentication server is above a threshold value.
    Type: Grant
    Filed: August 21, 2020
    Date of Patent: November 29, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Jasmeet Chhabra, Daniel Stephen Popick, Luke Edward Kennedy
  • Patent number: 11513905
    Abstract: A data protection application creates backups of assets. Each asset is mapped in a directory service to one or more asset owners. The directory service is separate from the data protection application. A search query from a user seeking to search the backups is received at the data protection application. The directory service is consulted to identify assets having the user as an asset owner. A search filter is generated including a list of the identified assets. The search filter is applied to the search query to exclude from a search result backups of assets not having the user as the asset owner. The search result is returned to the user, the search result thereby including backups of assets having the user as an asset owner and excluding other backups of other assets not having the user as the asset owner.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: November 29, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: James Morton, Ming Zhang, Lihui Su, Gerald Jourdain
  • Patent number: 11516230
    Abstract: Provided is a method for disabling encryption of data in motion in response to an event. The method includes a service processing data. The service may process the data while in a public mode, in which the service is configured to encrypt data in motion. The method further comprises detecting an event that triggers the service to go into a protected mode. The method further comprises isolating the service from one or more public systems in response to detecting the event. The method further comprises deactivating encryption of data in motion, and processing the data without encrypting the data while in motion.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: November 29, 2022
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Branson, Ryan K. Cradick
  • Patent number: 11516291
    Abstract: A first set of one or more tenant communication components are configured to communicate with a first separate system component of a first storage tenant via a first virtual network. A second set of one or more tenant communication components are configured to communicate with a second separate system component of a second storage tenant via a second virtual network. The second virtual network is separate from the first virtual network. A plurality of tenant communication components of the storage cluster system including the first set of one or more tenant communication components and the second set of one or more tenant communication components are configured to communicate internally in the storage cluster system via a third virtual network separate from the first virtual network and the second virtual network.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: November 29, 2022
    Assignee: Cohesity, Inc.
    Inventors: Harsha Vardhan Jagannati, Anand Bhat
  • Patent number: 11509635
    Abstract: Various techniques for processing sensitive data in an isolated incubator system within a service-provider network are described. The incubator system, for instance, is isolated from a client system in the service-provider network. In an example method, the incubator system receives an indication of an operation, and first encrypted data, from the client system. The incubator system converts the first encrypted data to plaintext and performs the operation. The incubator system converts the processed data into second encrypted data and provides the second encrypted data to the client system. Thus, the incubator system performs the operation on the data without exposing the data to the client system in the plaintext format.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: November 22, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ripul Jain, Erick Ribeiro, Oren Weiss, Kevin Stessens
  • Patent number: 11509629
    Abstract: A network security system provides portals which enable automatic creation of a dynamic one-time port forwarding rule for an authorized user's current IP address following two factor authentication of the authorized user. Such a dynamic one-time port forwarding rule is utilized to set up a connection, at which point the dynamic one-time port forwarding rule is removed, preventing any attacker from subsequently taking advantage of it. Such a methodology is advantageous as compared to conventional port forwarding in that it is much more secure. Such a methodology is advantageous as compared to traditional port forwarding with access control both in that a user does not always have to utilize the same device with a static IP address, and in that the port forwarding rule representing or exposing a potential vulnerability is deleted after a connection is established.
    Type: Grant
    Filed: June 26, 2021
    Date of Patent: November 22, 2022
    Assignee: Calyptix Security Corporation
    Inventors: Lawrence Chin Shiun Teo, Aaron K. Bieber, Nicholas C. Pelone, Bryce Chidester, Benjamin A. Yarbrough
  • Patent number: 11503079
    Abstract: Apparatus to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication device is disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present disclosure greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: November 15, 2022
    Assignee: Blue Armor Technologies, LLC
    Inventors: John William Hayes, Charles Andrew Gram
  • Patent number: 11496504
    Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: November 8, 2022
    Assignee: Juniper Networks, Inc.
    Inventors: Sarvesh K. Batta, Thyagarajan S. Pasupathy, Mohan Thangavel
  • Patent number: 11489821
    Abstract: Aspects of the invention include receiving a request from a responder channel on a responder node to initiate a secure communication with an initiator channel on an initiator node. The request includes an identifier of a shared key, and a nonce and security parameter index generated by the initiator node for the secure communication. The receiving is at a local key manager (LKM) executing on the responder node. A security association is created at the LKM between the initiator node and the responder node. The shared key is obtained based at least in part on the identifier of the shared key. Based on obtaining the shared key, a message requesting initialization of the secure communication between the responder channel and the initiator channel is built. The message includes an initiator nonce and an initiator security parameter index generated by the LKM for the secure communication.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: November 1, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mooheng Zee, Richard Mark Sczepczenski
  • Patent number: 11487251
    Abstract: A system for detecting and responding to an anomaly in a chaotic environment, comprising one or more autonomous agent devices and a central server comprising a processor and non-transitory memory.
    Type: Grant
    Filed: December 16, 2020
    Date of Patent: November 1, 2022
    Assignee: Morgan Stanley Services Group Inc.
    Inventors: Kesavanand Muraleedhara, Ahmed Jedda, Paulo Pinto
  • Patent number: 11481282
    Abstract: A method of fault-tolerant process control includes providing a network process control system in an industrial processing facility (IPF) including a plant-wide network coupling a server to computing platforms each including computing hardware and memory hosting a software application for simultaneously supporting a process controller and another process controller or an I/O gateway. The computing platforms are coupled together by a private path redundancy network for providing a hardware resource pool. At least some of the computing platforms are directly coupled by an I/O mesh network to a plurality of I/O devices to field devices that are coupled to processing equipment. Upon detecting at least one failing device in the hardware resource pool, over the private path redundancy network a backup is placed into service for the failing device from the another process controller or I/O gateway that is at another of the computing platforms in the hardware resource pool.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: October 25, 2022
    Assignee: Honeywell International Inc.
    Inventors: Paul Francis McLaughlin, Jason Thomas Urso, James Michael Schreder, John Rosa-Bian, Norman Swanson, Jethro F. Steinman
  • Patent number: 11483296
    Abstract: A hardware security accelerator includes a configurable parser that is configured to receive a packet and to extract from the packet headers associated with a set of protocols. The security accelerator also includes a packet type detection unit to determine a type of the packet in response to the set of protocols and to generate a packet type identifier indicative of the type of the packet. A configurable security unit includes a configuration unit and a configurable security engine. The configuration unit configures the configurable security engine according to the type of the packet and to content of at least one of the headers extracted from the packet. The configurable security engine performs security processing of the packet to provide at least one security result.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: October 25, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ron Diamant, Nafea Bshara, Leah Shalev, Erez Izenberg
  • Patent number: 11477128
    Abstract: Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines applying traffic class and network interface throttling for marking network packets with a differentiated service code based on input received from a profiler application, throttling the bandwidth of network packets based on a threshold for a designated network interface for the packet, throttling the bandwidth of the bandwidth-throttled packets based on a threshold for its respective differentiated service code, and emitting network packets on each respective designated network interface.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: October 18, 2022
    Assignee: Tripwire, Inc.
    Inventors: Chris Pawlukowsky, Ian Turner, Mike Appleby
  • Patent number: 11477261
    Abstract: A method and system for rendering electronic content is provided. The method includes: receiving a request for electronic content; retrieving browser data associated with a browser configured to render the electronic content; determining a nature of the electronic content; reviewing the browser data in relation to the nature of the electronic content to determine whether the browser supports the electronic content; and if the browser supports the electronic content, transmitting the electronic content supported by the browser. The system includes: a connection module configured to receive a request for electronic content; a browser module configured to retrieve browser data; a content module configured to determine a nature associated with the electronic content; a rendering module configured to review the browser data in relation to the nature of the electronic content to determine whether the browser supports the electronic content.
    Type: Grant
    Filed: December 3, 2014
    Date of Patent: October 18, 2022
    Assignee: D2L Corporation
    Inventors: David Lockhart, Nicholas Dingle, Pablo Lleras
  • Patent number: 11477644
    Abstract: Aspects of the subject disclosure may include, for example, a network API service makes multiple APIs available for guidance and control. The network API service may collect low-level network data related to network elements in access networks and core networks and analyze the low-level network data to create application-level metrics in response to API requests. Other embodiments are disclosed.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: October 18, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Abhigyan Sharma Abhigyan, Gnanavelkandan Kathirvel, John Craig, Paul Carver
  • Patent number: 11477010
    Abstract: The present embodiments relate to systems and methods for using a blockchain to record information related to the lifecycle of a vehicle associated with a Vehicle Identification Number (VIN). For example, the VIN lifecycle process may be used to develop safety-feature based insurance models. The systems and methods may include calculating a safety rating for a safety feature based upon data accessed at a blockchain. The safety rating may be used to generate a product associated with a new vehicle type, such as an insurance product covering the new vehicle type. The systems and methods described herein may allow for using a blockchain which gives the option for private information, and permissioned participants in the blockchain. In particular, the systems and methods may allow for a distributed consensus amongst businesses, consumers, and authorities, as to the validity of information and transactions stored on the blockchain.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: October 18, 2022
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: William J. Leise, Douglas A. Graff, Stacie A. McCullough, Shawn M. Call, Eric Bellas, Jaime Skaggs, Jacob J. Alt, Eric R. Moore, Vicki King
  • Patent number: 11477182
    Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type that enables an initiating (first) client device to create a credential dynamically and that can then be selectively shared with and used by other (second) client devices. Using a dynamically-created credential of this type, the other (second) devices are able to fetch the same key configured by the initiating (first) device. In this manner, multiple devices are able to create and share one or more keys among themselves dynamically, and on an as-needed basis without requiring a human administrator to create a credential for a device group in advance of its usage.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: October 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Rinkesh I. Bansal, Mohit Niranjan Agrawal, Prashant V. Mestri
  • Patent number: 11467885
    Abstract: Technologies for processing network packets include a compute device with a network interface controller (NIC) that includes a host interface, a packet processor, and a network interface. The host interface is configured to receive a transaction from the compute engine, wherein the transaction includes latency-sensitive data, determine a context of the latency-sensitive data, and verify the latency-sensitive data against one or more server policies as a function of the determined context. The packet processor is configured to identify a trust associated with the latency-sensitive data, determine whether to verify the latency-sensitive data against one or more network policies as a function of the identified trust, apply the one or more network policies, and encapsulate the latency-sensitive data into a network packet. The network interface is configured to transmit the network packet via an associated Ethernet port of the NIC. Other embodiments are described herein.
    Type: Grant
    Filed: December 30, 2017
    Date of Patent: October 11, 2022
    Assignee: Intel Corporation
    Inventors: Ronen Hyatt, Mark Debbage
  • Patent number: 11469915
    Abstract: Technologies include a network switch configured to perform packet replication. The network switch includes a network communicator, an entity manager, and a tag manager. The network communicator is to receive a data packet, and the entity manager is to identify an entity associated with the data packet and determine a tag associated with the entity. Additionally, the tag manager is to determine a packet replication configuration associated with the tag, and perform one or more per-port forwarding actions based on the packet replication configuration. The packet replication configuration includes one or more destination ports to be masked and a number of copies to be replicated to be sent out on at least one destination port.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: October 11, 2022
    Assignee: Intel Corporation
    Inventors: Grzegorz Jereczek, Amruth Gouda Parameshwarappa, Christopher Edmiston, Maciej Andrzej Koprowski
  • Patent number: 11461477
    Abstract: An example method includes initializing, by an obfuscation computing system, communications with nodes in a distributed computing platform, the nodes including one or more compute nodes and a controller node, and performing at least one of: (a) code-level obfuscation for the distributed computing platform to obfuscate interactions between an external user computing system and the nodes, wherein performing the code-level obfuscation comprises obfuscating data associated with one or more commands provided by the user computing system and sending one or more obfuscated commands to at least one of the nodes in the distributed computing platform; or (b) system-level obfuscation for the distributed computing platform, wherein performing the system-level obfuscation comprises at least one of obfuscating system management tasks that are performed to manage the nodes or obfuscating network traffic data that is exchanged between the nodes.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: October 4, 2022
    Assignee: Architecture Technology Corporation
    Inventors: Judson Powers, Robert A. Joyce, Scott Aloisio, Matthew A. Stillerman
  • Patent number: 11461475
    Abstract: An electronic device including a secure Integrated Circuit (IC) is provided. The electronic device includes a secure IC configured as a System-on-Chip (SoC) and configured to provide a general environment and a security environment, wherein the secure IC includes a main processor configured to operate in the general environment, a secure processor configured to operate in the security environment and control security of data using a first security key, and a secure memory configured to be operatively connected to the secure processor and store a second security key corresponding to the first security key. Various other embodiments are possible.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: October 4, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bumhan Kim, Sunjune Kong, Seongjin Cho
  • Patent number: 11455412
    Abstract: This disclosure provides enhanced management of access rights for dynamic groups of users sharing secret data. Instead of relying on traditional administrative techniques for modifying access rights for stored data, the techniques disclosed herein allow a storage service to communicate with a group management system to verify membership of user groups, e.g., channels, chat session, or meetings, and automatically change access rights to stored data as users leave or join a group. Encrypted data can be stored within a storage vault. The storage vault can be dedicated to storing encrypted data shared between a user group, e.g. a channel. A server managing the storage vault can receive membership data from a group management service. As users join the group or leave a group managed by the group management service, each user's access permissions to the storage vault can be added, removed or modified.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: September 27, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alexander Weiss, Eric Scott Albright, Dustyn J. Tubbs, Paresh Lukka, Andrew V. Spiziri, Lawrence Fubini Waldman
  • Patent number: 11456861
    Abstract: A computing system may include a client device configured to remotely access virtual computing sessions, and a virtual delivery appliance configured to connect the client device to the virtual computing sessions. The client device and the virtual delivery appliance may share a symmetric encryption key and encrypt data communications exchanged therebetween with the symmetric encryption key. The system may further include a gateway appliance configured to relay the encrypted communications between the client device and the virtual delivery appliance, the gateway appliance not having the symmetric key and being unable to decrypt the encrypted communications relayed between the virtual delivery appliance and the client device.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: September 27, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Georgy Momchilov, Hubert Divoux, Roberto Valdes
  • Patent number: 11456860
    Abstract: A method may include establishing a transport layer session between a gateway appliance and at least one virtual delivery appliance, establishing a presentation layer session between the gateway appliance and the at least one virtual delivery appliance via the transport layer session, and establishing a connection lease exchange tunnel between the gateway appliance and the at least one virtual delivery appliance via the presentation layer session. The method further includes receiving, at the at least one virtual delivery appliance, a connection lease from a client device via the gateway appliance through the connection lease exchange tunnel and validating the connection lease, and issuing a resource connection ticket at the at least one virtual delivery appliance to the client device through the connection lease exchange tunnel responsive to the validation.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: September 27, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Georgy Momchilov, Hubert Divoux, Roberto Valdes
  • Patent number: 11451385
    Abstract: A device generates a biometric public key for an individual based on both the individual's biometric data and a secret S, in a manner that verifiably characterizes both while tending to prevent recovery of either. The biometric data has a Sparse Representation and is encoded in a manner to include a component of noise, such that it is challenging to identify which locations are actually encoded features. Accordingly, the biometric data are encoded as a vector by choosing a marker at locations where features are present and, where features are not present, choosing noisy data. The noisy data may be chaff bit values selected collectively from a group of (a) random values and (b) independent and identically distributed values. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: September 20, 2022
    Assignee: Badge Inc.
    Inventors: Charles H. Herder, III, Tina P. Srivastava