Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 10880334
    Abstract: A method for securely connecting to a remote server that provides improved Internet security. In the method, a client receives a request to connect to a remote server associated with a domain name. The client, when resolving the domain name, determines whether the remote server supports at least one predetermined IP layer security protocol. The client performs a key exchange protocol with the remote server to generate at least one shared secret in response to determining that the remote server supports the at least one predetermined IP layer security protocol. The client connects to the remote server using the at least one shared secret in the IP layer security protocol.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: December 29, 2020
    Assignee: QUALCOMM Incorporated
    Inventors: Jeffree Froelicher, Lalitha B. S. Suryanarayana, Giridhar Mandyam
  • Patent number: 10878122
    Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine readable instructions to cause the processor to access network traffic traces including a plurality of timestamps, the plurality of timestamps having an order with respect to each other. The instructions may also cause the processor to encrypt the plurality of timestamps to anonymize the plurality of timestamps while preserving the order of the plurality of timestamps with respect to each other and to store the encrypted plurality of timestamps in a data store.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: December 29, 2020
    Assignee: MICRO FOCUS LLC
    Inventors: Pratyusa K. Manadhata, Martin Arlitt, Muhammad Ihsanulhaq Sarfraz
  • Patent number: 10867092
    Abstract: Technologies are provided in embodiments including a memory element to store a payload indicating an action to be performed associated with a remote action request (RAR) and a remote action handler circuit to identify the action to be performed, where the action includes invalidating one or more entries of a translation lookaside buffer (TLB), determine that the logical processor entered an enclave mode during a prior epoch, perform one or more condition checks on control and state pages of the enclave mode, and based on results of the one or more condition checks, adjust one or more variables associated with the logical processor to simulate the logical processor re-entering the enclave mode. Specific embodiments include the remote action handler circuit to invalidate an entry of the TLB based, at least in part, on the results of the one or more condition checks.
    Type: Grant
    Filed: December 16, 2017
    Date of Patent: December 15, 2020
    Assignee: Intel Corporation
    Inventors: Dror Caspi, Ido Ouziel
  • Patent number: 10868811
    Abstract: A proxy server mitigates security risks of user credentials sent across a network in clear text. The proxy server encrypts user credentials within a client application request destined for an application server. The proxy server forwards the client application request to the application server. The application server sends the encrypted user credentials to the proxy server where the proxy server decrypts the user credentials and authenticates the user credentials with an authentication server.
    Type: Grant
    Filed: November 5, 2018
    Date of Patent: December 15, 2020
    Assignee: Bitglass, Inc.
    Inventors: Anurag Kahol, Anoop Kumar Bhattacharjya, Balas Natarajan Kausik
  • Patent number: 10860727
    Abstract: Methods, systems, and devices for mass encryption management are described. In some database systems, users may select encryption settings for storing data records at rest. A database may receive a request to perform an encryption process on multiple data records corresponding to a user, for example, based on a user input or a change in encryption settings. A database server may partition the data records for encryption (e.g., encryption, decryption, key rotation, or scheme modification) into one or more data record groups of similar sizes, and may perform the encryption process on one record group at a time (e.g., to reduce overhead in the system). The database server may additionally support restricting user access to the data records being actively processed, estimating resources needed for the processing, determining data record encryption statuses to be displayed by a user device, or some combination of these features.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: December 8, 2020
    Assignee: salesforce.com, inc.
    Inventors: Alexandre Hersans, Je Woong Heo, Yunjia Zhou, Aleksandr Alexander, Assaf Ben Gur
  • Patent number: 10855663
    Abstract: A method for encrypting data when a device is offline is disclosed. In the method, a determination is made as to whether a successful connection with a remote server computer can or cannot be made. If a connection cannot be made, then data can be encrypted with an ephemeral public key. Later, when a connection is available, the encrypted data can be transmitted to the remote server computer for processing.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: December 1, 2020
    Assignee: Visa International Service Association
    Inventors: Rhidian John, Bartlomiej Piotr Prokop, Michael Palmer
  • Patent number: 10848442
    Abstract: For secure transport, when receiving a plurality of packets from a root complex where contents of each packet from the plurality of packets are organized in accordance with a first protocol, a sequence number is added to each packet and a packet type is identified. Every packet in the first plurality of packets is encrypted and encapsulated into at least one packet organized in accordance with a second protocol to form a second plurality of packets organized in accordance with the second protocol. All the packets from the second plurality of packets are sent via a plurality of connections so that each connection from the plurality of connections only transports packets from the second plurality of packets that encapsulate packets from the first plurality that have a same packet type.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: November 24, 2020
    Assignee: Missing Link Electronics, Inc.
    Inventors: Nils Endric Schubert, David Epping, Andreas Braun, Ulrich Langenblach
  • Patent number: 10841341
    Abstract: A method for performing policy-based configuration of IPSec for a VPN is provided. According to one embodiment, a request for a VPN connection to be established between a network device and a peer network device is received by the network device from the peer network device. Responsive to receipt of the request, the VPN connection is established by the network device in accordance with a policy associated with the request without requiring manual entry of VPN settings by a network administrator of the network device. The policy includes multiple VPN settings for the VPN connection and is configured by a network administrator of the peer network device via a policy page displayed to the network administrator via a user interface of the peer network device.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: November 17, 2020
    Assignee: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 10826815
    Abstract: Some embodiments provide a method for a forwarding element (FE) operating in a network of FEs. The method receives a data message with an access control list (ACL) rule and a first digest for the ACL rule appended to the data message. The ACL rule specifies that the packet is allowed to be sent through the network. The method verifies the ACL rule by computing a second digest from the ACL rule using a secret key and comparing the first digest to the second digest. The method determines whether the packet matches the ACL rule by comparing values in headers of the data message to values specified in the ACL rule. The method only forwards the data message if the ACL rule is verified and the packet matches the ACL rule.
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: November 3, 2020
    Assignee: Barefoot Networks, Inc.
    Inventors: Changhoon Kim, Jeongkeun Lee, Milad Sharif, Robert Soule
  • Patent number: 10820201
    Abstract: A default pre-shared key is provided from a first device to a second device. The first device is configured to control network access to a network. A first authentication request is obtained at the first device from a third device. The first authentication request includes data indicative of the second device. A first response to the first authentication request is provided from the first device to the third device. The first response includes the default pre-shared key. A second authentication request containing a private pre-shared key and the data indicative of the second device is obtained at the first device from the third device. Stored data at the first device is updated in response to the second authentication request with the private pre-shared key and the data indicative of the second device to provision the first device to provide network access to the network to the second device.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: October 27, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Suja Thangaveluchamy, Niranjan Mallapura Mallikarjunaiah, Aries Kuttiyan, Sudhir Kumar Jain, Vijay Kumar Kothamasu, Ramachandra Murthy S
  • Patent number: 10820070
    Abstract: Data are transmitted by radio between a terminal and a data collector. The data collector is intermittently or constantly in receive mode. The terminal attempts, from an idle phase, to set up a communication with the data collector in order to send all or some of the data to the data collector and/or to receive them from the data collector. Alternatively, the data collector attempts to set up a communication with the terminal in order to send all or some of the data to the terminal and/or to receive them from the terminal. The setup of the communication is followed by the terminal sending a message to the data collector and the data collector, after receiving the message, continuing, interrupting and/or terminating the transmission of the data during communication on a basis of the content of the message.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: October 27, 2020
    Assignee: Diehl Metering Systems GmbH
    Inventors: Hristo Petkov, Thomas Lautenbacher, Thomas Kauppert, Raphael Mzyk
  • Patent number: 10820198
    Abstract: A method and system for providing unencrypted access to encrypted data that may be stored on a device, sent as a message, or sent as a real-time communications stream. The method may include using public key cryptography to securely enable accessing the encrypted data stored on a device or communicated by a device. For instance, the method may include using a device vendor's public key to securely enable that vendor to enable only authorized parties to themselves decrypt previously-encrypted device storage, messages, or real-time communications streams. As an added layer of cybersecurity, the method may include a proof of possession verification process that authenticates the identity of an authorized party before any decryption data is provided.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: October 27, 2020
    Inventor: Raymond Edward Ozzie
  • Patent number: 10813089
    Abstract: Embodiments include a method, computer program product, and system for grouping electronic devices into roll-call channel access (RCCA) groups to reduce the number of devices contending for a wireless channel. Devices within RCCA groups are represented by a host device during a channel contention process. Once a channel is granted access to a host device, its respective RCCA group has control of the channel for a predetermined period of time during which devices of the RCCA group take turns transmitting data on the channel.
    Type: Grant
    Filed: September 20, 2016
    Date of Patent: October 20, 2020
    Assignee: Apple Inc.
    Inventors: Chiu Ngok Eric Wong, David Cheung
  • Patent number: 10805842
    Abstract: A mobile network operator (MNO) may control WiFi QoS. 3GPP has specified control mechanisms for various levels of quality of service (QoS) over the cellular access and core network. Embodiments described herein provide differentiation of WiFi QoS based on MNO requirements. In particular, extensible authentication protocol (EAP) and diameter messages may be extended to include a wireless local area network QoS parameter. This may be used by user equipment to set the uplink 802.11e User Priority (UP) for offloaded or evolved packet core-routed WiFi traffic.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: October 13, 2020
    Assignee: Convida Wireless, LLC
    Inventors: John L. Tomici, Qing Li, Michael F. Starsinic, Paul L. Russell, Jr.
  • Patent number: 10805381
    Abstract: Described embodiments provide systems and methods for provisioning disk images on remote devices. Described is a device configured to connect to a pre-configured network upon device start-up, transmit a request to a server at a pre-configured network address, receive a response containing a disk image for the device, and populate a memory component of the device with the disk image received. Described is a server configured to, responsive to receiving a request from a device, authenticate the request, identify a disk image corresponding to the device, and transmit the disk image to the device. These systems and methods are well suited for improving security and integrity of deployed special-purpose devices, e.g., as may be used for an “Internet of Things” deployment.
    Type: Grant
    Filed: October 3, 2017
    Date of Patent: October 13, 2020
    Assignee: Citrix Systems, Inc
    Inventor: Hao Wu
  • Patent number: 10805068
    Abstract: The present embodiments relate to systems and methods for using a blockchain to record information related to the lifecycle of a vehicle associated with a Vehicle Identification Number (VIN). For example, the VIN lifecycle process may be used to develop safety-feature based insurance models. The systems and methods may include calculating a safety rating for a safety feature based upon data accessed at a blockchain. The safety rating may be used to generate a product associated with a new vehicle type, such as an insurance product covering the new vehicle type. The systems and methods described herein may allow for using a blockchain which gives the option for private information, and permissioned participants in the blockchain. In particular, the systems and methods may allow for a distributed consensus amongst businesses, consumers, and authorities, as to the validity of information and transactions stored on the blockchain.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: October 13, 2020
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: William J. Leise, Douglas A. Graff, Stacie A. McCullough, Shawn M. Call, Eric Bellas, Jaime Skaggs, Jacob J. Alt, Eric R. Moore, Vicki King
  • Patent number: 10804976
    Abstract: A communication network encrypts a first portion of a transaction associated with point-to-point communications using a point-to-point encryption key. A second portion of the transaction associated with end-to-end communications is encrypted using an end-to-end encryption key.
    Type: Grant
    Filed: May 13, 2020
    Date of Patent: October 13, 2020
    Assignee: Seven Networks, LLC
    Inventors: Lee R. Boynton, Trevor A. Fiatal, Scott M. Burke, Mark Sikes
  • Patent number: 10798064
    Abstract: A server system implements an encryption service, in connection with a proxy service that enables a client computer to utilize the third-party network service.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: October 6, 2020
    Assignee: StratoKey Pty Ltd.
    Inventor: Anthony Scotney
  • Patent number: 10790962
    Abstract: Some embodiments are directed to a cryptographic device (100) arranged to compute a block cipher on an input message (110). The device computes a plurality of intermediate block cipher results by computing and re-computing a first intermediate block cipher result (151) of the plurality of intermediate block cipher results by applying the plurality of block cipher rounds sequentially to the input message followed by one or more additional block cipher rounds. A plurality of averaging functions are applied to the plurality of intermediate block cipher results, the results of which are added, after which the inverse of the one or more additional block cipher rounds is applied.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: September 29, 2020
    Assignee: Koninklijke Philips N.V.
    Inventors: Ronald Rietman, Maarten Peter Bodlaender, Sebastiaan Jacobus Antonius De Hoogh
  • Patent number: 10791263
    Abstract: A camera auxiliary device for privacy protection and a privacy protection method using the camera auxiliary device. The camera auxiliary device for privacy protection includes a processor for splitting an input light beam that is reflected from a capturing target into a first input beam for detecting a privacy protection area and a second input beam to be transferred to a camera connected to a user terminal, detecting a privacy protection area in an image signal generated based on the first input beam, and converting the second input beam and then transferring a converted second input beam to the camera so that personal information included in the privacy protection area is not visually identified, and a memory for storing the image signal and the privacy protection area.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: September 29, 2020
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Bon-Woo Hwang, Ki-Nam Kim, Tae-Joon Kim, Seung-Uk Yoon, Seung-Wook Lee, Seong-Jae Lim
  • Patent number: 10790985
    Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.
    Type: Grant
    Filed: April 2, 2014
    Date of Patent: September 29, 2020
    Assignee: Comcast Cable Communications, LLC
    Inventors: James W. Fahrny, Kyong Park
  • Patent number: 10785199
    Abstract: A key distribution host determines a trust level of a user authentication server, wherein the trust level is based, at least in part, on one or more attributes of the user authentication server and provides one or more authentication keys to the user authentication server only if the trust level of the user authentication server is above a threshold value.
    Type: Grant
    Filed: November 27, 2017
    Date of Patent: September 22, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Jasmeet Chhabra, Daniel Stephen Popick, Luke Edward Kennedy
  • Patent number: 10778642
    Abstract: A network security platform (NSP) device and interaction method are disclosed. The interaction method provides network packet analysis for secure transmission protocols using ephemeral keys or keys that are negotiated dynamically. The NSP may be part of an Intrusion Protection System, or firewall. The disclosed approach does not use man-in-the-middle proxy. Instead, it includes monitoring connections ends: client and/or server, to intercept the required data or negotiated (or changed) encryption keys. Decrypted data may be sent to an NSP sensor in a secure manner for analysis. Alternatively, intercepted keys used for the encrypt/decrypt operations may be sent to an NSP sensor in a secure manner every time they are changed. The NSP sensor may then use the obtained keys to decrypt traffic prior to providing it to the inspection engines. Embodiments focused on inbound traffic to a web server may coordinate between a web server and an NSP.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: September 15, 2020
    Assignee: MCAFEE, LLC
    Inventors: Manikandan Kenyan, Shelendra Sharma, Anil Abraham
  • Patent number: 10778775
    Abstract: Presented herein are techniques in which one or more network devices can use information provided by a special purpose network connected device to retrieve a usage profile (i.e., configuration file) associated with the special purpose network connected device. The retrieved usage profile, which includes/describes preselected (predetermined) usage descriptions associated with the special purpose network connected device, can then be used to configure one or more network devices. For example, the predetermined usage descriptions associated with the special purpose network connected device can be instantiated and enforced at a network device or the predetermined usage descriptions can be used for auditing the special purpose network connected device (e.g., monitoring of traffic within the network).
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: September 15, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Eliot Lear, Brian Weis, Mordechai Alon
  • Patent number: 10771964
    Abstract: Systems and methods for providing encrypted storage within an application sandbox are disclosed. Embodiments may secure data at rest on a mobile device within an application sandbox. The data may be stored in a manner that is resistant to attacks intended to reveal the data, and situations in which unintentional disclosures could occur. In embodiments, data may not be unintentionally lost, and it may be used with data that may be classified as Personally Identifiable Information.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: September 8, 2020
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Gayathri Sundar
  • Patent number: 10764944
    Abstract: Devices, computer-readable media, and methods are disclosed for establishing a secure tunnel having a path that includes an untrusted link between a wireless access point and a gateway device. For example, a processor may detect a security event associated with a wireless access point that is in communication with a gateway device of the telecommunication network via a trusted link, establish a secure tunnel between the gateway device and an endpoint device that is accessing the telecommunication network via the wireless access point and the gateway device, and transport payload traffic between the endpoint device and the gateway device via the secure tunnel. A path of the secure tunnel may include an untrusted link between the wireless access point and the gateway device. In addition, the payload traffic that is transported via the secure tunnel may be indecipherable by the wireless access point.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: September 1, 2020
    Assignee: AT&T Mobility II LLC
    Inventors: Prabhakar Chitrapu, Jayesh Sukumaran, Jr.
  • Patent number: 10764276
    Abstract: A system includes terminating, at a reverse proxy, a mutual authentication handshake with a client computing system, the handshake including reception by the reverse proxy of a public key certificate associated with the client computing system, generating, by the reverse proxy, of an authentication token based on the public key certificate, receiving, at the reverse proxy, a request to access an application from the client computing system, forwarding the request and the authentication token from the reverse proxy to the application, receiving the request and the authentication token at the application, requesting, by the application, of an authorization token from an OAuth server based on the authentication token, receiving the authorization token from the OAuth server, storing the authorization token in association with a session identifier associated with the request received from the client computing system, and transmitting a response to the client computing system based on the authorization token and th
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: September 1, 2020
    Assignee: SAP SE
    Inventor: Martijn de Boer
  • Patent number: 10764315
    Abstract: Techniques for fingerprinting and aggregating a virtual private cloud (VPC) flow log stream are provided. Each VPC flow log event in the VPC flow log is first determined to be a request event or a response event. A fingerprint is then generated for each VPC flow log event. The fingerprint for a VPC flow log event is generated based on the determination whether the VPC flow log event is a request event or a response event and by concatenating and encoding data contained in a set of data fields corresponding to the VPC flow log event. Based on the fingerprint generated for each VPC flow log event, related events can be detected and aggregated to form an aggregated event. Information stored with each aggregated event can then be used to better monitor the VPC.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: September 1, 2020
    Assignee: Capital One Services, LLC
    Inventor: Seth Patrick Carroll
  • Patent number: 10757111
    Abstract: A multilevel security fabric with address management units communicatively coupled to ports of a communication fabric and nodes of a multilevel security system are disclosed. The communication fabric facilitates communication between the nodes. An address management unit associated with a particular node extracts address maps contained in data requests associated with the particular node and regulates communication of that node with any other nodes within the system across the communication fabric based on whether the extracted address maps are within an allowable address access range specified for the particular node. In the event that an extracted address map fails to fall within the allowable address access range, the address management unit may block the communication with the particular node. Accordingly, the address management unit may enforce multilevel communication across the communication fabric with high assurance.
    Type: Grant
    Filed: July 12, 2017
    Date of Patent: August 25, 2020
    Assignee: Rockwell Collins, Inc.
    Inventors: James A. Marek, Jonathon C. Skarphol, Adam W. Pfab, Edward C. Tubbs, John G. Bendickson
  • Patent number: 10757082
    Abstract: A method for transforming a wrapped key token into a protected key may be provided. The protected key is protected by a volatile master key kept in the firmware of a virtual server. The method comprises creating an isolated virtual server that maintains a master key. The virtual server and the isolated virtual server share parts of same hypervisor's firmware. The method further comprises configuring an association—using a shared secret—between the virtual server and the isolated virtual server. The method further comprises establishing a secure communication channel between the virtual server and the isolated virtual server, based on the secret, and providing to the virtual server the wrapped key token comprising a random key wrapped by the isolated virtual server master key, and providing to the virtual server, in response to submitting the wrapped key token, via a second service, the protected key.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: August 25, 2020
    Assignee: International Business Machines Corporation
    Inventors: Reinhard T. Buendgen, Hendrik Brückner
  • Patent number: 10757091
    Abstract: A technique to establish a secure session to a network-accessible application from a mobile device executing a native app. Initially, the network-accessible application is provisioned for access by an enterprise associating a set of one or more of its enterprise users with the network-accessible application. Thereafter, access to the application is enabled via an identity provider. In operation, the identity provider receives a request to validate that an enterprise user seeking access to the network-accessible application is associated with the application. The request is generated by the application in response to a login request initiated from the native app from a mobile device, wherein a certificate for the application is not available to the native app.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: August 25, 2020
    Assignee: International Business Machines Corporation
    Inventors: Nalini Kannan, Jatin Malik, Payas Gupta, Amitabh Mehra
  • Patent number: 10749857
    Abstract: A system for network mapping includes an interface and a processor. The interface is configured to receive an indication to scan a set of addresses using a fingerprint. The processor is configured to, for an address of the set of addresses: receive a response associated with the address; determine whether the response matches the fingerprint; and store the address in a client network database in the event the response matches the fingerprint.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: August 18, 2020
    Assignee: EXPANSE, INC.
    Inventors: Timothy Junio, Matthew Kraning
  • Patent number: 10749843
    Abstract: In an example, there is disclosed a monolithic reputation update on a data exchange layer (DXL). According to one embodiment, designating a set of objects as good or bad can be achieved via a single administrative action by leveraging persistent client initiated connections to the DXL framework. This may enable communication of the reputation updates across a heterogeneous infrastructure, including systems potentially unreachable by the server, such as those behind a firewall or NAT.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: August 18, 2020
    Assignee: McAfee, LLC
    Inventors: Christopher Smith, Don R. Hanson, II
  • Patent number: 10748148
    Abstract: A device includes memory and a processor. The memory is configured to store a transaction identifier corresponding to merchant identification information, customer identification information, and transaction information for a transaction. The processor is communicatively coupled to the memory. The processor is configured to receive, from a merchant computing device, a transaction request that includes the customer identification information and the transaction information. The transaction request does not include payment information. The processor is also configured to generate the transaction identifier. The transaction identifier is unique to the merchant identification information, the customer identification information, and the transaction information. The processor is further configured to transmit to a customer computing device an authorization request comprising the transaction identifier and merchant identification information.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: August 18, 2020
    Inventor: Jaswant Pujari
  • Patent number: 10750414
    Abstract: A method for operating a first access node in a dual connectivity (DuCo) handover includes receiving an event trigger for a combined event from a user equipment (UE), sending to a second access node, a combined instruction for primary secondary cell (PSCell) addition and a role change with the second access node in accordance with the event trigger, adding the second access node as a PSCell, and indicating to the UE, a role change between the first access node and the second access node.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: August 18, 2020
    Assignee: Futurewei Technologies, Inc.
    Inventors: Nathan Edward Tenny, Xuelong Wang
  • Patent number: 10740497
    Abstract: A method is disclosed for providing first data and a first secret key to a cipher processor for ciphering. The first data is ciphered in accordance with a first cipher process and the first secret key to provide output data. Before ciphering of the first data, extra data is inserted within the cipher processor for ciphering in accordance with at least a portion of said first cipher process. The extra data is inserted within a sequence of cipher processor operations for obfuscating the output data.
    Type: Grant
    Filed: June 1, 2018
    Date of Patent: August 11, 2020
    Assignee: Synopsys, Inc.
    Inventors: Neil Hamilton, Francois Bourdon, Michael Borza
  • Patent number: 10742719
    Abstract: In an embodiment of the present disclosure, there is provided a computer-implemented method, wherein the computer is operable between a management server and at least one cloud server providing a cloud service, the method comprising: collecting management data related to the cloud service through a standard protocol for network management, wherein the standard protocol allows communication of the management data via a designated port; and sending at least part of the management data to the management server.
    Type: Grant
    Filed: October 13, 2015
    Date of Patent: August 11, 2020
    Assignee: International Business Machines Corporation
    Inventors: Guang Ya Liu, Yi Li Wang, Qing Yin, Ming Zhao
  • Patent number: 10742603
    Abstract: The invention relates to a TEE (Trusted Environment Execution) structure which comprises: (a) a main domain defining a domain of operation for a main OS; (b) a privileged trusted domain defining a domain of operation for a trusted domain OS; and (c) a low level hypervisor which is separated from both of said main OS and said trusted domain OS, said hypervisor is used for: (c.1) receiving packets from a network; (c.2) examining an address included in each of said received packets; and (c.3) based on the determined address in each of said packets, targeting respectively the packet to either said main OS or to said trusted domain OS, while in the latter case any interaction between the received packet and said main OS is eliminated.
    Type: Grant
    Filed: August 17, 2016
    Date of Patent: August 11, 2020
    Assignee: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
    Inventors: Mordechai Guri, Yuval Elovici
  • Patent number: 10742530
    Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by bridge devices may be monitored by NMCs. The bridge devices may modify network traffic passed from one network segment to another network segment. Flows in network segments may be determined based on monitored network traffic associated with the network segments. Other flows in other network segments may be determined based on other monitored network traffic associated with the other network segments. A correlation score for two or more flows in different network segments may be provided based on a correlation model. Two or more related flows may be determined based on a value of the correlation score of the two or more related flows located in different network segments. A report that includes information about the two or more related flows may be provided.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: August 11, 2020
    Assignee: ExtraHop Networks, Inc.
    Inventors: Xue Jun Wu, Arindum Mukerji, Jeff James Costlow, Michael Kerber Krause Montague
  • Patent number: 10728251
    Abstract: Embodiments of the present disclosure can present information on services hosted and used by various assets on a network, and allow users to control access to such services. In particular, embodiments of the disclosure may be used to present one or more services hosted by a network asset, and control access to such services by other network assets based on user input.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: July 28, 2020
    Assignee: Catbird Networks, Inc.
    Inventors: Malcolm Rieke, James Sebastian Dennis
  • Patent number: 10725714
    Abstract: An image processing apparatus includes circuitry to store, in a memory, primary address information indicating an address of a primary mail server and alternate address information indicating one or more addresses of corresponding one or more alternate mail servers. The circuitry performs authentication of a user and transmits, after the authentication succeeds, the e-mail using the primary mail server based on the primary address information, in response to a first transmission request for transmission using the primary mail server. When transmission using the primary mail server fails, the circuitry controls display of a selection screen for selecting one from the one or more alternate mail servers, based on the alternate address information and transmits, in response to a second transmission request for transmission using the alternate mail server, the e-mail using the one selected from the one or more alternate mail servers on the selection screen.
    Type: Grant
    Filed: November 7, 2018
    Date of Patent: July 28, 2020
    Assignee: RICOH COMPANY, LTD.
    Inventor: Akihiro Mori
  • Patent number: 10728234
    Abstract: Configuring security settings, including: receiving a request to join a security group from a first terminal device; obtaining security setting information for the security group; and sending a response to the first terminal device, the response instructing the first terminal device to join the security group and to configure security settings according to the security setting information.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: July 28, 2020
    Assignee: Alibaba Group Holding Limited
    Inventors: Yuehua Guo, Honggang Tang
  • Patent number: 10721213
    Abstract: A method of obfuscating a source of a multicast packet is provided. The method includes receiving a plurality of multicast packets at a first device from one or more second devices, the multicast packets received over one or more network links. A source internet protocol (IP) address of each multicast packet of the plurality of multicast packets is an IP address of the one or more second devices that sent the multicast packet. The source IP address of each of the plurality of multicast packets is changed to an IP address other than an IP address of the first device or an IP address of the one or more second devices. The plurality of multicast packets can then be sent.
    Type: Grant
    Filed: June 1, 2017
    Date of Patent: July 21, 2020
    Assignee: Architecture Technology Corporation
    Inventors: Ryan L. Hagelstrom, Ranga S. Ramanujan, Nathan E. Bahr
  • Patent number: 10721244
    Abstract: A traffic feature information extraction method including a regular expression process, a clustering process, and a feature information extraction process. The regular expression process extracts an item set in advance from a traffic log and represents a partial character string included in the item in a regular expression based on a predetermined rule. The clustering process clusters an entry of the traffic log represented in the regular expression. The feature information extraction process extracts, as traffic feature information of each of clusters, an entry having a minimum total sum of distances among entries included in the clustered traffic logs.
    Type: Grant
    Filed: March 12, 2015
    Date of Patent: July 21, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Daiki Chiba, Takeshi Yagi, Tohru Sato, Kazunori Kamiya, Kensuke Nakata
  • Patent number: 10715314
    Abstract: A cloud storage system supporting user agnostic encryption and deduplication of encrypted files is described. Further, the cloud storage system enables users to share a file, a group of files, or an entire file system with other users without a user sending each file to the other users. The cloud storage system further allows a client device to minimize the utilization of bandwidth by determining whether the encrypted data to transfer is already present in the cloud storage system. Further, the cloud storage system comprises mechanisms for a client device to inform the cloud storage system of which data is likely to be required in the future so that the cloud storage system can make that data available with less latency once the client device requests the data.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: July 14, 2020
    Assignee: PUCCINI WORLD LIMITED
    Inventor: Anthony Francois Gauda
  • Patent number: 10715505
    Abstract: A first information comprising an identification of an encryption algorithm supported by a first component from the first component of a software defined network (SDN) is received at a controller of the SDN. A set of policies and a set of encryption algorithms are sent to the first component. A policy determines a cryptographic operation applicable to a path in the SDN between the first component and a second component of the SDN. The first component comprises an originating point of the path and the second component comprises a destination point of the path.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: July 14, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Venkata Siva N. Amulothu, Nitin J. Huralikuppi, Ashish Kapur, Vishal Shukla
  • Patent number: 10715493
    Abstract: Enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: July 14, 2020
    Assignee: Centripetal Networks, Inc.
    Inventors: Sean Moore, Peter P. Geremia
  • Patent number: 10701514
    Abstract: A method of determining a distance between a first and a second device in a wireless data exchange protocol is presented. The method includes sending an advertising channel Protocol Data Unit (PDU) from the first device; receiving the advertising channel PDU at the second device and responsively sending a scan request scanning PDU from the second device to the first device; receiving the scan request scanning PDU at the first device and responsively sending a scan response scanning PDU from the first device to the second device; calculating a time of flight (TOF) for at least one of the sent PDUs; and determining the distance between the first and second devices using the calculated TOF.
    Type: Grant
    Filed: March 15, 2017
    Date of Patent: June 30, 2020
    Assignee: Dialog Semiconductor B.V.
    Inventor: Kanji Kerai
  • Patent number: 10694374
    Abstract: An electronic network device (200) and an electronic configurator device (300) for provisioning the network device. The network device is configured to send a public key to the configurator device (300) over an established first wireless (231) connection, and to receive encrypted credentials wirelessly from the configurator device. The configurator device is configured to receive the public key over the established first wireless connection, and to send credentials wirelessly encrypted with the public key to the network device over the established first wireless connection.
    Type: Grant
    Filed: May 26, 2016
    Date of Patent: June 23, 2020
    Assignee: SIGNIFY HOLDING B.V.
    Inventors: Hongming Yang, Sandeep Shankaran Kumar, Theodorus Jacobus Johannes Denteneer
  • Patent number: 10693638
    Abstract: A secret cryptographic key is stored in a protected state. While in the protected state, the secret cryptographic key is encrypted with a plurality of cryptographic keys, each of which is used to re-create the plaintext version of the secret cryptographic key. A service operated by an online service provider creates an isolated network environment containing a bastion computer system in communication with an HSM. After establishing the isolated network environment, the online service provider provides a service provider key to the HSM. An HSM key is present on the HSM, and an administrator key is provided by one or more key administrators. Using the HSM key, the service provider key, and the administrator key, the HSM performs cryptographic operations using the secret cryptographic key. When complete, the isolated network environment is deconstructed and the secret cryptographic key is returned to online storage in a protected state.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: June 23, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Todd Lawrence Cignetti, Matthew John Campagna