Abstract: A first network device configured for cryptographically protected communication with a second network device. The cryptographically protected communication comprising at least a handshake protocol, a cryptographic protection of bulk data protocol, and a resumption protocol. A session handling system obtains from the handshake protocol a first bulk cryptographic protection key and a resumption key. The first cryptographic protection key is forwarded to the host system but not the resumption key.

Abstract: Systems and methods disclosed herein improve on current technology for block-level data replication to cloud computing environments. A new system architecture deploys one or more replication tail proxies in a cloud computing environment, locally (at the cloud) tracks replicated data and determines which replicated data meet criteria for reconstructing a desired point-in-time in the cloud, and persists data blocks received at the replication tail proxy until they are processed as recovery points. The disclosed approach presents resiliency and performance advantages. First, the resiliency of block-level data replication to cloud is improved by deploying the replication tail proxy in the destination cloud. Second, a Recovery Time Objective (RTO) is reduced by enabling faster cloud deployment of virtual machines for disaster recovery, failover, and/or test purposes based on the replicated data.

Abstract: A method of encrypting data, in particular encrypting data in dependence on a user verification confidence level. An encryption algorithm is provided, data is input into the encryption algorithm, along with a public key and an access structure comprising the user verification confidence level. The encryption algorithm is run to output a cypher text of encrypted data, whereby the access structure is embedded into the cypher text such that only an entity satisfying the access structure can decrypt the cypher text.

Abstract: Systems and methods for in-line TCP processing using a systolic array. For example, data received for storage is processed in-line prior to encryption and/or sending to a remote storage device (e.g., cloud storage or server).

Abstract: Systems and methods for communication of electronic data in which one or more memory-coupled entity processors programmed to execute a stateless application that persists no data except configuration data in the stateless application and causes the at least one entity processor to receive data in a first format from a data source to which the stateless application executing on the at least one entity processor is loosely coupled; translate the received data to a second format for a data destination; and submit the data in the second format to the data destination to which the stateless application executing on the at least one entity processor is also loosely coupled.

Abstract: An IPSec tunnel request for establishing an IPSec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPSec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.

Abstract: Embodiments described include a method for implementing a privacy policy by a device intermediary to a plurality of clients and one or more servers. The method can include identifying, by a device intermediary to a plurality of clients and one or more servers, network traffic of a user that has not selected an option of a plurality of options of a privacy policy managed by the device. The method can include receiving, by the device, an indicator of a selection by the user of the option from the plurality of options of the privacy policy. The method can include handling, by the device, network traffic of the user according to the selected option of the privacy policy.

Abstract: Particular embodiments described herein provide for a system that can be configured to receive a notification that a client device is requesting, to modify original data associated with an online application, wherein the original data is stored in encrypted format in a cloud; decrypt the original data using a first client encryption key; store the decrypted data in a location accessible by the online application; enable editing capability of the decrypted data; receive a notification that the client device is finished modifying the data in decrypted format; determine whether the original data in decrypted format was modified; encrypt, based on a determination that the original data was modified, the modified data using a second client encryption key; and upload the modified data in encrypted format to the cloud.

Abstract: A method for managing engagement and presentation content of an electronic document involves providing container metadata identifying engagement containers within the electronic document, providing engagement data linked to the engagement containers, the engagement data comprising parameters of an engagement based on the segments of content in the linked engagement containers, executing a procedure to traverse engagement containers identified in the container metadata. The procedure includes accepting, based on user input, data responsive to the engagement, and assigning a score for the current engagement container based on the received data and the parameters defined in the engagement metadata.

Abstract: A method including receiving, by a first server from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating that a portion of the encrypted authentication packet is encrypted and a crypted payload including an encrypted initial authentication packet; and transmitting, by the first server to the second server, a response based at least in part on determining that the portion of the encrypted authentication packet is encrypted and on decrypting the encrypted initial authentication packet. Various other aspects are contemplated.

Abstract: Embodiments of the present application provide a data processing method, a data processing apparatus, an electronic device and a storage medium, and relate to the technical field of mobile communication network. The method includes: acquiring first data from a network element interface, the first data being business-related data; acquiring first target data by processing the first data; and transmitting the first target data to a second functional entity, for the second functional entity to generate a control instruction based on the first target data and second target data and to send the control instruction to the network element related to the control instruction. In embodiments of the present application, the collection and processing tasks of the business data are undertaken by the first functional entity, and the network element is freed from the collection and processing of the business data contributing a larger proportion of data.

Abstract: Systems, methods, and computer-readable media are provided for performing secure frame encryption as a service. For instance, a network device can receive a first request for encrypting a first media stream associated with a first endpoint. In response to the first request, the network device can obtain a first encryption key for encrypting the first media stream associated with the first endpoint. The network device can receive, from the first endpoint, a first plurality of media frames corresponding to the first media stream and encrypt each of the first plurality of media frames using the first encryption key to yield a first plurality of encrypted media frames. The network device can packetize the first plurality of encrypted media frames into a first plurality of data packets for transmission to a second endpoint.

Abstract: A system has an intelligent electronic device (TED) and a switch configured to perform operations that include obtaining a rule associating a media access control security (MACsec) port identifier (PI) of the TED with a data flow, receiving a frame comprising data and the MACsec PI, and transmitting the data of the frame based on the data flow associated with the rule.

Abstract: Systems and methods are provided for sending and receiving encrypted submessages. A method for sending and receiving encrypted submessages includes generating a first submessage comprising a first portion of content stored onto a first computer, generating a second submessage comprising a second portion of the content, encrypting the first submessage and the second submessage, transmitting the encrypted first submessage to a second computer via a first path, transmitting the encrypted second submessage to the second computer via a second path, wherein the first submessage and the second submessage are transmitted to the second computer in a batched manner, transmitting an encryption key to the second computer, wherein the encryption key is transmitted to the second computer in real time, wherein the encryption key indicates a decrypting algorithm to decrypt the encrypted first submessage, and wherein the second computer recreates the content by decrypting the encrypted first submessage.

Abstract: A method performed by a network node for routing data packets is disclosed. The method includes receiving a data packet that includes an abstract destination address in a shipping specification of the data packet. The abstract destination address indicates one or more network resource requirements of a destination. The method also includes determining whether a server satisfies the one or more network resource requirements of the destination specified by the abstract destination address. The method also includes forwarding the data packet to the server according to the determination.

Abstract: An identity verification system may include a contactless card comprising a processor and a memory, and one or more applications comprising instructions for execution on one or more devices. The contactless card may be associated with a first user. A first application may be configured to transmit, after entry of the contactless card into a communication field, identity data. A second application may be configured to receive a notification based on an identity verification process. The notification may comprise an option indicative of requested access to specified information about the first user, the option further including a choice to accept or decline access to the specified information about the first user. The first application may be configured to receive the requested access to specified information about the first user based on selection of the option.

Abstract: A network function virtualization (NFV) compute element installs an image supporting a virtualized network function (VNF) on the element. The image includes instructions/data to initiate a TCP connection between the element and a Software Defined Network (SDN) controller upon reboot of the element. Upon rebooting, the element establishes, as client in accordance with the instructions/data, a TCP connection with the controller. The element then accepts, as a cryptographic network protocol server, a connection via the TCP connection from the controller as a client in accordance with the instructions. Next, the element accepts, as a network management protocol server, a connection via the cryptographic network protocol connection from the controller as network management protocol client.

Abstract: Technologies for providing a multi-tenant local breakout switching and dynamic load balancing include a network device to receive network traffic that includes a packet associated with a tenant. Upon a determination that the packet is encrypted, a secret key associated with the tenant is retrieved. The network device decrypts a payload from the packet using the secret key. The payload is indicative of one or more characteristics associated with network traffic. The network device evaluates the characteristics and determines whether the network traffic is associated with a workload requesting compute from a service hosted by a network platform. If so, the network device forwards the network traffic to the service.

Abstract: A method including determining, by a first server, an encrypted authentication packet, the determining including, determining a crypted code field to indicate a type associated with the encryption authentication packet and that at least a portion of the encryption authentication packet is encrypted, and determining a crypted payload based at least in part on encrypting an initial authentication packet. The method may also include transmitting, by the first server to a second server, the encrypted authentication packet to enable the first server and the second server to conduct an authentication process. Various other aspects are contemplated.

Abstract: A vehicle-user interaction system for a vehicle includes: an editor configured to receive one or more inputs from a user of the vehicle and edit the one or more inputs into a rule script, the rule script including a user-defined rule based on the one or more inputs, the user-defined rule defining a trigger condition and a vehicle operation performed when the trigger condition is satisfied; a parser configured to create a list of monitoring elements and a list of functional elements based on the rule script, the list of monitoring elements including sensor elements that directly or indirectly describe the trigger condition, and the list of functional elements including functional elements that are associated with the vehicle operation; and an actuator configured to monitor sensor detection information associated with the sensor elements, determine whether the trigger condition is satisfied, and execute the functional elements to implement the user-defined rule in the vehicle.

Abstract: An illustrative data storage management system uses a control layer that controls information content presented to users and ensures information privacy between diverse tenants and/or resellers who share the system. The system populates a relationship database as transactions roll in (intake processing), and uses information in the relationship database later when processing responses (output processing). The relationship database comprises associations between e.g., a company ID and any number of entities that were created by or on behalf of the company or that are related to the company's service in the system. The control layer parses raw results that are responsive to requests for information and prevents others' information from being included in the responsive message(s). The techniques disclosed herein are not limited to shared systems managed by service providers, and may be implemented in fully owned and operated systems to add security and privacy among diverse users and/or departments.

Abstract: A method including configuring a first server to determine an encrypted authentication packet, the configuring including, configuring the first server to determine a crypted code field to indicate a type associated with the encryption authentication packet and that at least a portion of the encryption authentication packet is encrypted, and configuring the first server to determine a crypted payload based at least in part on encrypting an initial authentication packet. The method may also include configuring the first server to transmit, to a second server, the encrypted authentication packet to enable the first server and the second server to conduct an authentication process. Various other aspects are contemplated.

Abstract: A system includes an intelligent electronic device (IED) configured to perform operations that include receiving a first user input and deriving a first connectivity association key (CAK) based on the first user input. The system also includes a gateway configured to perform operations that include receiving a second user input, deriving a second CAK based on the second user input, identifying the first CAK of the IED, establishing an adoption link with the IED based on a match between the first CAK and the second CAK, generating a third CAK, and distributing a copy of the third CAK to the IED via the adoption link to establish a MKA connectivity association with the IED.

Abstract: Techniques are described for providing a highly available data ingestion system for ingesting machine data sent from remote data sources across potentially unreliable networks. To provide for highly available delivery of such data, a data intake and query system provides users with redundant sets of ingestion endpoints to which messages sent from users' computing environments can be delivered to the data intake and query system. Users' data sources, or data forwarding components configured to obtain and send data from one or more data sources, are then configured to encapsulate obtained machine data into discrete messages and to send copies of each message to two or more of the ingestion endpoints provisioned for a user. The ingestion endpoints receiving the messages implement a deduplication technique and provide only one copy of each message to a subsequent processing component (e.g., to an indexing subsystem for event generation, event indexing, etc.).

Abstract: A method including configuring a first server to receive, from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating that a portion of the encrypted authentication packet is encrypted and a crypted payload including an encrypted initial authentication packet; and configuring the first server to transmit, to the second server, a response based at least in part on determining that the portion of the encrypted authentication packet is encrypted and on decrypting the encrypted initial authentication packet. Various other aspects are contemplated.

Abstract: Techniques for encrypted-data-only media operations are described. In some instances, data from a source to be written to memory of a storage device is received by a storage device and the storage devices determines whether the data is encrypted at a storage location based on an amount of entropy of the received data. When the received data is not encrypted a media error is returned to the source and when the received data is encrypted the data is written.

Abstract: A computer-implemented method according to one embodiment includes compressing an uncompressed instance of data to create a compressed instance of data; encrypting the compressed instance of data in response to determining that a size of the compressed instance of data is less than a predetermined threshold; creating a message authentication code (MAC) for the encrypted compressed instance of data; and adding a variable-length zero pad and the MAC to the encrypted compressed instance of data to create a formatted string.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A method including configuring, by an infrastructure device, a transmitting device to determine an encryption key that is determined based at least in part on seed information associated with the transmitting device and a receiving device, and to encrypt one or more content messages to be transmitted during a first time interval by utilizing the encryption key; and configuring, by the infrastructure device, the receiving device to determine a decryption key that is determined based at least in part on the seed information associated with the transmitting device and the receiving device, and to decrypt one or more encrypted content messages received during the first time interval by utilizing the decryption key. Various other aspects are contemplated.

Abstract: A method including transmitting, by a transmitting device to a receiving device, a combination of messages including encrypted decoy messages and one or more encrypted content messages; determining, by the receiving device, a cryptographic decryption key based at least in part on unique seed information associated with the transmitting device and the receiving device; and determining, by the receiving device, that a message, included in the combination of messages, is a content message or that the message is a decoy message based at least in part on decrypting the message by utilizing the cryptographic decryption key. Various other aspects are contemplated.

Abstract: Methods and systems for implementing a moving target defense are described. The moving target defense can comprise obfuscating a protocol identifier within a packet. The protocol identifier can be replaced with a faux protocol identifier. Additionally, diversion headers can be inserted into to the packet, thereby creating additional layers of complexity.

Abstract: Techniques for identifying a trusted SSID for a wireless network are disclosed. Prior to establishing a connection with a wireless network comprising a service set identifier (SSID), a network message is received at a wireless station (STA), from an access point (AP) associated with the wireless network. The STA identifies an encrypted identifier in the network message. The STA validates the encrypted identifier, and in response determines that the AP corresponds to a trusted wireless network. The SSID is designated as trusted, at the STA.

Abstract: Disclosed are various embodiments for updating IoT endpoints. A software update package can be deployed to a IoT gateway. The software package can have lifecycle scripts and software executable for installation on IoT endpoints. The lifecycle scripts represent different lifecycle phases of the update process.

Abstract: An Encrypted Transport Proxy Backbone Protocol module is configured to set up ET Proxy Backbone connections with another distributed proxy device with each ET Proxy Backbone connection including multiple ET Proxy Backbone channels for transmitting ET proxy packets having different QoS classes. Each ET Proxy Backbone channel includes a separate queue. The ET Proxy Backbone Protocol module is also configured to schedule transmissions of the ET proxy packets from each respective queue; multiplex the ET proxy packets from each respective queue via the associated ET Proxy Backbone channel; perform local recovery of network impairments over the access network and perform congestion control to prevent packets from client devices and web servers from causing network congestion to the access network.

Abstract: Technologies for accelerated QUIC packet processing include a computing device having a network controller. The computing device programs the network controller with an encryption key associated with a QUIC protocol connection. The computing device may pass a QUIC packet to the network controller, which encrypts a payload of the QUIC packet using the encryption key. The network controller may segment the QUIC packet into multiple segmented QUIC packets before encryption. The network controller transmits encrypted QUIC packets to a remote host. The network controller may receive encrypted QUIC packets from a remote host. The network controller decrypts the encrypted payload of received QUIC packets and may evaluate an assignment function with an entropy source in the received QUIC packets and forward the received QUIC packets to a receive queue based on the assignment function. Each receive queue may be associated with a processor core. Other embodiments are described and claimed.

Abstract: An artificial intelligence system can be implemented to identify relationships through the propagation of ripple patterns through a grid. In such a system, the grid may comprise cells which operate as cellular automata. Relationships may be identified based on collisions of signals detected by the cells in the grid, and, when a relationship is identified, it may be used to create high speed connections between cells.

Abstract: A network node configured to transmit packets to a destination node in a packet network, includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the network node to: assemble at least a first packet including a plurality of data units, each of the plurality of data units being grouped into one of a connection group, a network function group or an application group; and transmit the first packet to the destination node.

Abstract: A system and method are provided for controlling visibility of elements of displayed electronic content. The method includes providing via a communications module a user interface viewable by a plurality of entity devices, and enabling via the communications module the user interface to display electronic content comprising at least one element. The method also includes determining at least one filtering criterion for controlling visibility of the at least one element of the electronic content being displayed, and concealing or modifying at least one element of the electronic content as displayed in the user interface for at least one of the plurality of entity devices, according to the at least one filtering criterion.

Abstract: Systems and methods for metadata processing. The method comprises acts of associating, in a first system, metadata with application data processed by a host processor, wherein the application data is protected within the first system by one or more first policies using the metadata, and transferring the application data and its associated metadata to a second system in which the application data is unprotected using metadata processing or is protected by one or more second policies different from the one or more first policies.

Abstract: Systems and methods are provided for submitting data in a computer network. An exemplary method includes: receiving a first request to process a first data at one or more data servers; determining whether the first data includes a plurality of first set of properties; generating a second data having a plurality of second set of properties; providing a plurality of rule sets for submitting the second data; analyzing the second data to determine which of the rule sets is applicable; selecting one or more applicable rules from the rule sets; generating a plurality of third data by applying the one or more applicable rules to the second data; identifying the one or more external sources to distribute the third data; and sending the third data to the one or more external sources.

Abstract: A searching method is applicable to Gigabit-capable Passive Optical Network (GPON). The searching method includes: dividing a GPON Encapsulation Mode Port Identifier (GEM Port ID) of a GEM frame into a first portion GEM Port ID and a second portion GEM Port ID; performing a row look-up in a first memory array by using the first portion GEM Port ID, and performing a column look-up in the first memory array by using the second portion GEM Port ID; and identifying a specific bit's position in the first memory array, according to results of the row look-up and the column look-up in the first memory array, wherein the specific bit's position represents a GPON Encapsulation Mode Port (GEM Port) that is used by the GEM frame.

Abstract: A cable distribution system that includes a head end connected to a plurality of customer devices through a transmission network that includes a remote fiber node that converts digital data to analog data suitable for the plurality of customer devices, where the head end includes a processor. A packetized elementary stream of a video is provided from the head end to customer devices through the transmission network, wherein the packetized elementary stream includes a plurality of groups comprising pairs of packetized elementary stream headers and packetized elementary stream payloads. A first one of the plurality of groups corresponding to a non-predicted coded picture of the video of the packetized elementary stream is determined. The first one of the plurality of groups is encrypted while not encrypting all of the plurality of groups of the video.

Abstract: A messaging system may include an account module that maintains user accounts associated with user identifying data that include a first password required to access the user account. The messaging system may receive message data including a message and identification of one or more of the user accounts the message is to be shared. Upon request, the messaging system may issue a second password to one of the user accounts. When the second password is used to access the user account, the user account may revert to an original state wherein all personalized information, including payment information, associated with the user account is deleted and unrecoverable.

Abstract: A compute device of an information handling system includes a security chip. The security chip includes a programmable read only memory, which in turn includes multiple one-time programmable slots and a one-time programmable slot counter. A first slot of the one-time programmable slots stores a first group of keys associated with a first entity of the security chip. A second slot of the one-time programmable slots stores a second group of keys associated with a second entity of the security chip. The one-time programmable slot counter includes multiple entries. Each of the entries is associated with a different one of the one-time programmable slots. Each of the entries is preset to a first value. The one-time programmable slot counter is only able to count in one direction. A first entry of the entries is updated to invalidate the second group of keys associated with the second entity.

Abstract: Technologies for accelerated HTTP message processing include a computing device having a network controller. The computing device may generate an HTTP message, frame the HTTP message to generate a transport protocol packet such as a TCP/IP packet or QUIC packet, and pass the transport protocol packet to the network controller. The network controller compresses the HTTP header of the HTTP message, encrypts the compressed HTTP message, and transmits the encrypted message to a remote device. The network controller may segment the transport protocol packet into multiple segmented packets. The network controller may receive transport protocol packets that include encrypted HTTP message. The network controller decrypts the encrypted HTTP message to generate a compressed HTTP message, decompresses the HTTP message, and steers the HTTP message to a receive queue based on contents of an HTTP header. The network controller may coalesce multiple transport protocol packets. Other embodiments are described and claimed.

Abstract: Techniques for providing multi-access edge computing (MEC) services security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) by parsing Application Programming Interfaces (APIs) are disclosed. In some embodiments, a system/process/computer program product for MEC services security in mobile networks by parsing APIs in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an API message associated with a new session, wherein the mobile network includes a 5G network or a converged 5G network that includes a multi-access edge computing (MEC) service; extracting mobile network identifier information from the API message at the security platform; and determining a security policy to apply at the security platform to the new session based on the mobile network identifier information.

Abstract: Sender Policy Framework (SPF) is one of the most widely used methods of distinguishing electronic mail that is authorized by the purported sending domain from unauthorized mail. SPF policies are published into a domain's DNS and then looked up and evaluated by mail receivers. Due to the complexity and limitations of the SPF specification, implementation mistakes are widespread. This problem is compounded by the common practice of nesting SPF policies which introduces hidden risks, particularly exceeding DNS lookup limits. To address these issues, inline service provider designation may be configured to capture the benefits of existing techniques without their associated costs. Additionally, the domain owner may enjoy simplified SPF service provider onboarding and policy failover redundancy to protect against SPF service provider disruptions, thus improving policy availability uptime.

Abstract: An example operation may include one or more of receiving a data block for storage on a blockchain from an orderer node, the data block comprising a full-step hash of a storage request and a reduced-step hash of the storage request, performing an approximate hash verification on the data block based on the reduced-step hash of the storage request included in the data block, and in response to a success of the approximate hash verification, committing the data block among a hash-linked chain of data blocks stored within a distributed ledger of a blockchain.

Abstract: A method for contactless payment relay attack protection includes receiving an online authorization request including a cryptogram, a measured processing time, and a reference processing time from a terminal. The cryptogram is verified, and a determination is performed as to whether the measured processing time exceeds the reference processing time. An online authorization response authorizing or declining a monetary transaction is transmitted, based on the determination. An artificial intelligence transaction analysis can be performed based on past and current conditions (e.g., battery level, operating system, open applications) of a payment device such as a mobile phone, past and current conditions of a terminal, and/or a monetary amount. The online authorization response can be based on the artificial intelligence transaction analysis.

Abstract: Disclosed here is a system and method to determine which wireless telecommunication network functionalities are impaired when using end-to-end encryption and to ameliorate the impairment of the functionality. The system receives a request from a sender device to communicate with a receiver device, where the request indicates whether the sender device is capable of an end-to-end encryption. The system determines whether the receiver device is capable of the end-to-end encryption, and whether the receiver device is associated with a functionality provided by a wireless telecommunication network that is impaired when the end-to-end encryption is used. Upon determining that the receiver device is not capable of the end-to-end encryption or that the receiver device is associated with the functionality that is impaired, the system performs an action to ameliorate the impairment to the functionality.