Packet Header Designating Cryptographically Protected Data Patents (Class 713/160)
  • Patent number: 11954541
    Abstract: Techniques are described for providing a highly available data ingestion system for ingesting machine data sent from remote data sources across potentially unreliable networks. To provide for highly available delivery of such data, a data intake and query system provides users with redundant sets of ingestion endpoints to which messages sent from users' computing environments can be delivered to the data intake and query system. Users' data sources, or data forwarding components configured to obtain and send data from one or more data sources, are then configured to encapsulate obtained machine data into discrete messages and to send copies of each message to two or more of the ingestion endpoints provisioned for a user. The ingestion endpoints receiving the messages implement a deduplication technique and provide only one copy of each message to a subsequent processing component (e.g., to an indexing subsystem for event generation, event indexing, etc.).
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: April 9, 2024
    Assignee: Splunk Inc.
    Inventor: Craig Keith Carl
  • Patent number: 11943201
    Abstract: A method including configuring a first server to receive, from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating that a portion of the encrypted authentication packet is encrypted and a crypted payload including an encrypted initial authentication packet; and configuring the first server to transmit, to the second server, a response based at least in part on determining that the portion of the encrypted authentication packet is encrypted and on decrypting the encrypted initial authentication packet. Various other aspects are contemplated.
    Type: Grant
    Filed: November 28, 2021
    Date of Patent: March 26, 2024
    Assignee: UAB 360 IT
    Inventors: Karolis Pabijanskas, Andžej Valčik, Ramünas Keliuotis
  • Patent number: 11934667
    Abstract: Techniques for encrypted-data-only media operations are described. In some instances, data from a source to be written to memory of a storage device is received by a storage device and the storage device determines whether the data is encrypted at a storage location based on an amount of entropy of the received data. When the received data is not encrypted a media error is returned to the source and when the received data is encrypted the data is written.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: March 19, 2024
    Assignee: Amazon Technologies, Inc.
    Inventor: Rodrigo Rubira Branco
  • Patent number: 11917072
    Abstract: A computer-implemented method according to one embodiment includes compressing an uncompressed instance of data to create a compressed instance of data; encrypting the compressed instance of data in response to determining that a size of the compressed instance of data is less than a predetermined threshold; creating a message authentication code (MAC) for the encrypted compressed instance of data; and adding a variable-length zero pad and the MAC to the encrypted compressed instance of data to create a formatted string.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: February 27, 2024
    Assignee: International Business Machines Corporation
    Inventors: Glen Alan Jaquette, William J. Scales, Danny Harnik
  • Patent number: 11895100
    Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: February 6, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Govind Prasad Sharma, Javed Asghar, Prabhu Balakannan, Sridhar Vallepalli
  • Patent number: 11888896
    Abstract: A method including configuring, by an infrastructure device, a transmitting device to determine an encryption key that is determined based at least in part on seed information associated with the transmitting device and a receiving device, and to encrypt one or more content messages to be transmitted during a first time interval by utilizing the encryption key; and configuring, by the infrastructure device, the receiving device to determine a decryption key that is determined based at least in part on the seed information associated with the transmitting device and the receiving device, and to decrypt one or more encrypted content messages received during the first time interval by utilizing the decryption key. Various other aspects are contemplated.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: January 30, 2024
    Assignee: UAB 360 IT
    Inventor: Adrianus Warmenhoven
  • Patent number: 11882153
    Abstract: A method including transmitting, by a transmitting device to a receiving device, a combination of messages including encrypted decoy messages and one or more encrypted content messages; determining, by the receiving device, a cryptographic decryption key based at least in part on unique seed information associated with the transmitting device and the receiving device; and determining, by the receiving device, that a message, included in the combination of messages, is a content message or that the message is a decoy message based at least in part on decrypting the message by utilizing the cryptographic decryption key. Various other aspects are contemplated.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: January 23, 2024
    Assignee: UAB 360 IT
    Inventor: Adrianus Warmenhoven
  • Patent number: 11877154
    Abstract: Techniques for identifying a trusted SSID for a wireless network are disclosed. Prior to establishing a connection with a wireless network comprising a service set identifier (SSID), a network message is received at a wireless station (STA), from an access point (AP) associated with the wireless network. The STA identifies an encrypted identifier in the network message. The STA validates the encrypted identifier, and in response determines that the AP corresponds to a trusted wireless network. The SSID is designated as trusted, at the STA.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: January 16, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Jay K. Johnston, Jerome Henry, David C. White, Jr., Magnus Mortensen, John M. Swartz, Robert E. Barton
  • Patent number: 11876786
    Abstract: Methods and systems for implementing a moving target defense are described. The moving target defense can comprise obfuscating a protocol identifier within a packet. The protocol identifier can be replaced with a faux protocol identifier. Additionally, diversion headers can be inserted into the packet, thereby creating additional layers of complexity.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: January 16, 2024
    Assignee: Comcast Cable Communications, LLC
    Inventor: Christopher Zarcone
  • Patent number: 11875143
    Abstract: Disclosed are various embodiments for updating IoT endpoints. A software update package can be deployed to an IoT gateway. The software package can have lifecycle scripts and software executable for installation on IoT endpoints. The lifecycle scripts represent different lifecycle phases of the update process.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: January 16, 2024
    Assignee: VMware, Inc.
    Inventors: Sabo Rusev, Dobromir Ivanov, Ivo Petkov, Ilya Mayorski, Militsa Borisova
  • Patent number: 11870865
    Abstract: An Encrypted Transport Proxy Backbone Protocol module is configured to set up ET Proxy Backbone connections with another distributed proxy device with each ET Proxy Backbone connection including multiple ET Proxy Backbone channels for transmitting ET proxy packets having different QoS classes. Each ET Proxy Backbone channel includes a separate queue. The ET Proxy Backbone Protocol module is also configured to schedule transmissions of the ET proxy packets from each respective queue; multiplex the ET proxy packets from each respective queue via the associated ET Proxy Backbone channel; perform local recovery of network impairments over the access network and perform congestion control to prevent packets from client devices and web servers from causing network congestion to the access network.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: January 9, 2024
    Assignee: Hughes Network Systems, LLC
    Inventors: Chi-Jiun Su, John Leonard Border, Robert James Torres, Bhavit Jogeshkumar Shah
  • Patent number: 11870759
    Abstract: Technologies for accelerated QUIC packet processing include a computing device having a network controller. The computing device programs the network controller with an encryption key associated with a QUIC protocol connection. The computing device may pass a QUIC packet to the network controller, which encrypts a payload of the QUIC packet using the encryption key. The network controller may segment the QUIC packet into multiple segmented QUIC packets before encryption. The network controller transmits encrypted QUIC packets to a remote host. The network controller may receive encrypted QUIC packets from a remote host. The network controller decrypts the encrypted payload of received QUIC packets and may evaluate an assignment function with an entropy source in the received QUIC packets and forward the received QUIC packets to a receive queue based on the assignment function. Each receive queue may be associated with a processor core. Other embodiments are described and claimed.
    Type: Grant
    Filed: May 13, 2022
    Date of Patent: January 9, 2024
    Assignee: Intel Corporation
    Inventors: Manasi Deval, Gregory Bowers
  • Patent number: 11848863
    Abstract: A network node configured to transmit packets to a destination node in a packet network, includes at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the network node to: assemble at least a first packet including a plurality of data units, each of the plurality of data units being grouped into one of a connection group, a network function group or an application group; and transmit the first packet to the destination node.
    Type: Grant
    Filed: August 21, 2020
    Date of Patent: December 19, 2023
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Bilgehan Erman, Andrea Francini, Edward Grinshpun, Raymond Miller
  • Patent number: 11847386
    Abstract: An artificial intelligence system can be implemented to identify relationships through the propagation of ripple patterns through a grid. In such a system, the grid may comprise cells which operate as cellular automata. Relationships may be identified based on collisions of signals detected by the cells in the grid, and, when a relationship is identified, it may be used to create high speed connections between cells.
    Type: Grant
    Filed: February 23, 2023
    Date of Patent: December 19, 2023
    Inventor: Gerard E. Felix
  • Patent number: 11841956
    Abstract: Systems and methods for metadata processing. The method comprises acts of associating, in a first system, metadata with application data processed by a host processor, wherein the application data is protected within the first system by one or more first policies using the metadata, and transferring the application data and its associated metadata to a second system in which the application data is unprotected using metadata processing or is protected by one or more second policies different from the one or more first policies.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: December 12, 2023
    Assignee: Dover Microsystems, Inc.
    Inventors: Gregory T. Sullivan, Jonathan B. Rosenberg
  • Patent number: 11841913
    Abstract: A system and method are provided for controlling visibility of elements of displayed electronic content. The method includes providing via a communications module a user interface viewable by a plurality of entity devices, and enabling via the communications module the user interface to display electronic content comprising at least one element. The method also includes determining at least one filtering criterion for controlling visibility of the at least one element of the electronic content being displayed, and concealing or modifying at least one element of the electronic content as displayed in the user interface for at least one of the plurality of entity devices, according to the at least one filtering criterion.
    Type: Grant
    Filed: June 1, 2022
    Date of Patent: December 12, 2023
    Assignee: The Toronto-Dominion Bank
    Inventors: Patrick Gibbon, James Zachary Pryor, Jonathan K. Barnett, Roy D'Souza, William Stewart James Law, Christopher Arthur Holland McAlpine, Ethan Christopher McAlpine, Maria Verna, Patrick Robert Goralski, Cathleen Ruth Carrel, Rohan Anand, Christy Ann Dyba, Dheeraj Jagtiani, Ali Hafezi, Ashkan Alavi-Harati
  • Patent number: 11811522
    Abstract: Systems and methods are provided for submitting data in a computer network. An exemplary method includes: receiving a first request to process a first data at one or more data servers; determining whether the first data includes a plurality of first set of properties; generating a second data having a plurality of second set of properties; providing a plurality of rule sets for submitting the second data; analyzing the second data to determine which of the rule sets is applicable; selecting one or more applicable rules from the rule sets; generating a plurality of third data by applying the one or more applicable rules to the second data; identifying the one or more external sources to distribute the third data; and sending the third data to the one or more external sources.
    Type: Grant
    Filed: September 20, 2022
    Date of Patent: November 7, 2023
    Assignee: Veeva Systems Inc.
    Inventors: Marius K. Mortensen, Asaf Roll, Zhen Tan
  • Patent number: 11778251
    Abstract: A cable distribution system that includes a head end connected to a plurality of customer devices through a transmission network that includes a remote fiber node that converts digital data to analog data suitable for the plurality of customer devices, where the head end includes a processor. A packetized elementary stream of a video is provided from the head end to customer devices through the transmission network, wherein the packetized elementary stream includes a plurality of groups comprising pairs of packetized elementary stream headers and packetized elementary stream payloads. A first one of the plurality of groups corresponding to a non-predicted coded picture of the video of the packetized elementary stream is determined. The first one of the plurality of groups is encrypted while not encrypting all of the plurality of groups of the video.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: October 3, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Lawrence Robert Cook, Mark Steven Schmidt
  • Patent number: 11778355
    Abstract: A searching method is applicable to Gigabit-capable Passive Optical Network (GPON). The searching method includes: dividing a GPON Encapsulation Mode Port Identifier (GEM Port ID) of a GEM frame into a first portion GEM Port ID and a second portion GEM Port ID; performing a row look-up in a first memory array by using the first portion GEM Port ID, and performing a column look-up in the first memory array by using the second portion GEM Port ID; and identifying a specific bit's position in the first memory array, according to results of the row look-up and the column look-up in the first memory array, wherein the specific bit's position represents a GPON Encapsulation Mode Port (GEM Port) that is used by the GEM frame.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: October 3, 2023
    Assignee: AIRONA TECHNOLOGY (SUZHOU) LIMITED
    Inventor: Feng-Bo Li
  • Patent number: 11775690
    Abstract: A compute device of an information handling system includes a security chip. The security chip includes a programmable read only memory, which in turn includes multiple one-time programmable slots and a one-time programmable slot counter. A first slot of the one-time programmable slots stores a first group of keys associated with a first entity of the security chip. A second slot of the one-time programmable slots stores a second group of keys associated with a second entity of the security chip. The one-time programmable slot counter includes multiple entries. Each of the entries is associated with a different one of the one-time programmable slots. Each of the entries is preset to a first value. The one-time programmable slot counter is only able to count in one direction. A first entry of the entries is updated to invalidate the second group of keys associated with the second entity.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: October 3, 2023
    Assignee: Dell Products L.P.
    Inventors: Mukund Khatri, Eugene Cho
  • Patent number: 11775668
    Abstract: A messaging system may include an account module that maintains user accounts associated with user identifying data that include a first password required to access the user account. The messaging system may receive message data including a message and identification of one or more of the user accounts with which the message is to be shared. Upon request, the messaging system may issue a second password to one of the user accounts. When the second password is used to access the user account, the user account may revert to an original state wherein all personalized information, including payment information, associated with the user account is deleted and unrecoverable.
    Type: Grant
    Filed: May 24, 2021
    Date of Patent: October 3, 2023
    Assignee: ENCODE COMMUNICATIONS, INC.
    Inventors: Brett David McReynolds, Thomas Christopher Whelan
  • Patent number: 11757973
    Abstract: Technologies for accelerated HTTP message processing include a computing device having a network controller. The computing device may generate an HTTP message, frame the HTTP message to generate a transport protocol packet such as a TCP/IP packet or QUIC packet, and pass the transport protocol packet to the network controller. The network controller compresses the HTTP header of the HTTP message, encrypts the compressed HTTP message, and transmits the encrypted message to a remote device. The network controller may segment the transport protocol packet into multiple segmented packets. The network controller may receive transport protocol packets that include encrypted HTTP message. The network controller decrypts the encrypted HTTP message to generate a compressed HTTP message, decompresses the HTTP message, and steers the HTTP message to a receive queue based on contents of an HTTP header. The network controller may coalesce multiple transport protocol packets. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 17, 2022
    Date of Patent: September 12, 2023
    Assignee: Intel Corporation
    Inventors: Parthasarathy Sarangam, Manasi Deval, Gregory Bowers
  • Patent number: 11750662
    Abstract: Techniques for providing multi-access edge computing (MEC) services security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) by parsing Application Programming Interfaces (APIs) are disclosed. In some embodiments, a system/process/computer program product for MEC services security in mobile networks by parsing APIs in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify an API message associated with a new session, wherein the mobile network includes a 5G network or a converged 5G network that includes a multi-access edge computing (MEC) service; extracting mobile network identifier information from the API message at the security platform; and determining a security policy to apply at the security platform to the new session based on the mobile network identifier information.
    Type: Grant
    Filed: April 13, 2022
    Date of Patent: September 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11716403
    Abstract: Sender Policy Framework (SPF) is one of the most widely used methods of distinguishing electronic mail that is authorized by the purported sending domain from unauthorized mail. SPF policies are published into a domain's DNS and then looked up and evaluated by mail receivers. Due to the complexity and limitations of the SPF specification, implementation mistakes are widespread. This problem is compounded by the common practice of nesting SPF policies which introduces hidden risks, particularly exceeding DNS lookup limits. To address these issues, inline service provider designation may be configured to capture the benefits of existing techniques without their associated costs. Additionally, the domain owner may enjoy simplified SPF service provider onboarding and policy failover redundancy to protect against SPF service provider disruptions, thus improving policy availability uptime.
    Type: Grant
    Filed: May 30, 2022
    Date of Patent: August 1, 2023
    Assignee: Fraudmarc Inc.
    Inventors: Keith Wayne Coleman, Richard Duncan
  • Patent number: 11711202
    Abstract: An example operation may include one or more of receiving a data block for storage on a blockchain from an orderer node, the data block comprising a full-step hash of a storage request and a reduced-step hash of the storage request, performing an approximate hash verification on the data block based on the reduced-step hash of the storage request included in the data block, and in response to a success of the approximate hash verification, committing the data block among a hash-linked chain of data blocks stored within a distributed ledger of a blockchain.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventor: Praveen Jayachandran
  • Patent number: 11706615
    Abstract: Disclosed here is a system and method to determine which wireless telecommunication network functionalities are impaired when using end-to-end encryption and to ameliorate the impairment of the functionality. The system receives a request from a sender device to communicate with a receiver device, where the request indicates whether the sender device is capable of an end-to-end encryption. The system determines whether the receiver device is capable of the end-to-end encryption, and whether the receiver device is associated with a functionality provided by a wireless telecommunication network that is impaired when the end-to-end encryption is used. Upon determining that the receiver device is not capable of the end-to-end encryption or that the receiver device is associated with the functionality that is impaired, the system performs an action to ameliorate the impairment to the functionality.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: July 18, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Ayman Zaki
  • Patent number: 11704649
    Abstract: A method for contactless payment relay attack protection includes receiving an online authorization request including a cryptogram, a measured processing time, and a reference processing time from a terminal. The cryptogram is verified, and a determination is performed as to whether the measured processing time exceeds the reference processing time. An online authorization response authorizing or declining a monetary transaction is transmitted, based on the determination. An artificial intelligence transaction analysis can be performed based on past and current conditions (e.g., battery level, operating system, open applications) of a payment device such as a mobile phone, past and current conditions of a terminal, and/or a monetary amount. The online authorization response can be based on the artificial intelligence transaction analysis.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: July 18, 2023
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Florent Hay, Eddy Van De Velde, Patrick Mestre
  • Patent number: 11695546
    Abstract: A method comprises receiving a session identifier from a streaming system that identifies a user session with the streaming system. The method further includes receiving a first message from a streaming system that is based on a token that is generated based on a combination of the session identifier and a timestamp at which an insertable content item was presented to the user in a content stream by the streaming system. The first message is decrypted using a plurality of timestamps that are within a range of a current time. An identifier is determined for the insertable content item based on the decrypted message. A second message is transmitted to an enabling system, the message including instructions for execution by the enabling system to execute one or more operations with the identified insertable content item.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: July 4, 2023
    Assignee: ADSWIZZ INC.
    Inventors: Victor Mocioiu, Bruno Nieuwenhuys, Vlad Andrei Dumitru, Guillaume Drevet
  • Patent number: 11695541
    Abstract: A computer-implemented method according to one aspect includes creating an initialization vector, utilizing an instance of plaintext and a secret key; encrypting the instance of plaintext, utilizing the initialization vector, the secret key, and the instance of plaintext; combining the initialization vector and the encrypted instance of plaintext to create a ciphertext string; and sending the ciphertext string to a storage device performing deduplication.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: July 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Glen Alan Jaquette, Danny Harnik, William J. Scales
  • Patent number: 11689619
    Abstract: Embodiments for a method of storing e-mail messages using a cloud native e-mail data protection process. E-mail messages are first compressed and stored in a container along with selected metadata. An Email Record is created for each e-mail message. A Container Record is created for each newly created container, and a Backup Record is created for each container for each backup. Once the required records are created, the process facilitates the execution of backup operations, such as full or incremental backups of the stored e-mail messages. Data tiering is supported so that low cost object storage in the public cloud is used instead of expensive processing methods, such as deduplication backups.
    Type: Grant
    Filed: March 26, 2020
    Date of Patent: June 27, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Mark Malamut, Arun Murti, Adam Brenner
  • Patent number: 11675917
    Abstract: Systems, computer program products, and methods are described herein for dynamically permitting and restricting access to and modification of computer resources. The present invention may be configured to receive a change request identifying computer resources to be modified, determine whether privileged access is required to modify the computer resources, and receive credentials from a user device. The present invention may be further configured to generate an encrypted configuration file, determine whether the change request is valid, and further encrypt the encrypted configuration file based on determining that the change request is valid.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: June 13, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Hitendra Kumar, Devulapalli Venkata Lakshmi Sai Siva Kumar
  • Patent number: 11663316
    Abstract: An electronic device includes a communication unit that communicates with a battery, a storage unit that stores a first identification information of the battery, and a determination unit that determines whether the communication unit is capable of performing a predetermined communication with the battery, in a case where a second identification information of the battery received from the battery is matched with the first identification information stored in the storage unit.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: May 30, 2023
    Assignee: Canon Kabushiki Kaisha
    Inventor: Sho Miyazaki
  • Patent number: 11658947
    Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.
    Type: Grant
    Filed: July 7, 2021
    Date of Patent: May 23, 2023
    Assignee: Intel Corporation
    Inventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
  • Patent number: 11647006
    Abstract: In a method of protecting signaling messages in a hop-by-hop network communication link between a source node and a destination node, a source node public digital signature verification key and a respective source node private digital signature key associated with said public digital signature verification key are provided to the source node. The source node public digital signature verification key associated with the source node private digital signature key is also provided to the destination node. The source node builds a message including a sequence of Information Elements, and calculates, for each Information Element, an Information Element hash value. The source node also calculates a sequence hash value of a concatenation of the calculated Information Element hash values, and generates a source node digital signature by digitally signing the calculated sequence hash value. An intermediate node receives and forwards the signaling message to the destination node.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: May 9, 2023
    Assignee: TELECOM ITALIA S.p.A.
    Inventors: Rosalia D'Alessandro, Jovan Golic
  • Patent number: 11640592
    Abstract: A system, method, and apparatus is provided for integrating multiple payment options on a merchant webpage. The method includes receiving, from a merchant system associated with a merchant webpage, a payment data capture request, generating, with at least one processor, web payment capture data based on the payment data capture request, the web payment capture data configured to adapt the merchant webpage to receive payment information input by a user, communicating, to the merchant system, the web payment capture data, receiving, directly from a client computer via at least one client-side script executed by the client computer based on the web payment capture data, the payment information input by the user, generating, with at least one processor, a transient payment token based on the payment information, and directly communicating the transient payment token to the client computer.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: May 2, 2023
    Assignee: Visa International Service Association
    Inventors: Bartlomiej Piotr Prokop, Rhidian Desmond Thomas John, Thomas Joseph Looney, Timothy Hodkinson, Bryan Carroll, Nathan Morgan, Brian McManus, Andre Walter Machicao, Clinton Lopaka Florez, Rajiv Dutta, James Donaldson, Shobhit Agrawal, Niall McGurk
  • Patent number: 11640390
    Abstract: Systems and methods for verifying files in bulk in a file system. When files are represented by a segment tree, the levels of the segment trees are walked by level such that multiple files are verified at the same time in order to identify missing segments. Then, a bottom up scan is performed using the missing segments to identify the files corresponding to the missing segments. The missing files can then be handled by the file system.
    Type: Grant
    Filed: August 17, 2021
    Date of Patent: May 2, 2023
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Abhinav Duggal, Tony Wong
  • Patent number: 11632242
    Abstract: A computer processing hardware architecture system for the Kyber lattice-based cryptosystem which is created with high resource reuse in the compression and decompression module, the operation unit, the binomial samplers, and the operation ordering, wherein the architecture system includes an internal controller operably configured to independently accelerate a plurality of cryptographic Kyber algorithms at all NIST-recommended post-quantum cryptography security levels and is operably coupled to a singular module operably configured to perform compression and decompression as specified in Kyber, perform arithmetic operations utilized in the plurality of cryptographic Kyber algorithms, and reuse hardware resources for all the arithmetic operations utilized in the plurality of cryptographic Kyber algorithms.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: April 18, 2023
    Assignee: PQSecure Technologies, LLC
    Inventor: Luke Beckwith
  • Patent number: 11620402
    Abstract: The technology disclosed teaches protecting sensitive data in the cloud via indexable databases. The method includes identifying sensitive fields of metadata for encryption and for hashing. The method also includes hashing at least partial values in the indexable sensitive fields to non-reversible hash values, concatenating the non-reversible hash values with the metadata for the network events, and encrypting the sensitive fields of metadata. Also included is sending the metadata for the network events, with the non-reversible hash values and the encrypted sensitive fields, to a remote database server that does not have a decryption key for the encrypted sensitive fields and that indexes the non-reversible hash values for indexed retrieval against the indexable sensitive fields.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: April 4, 2023
    Assignee: netSkope, Inc.
    Inventors: Ravi Ithal, Shaila Vasudev, Khurram Saqlain, Mahesh Gupta, Karan Mendiratta, Krishna Narayanaswamy
  • Patent number: 11606842
    Abstract: Systems and methods for a communications system architecture having a base station/access points, a multiple operator core Gateway/X2 Gateway, a plurality of Mobile Network Operator core networks and an enterprise core network are present. A first secure tunnel is provided for communicating user-plane traffic between the base station/access points and the multiple operator core Gateway/X2 Gateway. A second secure tunnel is provided for communicating control-plane traffic between the base station/access points and the enterprise core network. Additional secure tunnels are provided for communications between the multiple operator core Gateway/X2 Gateway and each Mobile Network Operator core.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: March 14, 2023
    Assignee: Celona, Inc.
    Inventor: Srinivasan Balasubramanian
  • Patent number: 11595421
    Abstract: A computation is divided into computation tasks that are sent to worker nodes and distributed results are received in response. A redundant subtask is sent to each of the worker nodes, the redundant subtask being a random linear combination of the computation tasks sent to others of the worker nodes. The worker nodes perform the redundant subtasks to produce redundant results. The redundant result of each worker node is combined with distributed results of others of the worker nodes to determine whether one or more of the worker nodes are acting maliciously. Optionally, the worker nodes can be initially evaluated for trustworthiness using a homomorphic hash function applied to an initial computation task and applied to results of the initial tasks. If the results of both hash functions match, then the worker nodes are considered trustworthy and can be used for subsequent computations with redundant subtasks as described above.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: February 28, 2023
    Assignee: Seagate Technology LLC
    Inventor: Yasaman Keshtkarjahromi
  • Patent number: 11589090
    Abstract: A method for encrypting a video stream in a video encoder is provided that includes receiving the video stream and encrypting randomly selected pictures in the video stream as the video stream is encoded.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: February 21, 2023
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Veeramanikandan Raju, Madhukar Budagavi
  • Patent number: 11582195
    Abstract: A virtual private network (VPN) server connected to a client device within a VPN obtains data for delivery to the client device. The VPN server selects a data stream from a set of data streams of the VPN connection with the client device, where each data stream of the set of data streams has a different encryption context. The VPN server generates a data packet based on the data such that the data packet is encrypted using the encryption context specific to the selected data stream. The VPN server transmits the data packets to the client device via the selected data stream.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: February 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Jari Karppanen
  • Patent number: 11546139
    Abstract: A method, apparatus, and system for assigning the execution of a cryptography and/or compression operation on a data segment to either a central processing unit (CPU) or a hardware accelerator is disclosed. In particular, a data segment on which a cryptography and/or compression operation is to be executed is received. Status information relating to a CPU and a hardware accelerator is determined. Whether the operation is to be executed on the CPU or on the hardware accelerator is determined based at least in part on the status information. In response to determining that the operation is to be executed on the CPU, the data segment is forwarded to the CPU for execution of the operation. On the other hand, in response to determining that the operation is to be executed on the hardware accelerator, the data segment is forwarded to the hardware accelerator for execution of the operation.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: January 3, 2023
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Bing Liu, Tao Chen, Wei Lin, Yong Zou
  • Patent number: 11539676
    Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for protection of network-based resource transfers via the use of encrypted tags. As such, the system allows for generation of unique encrypted tags which encode authorization parameters for denominations of electronic resources. The system may then authorize or deny requested network-based transfers by utilizing a decryption module to access the authorization parameters for a specific electronic resource denomination. Furthermore, the system may manipulate the encrypted tags to alter the authorization parameters or to track an electronic resource denomination across multiple network-based transfers.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: December 27, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Susan R. Hart, Lisa Matthews
  • Patent number: 11540116
    Abstract: A network controller provides proactive notification of a wireless client device's address rotation to layer 2 (L2) and/or layer 3 (L3) devices. Traditional methods of device address discovery rely on broadcasting of address queries across a plurality of links until a path to a device having the queried address responds. As device address changes become more frequent in an effort to improve user privacy, traditional methods of address discovery impose a large burden on networks, reducing their performance and efficiency. By proactively propagating address changes to upstream devices, the need for broadcast oriented address discovery techniques is reduced, resulting in improved network performance.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: December 27, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Robert E. Barton, Jerome Henry, Stephen Michael Orr
  • Patent number: 11537691
    Abstract: A transmitter device of a bus-based communication system may add one or more padding bits, associated with providing traffic flow confidentiality for communication of a payload on a communication bus, either to the payload on a transport layer, or to one or more first frames on a data link layer. The one or more first frames may include a transport layer payload associated with the payload. The transmitter device may transmit one or more second frames, including a data link layer payload associated with the one or more first frames, on the communication bus. A receiver device of the bus-based communication system may receive the one or more second frames on the communication bus. The receiver device may process the one or more padding bits from either the one or more first frames on the data link layer, or from the payload on the transport layer.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: December 27, 2022
    Assignee: Infineon Technologies AG
    Inventors: Alexander Zeh, Laurent Heidt
  • Patent number: 11531712
    Abstract: Metadata associated with content stored in a corresponding primary storage system is received from each secondary storage cluster of a plurality of different secondary storage clusters included in different storage domains. The metadata received from the plurality of different secondary storage clusters is stored and indexed together. A unified metadata search interface is provided for stored data of the corresponding primary storage systems and the plurality of different secondary storage clusters of the different storage domains.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: December 20, 2022
    Assignee: Cohesity, Inc.
    Inventors: Anubhav Gupta, Subramanian Sethumadhavan, Naga Venkata Sai Indubhaskar Jupudi, Jeffrey Howard, Manvendra Tomar, Yu-Shen Ng
  • Patent number: 11528601
    Abstract: Disclosed here is a system and method to determine which wireless telecommunication network functionalities are impaired when using end-to-end encryption and to ameliorate the impairment of the functionality. The system receives a request from a sender device to communicate with a receiver device, where the request indicates whether the sender device is capable of an end-to-end encryption. The system determines whether the receiver device is capable of the end-to-end encryption, and whether the receiver device is associated with a functionality provided by a wireless telecommunication network that is impaired when the end-to-end encryption is used. Upon determining that the receiver device is not capable of the end-to-end encryption or that the receiver device is associated with the functionality that is impaired, the system performs an action to ameliorate the impairment to the functionality.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: December 13, 2022
    Assignee: T-Mobile USA, Inc.
    Inventor: Ayman Zaki
  • Patent number: 11502816
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for generating new keys during a secure communication session. A key derivation function is operatively connected to both a counter and a memory. The key derivation function generates new key material from a first input and a second input in response to a signal provided by the counter. The key derivation function generates the new key material and outputs it to the memory.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: November 15, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Joël Alwen, Thomas Michael Leavy
  • Patent number: 11495145
    Abstract: A method and a system of selective encryption of a test dataset is disclosed. In an embodiment, the method may include determining a relevancy grade associated with each of a plurality of datapoints within a test dataset by comparing the test dataset with a common heat map, wherein the common heat map is generated using a plurality of training datasets. The method may further include calculating, based on the relevancy grade, an encryption level associated with each of the plurality of datapoints. The method may further include selectively encrypting at least one datapoint from the plurality of datapoints based on the encryption level associated with each of the plurality of datapoints. The at least one data point is rendered to a user after being decrypted.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: November 8, 2022
    Assignee: Wipro Limited
    Inventors: Manjunath Ramachandra Iyer, Sibsambhu Kar, Vinutha Bangalore Narayanamurthy