Firewall Patents (Class 726/11)
  • Patent number: 10650593
    Abstract: A server system can receive an assertion of an alarm condition from a security system that processes sensor signals from sensors and that triggers the alarm condition. The server system can send messages to determined nearby sensors to start sending data back to the server system according to the alarm condition. The server system can analyze sensor data received from the sensors. The analysis includes a verification of the alarm condition, a determination of how often queried data is requested, and a determination of which of selected data received from selected sensors to forward to one or more mixed reality devices. The server system can forward data to the one or more mixed reality devices.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: May 12, 2020
    Assignee: TYCO FIRE & SECURITY GMBH
    Inventors: Robert B. Locke, Paul B. Rasband, Rain Cui, Steve Schattmaier, Richard Campero
  • Patent number: 10628144
    Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: April 21, 2020
    Assignee: VMWARE, INC.
    Inventors: Sirisha Myneni, Arijit Chanda, Laxmikant Vithal Gunda, Arnold Poon, Farzad Ghannadian, Kausum Kumar
  • Patent number: 10621344
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: April 14, 2020
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10616813
    Abstract: A method and system for wireless communication between a mobile router in a moving vehicle, such as a train, and one or several external server(s) via at least two types of external wireless networks, a first external wireless network type, trackside network, including a plurality of trackside base stations, such as access points, for communication in compliance with a Wireless Local Area Network (WLAN) standard, said trackside base stations being arranged in the vicinity of a vehicle path of travel, and a second external wireless network type, cellular network, communicating via cellular network standard(s), such as in accordance with 3G, 4G or 5G standards, wherein the mobile router is arranged, at least periodically, to simultaneously communicate with the two types of external wireless networks thereby providing at least two concurrently useable external wireless networks.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: April 7, 2020
    Assignee: ICOMERA AB
    Inventor: Mats Karlsson
  • Patent number: 10608881
    Abstract: Example methods are provided for host to implement application-based network segmentation in a virtualized computing environment. The method may comprise detecting an egress packet from a virtualized computing instance supported by the host for transmission to a destination and identifying a source application associated with the egress packet. The source application may be one of multiple applications supported by the virtualized computing instance, the multiple applications being associated with respective target networks. The method may further comprise, based on a network policy configured for the source application, determining a particular target network associated with the source application; and sending, to the destination, the egress packet via a physical network interface controller (NIC) associated with the particular target network.
    Type: Grant
    Filed: September 22, 2016
    Date of Patent: March 31, 2020
    Assignee: NICIRA, INC.
    Inventors: Shengbo Teng, Nan Wang, Yisan Zhao, Jingtao Zhang
  • Patent number: 10601861
    Abstract: An exemplary computer-implemented method includes obtaining at least one teleportation invite block that records a virtual universe teleportation invite marked by at least one parameter. The teleportation invite identifies a virtual universe user as an invitee. Responsive to the parameter, assess whether the virtual universe teleportation invite is potentially malicious, and alert the invitee in case the virtual universe teleportation invite is potentially malicious.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: March 24, 2020
    Assignee: International Business Machines Corporation
    Inventors: James R. Kozloski, Clifford A. Pickover, Komminist Weldemariam
  • Patent number: 10601863
    Abstract: Sensor enrollment management is conducted where features and capabilities for one or more broker computing nodes within the cluster are received by an enrollment service operating within a management system. The enrollment service is configured to receive advertised features and capabilities for computing nodes that are part of a cluster and provide address information associated with the enrollment service to the sensor. Based on information supplied by the sensor, the enrollment service authenticates the sensor, and upon authentication, forwards keying material associated with the sensor to a computing node that is selected for supporting communications to the cluster from the sensor. Also, the enrollment service provides a portion of the advertised features and capabilities associated with the computing node to the sensor to enable the sensor to establish a secure communication path with the computing node for malware analysis of suspicious objects within network traffic monitored by the sensor.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: March 24, 2020
    Assignee: FireEye, Inc.
    Inventor: Mumtaz Siddiqui
  • Patent number: 10594584
    Abstract: A transmitted transport communication protocol (TCP) packet in an established TCP connection is intercepted and resent with a modified IP layer to determine network nodes within a network path. No new connection is required, and the data may be transmitted to its intended location as part of the existing connection, bypassing firewalls and other obstacles commonly affecting ping commands. The change to the IP layer may include a modified TTL value. Address location and response time may be determined for each node in a network path.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: March 17, 2020
    Assignee: Cisco Technology, Inc.
    Inventor: Suraj Puvvada
  • Patent number: 10593427
    Abstract: A medical device for facilitating data direction to storage in a patient-specific electronic record is provided herein. In embodiments, the medical device visually presents patient data received from devices that more directly capture physiological data. The medical device is associated with a patient corresponding to the physiological data, and communicates the patient data to a centralized server for processing and forwarding to a database, which includes an electronic record that is specific to the patient. Then, the medical device may be dissociated from the patient.
    Type: Grant
    Filed: March 12, 2018
    Date of Patent: March 17, 2020
    Assignee: Cerner Innovation, Inc.
    Inventors: Damon Matthew Herbst, Randolph S. Lantz, Greg T. Meyer, Matthew P. Bailey
  • Patent number: 10594732
    Abstract: Method, product and device for selective traffic blockage. In one embodiment, in response to a detection that a computing device cannot connect to a predetermined server, the blockage policy is applied to an outgoing packet, whereby selectively blocking outgoing packets when the computing device has limited connectivity to the predetermined server. In another embodiment, in response to an attempt to transmit a packet, invoking a local Virtual Private Network (VPN) service that is configured to apply a blockage policy, wherein the local VPN service provides an Application Programming Interface (API) of a VPN service. As a result, selective blockage is implemented using the local VPN service.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: March 17, 2020
    Assignee: CA, Inc.
    Inventors: Yair Amit, Shahar Areli, Daniel Kandel, Elisha Eshed, Roy Iarchy, Adi Sharabani
  • Patent number: 10587578
    Abstract: System and method for managing firewall rules for hierarchical entities modify a processing order of the firewall rules to be executed in a distributed computer system based on hit counts of the firewall rules and direct descendent relationships of destination entities of the firewall rules.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: March 10, 2020
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Sriram Gopalakrishnan, Naveen Ramaswamy, Anil Kumar
  • Patent number: 10587634
    Abstract: A system, method and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: March 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: Kuo-Chun Chen, Chih-Hung Chou, Wei-Hsiang Hsiung, Sheng-Tung Hsu
  • Patent number: 10587648
    Abstract: A method, apparatus and program product utilize Domain Name Service (DNS) prefetching in a recursive DNS server, e.g., to mitigate Distributed Denial of Service (DDoS) attacks on a DNS service.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: March 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: David M. Koster, Jason A. Nikolai, Adam D. Reznechek, Andrew T. Thorstensen
  • Patent number: 10587649
    Abstract: A method, apparatus and program product utilize Domain Name Service (DNS) prefetching in a recursive DNS server, e.g., to mitigate Distributed Denial of Service (DDoS) attacks on a DNS service.
    Type: Grant
    Filed: November 27, 2017
    Date of Patent: March 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: David M. Koster, Jason A. Nikolai, Adam D. Reznechek, Andrew T. Thorstensen
  • Patent number: 10574676
    Abstract: A mobile device application executing on a mobile device as an operating system extension that uses a virtual private network (VPN) stack of the operating system intercepts a first Internet protocol (IP) packet for delivery to a remote computer system. The application determines that the intercepted first IP packet is associated with sensitive information. In response, the application creates a VPN tunnel between the mobile device and the remote computer system to securely send data from the mobile device to the remote computer system.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: February 25, 2020
    Assignee: Fyde, Inc.
    Inventors: Sinan Eren, Jose Luis Ferras Pereira, Pablo German Sole, Luisa Marina Moya Praca de Araujo Llma
  • Patent number: 10574482
    Abstract: Systems and methods for providing multi-perimeter firewalls via a virtual global network are disclosed. In one embodiment the network system may comprise an egress ingress point in communication with a first access point server, a second access point server in communication with the first access point server, an endpoint device in communication with the second access point server, a first firewall in communication with the first access point server, and a second firewall in communication with the second access point server. The first and second firewalls may prevent traffic from passing through their respective access point servers. The first and second firewalls may be in communication with each other and exchange threat information.
    Type: Grant
    Filed: April 7, 2016
    Date of Patent: February 25, 2020
    Assignee: UMBRA TECHNOLOGIES LTD.
    Inventors: Carlos Eduardo Oré, Joseph E. Rubenstein
  • Patent number: 10567437
    Abstract: Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: February 18, 2020
    Assignee: CENTRIPETAL NETWORKS, INC.
    Inventors: Steven Rogers, Sean Moore
  • Patent number: 10560469
    Abstract: In an example, metrics that cause a deviation in data may be identified by collecting the data for selected metrics stored in a plurality of tables. A metric vector is constructed based on the data for the selected metrics. A probability density may be calculated for the metric vector that indicates a deviation value for the metric vector relative to other metric vectors. Moreover, an outlier metric from the metric vector that causes the deviation value for the metric vector may be identified.
    Type: Grant
    Filed: January 24, 2014
    Date of Patent: February 11, 2020
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventor: Eric Owhadi
  • Patent number: 10559177
    Abstract: Embodiments herein provide methods and apparatus for monitoring and/or protecting property or other areas. Aspects of the invention provide devices, software, systems, and methods for property and area monitoring that detect the presence of wireless devices on or over a property or in a particular geographical area. In some embodiments the detected wireless device and/or owner of a detected device can be identified. Embodiments provide methods and systems for detection of wireless devices and identifiers, recording the time and duration that a detected device was active on a property or within an area, recording and transmitting information to remote storage, and/or alerting authorized individuals of activity within a monitored area. Embodiments of the invention allow systems and methods to work independently or with remote sensors to perform pre-programmed functions upon detection of a wireless device. Embodiments present a method for mobile configuration for scanning an area.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: February 11, 2020
    Inventors: Dean Michael Feldman, Timothy J Pierson
  • Patent number: 10554723
    Abstract: If a host name and a port number of an HTTP request do not correspond to those of an HTTP server, it is determined whether or not the host name indicates a local host and an address of a client that has transmitted the request is a loop-back address, and if so, processing for the HTTP request is continued.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: February 4, 2020
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kunimasa Fujisawa
  • Patent number: 10554493
    Abstract: Systems, methods, and computer-readable media for analyzing memory usage in a network node. A network assurance appliance may be configured to obtain reference concrete level rules for a node in the network, obtain implemented concrete level rules for the node from the node in the network, compare the reference concrete level rules with the implemented concrete level rules, and determine that the implemented concrete level rules are not appropriately configured based on the comparison.
    Type: Grant
    Filed: July 27, 2017
    Date of Patent: February 4, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Ramana Rao Kompella, Chandra Nagarajan, John Thomas Monk, Purna Mani Kumar Ghantasala
  • Patent number: 10547634
    Abstract: There is described a digital agent for monitoring of cybersecurity-related events in an industrial control system. The digital agent can reside in a host. The digital agent includes a module for monitoring behavioral data of the host, such as violation of security policy, system usage metric, etc. The digital agent also includes a module for recording the behavior baseline of the host, such as operating system, operating system version, firewall status, etc. In addition, the digital agent includes an agent state machine for monitoring the CPU load and/or memory usage of the host. Further, the digital agent includes an agent communication module for transmitting monitored data to an analysis unit external to the industrial control system.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: January 28, 2020
    Assignee: SECURE-NOK AS
    Inventor: Siv Hilde Houmb
  • Patent number: 10541969
    Abstract: Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.
    Type: Grant
    Filed: October 21, 2014
    Date of Patent: January 21, 2020
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10542028
    Abstract: A packet-filtering device may receive packet-filtering rules configured to cause the packet-filtering device to identify packets corresponding to network-threat indicators. The packet-filtering device may receive packets and, for each packet, may determine that the packet corresponds to criteria specified by a packet-filtering rule. The criteria may correspond to one or more of the network-threat indicators. The packet-filtering device may apply an operator specified by the packet-filtering rule. The operator may be configured to cause the packet-filtering device to either prevent the packet from continuing toward its destination or allow the packet to continue toward its destination.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: January 21, 2020
    Assignee: Centripetal Networks, Inc.
    Inventors: David K. Ahn, Keith A. George, Peter P. Geremia, Pierre Mallett, III, Sean Moore, Robert T. Perry, Jonathan R. Rogers
  • Patent number: 10536513
    Abstract: Systems and methods are disclosed herein for opening files via local applications. A first application on a local device receives a request to open a document specified by a user via a user interface associated with the first application, the document having a document identifier and associated with a first file stored on a server, the request comprising the document identifier and a user identifier. The first application forwards the request to open the document associated with the first file to a second application on the local device, and receives, from the second application, a list comprising one or more document processing applications that are on the local device and are capable of opening a second file that is stored on the local device and has the same document identifier as the document specified by the user, the second file being a local copy of the first file.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: January 14, 2020
    Assignee: GOOGLE LLC
    Inventors: Jessie Lynne Newman, Frank Pape, III, Ali Akhavan Bitaghsir, Brian Schneider, James Michael McCollum, Eric Huayu Zhang, Rachel Werner Barton, Marc Miller, Rishi Sharma
  • Patent number: 10530750
    Abstract: The technology disclosed herein enables the enforcement of firewall policies based on high level identification strings. In a particular embodiment, a method provides receiving a first reply from a first identification system directed to a requestor system. In response to determining that the first identification system comprises an identification system trusted by the firewall, the method provides inspecting at least one packet included in the first reply to identify a first network address therein associated with a first high level identification string. The method further provides updating a data structure comprising allowed network addresses with the first network address and, after updating the data structure with the first network address, allowing at least one packet from the requestor system directed to a first destination at the first network address to traverse the firewall system based on the data structure.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: January 7, 2020
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Kausum Kumar, Anirban Sengupta, Rick Lund, Jingmin Zhou
  • Patent number: 10523465
    Abstract: A system and method for providing private instances of shared resources utilizing VxLAN technology is disclosed, the system consisting of a private management local area network (MLAN), a separate virtual local area network (VLAN) to place resources that are to be shared, and private instances (replicas) of the shared resources that are located on a client's private network.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: December 31, 2019
    Inventor: Michael Emory Mazarick
  • Patent number: 10523700
    Abstract: A system for managing security within an enterprise includes a computing device that receives a vulnerability, generates a user score for each user within the enterprise and generates a threat score for the vulnerability. A user device score may also be generated for each device associated with a user. Based on the user score and the threat score, a composite score is generated. After acquiring a security measure, the security measure is implemented based on the composite score and, at times, the user score.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: December 31, 2019
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Douglas C. Rambo, Steven M. Trudeau, Titanya Hughes, Michael Colehouse, Timothy J. Calabro, Vincent N. Nguyen, Ben D. Brenden
  • Patent number: 10523634
    Abstract: A system for dynamically implementing exceptions in an onboard network firewall has a client application interface receptive to a data link request from a client device. An onboard connectivity manager includes a firewall interface connected to the onboard network firewall to request the exceptions in response to a connection authorization, and a client presence manager receptive to the data link request relayed by the client application interface from the client device. A presence state for the client devices is activated and maintained following the data link request. A remote connectivity manager is connected to a remote application service and is in communication with the onboard connectivity manager. The remote connectivity manager generates a connection authorization based upon an evaluation of the presence state for the client device against the conditions set by the remote application service.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: December 31, 2019
    Assignee: PANASONIC AVIONICS CORPORATION
    Inventors: James A. Haak, Kwok Liang Poo
  • Patent number: 10523762
    Abstract: Mechanisms for establishing persistent bi-directional communication channels with cloud computing systems are disclosed. A processor device initiates a plurality of persistent bi-directional communication channels with a corresponding plurality of cloud computing systems. Each cloud computing system comprises a plurality of computing devices used to implement on-demand computing resources on one or more of the plurality of computing devices at the request of different entities. The processor device receives real-time messages from at least some respective cloud computing systems of the plurality of cloud computing systems via the corresponding persistent bi-directional communication channel that identifies a status of at least one computing resource implemented in the respective cloud computing system.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: December 31, 2019
    Assignee: Red Hat, Inc.
    Inventors: John J. Mazzitelli, Heiko W. Rupp
  • Patent number: 10511569
    Abstract: Techniques for providing multi-modal multi-party calling include receiving a join request at a multiway server (MWS) from a first client, the join request identifying a second client; sending a call invitation to the second client from the MWS; receiving a connection from the second client to the MWS; receiving a first media status from one of the first client or the second client while the first client and the second client are in a peer-to-peer mode; and forwarding the first media status to the other of the first client or the second client. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: December 17, 2019
    Assignee: FACEBOOK, INC.
    Inventors: Tomi Yiu, Cameron James Pickett, Naizhi Li, Chi Wang Ho, Parama Jyothi Reddappagari
  • Patent number: 10505896
    Abstract: Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.
    Type: Grant
    Filed: October 21, 2014
    Date of Patent: December 10, 2019
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10505985
    Abstract: A request to access a network resource is received from a client device. The request includes a purported hostname of the network resource. A Domain Name System (DNS) lookup of the purported hostname is performed. A result of the lookup is used in making a determination that the request received from the client device is invalid. In response to the determination being made that the request received from the client device is invalid, an action to take with respect to the client device is determined.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: December 10, 2019
    Assignee: Palo Alto Networks, Inc.
    Inventors: Martin Walter, Charles Bransi, Suiqiang Deng
  • Patent number: 10498754
    Abstract: A method may include monitoring communications from a first user device coupled to a network and determining, based on the communications, whether the first user device is operating in accordance with a profile associated with the first user device. The method may also include transmitting a message to a network device in response to determining that the first user device is not operating in accordance with the profile. The method may further include blocking at least some communications from being transmitted to or received by the first user device, in response to determining that the first user device is not operating in accordance with the profile.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: December 3, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Manuel Enrique Caceres, Warren Hojilla Uy, Young R. Choi, Mauricio Pati Caldeira de Andrada
  • Patent number: 10491617
    Abstract: A machine learning-based system and method for identifying digital threats that includes implementing a machine learning-based digital threat mitigation service over a distributed network of computers; constructing, by the machine learning-based digital threat mitigation service, a subscriber-specific machine learning ensemble that includes a plurality of distinct machine learning models, wherein each of the plurality of distinct machine learning models is configured to perform a distinct machine learning task for identifying a digital threat or digital fraud; constructing a corpus of subscriber-specific digital activity data for training the plurality of distinct machine learning models of the subscriber-specific ensemble; training the subscriber-specific ensemble using at least the corpus of subscriber-specific digital activity data; and deploying the subscriber-specific ensemble.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: November 26, 2019
    Assignee: Sift Science, Inc.
    Inventors: Fred Sadaghiani, Alex Paino, Jacob Burnim, Janice Lan
  • Patent number: 10491481
    Abstract: A messaging queue system includes computing devices that each host an application, a messaging queue service device that is coupled to the computing devices and that hosts a messaging queue service for each of the applications, and a messaging queue topology configuration service device that is coupled to the messaging queue service device. The messaging queue topology configuration service device receives a selection of application use criteria. The messaging queue topology configuration service device then determines a recommended messaging queue topology solution based on the selection of application use criteria. The messaging queue topology configuration service device may then receive messaging queue object details for each messaging queue object that will make up the messaging queue topology.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: November 26, 2019
    Assignee: Dell Products L.P.
    Inventors: Hung Dinh, Sijoy Thomas, Vinod Kumar, Vinay Sathyanarayana, Mohammed Imran V.
  • Patent number: 10491566
    Abstract: A user of a client device that is protected by a firewall may navigate to a website using a particular browser process (e.g., a window/tab of a browser) of the client device, sending a content request toward a web content server in the process. The firewall may intercept the content request, and may also receive information from the client device identifying which browser process initiated the content request. Before passing the content request to the appropriate web content server, the firewall may request and download a security policy from a security policy server. The security policy may notify the firewall which hosts are authorized/unauthorized for use with a particular domain, and which file types from each of these hosts are authorized/unauthorized for use with the particular domain. The firewall may then filter content related to the identified browser process based on the security policy.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: November 26, 2019
    Assignee: SONICWALL INC.
    Inventor: Hugo Vazquez Carames
  • Patent number: 10481665
    Abstract: According to one example embodiment, a modem or other network device includes an energy module configured to enter a low-power, low-bandwidth state when not in active use by a user. The low-power state may be maintained under certain conditions where network activity is not present, and/or when only non-bandwidth-critical traffic is present. The network device may include a user interface for configuring firewall rules, and the user may be able to concurrently designate particular types of traffic as important or unimportant. The energy module may also be integrated with a firewall, and power saving rules may be inferred from firewall rules.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: November 19, 2019
    Assignee: Cisco Technology, Inc.
    Inventor: Michael Overcash
  • Patent number: 10482275
    Abstract: Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise: an access control unit comprising a secure memory for storing access control data, the access control unit to: receive a message comprising an access control data item; store the access control data item in the secure memory; perform at least one of: authenticating the message using a message digest function, or validating contents of the secure memory by comparing a stored reference value with a calculated value of a message digest function of the contents of the secure memory; and control, in view of the access control data item, access by an initiator device to a target device.
    Type: Grant
    Filed: January 27, 2015
    Date of Patent: November 19, 2019
    Assignee: Cryptography Research, Inc.
    Inventors: Craig E. Hampel, Jean-Michel Cioranesco, Rodrigo Portella do Canto, Guilherme Ozari de Almeida
  • Patent number: 10476843
    Abstract: A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: November 12, 2019
    Assignee: VMware, Inc.
    Inventors: Debashis Basak, Rohit Toshniwal, Allwyn Sequeira
  • Patent number: 10462166
    Abstract: A method, system, and computer-implemented method to manage blacklists used for mitigating network traffic is provided. The method includes monitoring a first blacklist and a second blacklist, wherein the first blacklist is used by a first mitigation process applied to network traffic that is performed upstream along a communication path of the network traffic relative to a second mitigation process that is performed using the second blacklist. The method further includes moving at least one entry from one of the first and second blacklists to the other of the first and second blacklists based on a result of the monitoring.
    Type: Grant
    Filed: October 11, 2016
    Date of Patent: October 29, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 10462140
    Abstract: Systems, methods, and apparatus for data transmission authentication and self-destruction are disclosed. An example method comprises receiving, by a computing device associated with a first token, communications, determining, by the computing device, whether the first token is associated with a second token within the communications, wherein the second token is configured to authorize the computing device to process the communications, processing, by the computing device and in response to determining that the first token is associated with the second token, the communications, and destructing, by the computing device and in response to determining that the first token is not associated with the second token, the communications.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: October 29, 2019
    Assignee: Bank of America Corporation
    Inventors: Manu Kurian, Paul Roscoe
  • Patent number: 10425292
    Abstract: A computing system may include a database disposed within a remote network management platform that manages a managed network, and a software application associated with the platform and configured to: obtain, from an external computing system, information about a function-application arranged to execute source code segment(s) on demand; determine that the obtained information relates to (i) a plurality of authorization-keys each respectively arranged to authorize on-demand execution of one of the source code segments, (ii) a first key-value string pair that enables establishment of connectivity to a service of the external computing system or of another computing system, and/or (iii) a second key-value string pair that enables establishment of connectivity to a data source of the external computing system or of another computing system, and responsively determine association(s) between the source code segment(s), the function-application, the service, and/or the data source; and store the association(s) in t
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: September 24, 2019
    Assignee: ServiceNow, Inc.
    Inventors: Noam Biran, Hail Tal, Robert Bitterfeld, Asaf Garty, Bary Solomon
  • Patent number: 10423917
    Abstract: The disclosure generally describes methods, software, and systems, including a method for using an object definition from which object documents are instantiated defining real-world variants of a physical object and including a meta-model identifying nodes, fields, and associations with other object definitions. The object definition includes, at instantiation of a given object document marking an existence of the physical object, an object identifier node, including an object identifier, and at least one variant type node, including a variant type identifier identifying the real-world variant of the physical object and including variant extension nodes and fields extending the object definition to a variant object definition.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: September 24, 2019
    Assignee: SAP SE
    Inventors: Bare Said, Frank Brunswig
  • Patent number: 10419337
    Abstract: A method and a routing device (110) for managing data frames as well as a method and a further routing device (120) for managing data frames are disclosed. The routing device (110) is addressable by a virtual Media Access Control address, “virtual MAC address”, for assignment to routers. The routing device (110) sends (205) a data frame comprising a source MAC address field, which includes a unicast MAC address of the routing device (110). The routing device (110) sends (208) a message including information about the virtual MAC address. The routing device (110) is configured to send, in a periodic manner, a periodic message for conveying information about the virtual MAC address throughout the switched network (100). In another embodiment, the further routing device (120) receives (201) at least one data frame. The further routing device (120) sends (202) a request which instructs the routing device (110) to send an alert message for conveying information about the virtual MAC address.
    Type: Grant
    Filed: November 26, 2014
    Date of Patent: September 17, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Per Helén, Clarence Ammervik, Johan Lindström
  • Patent number: 10419468
    Abstract: Systems and methods for a cyber security system with adaptive machine learning features. One embodiment is a system that includes a server configured to manage a plurality of user devices over a network, and a user device that includes an interface and a processor. The interface is configured to communicate with the server over the network, and the processor implements a machine learning function configured to monitor user interactions with the user device over time to establish a use profile, to detect anomalous use of the user device based on a variance from the use profile, to determine whether the anomalous use is representative of a security threat, and to instruct the user device to perform one or more automatic actions to respond to the security threat.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: September 17, 2019
    Assignee: The Boeing Company
    Inventors: John W. Glatfelter, William D. Kelsey, Brian D. Laughlin
  • Patent number: 10417421
    Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: September 17, 2019
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10412133
    Abstract: Access to transactional multimedia content may be based on network routing. Some multimedia content may be best delivered via a private network. Other multimedia content may be best delivered via a public network. A type of the multimedia content may thus determine network routing.
    Type: Grant
    Filed: April 23, 2016
    Date of Patent: September 10, 2019
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: David J. Piepenbrink, Lee M. Chow, James T. Sofos
  • Patent number: 10404726
    Abstract: Techniques for inspecting network traffic are disclosed. An application executing as an operating system extension that uses a virtual private network (VPN) stack of the operating system intercepts an Internet protocol (IP) packet for delivery to a remote computer system. A determination is made, by the application, that the intercepted IP packet indicates a security threat. The intercepted IP packet is prevented from being delivered to the remote computer system based on the determination.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: September 3, 2019
    Assignee: Fyde Inc.
    Inventors: Sinan Eren, Jose Luis Ferras Pereira, Pablo German Sole, Luisa Marina Moya Praca de Araujo Lima
  • Patent number: 10405159
    Abstract: A method, in a monitoring function, for monitoring resource usage in a communication network comprising a plurality of M2M devices is disclosed. The method comprises detecting issuance of a user instruction (120), the user instruction specifying an action to be carried out by at least one of the M2M devices, identifying M2M devices subject to the user instruction (120), calculating an impact upon the communication network of completion of the action by the identified M2M devices (140), and sending the calculated impact to a resource management function (150). Also disclosed is a method, in a resource management function, for managing resources in a communication network comprising a plurality of M2M devices. The method comprises receiving, from a monitoring function, a calculated impact upon the communication network of completion of an action by M2M devices subject to a user instruction specifying the action (260), and adjusting resource allocation within the network according to the calculated impact (270).
    Type: Grant
    Filed: January 12, 2015
    Date of Patent: September 3, 2019
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Ankur Dauneria, Sandeep Akhouri