Proxy Server Or Gateway Patents (Class 726/12)
-
Patent number: 12212641
Abstract: Principles, apparatuses, systems, circuits, methods, and computer program products for performing a software upgrade in a MoCA network include receiving an image of a software upgrade at a server and sending the image in the MoCA network using an L2ME message channel to a client that is enabled to receive the image and store the image in a client memory. The image may be broken up into packets, and a sequence number may be assigned to each packet to assist the client in assembling them. CRC information may also be appended to the packets to enable the client to verify their contents.
Type: Grant
Filed: February 15, 2023
Date of Patent: January 28, 2025
Assignee: Entropic Communications, LLC
Inventor: Sagar Jogadhenu
-
Patent number: 12206654
Abstract: Embodiments of this application disclose a method for authenticating an access network device. The method includes a terminal device sending an authentication request to the access network device. The terminal device receives, in a first transmission time unit, a first authentication request response in response to the authentication request. The terminal device obtains first time window information in the first authentication request response. The first time window information indicates a time range in which the terminal device receives the first authentication request response and a first time window indicated by the first time window information comprises at least one transmission time unit. The terminal device determines that the access network device is a legal access network device when the terminal device determines that the first transmission time unit falls within the first time window.
Type: Grant
Filed: January 31, 2022
Date of Patent: January 21, 2025
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Li Chen
-
Patent number: 12160451
Abstract: A cloud infrastructure performs governance and security control for datacenters on a cloud platform. The system specifies one or more session policies for the plurality of datacenters. A session policy associated with a datacenter specifies a set of access conditions for accessing the entities of the datacenter, and may be generated based at least on the network information in the declarative specification for the datacenter, and network artifacts from provisioning the network resources for the datacenter. Responsive to receiving a request to access an entity of a datacenter from a user, the system obtains credentials for the user and attaches the session policies. Responsive to determining that the credentials are used to access the datacenter from a set of access conditions that match the set of access conditions in the attached session policy, the cloud platform grants access.
Type: Grant
Filed: November 8, 2022
Date of Patent: December 3, 2024
Assignee: Salesforce, Inc.
Inventors: Aman Gulati, Yifan Wang, Giridharan Sridharan, Xuan Tao, Dongming Bi
-
Patent number: 12143423
Abstract: Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.
Type: Grant
Filed: July 27, 2023
Date of Patent: November 12, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Anand Oswal, Arivu Mani Ramasamy, Kumar Ramachandran
-
Patent number: 12141598
Abstract: A disclosed method may assign, with a DHCP module, two static IP addresses to each of one or more hyper-converged infrastructure nodes. The two static IP addresses may include an out of band IP address for a baseboard management controller (BMC) network interface to an OOB management network and an internal management IP address for a network interface associated with an internal management network. Disclosed methods may then access, for each of the one or more nodes, a BMC at the OOB IP address, to invoke a BMC tool to retrieve cluster configuration information for each node. A dashboard user interface may then be generated, based on the configuration retrieved for each node, and displayed. The cluster configuration information may indicate whether the node is a cluster node, comprising a node assigned to a cluster, or a free node, comprising a node not assigned to a cluster.
Type: Grant
Filed: March 10, 2022
Date of Patent: November 12, 2024
Assignee: Dell Products L.P.
Inventors: Hong Yuan, HongGang Liu, Yining Chu, Zhe Huang
-
Patent number: 12132807
Abstract: A third party gateway for validating egress traffic in a computer network system is provided. The third party gateway includes a proxy and a gateway agent. The proxy includes a termination proxy and a forward proxy. The proxy is configured to terminate Transport Layer Security communication for the egress traffic. The proxy is further configured to forward the egress traffic to the gateway agent. The gateway agent is configured to validate the egress traffic as valid traffic or invalid traffic based on predetermined validation requirements. The proxy is further configured to receive the valid traffic or the invalid traffic from the gateway agent, and to forward the valid traffic to a destination service or to block the invalid traffic.
Type: Grant
Filed: August 28, 2023
Date of Patent: October 29, 2024
Assignee: Lemon Inc.
Inventors: Zhipeng Tian, Mu Du, Daniel Haimanot, Keyi Wu, Gan Fang, Zhengqin Luo
-
Patent number: 12130905
Abstract: A system and a method for providing managed services are provided. The system provides a first access control platform and a second access control platform. The first access control platform is configured to receive at least one of a hardware event, an access request event, and a management request event from at least one gateway (e.g., located at a premises). The first access control platform may include at least one of a permissions database (e.g., storing authorized access credentials), a hardware event database (e.g., storing hardware events), and a management database (e.g., storing management request events). The first access control platform may compare received access credentials to the authorized access credentials in the permissions database. The second access control platform may be configured to update at least one of the permissions database (e.g., adding/removing authorized access credentials) and the hardware event database (e.g., adding/removing security devices).
Type: Grant
Filed: March 31, 2021
Date of Patent: October 29, 2024
Assignee: Carrier Corporation
Inventors: Ben Holm, Ed Gauthier, Randall Church
-
Patent number: 12118091
Abstract: A method for updating software comprises transmitting a first version of the software and a first decryption key to a computing system. The method further comprises generating a second version of the software and a second decryption key. The method further comprises encrypting the second version of the software and the second decryption key. The encrypted second version of the software is configured to be decrypted using the first decryption key and not the second decryption key. The method further comprises transmitting the encrypted second version of the software and the encrypted second decryption key to the computing system.
Type: Grant
Filed: February 11, 2022
Date of Patent: October 15, 2024
Assignee: QUANTA COMPUTER INC.
Inventors: Zhi-Xian Yang, Zhen-An Hung, Chia-Yu Lin, Shin-Hong Chen
-
Patent number: 12113810
Abstract: An autonomic incident response system (AIRS) that can be used within any cyber system (computing systems, network devices, applications, cyber-physical systems, data, and files). If a cyber system is attacked, the cyberattack pattern type can be seamlessly identified by the AIRS along with the method used to launch the attack, the vulnerability that was exploited, the impact and consequence of the attack, and finally the recovery actions that can be taken automatically or semi-automatically to stop the attack or mitigate its impact on cyber system operations.
Type: Grant
Filed: August 4, 2021
Date of Patent: October 8, 2024
Assignee: 802 Secure, Inc.
Inventor: Salim Hariri
-
Patent number: 12107890
Abstract: A computing device receives an IP address and a port number related to a transport protocol and an application protocol version and other attributes related to an application protocol extracted from an encrypted client hello (ECH) enabled transport layer security (TLS) connection request from a client computing device and extracts, from the database, a set of all known hostnames matching the IP address. The device generates a reduced list of the set of all hostnames matching the IP address, and assigns a confidence score to each hostname of the reduced list based on an alias count and/or a popularity ranking of the hostname. Finally, a prioritized list of one or more hostnames is generated based on the confidence score, the prioritized list indicating the one or more hostnames in the order of descending probability of being requested in the ECH enabled TLS connection request.
Type: Grant
Filed: April 12, 2022
Date of Patent: October 1, 2024
Assignee: Cujo LLC
Inventors: Filip Savin, Leonardas Marozas, Kimmo Kasslin
-
Patent number: 12093199
Abstract: Described herein is an infrastructure management device. In accordance with one aspect, the infrastructure management device includes at least one communication interface to connect to and provide power to at least one information technology (IT) device, and communicate with at least one other infrastructure management device. The infrastructure management device may further include one or more processors and one or more non-transitory machine-readable media comprising instructions configured to cause at least one of the one or more processors to perform operations to manage the IT device.
Type: Grant
Filed: June 16, 2020
Date of Patent: September 17, 2024
Assignee: ZPE SYSTEMS, INC.
Inventors: Arnaldo Zimmermann, Livio Ceci
-
Patent number: 12095821
Abstract: According to an example aspect of the present invention, there is provided a method comprising transmitting to a security service provider, by a firewall apparatus, a request to update firewall strategy of the firewall apparatus for a location center, wherein the request comprises at least one characteristic of the firewall apparatus, the at least one characteristic of the firewall apparatus further comprising load data of the firewall apparatus, receiving from the security service provider, by the firewall apparatus, an updated firewall strategy for the location center, wherein the updated firewall strategy comprises load data required by the updated firewall strategy and adjusting the operation of the firewall apparatus based on the updated firewall strategy by reserving resources at the firewall apparatus for updates according to the required load data.
Type: Grant
Filed: August 9, 2021
Date of Patent: September 17, 2024
Assignee: Nokia Technologies Oy
Inventor: Kiran Sathyanarayanamurthy
-
Patent number: 12088557
Abstract: A distributed cloud computing system is statistics logic a controller configured to deploy a first gateway in a spoke virtual private cloud network (VPC) and a second gateway in a transit VPC, wherein the second gateway is configured to connect to a first firewall instance deployed within the transit VPC. The spoke VPC and the transit VPC are both located within a cloud computing network. The logic, upon execution by one or more processors, causes performance of operations including receiving network traffic by the second gateway from the first gateway, providing the network traffic to the first firewall instance for inspection, and routing the network traffic to a destination VPC deployed within the cloud computing network. In some embodiments, the first gateway is attached to a first interface of the second gateway and the first firewall instance is connected to a second interface.
Type: Grant
Filed: March 29, 2021
Date of Patent: September 10, 2024
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Shanshan Xu
-
Patent number: 12074731
Abstract: Some embodiments provide a centralized overlay-network cloud gateway and a set of centralized services in a transit virtual cloud network (VCN) connected to multiple other compute VCNs hosting compute nodes (VMs, containers, etc.) that are part of (belong to) the overlay network. The centralized overlay-network cloud gateway provides connectivity between compute nodes of the overlay network (e.g., a logical network spanning multiple VCNs) and compute nodes in external networks. Some embodiments use the centralized overlay-network cloud gateway to provide transitive routing (e.g., routing through a transit VCN) in the absence of direct peering between source and destination VCNs. The overlay network, of some embodiments, uses the same subnetting and default gateway address for each compute node as the cloud provider network provided by the virtual private cloud provider.
Type: Grant
Filed: June 26, 2022
Date of Patent: August 27, 2024
Assignee: VMware LLC
Inventors: Mukesh Hira, Su Wang, Rahul Jain, Ganesan Chandrashekhar, Sandeep Siroya
-
Patent number: 12052257
Abstract: A computerized method of managing a computer remote session operation, comprising providing a server for hosting application execution; configuring a number of predefined user accounts with low security permissions on said server, where said user accounts are not tied to any specific real user; whenever a remote user requests to start a remote session, finding an available user account not currently in use on said computer, allocating it for the remote session and marking it as unavailable for subsequent session requests; generating a one-time password for said user account; communicating the assigned user account identifier and temporary password to a client component on the user's side, either directly or through an intermediate broker; causing the client component to connect to the server using said user account identifier and temporary password; and, upon termination of the remote session, deleting the assigned user account's data and marking it as available again.
Type: Grant
Filed: September 28, 2022
Date of Patent: July 30, 2024
Assignee: Google LLC
Inventor: Eyal Dotan
-
Patent number: 12050678
Abstract: A framework for managing credentials for access to a secured entity of an infrastructure service. For example, techniques for maintaining credentials for access to the secured entity within a trusted environment while utilizing the credentials for performance of actions within the infrastructure service.
Type: Grant
Filed: January 7, 2022
Date of Patent: July 30, 2024
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Daniel M. Vogel, Danne Lauren Stayskal
-
Patent number: 12041034
Abstract: A wearable device enables access to VPN endpoint devices for secure data communication and privacy for a computing device. The wearable device stores VPN configuration information for a user, which includes the user's VPN credentials for each of one or more remote VPN endpoint devices. When the wearable device is in close proximity to a computing device and is being worn by a user that is authenticated to at least one of the wearable device and the computing device, the wearable device communicates the configuration information to the computing device. The computing device can then use this VPN configuration information to establish a VPN connection to a VPN endpoint device.
Type: Grant
Filed: June 25, 2021
Date of Patent: July 16, 2024
Assignee: Motorola Mobility LLC
Inventors: John J. Gorsica, IV, Rachid M. Alameh, Jarrett K. Simerson, Robert S. Witte
-
Patent number: 12034769
Abstract: Various approaches for providing scalable network access processing. In some cases, approaches discussed relate to systems and methods for providing scalable zero trust network access control.
Type: Grant
Filed: April 27, 2021
Date of Patent: July 9, 2024
Assignee: Fortinet, Inc.
Inventors: Wenping Luo, Robert May, Kunal Marwah
-
Patent number: 11979371
Abstract: According to one or more embodiments, a system can comprise a processor and a memory that can store executable instructions that, when executed by the processor, facilitate performance of operations. The operations can include establishing a wireless connection to a wireless network. The operations can further include receiving, via the wireless connection, data from a gateway device, that has been communicated via a network device of a publicly accessible network, wherein the data has been compared, by the gateway device, to a template of anomalous activity.
Type: Grant
Filed: February 13, 2023
Date of Patent: May 7, 2024
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: Mike Iapalucci, Myra Agostino, Zhi Cui, Jason Robbins, Gregory Stockman
-
Patent number: 11962601
Abstract: Systems and methods for automatically prioritizing computing resource configurations for remediation include receiving information describing configuration issues that may result in impaired system performance or unauthorized access, parsing that information and automatically analyzing configuration details of a user's private computing environment to determine that assets provide an environment in which configuration issues may be exploited to produce undesired results. Such systems and methods can generate assessments indicating the likelihood an issue can be exploited and potential impacts of the issue being exploited. Such systems and methods can use these assessments to generate a report prioritizing remediation of specific configuration issues for specific vulnerable assets based on the actual configuration of the user's computing resources and the data managed using those resources.
Type: Grant
Filed: November 15, 2022
Date of Patent: April 16, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Preethi Srinivasan, Dheeraj Kumar Mekala
-
Patent number: 11949657
Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.
Type: Grant
Filed: August 2, 2021
Date of Patent: April 2, 2024
Assignee: Palo Alto Networks, Inc.
Inventors: Lisa Catherine Wallace, Matthew Kraning, Gregory Toto
-
Patent number: 11936666
Abstract: Computerized techniques to determine and verify maliciousness of an object are described. A malware detection system intercepts in-bound network traffic at a periphery of a network to capture and analyze behaviors of content of network traffic monitored during execution in a virtual machine. One or more endpoint devices on the network also monitor for behaviors during normal processing. Correlation of the behaviors captured by the malware detection system and the one or more endpoint devices may verify a classification by the malware detection system of maliciousness of the content. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors by those device(s).
Type: Grant
Filed: January 11, 2021
Date of Patent: March 19, 2024
Assignee: Musarubra US LLC
Inventors: Ashar Aziz, Osman Abdoul Ismael
-
Patent number: 11929991
Abstract: Certain aspects of the present disclosure provide techniques for entering user credentials through a proxy. One example method generally includes receiving, at a user device, a push request for user data from a cloud server and receiving a request file from an aggregation system. The method further includes injecting user credentials stored on the user device into the request file, wherein when injected the user credentials replace at least one dummy entry of the request file, and transmitting the request file to a data source associated with the request file. The method further includes receiving user data from the data source and transmitting the user data to the aggregation system.
Type: Grant
Filed: May 8, 2023
Date of Patent: March 12, 2024
Assignee: Intuit, Inc.
Inventors: Muniyaraj Samayavel, Prashant Asthana
-
Patent number: 11902147
Abstract: A communication system includes: a management server that receives, from an information terminal connectable to a first network, a connection request for connecting to a web service provided by a web server connectable to a second network; first communication control circuitry that controls communication of a communication apparatus connectable to the second network, and second communication control circuitry that controls communication of the information terminal. The first communication control circuitry connects to a relay server that relays communication between the second network and the first network. The second communication control circuitry connects the information terminal to the relay server. A request for the web service provided by the web server and a response to the request are transmitted and received between a web browser of the information terminal and the web server via the relay server and the first communication control circuitry.
Type: Grant
Filed: April 12, 2022
Date of Patent: February 13, 2024
Assignee: Ricoh Company, Ltd.
Inventors: Hiroshi Ota, Motohiro Nagao
-
Patent number: 11886593
Abstract: A method of certifying a state of a platform includes receiving one or more software elements of a software stack of the platform by an authentication module and performing a hash algorithm on the software stack to generate one or more hash values. The software stack uniquely determines a software state of the platform. The method includes generating creation data, a creation hash, and a creation ticket, corresponding to the hash values and sending the creation ticket to the platform. The method also includes receiving the creation ticket by the authentication module and certifying the creation data and the creation hash based on the creation ticket. The method further includes generating a certified structure based on the creation data and performing the hash algorithm on the certified structure to generate a hash of the certified structure. The certified structure uniquely determines the software state of the platform.
Type: Grant
Filed: February 13, 2023
Date of Patent: January 30, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Ludovic Emmanuel Paul Noel Jacquin, Hamza Attak, Nigel Edwards
-
Patent number: 11882098
Abstract: A method that is performed to access data nodes of a data cluster. The method includes obtaining, by a data access gateway (DAG), a request from a host; and in response to the request, obtaining bidding counters from the data nodes; obtaining metadata mappings from the data nodes; identifying, based on the bidding counters and metadata mappings, a data node of the data nodes associated with a highest bidding counter of the bidding counters and an appropriate metadata mapping of the metadata mappings; and sending the request to the data node.
Type: Grant
Filed: July 23, 2020
Date of Patent: January 23, 2024
Assignee: Dell Products L.P.
Inventors: Dharmesh M. Patel, Ravikanth Chaganti
-
Patent number: 11882108
Abstract: Systems and methods are disclosed for accessing protected data. A computing device may have a secured shared storage accessible by two or more applications operating on the mobile device. The computing device may obtain a first token from an authorization service to verify user identity for a first application. The first token may be stored in the shared storage area, and be accessible to one or more applications sharing the storage space. In response to a user attempt to access a web service using a second application, the user identity may be verified using the first token. The authorization service may verify user credentials, and send a second token to the computing device. The second token may be a proxy ticket authorizing access and exchange of protected data between the second application and a web service. The second token may also be stored in the secure storage area.
Type: Grant
Filed: February 23, 2023
Date of Patent: January 23, 2024
Assignee: TRANSFORM SR BRANDS LLC
Inventors: Eui Chung, Jen-Hao Yang, Bharath Sridharan, Jim Pier
-
Patent number: 11863569
Abstract: Various systems and methods for bus-off attack detection are described herein. An electronic device for bus-off attack detection and prevention includes bus-off prevention circuitry coupled to a protected node on a bus, the bus-off prevention circuitry to: detect a transmitted message from the protected node to the bus; detect a bit mismatch of the transmitted message on the bus; suspend further transmissions from the protected node while the bus is analyzed; determine whether the bit mismatch represents a bus fault or an active attack against the protected node; and signal the protected node indicating whether a fault has occurred.
Type: Grant
Filed: November 17, 2021
Date of Patent: January 2, 2024
Assignee: INTEL CORPORATION
Inventors: Marcio Rogerio Juliato, Shabbir Ahmed, Santosh Ghosh, Christopher Gutierrez, Manoj R. Sastry
-
Patent number: 11855977
Abstract: A device may determine that a network function of a network is to use a secure communication protocol. The network function may be configured to facilitate communication via the network. The device may identify a component of a resource configuration that is to instantiate the network function. The device may instantiate, using the component, a proxy for the network function. The device may configure the proxy to obtain a certificate that is associated with the secure communication protocol. The device may cause the proxy to use the certificate to communicate with another proxy that is associated with the network function to perform an operation associated with the network function.
Type: Grant
Filed: October 12, 2022
Date of Patent: December 26, 2023
Assignee: Verizon Patent and Licensing Inc.
Inventors: Amit Mahajan, Jayesh Kumar Laad, John M. Bittenbender
-
Patent number: 11848962
Abstract: Disclosed are various approaches for providing authentication of a user and a client device. A user's credentials can be authenticated by an identity provider. In addition, a device posture assessment that analyzes the device from which the authentication request originates is also performed. An authentication request can be authenticated based upon whether the device posture assessment reveals that device to be a managed device that is in compliance with compliance rules.
Type: Grant
Filed: September 24, 2020
Date of Patent: December 19, 2023
Assignee: AirWatch, LLC
Inventors: Craig Farley Newell, Jonathan Blake Brannon, Kabir Barday, Ashish Jain
-
Patent number: 11841698
Abstract: Arrangement and method for securely executing an automation program in a cloud computing environment, wherein the automation program is installed on computer hardware in a public IT infrastructure, and wherein the computer hardware is connected via a data connection to a cloud server, where the connection and a dedicated runtime environment of the computer hardware are configured such that the automation program is transferrable onto the computer hardware and its execution can be monitored via the server and data connection, such that the automation program and sensitive information, i.e.
Type: Grant
Filed: September 23, 2020
Date of Patent: December 12, 2023
Assignee: SIEMENS AKTIENGESELLSCHAFT
Inventors: Markus Höfele, Peter Kob, Rolf Schrey, Armin Zeltner
-
Patent number: 11838323
Abstract: Methods, systems, and devices for server-initiated secure sessions are described. A browser application may connect to a portal, where the portal may transmit a command to a server agent to initiate a secure session with an endpoint device. The server agent may be housed in a destination server, and may establish a secure connection with an intermediary server using a secure communication protocol. The secure connection may be made by directing the destination server to open an out-bound connection through a firewall of the destination server. A browser session may be redirected to the intermediary server from the browser application, and the intermediary server may route the browser session traffic to the secure connection.
Type: Grant
Filed: May 12, 2021
Date of Patent: December 5, 2023
Assignee: JumpCloud, Inc.
Inventors: Rajat Bhargava, Christopher Marie, James Brown
-
Patent number: 11831545
Abstract: This disclosure relates to a fully software-defined, fully virtualized, and customizable mobile communication platform deployed on public cloud infrastructure. Such mobile networks allow for end to end control of automatic and programmatic deployment and configuration of the mobile network components. The implementations below effectively enable instant creation and deployment of a true private global end-to-end Software Defined Network (SDN) for 3G, 4G, LTE, and 5G mobile communication from the ground up. Users will effectively act as their own mobile carrier, allowing them to customize the features available to them via a programmatic interface.
Type: Grant
Filed: February 28, 2020
Date of Patent: November 28, 2023
Assignee: Telnyx LLC
Inventors: Anirudh Tyagi, Mohamed Kamar, David Casem
-
Patent number: 11822679
Abstract: The host computer securitization architecture, which comprises: an offline source server, an offline provisioning server configured to connect with a portable mobile securitization server via a wired communication, an administration server configured to monitor and interact with at least one portable mobile securitization server, at least one portable mobile securitization server configured to connect via a wired communication to a host computer, said portable mobile securitization server comprising: a connector to mechanically connect and establish a removable wired communication between the mobile server and the host computer, a first wired bidirectional communicator with the host computer, a second of bidirectional communicator with a data storage peripheral or a data network and a unit securing the communication between the host computer and the data storage mobile server or the data network, this communication being established between the first and the second communicator, a blockchain comprising
Type: Grant
Filed: February 7, 2022
Date of Patent: November 21, 2023
Inventor: Vladimir Mickael Leal Monteiro
-
Patent number: 11811553
Abstract: A vehicle relay device includes a plurality of communication ports. Each of the plurality of communication ports communicates with a communication device as a node in accordance with an Ethernet standard. A connection permission node that is a node to be connected is predefined for each of the plurality of communication ports. The vehicle relay device does not communicate with an unregistered node that is a node not registered as the connection permission node.
Type: Grant
Filed: March 10, 2021
Date of Patent: November 7, 2023
Assignee: DENSO CORPORATION
Inventor: Shuhei Itoda
-
Patent number: 11811799
Abstract: A method, system and computer-usable medium for constructing a distribution of interrelated event features. The constructing a distribution of interrelated event features includes receiving a stream of events, the stream of events comprising a plurality of events; extracting features from the plurality of events; constructing a distribution of the features from the plurality of events; and, analyzing the distribution of the features from the plurality of events.
Type: Grant
Filed: August 31, 2018
Date of Patent: November 7, 2023
Assignee: Forcepoint LLC
Inventors: Eduardo Luiggi, Christopher Poirel, Ann Irvine
-
Patent number: 11799871
Abstract: A security level of data generated by an application may be communicated from the application layer to the network layer and that security level used to determine of several available network connects for transmitting the data. A method of communicating may include associating the plurality of network connections with security levels to form associations, the associations indicating security levels of data that may be transmitted over each of the plurality of network connections; receiving, at the network layer, data for transmission; determining, at the network layer, a security level for the data; determining, at the network layer, at least one network connection of a plurality of network connections to transmit the data based, at least in part, on the security level; and transmitting the data packet over the at least one network connection.
Type: Grant
Filed: October 22, 2020
Date of Patent: October 24, 2023
Assignee: Dell Products L.P.
Inventors: Dileep Kumar Soma, Harpreet Narula, Brian E. Manser
-
Patent number: 11797670
Abstract: A determination method includes determining an attack type of an attack code included in an attack request on a server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, extracting a feature related to a backdoor operation appearing in an attack code on the server in a case of succeeding in an attack on the server as a result of the emulation, and determining that an attack by the attack code has succeeded in a case where a communication log of the server has the extracted feature, by a processor.
Type: Grant
Filed: April 15, 2019
Date of Patent: October 24, 2023
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Yo Kanemoto, Kazufumi Aoki
-
Patent number: 11777906
Abstract: A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network.
Type: Grant
Filed: September 30, 2022
Date of Patent: October 3, 2023
Assignee: Ericsson AB
Inventors: Mikhail Mikhailov, Raj Nair
-
Patent number: 11757917
Abstract: The disclosure provides an approach for detecting and preventing attacks in a network. Embodiments include receiving network traffic statistics of a system. Embodiments include determining a set of features of the system based on the network traffic statistics. Embodiments include inputting the set of features to a classification model that has been trained using historical features associated with labels indicating whether the historical features correspond to attacks. Embodiments include receiving, as output from the classification model, an indication of whether the system is a target of an attack. Embodiments include receiving additional statistics related to the system. Embodiments include analyzing, in response to the indication that the system is the target of the attack, the additional statistics to identify a source of the attack. Embodiments include performing an action to prevent the attack based on the source of the attack.
Type: Grant
Filed: October 23, 2020
Date of Patent: September 12, 2023
Assignee: VMware, Inc.
Inventors: Santosh Pallagatti Kotrabasappa, Sairam Veeraswamy, Jayneeta Sinha, Suriyan S.
-
Patent number: 11755721
Abstract: The present disclosure relates to a computer implemented method for executing an application. The method comprises: executing a bootloader in a trusted execution environment, wherein the executing comprises: decrypting received encrypted secrets using decryption keys of the boot loader, storing the decrypted secrets in a storage accessible by the application, creating a proof record indicating the application, the secrets and the trusted execution environment, storing the proof record in the storage, and deleting the decryption keys. The application may be executed in the trusted execution environment using the decrypted secrets. The proof record may be provided by the application for proving authenticity.
Type: Grant
Filed: October 25, 2021
Date of Patent: September 12, 2023
Assignee: International Business Machines Corporation
Inventors: Angel Nunez Mencias, Nicolas Maeding, Peter Morjan, Dirk Herrendoerfer
-
Patent number: 11757880
Abstract: A method and system for performing authentication are described. The method and system include receiving, from a client, a communication for a data source at a wrapper. The wrapper includes a dispatcher and a service. The dispatcher receives the communication and is data agnostic. The communication is provided from the dispatcher to the service. The service determines whether the client is authorized to access the data source utilizing multi-factor authentication.
Type: Grant
Filed: August 22, 2019
Date of Patent: September 12, 2023
Assignee: Cyral Inc.
Inventors: Manav Ratan Mital, Srinivas Nageswarrao Vadlamani, Pramod Chandraiah, Hugo Araújo de Sousa
-
Patent number: 11750618
Abstract: A system for protecting public cloud-hosted virtual resources features cloud visibility logic. According to one embodiment, the cloud visibility logic includes credential evaluation logic, data collection logic, correlation logic, and reporting logic. The credential evaluation logic is configured to gain authorized access to a cloud account within a first public cloud network. The data collection logic is configured to retrieve account data from the cloud account, while the correlation logic is configured to conduct analytics on the account data to determine whether the cloud account is subject to a cybersecurity threat or misconfiguration. The reporting logic is configured to generate an alert when the cloud account is determined by the correlation logic to be subject to the cybersecurity threat or misconfiguration.
Type: Grant
Filed: March 31, 2022
Date of Patent: September 5, 2023
Assignee: FireEye Security Holdings US LLC
Inventors: Sai Vashisht, Sumer Deshpande, Sushant Paithane, Rahul Khul
-
Patent number: 11750481
Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for each group of the set of groups.
Type: Grant
Filed: February 21, 2022
Date of Patent: September 5, 2023
Assignee: NICIRA, INC.
Inventors: Kaushal Bansal, Uday Masurekar, Srinivas Nimmagadda, Jingmin Zhou, Abhishek Goliya, Amit Chopra, Kausum Kumar
-
Patent number: 11748132
Abstract: A method is implemented by a computing device to configure and monitor a virtual application in a cloud environment. The method includes generating instructions for configuring and monitoring the virtual application based on configuration data for the virtual application, modifying an injection virtual appliance image to include the instructions for configuring and monitoring the virtual application, where the injection virtual appliance image is a template for instantiating an injection virtual appliance (e.g., a software container or unikernel) that is to configure and monitor the virtual application according to the instructions, modifying a virtual application deployment descriptor for the virtual application to indicate that the injection virtual appliance is to be injected into the virtual application, and causing the virtual application, with the injection virtual appliance, to be deployed in the cloud environment using the modified virtual application deployment descriptor.
Type: Grant
Filed: April 17, 2020
Date of Patent: September 5, 2023
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Hoang Do, Sergey Odobetskiy
-
Patent number: 11743232
Abstract: Systems, methods, and computer-readable media are provided for software defined branch single IP orchestration. An example method can include establishing, by a controller, a secure tunnel agent to an orchestrator, generating, by the controller, a single IP address on a virtual router for a virtual branch site, and monitoring, by the controller, reachability of the single IP address on the virtual router.
Type: Grant
Filed: July 29, 2021
Date of Patent: August 29, 2023
Assignee: Cisco Technology, Inc.
Inventors: Alexander Yeh, Yanping Qu, Kaushik Pratap Biswas
-
Patent number: 11743299
Abstract: System, method, and apparatus of securing and managing Internet-connected devices and networks. A wireless communication router is installed at a customer venue, and provides Internet access to multiple Internet-connected devices via a wireless communication network that is served by the router. A monitoring and effecting unit of the router performs analysis of traffic that passes through the router; identifies which Internet-connected devices send or receive data; and selectively enforces traffic-related rules based on policies stored in the router. Optionally, the monitoring and effecting unit is pre-installed in the router in a disabled mode; and is later activated after the router was deployed at a customer venue. Optionally, the router notifies the Internet Service Provider the number and type of Internet-connected devices that are served by the router.
Type: Grant
Filed: April 29, 2021
Date of Patent: August 29, 2023
Assignee: ALLOT LTD.
Inventors: Yair Manor, Yaron Muzikant
-
Patent number: 11743956
Abstract: The invention relates to a multi-carrier base station and a method performed at the multi-carrier base station configured to enable wireless access to wireless communication terminals. In an aspect, a device is provided configured to provide wireless communication access to wireless communication terminals. The device comprises a Base Transceiver Station (BTS), configured to be connectable to a core network, a tethering access point, and at least one antenna. The BTS is configured to provide at least a first carrier via the at least one antenna for Third Generation Partnership Project (3GPP) wireless access, and further to provide the tethering access point via a wired connection with at least a second carrier exclusively used by the tethering access point for 3GPP access. Moreover, the tethering access point is configured to provide non-3GPP wireless access via the at least one antenna.
Type: Grant
Filed: February 19, 2016
Date of Patent: August 29, 2023
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Sajjadul Latif, Chenguang Lu, Kim Laraqui
-
Patent number: 11736447
Abstract: A method that is performed to access data nodes of a data cluster. The method includes obtaining, by a data access gateway (DAG), a first request from a host; and in response to the first request, obtaining first bidding counters from the data nodes; obtaining first metadata mappings from the data nodes; making a first determination that the first request may not be served using any data node in an accelerator pool of the data cluster; and in response to the first determination, identifying, based on the bidding counters and metadata mappings, a data node in a non-accelerator pool of the data cluster associated with a first highest bidding counter of the bidding counters and a first appropriate metadata mapping of the metadata mappings; and sending the first request to the data node in the non-accelerator pool of the data cluster.
Type: Grant
Filed: July 23, 2020
Date of Patent: August 22, 2023
Assignee: Dell Products L.P.
Inventors: Dharmesh M. Patel, Ravikanth Chaganti
-
Patent number: 11729143
Abstract: The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
Type: Grant
Filed: February 17, 2021
Date of Patent: August 15, 2023
Assignee: Stealthpath, Inc.
Inventors: Mike Clark, Andrew Gordon, Matt Clark