Proxy Server Or Gateway Patents (Class 726/12)
  • Patent number: 11240226
    Abstract: A computer implemented method for synchronizing multi-tenant single sign-on configuration. Utilizing a combination layer that is configured a single time to interact with a trust application at an identity provider. The combination layer is also configured to interact with the service provider and manages the security token and authentication state of the user. The identity provider can create a single long-lived trust application that is only responsible for redirecting to the combination layer, rather than creating a plurality of short-lived applications that redirect to a service provider every time a user login request is received. Thus, resulting in improved utilization of computing resources at the identity provider.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Vinod A. Valecha, Vivek Jain, Deepak Rangnath Thorat
  • Patent number: 11233751
    Abstract: A method for managing transmission resources in a SIP-based communication system by a SIP registrar server can include receiving a first number of register requests from a first client from the number of clients, each register request corresponding to one slot in the predetermined first time period; receiving a second number of register requests from a second client of the number of clients, each register request corresponding to one slot in the predetermined first time period, wherein the second number of register requests exceeds the acceptable predetermined number of register requests for the second client, and assigning a number of slots not used by the first client within the predetermined first time period to the second client for sending the register requests which exceed the acceptable predetermined number of register requests for the second client. A system for implementation of the method and an apparatus can be utilized in embodiments of the method and the system.
    Type: Grant
    Filed: October 20, 2020
    Date of Patent: January 25, 2022
    Assignee: Unify Patente GmbH & Co. KG
    Inventors: Zisis Tsiatsikas, Athanasios Pagonis, Nikolaos Lazaropoulos
  • Patent number: 11223625
    Abstract: Malicious behavior of a device on a local network may be detected. A data stream from a device may be collected. A functional group may be created using behavioral data of devices of a known type. A behavior profile for the functional group may be generated and stored in a database. The data stream of the device is compared to the behavior profile of the functional group. A malicious behavior is indicated for the device in response to determining that the device's current behavior is not within a predetermined or configurable threshold of the behavior profile.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: January 11, 2022
    Assignee: Avast Software s.r.o.
    Inventors: Jeroen De Knijf, Amit Siwal, Shaul Levi
  • Patent number: 11218450
    Abstract: Systems described herein may dynamically add one or more proxy data protection agents to a cloud data storage system to process a data protection job. Upon completion of the job or at some other appropriate interval, the system can power down and decommission the proxy data protection agents and/or the virtual machines on which the data protection proxies reside according to a cleanup schedule (e.g., at hourly or minute intervals). In order to improve the allocation of computing resources, the system takes into account currently existing proxies or virtual machines when processing a backup request to determine the need for new proxies to service the backup request. In this manner the system can save costs and computing resources through efficient virtual machine deployment and retirement.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: January 4, 2022
    Assignee: Commvault Systems, Inc.
    Inventors: Rajesh Polimera, Supreeth Sanur, Henry Wallace Dornemann, Prasanna Kumar Thoppe Ravindran
  • Patent number: 11218507
    Abstract: A flexible framework is provided for specifying permissions a user allows for an application to access. The framework further provides for specifying the way in which the application can behave during run-time. Predefined rules are used to detect a potentially misbehaving application, and a user may be notified or a specific action may be taken. Behavior of the application may be monitored during run-time to verify that the application is behaving in accordance to the predefined rules.
    Type: Grant
    Filed: October 18, 2013
    Date of Patent: January 4, 2022
    Assignee: Nokia Technologies Oy
    Inventor: Sami Kalervo Majaniemi
  • Patent number: 11204910
    Abstract: An illustrative embodiment of a computer-implemented method for correlating artifacts between a versioned domain and an un-versioned domain, generates metadata having attributes of both of the versioned domain and the un-versioned domains, for an artifact in a set of artifacts; creates an instance using a specific version of a versioned artifact definition, wherein the instance comprises a first part directly created from the versioned artifact definition and a second part created from an un-versioned artifact definition; specifies linkages between a respective representation of the artifact in the versioned domain and the un-versioned domain; provides a set of facades through which a selected one of author, execute and update instances of the artifact is performed using either the versioned domain or the un-versioned domain; and correlates all versions of the artifact definition to a single un-versioned definition.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Sebastian Carbajales, Dao-Quynh L. Dang, Khoi Dang, Sascha Schwarze, Thomas J. Watson
  • Patent number: 11201878
    Abstract: Various systems and methods for bus-off attack detection are described herein. An electronic device for bus-off attack detection and prevention includes bus-off prevention circuitry coupled to a protected node on a bus, the bus-off prevention circuitry to: detect a transmitted message from the protected node to the bus; detect a bit mismatch of the transmitted message on the bus; suspend further transmissions from the protected node while the bus is analyzed; determine whether the bit mismatch represents a bus fault or an active attack against the protected node; and signal the protected node indicating whether a fault has occurred.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: December 14, 2021
    Assignee: Intel Corporation
    Inventors: Marcio Rogerio Juliato, Shabbir Ahmed, Santosh Ghosh, Christopher Gutierrez, Manoj R. Sastry
  • Patent number: 11190574
    Abstract: Disclosed embodiments relate to systems and methods for a standalone e-discovery machine to initiate an external connection to an external cloud-based resource. The external connection may occur without any changes to the port configurations and/or network firewall. The embodiments further disclose the standalone e-discovery machine observing, tracking, and reporting usage data of the e-discovery software stored on the standalone e-discovery machine. The observing, tracking, and reporting may occur in real-time or periodically. The embodiments also disclose the standalone e-discovery machine performing an initialization routine when it is connected wirelessly or in wired fashion to a client network.
    Type: Grant
    Filed: October 24, 2019
    Date of Patent: November 30, 2021
    Assignee: KLDiscoveryOntrack, LLC
    Inventors: Daniel Balthaser, Shane Levengood
  • Patent number: 11188051
    Abstract: The present disclosure resides in a method for monitoring an automated facility, wherein a plurality of field devices are integrated in the facility, comprising: connecting a cloud gateway with a first communication network of the facility; ascertaining field devices connected to the first communication network; testing whether device descriptions corresponding to the field devices are present in a server connected with the cloud gateway via a second communication network; downloading from the server device descriptions corresponding to the field devices and installing the device descriptions in the cloud gateway; creating a configuration plan, wherein the configuration plan defines at least one field device to be queried, the type of queried data, and the frequency of the querying; transmitting the configuration plan to the cloud gateway; querying data from the queried field devices according to the configuration plan; transmitting queried data to the server; and collecting and evaluating transmitted data.
    Type: Grant
    Filed: March 12, 2018
    Date of Patent: November 30, 2021
    Assignee: Endress+Hauser Process Solutions AG
    Inventors: Axel Pöschmann, Michael Mayer, Michael Maneval
  • Patent number: 11190494
    Abstract: The disclosed embodiments relate to securely transferring data between a source node and a destination node using an application whitelist. A control flow may be established between a source node and a perimeter gateway. The perimeter controller may receive a request to establish a node flow between an application executing on the source node and the destination node. The perimeter controller may determine whether the first application is included in an application whitelist that includes applications allowed to transfer data to nodes in a private network via a node flow. A node flow between the source node and destination node may be established upon determining that the first application is included in the application whitelist to facilitate secure data transfer between the source node and destination node.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: November 30, 2021
    Assignee: PRIBIT Technology, Inc.
    Inventors: Young Rang Kim, Yeontaek Lim, Minjae Lee
  • Patent number: 11178256
    Abstract: A business service providing system 1 according to an example embodiment includes a server 200 that provides a business service, a client 300 that uses the business service, and a monitoring apparatus 100 that monitors a state of the business service in the server 200 and the client 300. The monitoring apparatus 100 includes a monitoring information acquisition unit 110 that acquires monitoring information indicating the state of the business service in the server 200 and the client 300, a response policy determination unit 120 that determines a response policy for recovery of the business service based on the monitoring information in the server 200 and the client 300, and a recovery process request unit 130 that requests the server 200 or the client 300 to perform a recovery process based on the response policy.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: November 16, 2021
    Assignee: NEC CORPORATION
    Inventor: Yusuke Okuno
  • Patent number: 11166582
    Abstract: A method of performing a ritual of chucking during Hajj includes an authentication process, a connectivity process which connects a remote user to a chucking system located at the religious site, and a notification process. The authentication process allows a remote user, who is preferably a pilgrim unable to attend Hajj due to physical disability, age or sickness, to connect to the chucking system. The connectivity allows the pilgrim to perform the ritual of chucking remotely. To do so, the chucking system includes a primary pebble reservoir providing pebbles to a set of secondary pebble reservoirs, and a set of pebble projecting units. The remote user remotely connects to the set of pebble projecting units to chuck pebbles at the stoning sites, wherein the required pebbles are stored in the set of secondary pebble reservoirs. When chucking is complete, the remote user is notified regarding completion.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: November 9, 2021
    Assignee: King Fahd University of Petroleum and Minerals
    Inventors: Talal Bin Ali Ahmed Muth, Basem Almadani, Farouq Muhammad Aliyu
  • Patent number: 11159562
    Abstract: A method for defending an HTTP flood attack includes: determining the number of HTTP requests, transmitted by a protection device, received within each monitored time interval, where the HTTP requests include HTTP requests carried by a single data packet and HTTP requests carried by a plurality of data packets; verifying a target HTTP request after the number of HTTP requests received within any monitored time interval reaches a first threshold, where the target HTTP request includes an HTTP request received after the number of HTTP requests received within any monitored time interval reaches the first threshold; and responding to a verified target HTTP request.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: October 26, 2021
    Assignee: WANGSU SCIENCE & TECHNOLOGY CO., LTD.
    Inventors: Tao Ma, Guang Yang
  • Patent number: 11153297
    Abstract: Methods and apparatus to facilitate certificate and trust management across a distributed environment are disclosed.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: October 19, 2021
    Assignee: VMWARE, INC.
    Inventors: Evgeny Aronov, Zahari Ivanov, Dimitar Hristov Barfonchovski, Anna Delcheva, Diana Kovacheva
  • Patent number: 11138170
    Abstract: The current document is directed to a query-as-a-service system (“QAAS system”) that collects enormous volumes of data from network-connected entities, referred to as “Things” in the phrase “Internet of Things,” persistently stores the collected data and provides a distributed-query-execution engine that allows remote clients to continuously execute queries against the collected data. In a described implementation, both the raw data and query results are persistently stored in the QAAS system, with the raw data stored for significantly longer periods of time. Query results generated by the query-processing engine are securely transmitted to QAAS remote clients for distribution to file systems, storage appliances, applications, and other data sinks within client systems.
    Type: Grant
    Filed: January 11, 2017
    Date of Patent: October 5, 2021
    Assignee: Oracle International Corporation
    Inventors: Peter Crossley, Sean McNamara
  • Patent number: 11140168
    Abstract: To provide validation information to web publishers indicative of the presence of operational malicious software protection systems on user computing devices, an evaluation system resident on a web publisher server can cause web content, including validation request data, to be transmitted from the publisher server to a computing device. A submission system resident on the computing device can analyze the web content for the validation request data, and can cause the validation information to be transmitted from the computing device to the evaluation system based on the analysis. Upon receiving the validation information, the evaluation system can analyze it to determine the likelihood that content delivered to the computing device will be viewed by a real user (and not by automated computer programs).
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: October 5, 2021
    Inventors: Cees Wesseling, Jaroslav Nix, Vojtěch Vobr, Shareen Racké-Bodha
  • Patent number: 11122122
    Abstract: Systems and methods are disclosed for managing access between a data storage server and a client that are on the same local network. Access is managed using a cloud service that is remote from both the data storage server and the client requesting access to the server. The cloud-based management of local connections described herein simplifies the process of connecting to a data storage server on a local network from a client program or device. Connections are authorized based on the use of a local code. The local code is generated by the cloud service and includes a concatenation of a device identifier associated with the data storage server and a time-varying value, such as a timestamp.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: September 14, 2021
    Assignee: Western Digital Technologies, Inc.
    Inventors: Sailesh Rachabathuni, Jonathan Gaillard
  • Patent number: 11115212
    Abstract: A system may include a server and a data store system. The server may include at least one storage device and at least one processor. The server may execute an application and may store an encrypted password. The data store system may include at least one persistent storage device configured to store a data store. The data store system may further include a plurality of processing nodes configured to operate on the data store. The data store system may receive the encrypted password from the application with one of the plurality of processing nodes and may decrypt the encrypted password with the one of the plurality of processing nodes. The data store system may authenticate the decrypted password with the one of the processing nodes and provide the decrypted password to other processing nodes. Each processing node that has the decrypted password may be accessible to the application to operate on the data store. A method and computer-readable medium may also be implemented.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: September 7, 2021
    Assignee: Teradata US, Inc.
    Inventors: Alnasir Ladha, Blazimir Radovic, Zhenrong Li, Ehtesham Siddiqui
  • Patent number: 11113169
    Abstract: Best known configurations can be automatically created for particular platforms. An update tool can be installed on end user devices and can include a health monitor engine that creates health reports for drivers and/or firmware installed on the corresponding end user device. The health reports generated on the end user devices can be provided to a best known configuration engine that can evaluate them to calculate a best known configuration for each platform. The best known configurations can then be distributed to the update tool on the end user devices to cause them to configure the end user devices to match the corresponding best known configuration.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: September 7, 2021
    Assignee: Dell Products L.P.
    Inventors: Balasingh P. Samuel, Vivekanandh Narayanasamy Rajagopalan
  • Patent number: 11107068
    Abstract: Embodiments of the invention are directed to a system, method, or computer program product for providing inline authorization structuring for activity data transmissions. In particular, the invention provides a secure platform for transmission of activity data associated with an electronic activity and performance of the electronic activity at a recipient system based on inserting an encoded authorization instruction into inline activity data. The encoded authorization instruction comprises a processing instruction required for processing an associated activity data string. The invention provides a novel method for encoding authorization instructions associated with activity data strings. Another aspect of the invention is directed to constructing an inline activity data set configured for secure transmission to a recipient system, for performing an electronic activity associated with the inline activity data set at the recipient system.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: August 31, 2021
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Manu Jacob Kurian, Paul Grayson Roscoe, Alex Yi-Shiou Yang
  • Patent number: 11108872
    Abstract: The present invention provides a system in which, via a web page provided using a web browser by a management server, a management screen provided by a network device can be accessed while the management server does not need to have a private IP address of the network device.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: August 31, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Koji Sakamoto
  • Patent number: 11100511
    Abstract: Application-based point of sale systems in mobile operating systems. A first application may generate a first URL directed to a second application, a parameter of the first URL comprising an identifier of the first application. A mobile operating system (OS) may access the first URL to open the second application. The second application may receive, from a server, a virtual account number (VAN). The second application may initiate a server on a port and generate a second URL directed to the first application, a parameter of the second URL comprising the port. The OS may access the second URL to open the first application. The first application may establish a connection with the server using the specified port and receive the VAN from the second application via the connection. The first application may autofill the VAN to a form field of a payment form in the first application.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: August 24, 2021
    Assignee: Capital One Services, LLC
    Inventors: Jeffrey Rule, Stephane Lunati
  • Patent number: 11075819
    Abstract: Methods of managing an information technology (IT) infrastructure include detecting by a configuration management system an unauthorized change to one of a plurality of network elements, determining by the configuration management system that the unauthorized change to the one of the plurality of network elements creates a risk condition to an operation of one of the services provided by the IT infrastructure, and initiating an action to remedy the unauthorized change in response to determining that the unauthorized change to the one of the plurality of network elements creates the risk condition to the operation of one of the services provided by the IT infrastructure. Related systems and computer program products are disclosed.
    Type: Grant
    Filed: August 7, 2014
    Date of Patent: July 27, 2021
    Assignee: CA, Inc.
    Inventors: Kieron John James Connelly, Anivella Venkata Satya Sai Narsimha Subrahmanya Sudhakar, Steven M. Isenberg, Mirian Minomizaki Sato, Daocheng Chen
  • Patent number: 11075884
    Abstract: A security monitor monitors network communications at a loopback interface of a pod in the container system. The pod includes a service mesh proxy and an application container. The application container includes computer-readable instructions and is initiated via a container service and is isolated using operating system-level virtualization. The application container communicates with the service mesh proxy using the loopback interface. The security monitor extracts network address and port information from packet data in the network communications at the loopback interface. The security monitor determines one or more connection contexts of the network communications at the loopback interface, each connection context used to identify a network session of the application container with a remote application container.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: July 27, 2021
    Assignee: NeuVector, Inc.
    Inventors: Yuncong Feng, Gang Duan
  • Patent number: 11063928
    Abstract: Disclosed are various examples for transferring device identifying information during authentication. In some examples, an authentication request is transmitted to an identity manager. Instructions to negotiate a ticket are received from the identity manager. A ticket is negotiated from a key distribution center using a certificate comprising a unique device identifier of the client device. The unique device identifier is embedded in the ticket by the key distribution center based on verification that the certificate is valid. Authentication of the client device is completed through the identity manager using the ticket.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: July 13, 2021
    Assignee: VMWARE, INC.
    Inventors: Emily Hong Xu, Lloyd Spencer Evans, Lakshman Rao Abburi, Tomas Boman
  • Patent number: 11049056
    Abstract: A plurality of users connect to an application sending requests over a transport and receiving responses from an application that contain sensitive data. For each user request, the application runs one or more data requests and commands to various data sources or other information systems which return the sensitive data. The application then processes the data and returns it to the user as is or processed based on some business logic. The application includes a run-time environment—where the application logic is executed.
    Type: Grant
    Filed: September 29, 2016
    Date of Patent: June 29, 2021
    Assignee: Secupi Security Solutions Ltd
    Inventors: Alon Rosenthal, Dotan Adler
  • Patent number: 11038858
    Abstract: Systems and methods are disclosed for encrypting portions of data for storage and processing in a remote network. For example, methods may include receiving a message that includes data for forwarding to a server device; encrypting a portion of the data to determine an encrypted portion; determining metadata based on the portion of the data, wherein the metadata indicates one or more properties of the portion of the data and enables one or more operations to be performed by the server device that depend on the one or more properties; determining a payload including the data with both the encrypted portion and the metadata substituted for the portion of the data; and transmitting the payload to the server device.
    Type: Grant
    Filed: February 18, 2020
    Date of Patent: June 15, 2021
    Assignee: ServiceNow, Inc.
    Inventors: Pierre Francois Rohel, Siddharth Shah, Martin Wexler
  • Patent number: 11039313
    Abstract: According to certain embodiments, a method by a user equipment (UE) for securing network steering information includes transmitting a registration request to a Visited Public Land Mobile Network (VPLMN). Upon successful authentication by an authentication server function (AUSF), a home network root key is generated. A protected message comprising Network Steering Information is received from a first network node. The protected message is protected using a configuration key (Kconf) and a first Message Authentication Code (MAC-1). The configuration key (Kconf) is determined from the home network root key, and the UE verifies the MAC-1. Based on the Kconf and the MAC-1, it is verified that the VPLMN did not alter Network Steering Information. An acknowledgement message, which is protected with a second Message Authentication Code (MAC-2), is transmitted to a Home Public Land Mobile Network (HPLMN).
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: June 15, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Torvinen, Monica Wifvesson, Ivo Sedlacek
  • Patent number: 11036867
    Abstract: Mechanisms for performing advanced rule analysis are provided. The mechanisms perform natural language processing of a security rule set data structure, specifying a plurality of security rules. The mechanisms execute, for each security rule pairing, a determination of a similarity measure indicating a degree of similarity of the textual description of the first security rule in the pairing with the textual description of the second security rule in the pairing, and in response to the security measure being equal to or above duplicate rule threshold value, eliminating one of the first security rule or the second security rule in the pairing from the security rule set data structure to generate a modified security rule set data structure. The mechanisms deploy the modified security rule set data structure to a computing environment for use in identifying security incidents and performing event management.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: June 15, 2021
    Assignee: International Business Machines Corporation
    Inventors: Aankur Bhatia, Paul J. Dwyer, Yiye Huang
  • Patent number: 11025592
    Abstract: An exemplary system, method, and computer-accessible medium for authenticating a second device, can include initiating a first network connection between a server and a first device, initiating a second network connection between the server and the second device, and authenticating the second device based on the first network connection and the second network connection. Access to a network resource(s) can be granted to the second device based on the authentication. Access to the network resource(s) by the second device can be revoked if the first network connection is severed. The first network connection can be a first encrypted network connection and the second network connection can be a second encrypted network connection. The first network connection can be a first virtual private network (“VPN”) connection and the second network connection can be a second VPN connection.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: June 1, 2021
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Austin Walters, Vincent Pham, Jeremy Goodsitt
  • Patent number: 11019102
    Abstract: A method for a communication network in a motor vehicle, wherein a communication in the communication network involves a data transmission being performed and the communication network has provision for at least two communication subscribers. Also, disclosed is an electronic monitoring unit for a motor vehicle control device.
    Type: Grant
    Filed: November 17, 2017
    Date of Patent: May 25, 2021
    Inventor: Helge Zinner
  • Patent number: 11019032
    Abstract: Techniques to perform an operation comprising determining, by a local area network (LAN) controller, that a first device has connected to a predefined service set identifier (SSID) of a first wireless access point (AP), of a plurality of wireless APs, receiving, by the LAN controller from the first device, an Extensible Authentication Protocol (EAP) response specifying a destination address of a first private LAN controller associated with a first private network, creating, by the LAN controller based on the destination address, a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel between the first wireless AP and the first private LAN controller, and configuring, by the LAN controller, the first wireless AP to broadcast a private SSID associated with the first private network, wherein the first device accesses the first private network via the CAPWAP tunnel by connecting to the first wireless AP using the private SSID.
    Type: Grant
    Filed: September 10, 2018
    Date of Patent: May 25, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Igor Slutsker, Javier I. Contreras Albesa
  • Patent number: 11012475
    Abstract: A computer-implemented method of managing security services for one or more cloud computing platforms is disclosed.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: May 18, 2021
    Assignee: VALTIX, INC.
    Inventors: Praveen Patnala, Vishal Jain, Vijay Chander
  • Patent number: 11005745
    Abstract: Example methods are provided for a network management entity to perform network configuration failure diagnosis in a software-defined networking (SDN) environment. The method may comprise receiving a request to diagnose a network configuration failure; and generating and sending control information to a host to cause the host to inject, at a first network element, a diagnostic packet for transmission along a datapath to a configuration server via multiple second network elements. The diagnostic packet may be configured according to a network configuration protocol supported by the configuration server. The method may also comprise: receiving report information associated with the diagnostic packet from at least one of the following: the first network element, the multiple second network elements and the configuration server; and based on the report information, determining a diagnosis result associated with the network configuration failure.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: May 11, 2021
    Assignee: VMWARE, INC.
    Inventors: Qiao Huang, Donghai Han, Qiong Wang, Benli Ye, Xu Wang, Jia Cheng
  • Patent number: 11005892
    Abstract: System, method, and apparatus of securing and managing Internet-connected devices and networks. A wireless communication router is installed at a customer venue, and provides Internet access to multiple Internet-connected devices via a wireless communication network that is served by the router. A monitoring and effecting unit of the router performs analysis of traffic that passes through the router; identifies which Internet-connected devices send or receive data; and selectively enforces traffic-related rules based on policies stored in the router. Optionally, the monitoring and effecting unit is pre-installed in the router in a disabled mode; and is later activated after the router was deployed at a customer venue. Optionally, the router notifies the Internet Service Provider of the number and type of Internet-connected devices that are served by the router.
    Type: Grant
    Filed: September 16, 2018
    Date of Patent: May 11, 2021
    Assignee: ALLOT LTD.
    Inventors: Yair Manor, Yaron Muzikant
  • Patent number: 10992537
    Abstract: An embodiment may involve a managed network containing computing devices. The computing devices may be respectively associated with unqualified domain names. One or more server devices may be disposed within a remote network management platform that manages the managed network. These server devices may be configured to: probe the managed network, by way of a proxy server application disposed within the managed network, to obtain information related to applications operating on the computing devices, network connectivity of the computing devices, and representations of the unqualified domain names; obtain a regular expression; determine a subset of the computing devices in the managed network on which a particular application is operating and for which the respectively associated unqualified domain names match the regular expression; and generate a map of the managed network in which the subset of the computing devices is represented as a grouped node instead of individual nodes.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: April 27, 2021
    Assignee: ServiceNow, Inc.
    Inventors: Haviv Rosh, Alexei Tilikin
  • Patent number: 10986131
    Abstract: Techniques for generating access control policy warnings and suggestions are disclosed herein. An access control policy change specifying changes to one or more permissions associated with the access control policy is received and, based on a set of requests for access associated with the access control policy, an access control policy warning is produced which specifies an indication of whether or not the changes to the one or more permissions should be permitted.
    Type: Grant
    Filed: December 17, 2014
    Date of Patent: April 20, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: William Frederick Hingle Kruse, Ashish Rangole
  • Patent number: 10958671
    Abstract: A computer-implemented method includes: detecting, by a user device, an event that indicates a potential security compromise of the user device; determining, by the user device, a service accessible on the user device; sending, by the user device, a breach notification to a service provider corresponding to the service accessible on the user device; receiving, by the user device, a security profile from the service provider; and restricting, by the user device, access to the service provider by a client of the service provider on the user device until the security profile is satisfied by a user completing a security challenge defined in the security profile.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: March 23, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Swaminathan Balasubramanian, Radha M. De, Ashley D. Delport, Indrajit Poddar, Cheranellore Vasudevan
  • Patent number: 10936523
    Abstract: The invention relates to a communication module for connecting a lighting bus system (1) to a network (3) based on an internet protocol, wherein each component (2a . . . 2f) coupled to the bus system (1) is assigned a unique bus address, the communication module (4) is assigned a plurality of network addresses, at least one of the plurality of network addresses contains the bus address of a component (2a . . . 2f) and the communication module (4) is designed to receive data transmitted to the at least one network address from the network (3), to extract the bus address of the component (2a . . . 2f) from the network address, to determine data to be transmitted to the component (2a . . . 2f) by using the extracted bus address on the basis of the received data, and to transmit the determined data to the component (2a . . . 2f) having the extracted bus address via the bus system (1), or to provide the data generated autonomously by a component (2a . . .
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: March 2, 2021
    Assignee: TRIDONIC GMBH & CO KG
    Inventors: Markus Ender, Frank Lochmann, Dieter Severin
  • Patent number: 10917400
    Abstract: Systems and methods related to an online security center are provided. For example, a processor may receive authentication information via a first website, a first application, or both. The authentication information may be associated with an account registered with a second website, a second application, or both. The processor may store the authentication information. The processor may receive input of a selection related to managing a stored password of the authentication information. The processor may automatically generate a new password based at least in part on one or more password specifications that enhance security of the new password, a configurable time limit for changing the authentication information, or some combination thereof. The processor may then display a recommendation including the new password, automatically change the stored password to the new password, or some combination thereof, based on the input.
    Type: Grant
    Filed: February 15, 2017
    Date of Patent: February 9, 2021
    Assignee: United Services Automobile Association (USAA)
    Inventor: James Neil Goings
  • Patent number: 10917403
    Abstract: A method for variable length decoding, the method including: receiving, in a default word length mode, at least one first data word having a default first word length; combining the received at least one first data word as a first portion of data; receiving, after the at least one first data word, a transition word indicative of transitioning to a variable word length mode; receiving, after the transition word, a first word length word indicative of a second word length; receiving, after the first word length word, at least one second data word having the second word length; and combining the received at least one second data word as a second portion of the data.
    Type: Grant
    Filed: November 12, 2019
    Date of Patent: February 9, 2021
    Assignee: Kara Partners LLC
    Inventors: Brian Penny, Desmond Penny
  • Patent number: 10911549
    Abstract: A proxy in a service-based telecommunication network, such as a fifth generation (5G) network, can receive a request from a consumer network function (NF) and route the request to a producer NF. The request can be addressed to the proxy at an Internet Protocol (IP) layer, but include a path header, such as a Hypertext Transfer Protocol Two (HTTP/2) path pseudo-header field, that indicates a type of producer NF and a type of service. The proxy can select a particular instance of that type of producer NF based on the path header and can forward the request to an IP address of the selected producer NF that corresponds to the type of service indicated in the path header.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: February 2, 2021
    Assignee: T-Mobile USA, Inc.
    Inventors: Mallika Deshpande, Prannoy Kiran Saride
  • Patent number: 10911538
    Abstract: Authentication information at a first portion of encrypted data may be identified. A cryptographic key may be derived based on a combination of an identification of the first portion of the received encrypted data and a master key. Additional authentication information may be generated based on a combination of the derived cryptographic key and another portion of the received encrypted data. The encrypted data may be verified by comparing the authentication information at the first portion of the received encrypted data with the generated additional authentication information. In response to verifying the received encrypted data, a second cryptographic key may be derived based on a combination of an identification of the another portion of the encrypted data and the master key. The other portion of the received encrypted data may be decrypted by using the second cryptographic key.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: February 2, 2021
    Assignee: Fortanix, Inc.
    Inventors: Ambuj Kumar, Anand Kashyap, Jethro Gideon Beekman, Faisal Faruqui, Andrew Leiserson
  • Patent number: 10891381
    Abstract: Examples relate to detecting vulnerabilities in a web application. One example enables identifying a set of inputs in a web application input form. The set of inputs may be categorized based on a set of predetermined conditions. The set of inputs may be scored based on the categorization. A subset of the set of inputs may be determined to be a set of parameters of interest for the web application based on the scored set of inputs.
    Type: Grant
    Filed: November 13, 2015
    Date of Patent: January 12, 2021
    Assignee: MICRO FOCUS LLC
    Inventors: Jeremy Brooks, Sasi Siddharth Muthurajan, Nidhi Govindram Kejriwal
  • Patent number: 10873566
    Abstract: Example methods are provided for a firewall controller to implement a distributed firewall in a virtualized computing environment that includes a source host and a destination host. The method may comprise retrieving a first firewall rule that is applicable at the destination host to an ingress packet destined for a destination virtualized computing instance supported by the destination host; and based on the first firewall rule, generating a second firewall rule that is applicable at the source host to an egress packet destined for the destination virtualized computing instance. The method may further comprise instructing the source host to apply the second firewall rule to, in response to determination that the egress packet is blocked by the second firewall rule, drop the egress packet such that the egress packet is not sent from the source host to the destination host.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: December 22, 2020
    Assignee: NICIRA, INC.
    Inventor: Donghai Han
  • Patent number: 10868715
    Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to create computer networks that are provided by a remote configurable network service for use by the users. Such provided computer networks may be configured to be private computer networks accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. In addition, access to remote resource services may be configured and provided from such computer networks in various manners, such as to include a local access mechanism as part of a provided computer network that is configured to forward communications sent to the access mechanism to a particular remote resource service.
    Type: Grant
    Filed: September 14, 2015
    Date of Patent: December 15, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Daniel T. Cohn, Andrew J. Doane
  • Patent number: 10866793
    Abstract: At least one application may include instructions comprising application instructions and a plurality of separate pipeline definition instructions. The application instructions may be within a virtual container including at least one program that is generically executable in a plurality of different continuous integration and delivery (CI/CD) environments. Each of the plurality of separate pipeline definition instructions may be configured for each of the plurality of different CI/CD environments such that each pipeline definition may operate only in the CI/CD environment for which it is created. Each pipeline definition may be configured to cause the CI/CD environment for which it is created to execute the at least one program.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: December 15, 2020
    Assignee: Capital One Services, LLC
    Inventors: Brandon Atkinson, Christopher Bowers, Dallas Edwards
  • Patent number: 10846264
    Abstract: Disclosed herein are system, method, and computer program product embodiments for routing and storing files. In an embodiment, a file router system may route files to different geographic locations. This routing may aid in adhering to government regulations pertaining to the archival of files. For example, the file router system may interface with and/or receive files from a cloud computing platform. The file router system may manage the geographic file storage location. The file router system may also determine a file retention plan. The file retention plan may indicate a file retention period. The file router system may transmit the file retention plan to a data storage center located in the geographic file storage location. The file retention plan may further aid in adhering to government regulations.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: November 24, 2020
    Assignee: SAP SE
    Inventors: Suresh Kumar P, Vijay Kumar, Bhuvaneswari D, Kishan Rao Ramesh Yaradi, Ankit Jain
  • Patent number: 10838708
    Abstract: In one embodiment, a system for managing a virtualization environment comprises a plurality of host machines, one or more virtual disks comprising a plurality of storage devices, a virtualized file server (VFS) comprising a plurality of file server virtual machines (FSVMs), wherein each of the FSVMs is running on one of the host machines and conducts I/O transactions with the one or more virtual disks, and a virtualized file server backup system configured to back up data stored in a VFS located in a cluster of host machines to an object store, and retrieve the backed-up data as needed to restore the data in the VFS. The object store may be located in a public cloud. The object store may include a low-cost storage medium within the cluster. An FSVM of the VFS may provide an object store interface to low-cost storage media.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: November 17, 2020
    Assignee: Nutanix, Inc.
    Inventors: Vishal Sinha, Richard James Sharpe, Kalpesh Ashok Bafna, Anil Kumar Gopalapura Venkatesh, Durga Mahesh Arikatla, Shyamsunder Prayagchand Rathi
  • Patent number: RE48507
    Abstract: Systems and methods for facilitating distribution of application programming interfaces (APIs) in a social hub are described herein. The social API hub enables users (i.e., API consumers) to access (e.g., search, test, and/or otherwise utilize or consume) APIs that other users (i.e., API developers) submitted to the hub in a standardized manner. Additionally, users can wrap submitted APIs in a standard description format and add various add-ons on top of an existing API infrastructure in order to provide additional functionality.
    Type: Grant
    Filed: July 5, 2017
    Date of Patent: April 6, 2021
    Assignee: KONG, INC.
    Inventors: Marco Palladino, Augusto Marietti, Michele Zonca