Proxy Server Or Gateway Patents (Class 726/12)
  • Patent number: 10142346
    Abstract: Disclosed are systems, methods and computer-readable storage medium for extending a private cloud to a public cloud. The private cloud can be extended to the public cloud by establishing a virtual private network between a private cloud and a public cloud, receiving one or more access control lists provisioned by the private cloud, determining contracts between an end point group of the private cloud and an end point group of the public cloud based on the one or more access control lists, and extending the end point group of the private cloud to the end point group of the public cloud across the virtual private network.
    Type: Grant
    Filed: July 28, 2016
    Date of Patent: November 27, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Pavan Basetty, Subrata Banerjee, Ruben Hakopian
  • Patent number: 10142166
    Abstract: A security system is described for managing a premises. The security system comprises security system components and a first controller. A takeover component receives security data of the security system from the first controller. The security data is used to configure a second controller to communicate with the security system. The second controller communicates with the security system components and replaces the first controller in management of the security system.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: November 27, 2018
    Assignee: iControl Networks, Inc.
    Inventors: Marc Baum, Paul J. Dawes, Mike Kinney, Reza Raji, David Swenson, Aaron Wood
  • Patent number: 10142440
    Abstract: Embodiments for enforced registry of cookies in a tiered delivery network by at least a portion of a processor. Information of a cookie may be extracted at a reverse proxy providing access to an application server. Cookie registration rules provided to the registry by an application on the application server may be obtained such that the registry enables the reverse proxy to enforce compliance with the cookie registration rules for each cookie requesting access to the application. The extracted information of the cookie may be compared against the cookie registration rules provided to the registry by the application. The cookie may be suppressed from being relayed to the application upon determining the extracted information is non-compliant with the cookie registration rules.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: November 27, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gary F. Diamanti, Yaser K. Doleh, Jeffrey W. Lucas, Mauro Marzorati
  • Patent number: 10135827
    Abstract: A client computer hosts a virtual private network tool to establish a virtual private network connection with a remote network. Upon startup, the virtual private network tool collects critical network information for the client computer, and sends this critical network information to an address assignment server in the remote network. The address assignment server compares the critical network information with a pool of available addresses in the remote network, and assigns addresses for use by the client computer that do not conflict with the addresses for local resources. The address assignment server also provides routing information for resources in the remote network to the virtual private network tool. The virtual private network tool will postpone loading this routing information into the routing tables of the client computer until the client computer requests access to a specific resource in the remote network.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: November 20, 2018
    Assignee: SonicWALL Inc.
    Inventors: Paul Lawrence Hoover, Rodger Del Erickson, Bryan Sauve
  • Patent number: 10120670
    Abstract: At least one application may include instructions comprising application instructions and a plurality of separate pipeline definition instructions. The application instructions may be within a virtual container including at least one program that is generically executable in a plurality of different continuous integration and delivery (CI/CD) environments. Each of the plurality of separate pipeline definition instructions may be configured for each of the plurality of different CI/CD environments such that each pipeline definition may operate only in the CI/CD environment for which it is created. Each pipeline definition may be configured to cause the CI/CD environment for which it is created to execute the at least one program.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: November 6, 2018
    Assignee: Capital One Services, LLC
    Inventors: Brandon Atkinson, Christopher Bowers, Dallas Edwards
  • Patent number: 10110567
    Abstract: The present invention relates to a server comprising at least an application outputting at least one cookie, the server including a scrambled cookie names generator, a correspondence mechanism associating connections attributes for the application with an unpredictable scrambled cookie name, the scrambled cookie name being the one provided in the cookie sent to client side for use in the next connections to the application.
    Type: Grant
    Filed: July 11, 2014
    Date of Patent: October 23, 2018
    Assignee: GEMALTO SA
    Inventors: Eric Garreau, Alexandre Schaff
  • Patent number: 10110714
    Abstract: A network access device (NAD) receives a UDP packet from a client to be transmitted to a management server over the Internet, the UDP packet including a management message. The NAD is one of NADs managed by the management server. The NAD determines whether the management server is reachable using a UDP protocol. The NAD transmits the UDP packet to the management server using the UDP protocol over the Internet if it is determined that the management server is reachable using the UDP protocol. Otherwise, the NAD extracts a UDP payload from the UDP packet, encapsulates the UDP payload within an HTTP POST request, and transmits the HTTP POST request having the UDP payload encapsulated therein to the management server using an HTTP protocol over the Internet.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: October 23, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Clifford A. Frey, John Bicket, Kevin Paul Herbert, Varun Sagar Malhotra, Benjamin A. Chambers
  • Patent number: 10110600
    Abstract: The disclosed embodiments include systems and methods for dynamically investigating a changing asset-to-asset cloud communication environment. The disclosed embodiments may involve creating a baseline context for a trusted server, the baseline context including categories of assets in the changing asset-to-asset cloud communication environment and corresponding access rights for the categories of assets, training the baseline context for the trusted server based on automatically discovered access rights, and operating the trained baseline context for the trusted server.
    Type: Grant
    Filed: February 5, 2018
    Date of Patent: October 23, 2018
    Assignee: CyberArk Software Ltd.
    Inventor: Dor Simca
  • Patent number: 10101989
    Abstract: In one embodiment, a system for managing a virtualization environment comprises a plurality of host machines, one or more virtual disks comprising a plurality of storage devices, a virtualized file server (VFS) comprising a plurality of file server virtual machines (FSVMs), wherein each of the FSVMs is running on one of the host machines and conducts I/O transactions with the one or more virtual disks, and a virtualized file server backup system configured to back up data stored in a VFS located in a cluster of host machines to an object store, and retrieve the backed-up data as needed to restore the data in the VFS. The object store may be located in a public cloud. The object store may include a low-cost storage medium within the cluster. An FSVM of the VFS may provide an object store interface to low-cost storage media.
    Type: Grant
    Filed: February 2, 2017
    Date of Patent: October 16, 2018
    Assignee: Nutanix, Inc.
    Inventors: Vishal Sinha, Richard James Sharpe, Kalpesh Ashok Bafna, Anil Kumar Gopalapura Venkatesh, Durga Mahesh Arikatla, Shyamsunder Prayagchand Rathi
  • Patent number: 10104069
    Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: October 16, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Craig V. McMurtry, Alexander T. Weinert, Vadim Meleshuk, Mark E. Gabarra
  • Patent number: 10095558
    Abstract: A new approach is proposed that contemplates systems and methods to support a mechanism to offload all aspects of inline SSL processing of an application running on a server/host to an embedded networking device such as a Network Interface Card (NIC), which serves as a hardware accelerator for all applications running on the server that need to have a secure connection with a remote client device over a network. By utilizing a plurality of its software and hardware features, the embedded networking device is configured to process all SSL operations of the secure connection inline, i.e., the SSL operations are performed as packets are transferred between the host and the client over the network, rather than having the SSL operations offloaded to the NIC, which then returns the packets to the host (or the remote client device) before they can be transmitted to the remote client device (or to the host).
    Type: Grant
    Filed: May 11, 2016
    Date of Patent: October 9, 2018
    Assignee: CAVIUM, INC.
    Inventors: Ram Kumar Manapragada, Manojkumar Panicker, Faisal Masood, Satish Kikkeri
  • Patent number: 10080138
    Abstract: In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: September 18, 2018
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Cosmin C. Stan, Andrei Rusu, Bogdan C. Cebere, Alexandru I. Achim
  • Patent number: 10050939
    Abstract: Techniques for communication in a hybrid cloud computing system. The techniques include utilizing cross-origin resource sharing to allow a web-based application to communicate with both a public host computer and a private host computer of the hybrid cloud computing system. More specifically, a web-based application downloaded from the public host computer would include code that, when executed, would programmatically make HTTP requests to the private host computer. The private host computer would respond with an Access-Control-Allow-Origin header specifying the origin of the public host computer as an allowed origin, thereby allowing the web-based application to access resources from the private host computer. The techniques may be used for managing computing or software resources of the hybrid cloud computing system and also for transfer of data related to managing computing or software resources of the hybrid cloud computing system.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: August 14, 2018
    Assignee: VMWARE, INC.
    Inventors: Rostislav Hristov, Vesselin Arnaudov
  • Patent number: 10044738
    Abstract: Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: August 7, 2018
    Assignee: Intel Corporation
    Inventor: Satyendra Yadav
  • Patent number: 10033762
    Abstract: Provided are methods, network devices, and computer-program products for a network deception system. The network deception system can engage a network threat with a deception mechanism, and dynamically escalate the deception to maintain the engagement. The system can include super-low, low, and high-interaction deceptions. The super-low deceptions can respond to requests for address information, and require few computing resources. When network traffic directed to the super-low deception requires a more complex response, the system can initiate a low-interaction deception. The low-interaction deception can emulate multiple devices, which can give the low-interaction deception away as a deception. Hence, when the network traffic includes an attempted connection, the system can initiate a high-interaction deception. The high-interaction deception more closely emulates a network device, and can be more difficult to identify as a deception.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: July 24, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Johnson Wu, Rajendra A. Gopalakrishna, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 10032042
    Abstract: In some implementations, a computer-implemented method and system for enrolling customers into a digital identification program may include obtaining, from a digital identification database, customer information that describes a customer, providing to the customer device an access code for activation, receiving a request from the customer device for the digital identification, where the request includes the access code and customer information that describes the customer, providing a request for secure information that describes the customer from a secure information database, receiving the secure information that describes the customer stored in the secure information database, generating the digital identification for the customer based on the secure information and the customer information, and providing the digital identification to the customer device.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: July 24, 2018
    Assignee: MorphoTrust USA, LLC
    Inventors: Robert Andrew Eckel, A. David Kelts
  • Patent number: 10009188
    Abstract: Methods and nodes (200, 202) in a data distribution network, for distributing content to multiple consuming nodes (C1, C2, C3, . . . ). A first node (200) detects (2:2) multiple data flows (2:1b) of a first content from the first node to a second node (202) in the distribution network, when the first node operates as delivering node of the first content for the consuming nodes. The first node then instructs (2:4) the second node to operate as delivering node of the first content for the consuming nodes and redirects (2:5) the consuming nodes to use the second node as delivering node of the first content. The first node further reduces (2:6) the multiple data flows to a common data flow of the first content to the second node. Thereby, efficiency can be improved in the data distribution network by reducing the number of data flows between the first and second nodes.
    Type: Grant
    Filed: March 25, 2013
    Date of Patent: June 26, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Stefan Hellkvist, Joacim Halén, Jan-Erik Mångs
  • Patent number: 9998425
    Abstract: The present invention provides the initiation of a transport layer security (TLS) session between a client device and a server using a firewall without interruption. The present invention holds a TLS hello message received from the client device until after the server has been validated. A firewall consistent with the present invention does not interrupt a transport layer control (TCP) connection that was established between the client device and the firewall before the TLS hello message was received by the firewall.
    Type: Grant
    Filed: January 27, 2015
    Date of Patent: June 12, 2018
    Assignee: SonicWALL Inc.
    Inventors: Raj Raman, Alex Dubrovsky, Akbal Singh Karlcut
  • Patent number: 9979756
    Abstract: A user device registers with a proxy-call session control function device (P-CSCF) associated with an Internet protocol (IP) multimedia subsystem (IMS). The user device forwards a request to the P-CSCF requesting a session via the IMS for an IMS call. If a response to the request is not received from the P-CSCF during a time period after forwarding the request, the user device attempts to newly register with the P-CSCF. If the new registration is successful, the user device re-forwards the request to the P-CSCF. Otherwise, if the new registration with the P-CSCF is unsuccessful, the user device registers with a different P-CSCF and forwards the request to the second P-CSCF.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: May 22, 2018
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Muhammad Salman Nomani, Andrew E. Youtz, Jun Yuan
  • Patent number: 9979550
    Abstract: Methods of facilitating communication between clients and servers are contemplated. Embodiments of the inventive subject matter make it possible for a client to establish a packet-based connection with a server by first authenticating with a web backend. This can enable, for example, a client to establish a packet-based connection with a server through a web browser.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: May 22, 2018
    Assignee: The Network Protocol Company, Inc.
    Inventor: Glenn Alexander Fiedler
  • Patent number: 9971884
    Abstract: The disclosed embodiments include systems and methods for securing an asset-to-asset cloud communication environment. The disclosed embodiments may involve identifying an asset spun up in the cloud communication environment based on a notification identifying the spun up asset, determining that the spun up asset will require authorization to achieve at least some secure communication functionality with a different asset in the cloud communication environment, automatically authenticating the spun up asset based on authentication information from a trusted source to the spun up asset, automatically determining, based on the authenticating, whether the spun up asset is authorized to perform secure communication functionality with at least one different asset, and automatically performing a control action, based on the authenticating, to enable the spun up asset to perform the secure communication functionality with the at least one different asset.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: May 15, 2018
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Dor Simca, Shlomi Benita, Noam Zweig, Yaron Nisimov, Hadas Elkabir
  • Patent number: 9954844
    Abstract: A method including determining, by a processing device, whether a computer system is able to access an authentication server, in response to determining that the computer system is able to access the authentication server, requesting a first set of credentials, authenticating the first set of credentials, assigning a user a first role for performing operations on the computer system in view of the first set of credentials, and in response to determining that the computer system is unable to access the authentication server, requesting a second set of credentials different from the first set of credentials, authenticating one or more credentials provided by the user, and assigning the user a second role for performing operations on the computer system in view of the one or more credentials, wherein the first role specifies a first type of access to at least one object on the computer system, and the second role specifies a second type of access to the at least one object, wherein the first type of access is di
    Type: Grant
    Filed: January 28, 2015
    Date of Patent: April 24, 2018
    Assignee: Red Hat, Inc.
    Inventor: Dmitri V. Pal
  • Patent number: 9954664
    Abstract: Methods and systems for providing a virtual private network service on a per mobile application basis are presented. In some embodiments, a mobile device that is connected to a private network may determine that one of its mobile applications is requesting to communicate with a private network. The mobile device may intercept one or more system calls to communicate with the private network issued by the mobile application. The mobile device may generate a communication link to a virtual private network (VPN) server on a port of the mobile device through which to transmit communications from the mobile application to the private network. The mobile device may instruct the VPN server to transmit one or more messages from the mobile application to an access gateway for forwarding to the private network.
    Type: Grant
    Filed: July 11, 2017
    Date of Patent: April 24, 2018
    Assignee: Citrix Systems, Inc.
    Inventor: Vagish Kalligudd
  • Patent number: 9946759
    Abstract: A system and method for visual importance indication enhancement for collaborative environments comprises a processor for establishing a set of attributes for a primary participant based on attributes obtained from data sources accessible by the primary participant, generating a dynamic rule in accordance with the set of attributes, applying the dynamic rule to an activity stream comprising one or more messages to obtain points of commonality between a participant and the primary participant and determining an importance level of at least one of the one or more messages, and visually indicating the points of commonality and the importance level of the at least one message as a display on a display device. The system can further comprise computer readable storage medium for storing data including the set of attributes.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: April 17, 2018
    Assignee: International Business Machines Corporation
    Inventors: Alaa Abou Mahmoud, Paul R. Bastide, Shane M. Kilmon, Ralph E. LeBlanc, Jr., Fang Lu
  • Patent number: 9946760
    Abstract: A system and method for visual importance indication enhancement for collaborative environments comprises a processor for establishing a set of attributes for a primary participant based on attributes obtained from data sources accessible by the primary participant, generating a dynamic rule in accordance with the set of attributes, applying the dynamic rule to an activity stream comprising one or more messages to obtain points of commonality between a participant and the primary participant and determining an importance level of at least one of the one or more messages, and visually indicating the points of commonality and the importance level of the at least one message as a display on a display device. The system can further comprise computer readable storage medium for storing data including the set of attributes.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: April 17, 2018
    Assignee: International Business Machines Corporation
    Inventors: Alaa Abou Mahmoud, Paul R. Bastide, Shane M. Kilmon, Ralph E. LeBlanc, Jr., Fang Lu
  • Patent number: 9935918
    Abstract: Technologies are described for using a cloud-based computer system to access services provided by a particular server over public Internet Protocol (IP) connections. In one aspect, a system includes a first computer system configured to run the particular server to provide a first service over public IP connections; and a second computer system configured to run a second server, where the particular server transmits, over public IP connections, a request for the second server to check the first service, where, responsive to receipt of the request for the second server to check the first service, the second server provides, to the particular server over public IP connections, information relating to whether the first service is available over public IP connections, and where the particular server updates an availability status of the first service over public IP connections based on the information provided by the second server.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: April 3, 2018
    Assignee: Apple Inc.
    Inventors: Jonathan D. Thomassian, Jeffrey H. Michaud, Sathish K. Narayanaswamy, Jason Allen Townsend, Amul Goswamy
  • Patent number: 9934392
    Abstract: Systems and methods are provided for monitoring access of computing resources. Usage rules may be created and stored that define a usage constraint based on actions available to be performed at the computing resources. An authenticator may verify login credentials received from a user and authorize the user to access a computing resource. A request to perform an action at the computing resource may be received, and a usage monitor may apply a usage rule to the requested action. If the requested action violates the usage constraint of the usage rule, the usage monitor may halt performance of the requested action and notify another user of the usage constraint violation. The authenticator may receive and verify another set of login credentials from that other user. In response to successful verification of the additional set of login credentials, the usage monitor may resume performance of the requested action.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: April 3, 2018
    Assignee: Bank of America Corporation
    Inventors: Armen Moloian, John H. Kling
  • Patent number: 9936388
    Abstract: In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: April 3, 2018
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Cosmin C. Stan, Andrei Rusu, Bogdan C. Cebere, Alexandru I. Achim
  • Patent number: 9936380
    Abstract: A client device is authenticated in a wireless local area network using a pairwise master key when the client device associates to a first access point. A set of neighbor devices to the client device is generated. The set includes less than a total number of access points in the wireless local area network. The pairwise master key is distributed to the neighbor devices such that the pairwise master key is not distributed to access points outside of the set of neighbor devices. Data representing the set of neighbor devices for the client device is maintained.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: April 3, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Karthikeyan Balasubramanian, V. S. Vinodh Kumar, Ashvin Lingam, Mubeesh Ali V. M.
  • Patent number: 9921863
    Abstract: Management of virtual machines within a private network may be provided from a server application, such as a web application, on a machine remote from a private network. The server application receives management commands and communicates the management commands in a vendor independent format to a client application within the private network. The client application receives the management commands, instantiates the management commands into a vendor specific definition and redirects the management commands to the virtual machine host for appropriate execution.
    Type: Grant
    Filed: February 21, 2017
    Date of Patent: March 20, 2018
    Assignee: KASEYA LIMITED
    Inventors: George Runcie, Derek Rodrigues
  • Patent number: 9898599
    Abstract: A method, system and computer program product are provided for implementing block extent granularity authorization and deauthorization processing for a Coherent Accelerator Processor Interface (CAPI) adapter. The Application Client, such as an Application Child Client, sends a Delete Authorizations command to the CAPI Adapter via the Client CAPI Server Registers assigned to the specific Application Client. The CAPI Adapter deletes the Authorizations in all Lists in the Delete Authorizations command.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: February 20, 2018
    Assignee: International Business Machines Corporation
    Inventors: Brian E. Bakke, Adrian C. Gerhard, Daniel F. Moertl
  • Patent number: 9887997
    Abstract: Systems and methods for performing web authentication using a client platform root of trust are disclosed herein. Website and user validity and integrity may be authenticated based on the user device's attempt to access the website. A user device may securely access the website once the user device is successfully authenticated with a server. In an embodiment, the user device may perform an authentication of the website to ensure the website is a valid entity.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: February 6, 2018
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Rajesh Poornachandran
  • Patent number: 9866560
    Abstract: Technologies are generally disclosed for methods and systems for providing secure document storage and retrieval services. In an example embodiment, a method includes receiving an exclusive address at which to send secure links, receiving a request to store a document, storing the document with a remote storage service, receiving location information from the remote storage service, transmitting the location information at which the document is stored to the exclusive address, and updating the location information dynamically.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: January 9, 2018
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventors: Mordehai Margalit, Vered Zilberberg
  • Patent number: 9864547
    Abstract: According to one embodiment, a storage device includes a processor which executes first processing, second processing and third processing. The second processing includes processing for relaying a command issued by a host device, and an execution result of the first processing corresponding to the command, between the host device and the first processing. The third processing includes processing for causing the second processing to transition from a first state to a second state of lower energy consumption than the first state, when a first period in which the second processing is in an idle state exceeds a second period. The third processing further includes processing for maintaining the first state under a first condition, when the first period exceeds the second period.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: January 9, 2018
    Assignee: TOSHIBA MEMORY CORPORATION
    Inventors: Takashi Ishiguro, Hirokazu Morita
  • Patent number: 9848014
    Abstract: A method includes performing, by a processor of a network controller of a network: storing device identifications corresponding to respective ones of a plurality of devices connected via the network, respectively, storing an association between a first one and a second one of the plurality of devices, the association being represented as a pairing identification code corresponding to the first and second ones of the plurality of devices, receiving a communication from an intruder device, the communication comprising the device identification corresponding to one of the first and the second ones of the plurality of devices, sending a request to the intruder device to communicate the pairing identification code, and denying access to the network to the intruder device responsive to the intruder device failing to communicate the pairing identification code.
    Type: Grant
    Filed: January 28, 2016
    Date of Patent: December 19, 2017
    Assignee: CA, Inc.
    Inventors: Jameel Ahmed Kaladgi, Kiran Kumar B. S., Praveen Kumar Thakur
  • Patent number: 9832185
    Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: November 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Craig V. McMurtry, Alexander T. Weinert, Vadim Meleshuk, Mark E. Gabarra
  • Patent number: 9824411
    Abstract: Methods, computer systems, and computer-storage media for presenting third-party clinical information on a mobile device are provided. A request for clinical information is received from a user of the mobile device. After the user is authenticated, a number of plug-in applications are determined for the user. The request for clinical information is communicated to the plug-in applications. The clinical information is received from the plug-in applications in the form of one or more generic hierarchical structures populated with the clinical information. The populated hierarchical structures are rendered for display on the mobile device.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 21, 2017
    Assignee: Cerner Innovation, Inc.
    Inventor: Matthew Nicholas Sawka
  • Patent number: 9813378
    Abstract: Disclosed herein are technologies for implementing a web application firewall specific to tenants, and providing different security rules that are particular to the tenants. In accordance with one implementation, authentication instructions as to one or more tenants may be received and the one or more tenants may be registered. Rules associated to and specific to each of the one or more tenants may further be identified and implemented.
    Type: Grant
    Filed: December 4, 2014
    Date of Patent: November 7, 2017
    Assignee: Successfactors, Inc.
    Inventor: Yu Wu
  • Patent number: 9794975
    Abstract: Peer-to-peer management of mobile devices is disclosed. In various embodiments, a message is received at a first mobile device indicating that a device management permission with respect to a second mobile device that is a peer of the first mobile device has been granted to a user associated with the first mobile device. The first mobile device is configured to be used to perform with respect to the second mobile device a device management action associated with the device management permission.
    Type: Grant
    Filed: August 13, 2015
    Date of Patent: October 17, 2017
    Assignee: MOBILE IRON, INC.
    Inventors: Venkata Narayana Porala, Madhu Vemuri
  • Patent number: 9769177
    Abstract: A method for controlling access to a plurality of computing resources in a distributed computing environment can comprise the steps of: an application role server, responsive to receiving a certificate request, authenticating the requester and issuing a digital certificate to the requester; an access control node, responsive to receiving a resource access request, granting access to the computing resource to the requester upon ascertaining the requester's access privileges, or forwarding the resource access request to another access control node.
    Type: Grant
    Filed: June 11, 2008
    Date of Patent: September 19, 2017
    Assignee: Syracuse University
    Inventor: Joon S. Park
  • Patent number: 9756151
    Abstract: Described herein is a method and system for distributing requests and responses across a multi-core system. Each core executes a packet engine that further processes data packets allocated to that core. A flow distributor executing within the multi-core system forwards client requests to a packet engine on a core that is selected based on a value generated when a hash is applied to a tuple comprising a client IP address, a client port, a server IP address and a server port identified in the request. The packet engine maintains the client IP address, selects a first port of the core, and determines whether a hash of a tuple comprising those values identifies the selected core. A modification is then made to the client request so that the client request includes a tuple comprising the client IP address, the server IP address, the first port and the server port.
    Type: Grant
    Filed: July 14, 2014
    Date of Patent: September 5, 2017
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Deepak Goel
  • Patent number: 9743282
    Abstract: A data communication network has computer systems that process virtual network elements during network processing time cycles to forward data communication packets for user data services. The computer systems process hardware-embedded codes during the network processing time cycles to identify the computer systems. A security server validates the computer system identities for the virtual network elements. A database system maintains a distributed data structure that individually associates the data services, the computer systems, the virtual network elements, and the computer system validities. The security server and the database system could be discrete systems or they may be at least partially integrated within the computer systems where they would typically execute during different processing time cycles from the virtual network elements.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: August 22, 2017
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle Walter Paczkowski, Arun Rajagopal, Ronald R. Marquardt
  • Patent number: 9742812
    Abstract: Methods and systems for monitoring communication traffic in communication networks, such as Internet Protocol (IP) traffic transferred over the Internet or over a wireless network. The disclosed techniques identify communication traffic that is associated with target individuals, by extracting digital images from the traffic and recognizing target individuals who appear in the images. A correlation system monitors communication sessions that are conducted in a communication network to identify known target individuals who appear in images. Upon recognizing a target individual in an image extracted from a certain session, the system correlates this target user with one or more of the communication identifiers used in the session. The system automatically identifies IP addresses or other identifiers that are used by target individuals, and enables subsequent tracking of such identifiers.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: August 22, 2017
    Assignee: VERINT SYSTEMS LTD.
    Inventors: Rotem Aviad, Ariel Zamir
  • Patent number: 9729574
    Abstract: Various exemplary embodiments relate to a method, network node, and non-transitory machine-readable storage medium including one or more of the following: receiving, at the network device, an ownership indication that a first network processor is currently serving an anti-replay connection; and in response to receiving the ownership indication, effecting a presetting in a second network processor of a current sequence number (SN) for the anti-replay connection to a first value that is greater than or equal to a re-key threshold value, wherein the network device includes at least one of the first network processor and the second network processor, wherein the re-key threshold value is a value beyond which an SN triggers re-keying of the anti-replay connection, and wherein the second network processor utilizes the current sequence number upon beginning to serve the anti-replay connection.
    Type: Grant
    Filed: February 14, 2014
    Date of Patent: August 8, 2017
    Assignee: Alcatel Lucent
    Inventors: Michel Rochon, Erel Ortacdag, Jee Chiong Heng
  • Patent number: 9716700
    Abstract: In an approach for providing data privacy in information integration systems, a method performed during compilation of an information integration job receives information regarding a data flow structure of the job to be executed, said data flow structure comprising at least one source system, one or more target entities, and at least one operator for modifying output data provided by the source system. The method determines data exit points at which output data are provided to the target entities and determines at least one non-trusted target entity. The method determines, for each non-trusted target entity, if at least one data field included in the output data provided to the non-trusted target entity is classified as sensitive information, and, if so, modifies the information integration job by including a masking operator directly before a data exit point associated with the non-trusted target entity in order to mask said sensitive information.
    Type: Grant
    Filed: February 19, 2015
    Date of Patent: July 25, 2017
    Assignee: International Business Machines Corporation
    Inventors: Ivan M. Milman, Martin Oberhofer, Yannick Saillet
  • Patent number: 9716704
    Abstract: In an approach for providing data privacy in information integration systems, a method performed during compilation of an information integration job receives information regarding a data flow structure of the job to be executed, said data flow structure comprising at least one source system, one or more target entities, and at least one operator for modifying output data provided by the source system. The method determines data exit points at which output data are provided to the target entities and determines at least one non-trusted target entity. The method determines, for each non-trusted target entity, if at least one data field included in the output data provided to the non-trusted target entity is classified as sensitive information, and, if so, modifies the information integration job by including a masking operator directly before a data exit point associated with the non-trusted target entity in order to mask said sensitive information.
    Type: Grant
    Filed: February 26, 2016
    Date of Patent: July 25, 2017
    Assignee: International Business Machines Corporation
    Inventors: Ivan M. Milman, Martin Oberhofer, Yannick Saillet
  • Patent number: 9705848
    Abstract: A firewall security device, system and corresponding method are provided that includes an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: July 11, 2017
    Assignee: IOTA Computing, Inc.
    Inventors: Ian Henry Stuart Cullimore, Jeremy Walker
  • Patent number: 9693355
    Abstract: An exemplary profiling system builds a two-layer mapping model for a mobile network. The two-layer mapping model establishes a causal relationship between a plurality of application behavior indicators and network resource usage within the mobile network by defining a first mapping relationship between the plurality of application behavior indicators and a plurality of network performance indicators representative of network traffic that passes through the mobile network, and a second mapping relationship between the plurality of network performance indicators and network resource usage within the mobile network. Corresponding systems and methods are also described.
    Type: Grant
    Filed: July 21, 2015
    Date of Patent: June 27, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Ye Ouyang, Carol Becht
  • Patent number: 9686284
    Abstract: Systems and methods for extending and re-using an IP multimedia subsystem (IMS) to extend the trust relationship from a closed group of customers of wireless service providers to users of other ecosystems (e.g., Gmail, Facebook, or Yahoo!) for IMS services. Some embodiments include receiving a request from an initiating device to establish a service connection between the initiating device and an endpoint through an Internet Protocol Multimedia Subsystem (IMS) session. The request may include third-party domain credentials (e.g., maintained by a third-party domain) associated with an end-user. The third-party domain credentials can be extracted from the request. Communications with the third-party domain can be used to verify the third-party domain credentials. The IMS session can be established between the initiating device and the endpoint upon verification of the third-party domain credentials.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: June 20, 2017
    Assignee: T-Mobile USA, Inc.
    Inventors: Mehul Shah, Cameron Byrne
  • Patent number: 9686193
    Abstract: Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.
    Type: Grant
    Filed: February 18, 2015
    Date of Patent: June 20, 2017
    Assignee: Centripetal Networks, Inc.
    Inventor: Sean Moore