Abstract: Embodiments described herein disclose technology for authenticating a user. In some embodiments, a smart card or other similar authentication device can be associated with a user profile. When a request to interact is received via an application associated with a device, the system prompts the user to waive the smart card within a threshold proximity of the device. In response to the smart card being placed within the proximity, the system collects information from the smart card and verifies that the smart card is associated with the user profile of the user. In response to verifying the information from the smart card, the system authenticates the user and allows the user to interact.

Abstract: A method for filtering data packets at a firewall system is disclosed that includes receiving a data packet having a plurality of fields at a processor, and determining whether a precondition exists, where an action is associated the precondition. The action associated with the precondition is performed if it is determined that the precondition exists. The data packet is processed using a plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields. A user associated with the data packet is identified, and it is determined whether one or more rules are stored in a cache for one or more of a plurality of groups associated with the user. The data packet is processed using the one or more rules stored in the cache if present.

Abstract: A statistical information generation device that generates statistical information from Ethernet frames on a mobility network includes: a transceiver that transmits and receives the Ethernet frames; and a statistical information generator that collects a plurality of Ethernet frames transmitted or received by the transceiver within a predetermined time period, and classifies, out of the plurality of Ethernet frames collected, Ethernet frames containing the same destination IP address, source IP address, destination port number, source port number, and protocol, and containing, in payloads, same identification information related to mobility control, into the same group, generates the statistical information for each group from the Ethernet frames classified into groups, and transmits the generated statistical information from the transceiver.

Abstract: Embodiments of the present invention provide a system for dynamically monitoring and filtering data packets associated with accessing one or more entity resources. The system is configured for identifying a data packet in a network comprising at least a first data unit and a second data unit, determining that the first data unit and the second data unit of the data packet are attempting to access an entity resource, determining that first data associated with the first data unit and second data associated with the second data unit cannot access the entity resource at a same instance based on a first signature bit associated with the first data unit and a second signature bit associated with the second data unit, and attenuating the first data unit or the second data unit from the data packet based on the first signature bit and the second signature bit.

Abstract: An HTTP connection between a client computing device and an application is established through a reverse proxy. A response to the client computing device includes a payload instructing initiation of a non-HTTP connection (e.g., TCP, UDP). The response is modified to replace references to an original port with a dynamic port allocated to the non-HTTP connection and a temporary ACL entry is created. A subsequent connection request addressed to the dynamic port is authorized per the ACL, modified to replace the dynamic port with the original port, and forwarded to the application. Subsequent packets for the non-HTTP connection have port numbers translated between the original and dynamic ports.

Abstract: A system and method for trigger-based scanning of cyber-physical assets, including a distributed operating system, parameter evaluation engine, at least one cyber-physical asset, at least one crypt-ledger, a network, and a scanner that detects trigger conditions and events and performs scans of cyber-physical assets based on the trigger and any relevant stored scan rules before storing scan results as time-series data.

Abstract: An appliance includes an external communication port, such as an RJ45 port, and a wireless communication module in wireless communication with a remote server through an external network. A controller is configured to detect port activity at the external communication port, e.g., by detecting a plug-in or data transfer, transmit a notification of the port activity to the remote server using the wireless communication module, receive an activity assessment, e.g., such as an activity approval or disapproval, from the remote server, and adjust at least one operating parameter of the appliance in response to the activity assessment.

Abstract: A method for guaranteeing data transmission and a communications device are provided. The method for guaranteeing data transmission, applied to a terminal, includes: obtaining information of an IPsec tunnel, where the IPsec tunnel is used for transmitting information between the terminal and a second network; and performing a related operation for a tunnel of a first network based on the information of the IPsec tunnel.

Abstract: Systems and methods for mitigating cyberattacks are described herein. A computing system can detect illegitimate network traffic associated with a cyberattack in network traffic. The computing system can determine an amplification factor of the cyberattack based in part on a probability distribution of the illegitimate network traffic. The computing system can determine a filter to demotivate a generation of the illegitimate network traffic. The determined filter can reduce the amplification factor of the cyberattack. The computing system can implement the determined filter to block the illegitimate network traffic.

Abstract: A device may determine internet protocol (IP) traffic monitoring criteria and may monitor IP traffic based on the IP traffic monitoring criteria. The device may update, based on monitoring the IP traffic, a table of currently active IP traffic flows and may update, based on the table of currently active IP traffic flows, an address resolution protocol (ARP) packet filter. The device may receive one or more ARP packets from a different device and may determine whether to accept or discard the one or more ARP packets based on the ARP packet filter. The device may update an ARP table based on determining to accept the one or more ARP packets.

Abstract: Systems, devices, and methods are discussed for forward testing rule sets at a granularity that is less than all activity on the network. In some cases, the granularity is that of an individual application.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: Techniques for providing a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a large scale high-interaction honeypot farm includes sending traffic detected at a sensor to a smart proxy for a honeypot farm that is executed in a honeypot cloud, wherein the traffic is forwarded attack traffic that is sent using a tunneling protocol, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; forwarding the traffic to an instance of the matching type of vulnerable service; and executing a security agent associated with the instance of the matching type of vulnerable service to identify a threat by monitoring behaviors and detecting anomalies or post exploitation activities.

Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

Abstract: Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized.

Abstract: Techniques for providing a smart proxy for a large scale high-interaction honeypot farm are disclosed. In some embodiments, a system/method/computer program product for providing a smart proxy for a large scale high-interaction honeypot farm includes receiving tunneled traffic at a smart proxy from a sensor for a honeypot farm that is executed in a honeypot cloud, wherein the tunneled traffic is forwarded attack traffic, and wherein the honeypot farm includes a plurality of container images of distinct types of vulnerable services; selecting a matching type of vulnerable service from the plurality of container images of distinct types of vulnerable services based on a profile of the attack traffic; and forwarding the tunneled traffic to an instance of the matching type of vulnerable service.

Abstract: Methods and systems for generating a security policy at a gateway are disclosed. A server computer and a gateway can perform a protocol in order to train a security model at a gateway, such that it can detect attack packets and prevent those attack packets from reaching the server computer via the gateway. In a learning phase, the server computer can provide training packets and test packets to the gateway. The gateway can use the training packets to train a security model, and the gateway can classify the test packets using the security model in order to test its accuracy. When the server computer is satisfied with the accuracy of the security policy, the server computer can transmit an acceptance of the security policy to the gateway, which can subsequently deploy the model in order to detect and filter attack packets.

Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies a requirement that the application receive data traffic from sources external to the virtual infrastructure. Based on the application definition, the method defines a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure. For an existing second set of higher-level firewall rules for data traffic entering and exiting the virtual infrastructure, the method specifies a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules to any data traffic that is from sources external to the virtual infrastructure and directed to the application.

Abstract: A method at a system including a firewall and at least one application, the method including obtaining, at the at least one application, a new address for a service provider for the at least one application; triggering a firewall update; obtaining a new firewall configuration; and updating the firewall, wherein the updating the firewall allows a connection from the at least one application to the new address for the service provider.

Abstract: A device is described that includes a first microprocessor configured for interfacing with a digital access control backend, and a second microprocessor configured for dedicated communications with an access control manager device backend. The first microprocessor is a master device that controls the operation of the second microprocessor as a secondary device. The proposed device is configured for operation of the first microprocessor and the second microprocessor at low clock speeds and to maintain a hash segregation between locally received data sets and data sets transmitted to an external authentication system.

Abstract: A data security system, including a security manager computer making network application programming interface (API) calls to a cloud-based service that performs data exchange transactions among end users, the API calls remotely controlling the cloud-based service so that the security manager computer accesses transactions that have entered the cloud-based service, whereby an end user may forward a transaction received through the cloud-based service to a central authority as being a potentially harmful or deceptive transaction, and a data inspector operative to analyze a transaction as being indeed harmful or deceptive, by applying machine learning, wherein the security manager computer controls the cloud-based service so as to transmit to the security manager transactions forwarded to the central authority, instead of or in addition to transmitting these transactions to the central authority, for analysis by the data inspector.

Abstract: A multi-enterprise system for selecting custom high-value sets of SIEM rules for individual member enterprises communicates with member enterprises via network connections. User interfaces are implemented to enable member enterprises to access the system for search, download, and other functions. Advanced rule identification using a sophisticated security knowledge graph enhances processing efficiency and effectiveness.

Abstract: A method including receiving, at a VPN server from a user device during an established VPN connection between the VPN server and the user device, a data request for the VPN server to retrieve data of interest from a host device; utilizing, by the VPN server, a first exit IP address to transmit a query for retrieving the data of interest to the host device during the established VPN connection; determining, by the VPN server based at least in part on transmitting the query, that the first exit IP address is blocked by the host device; and utilizing, by the VPN server, a second exit IP address to retransmit the query for retrieving the data of interest to the host device during the established VPN connection is disclosed. Various other aspects are contemplated.

Abstract: Detection and notification of malware at a user device may be performed by a validation server. The user device may hash elements associated with a document object model of a webpage and send generated hash values to the validation server. The validation server may validate the hash values. Based on detection of hash values corresponding to elements maliciously-injected by malware, the validation server may send one or more notifications to other servers that may communicate with the user device.

Abstract: Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an actual value from a field of the data packet being compared in a comparison by a hardware filter with a setpoint value for values from the field, the field including data link layer data or network layer data, a value for a counter determined as a function of a result of the comparison being provided by the hardware switch unit, and a computing device determining a result of the intrusion detection as a function of the value of the counter in the hardware switch unit and independently of information from the data packet, in particular, without an evaluation of information from the data packet by the computing device.

Abstract: Aspects of the disclosure relate to monitoring virtual desktops accessed by devices at remote locations using machine-learning models to mitigate potential cyber-attacks. In some embodiments, a computing platform may monitor data associated with a series of activities from a virtual desktop accessed by a remote computing device. Subsequently, the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device, and evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions.

Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.

Abstract: Described embodiments provide systems and apparatuses for enhanced quality of service, steering and policy enforcement for https traffic via intelligent in-line path discovery of a TLS terminating node. The system may include a first network device having a secure connection traversing through the first network device, and in communication with a second network device. The first network device and the second network device may be intermediary to a client device and a server. The first network device may determine that the second network device terminates the secure connection. The first network device may receive key generation information of the secure connection from the second network device following determining the second network device terminates the secure connection.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: A system for firewall data log processing, comprising a firewall logging system operating on a first processor and configured to cause the first processor to receive firewall log data and to process the firewall log data on a periodic basis to reduce the size of the firewall log data and a firewall reporting system operating on a second processor and configured to process the reduced size firewall log data to generate a report on a user interface that includes one or more analytics from the reduced size firewall data.

Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.

Abstract: A method comprising: receiving a request from a second application to access information from a first application, said first and second applications installed on a user equipment, and in response to said request, determining whether said second application is operating in accordance with at least one rule.

Abstract: A control device is connected to a plurality of networks, dispatches a packet received from a user terminal to a network among the plurality of networks, and includes a memory and a processor configured to execute receiving a DNS query packet transmitted from the user terminal, and based on a query target of the DNS query packet, dispatching the DNS query packet to a network among the plurality of networks; and receiving a packet, determining a destination of the packet based on a destination address of the packet, and transmitting the packet to the determined destination.

Abstract: This disclosure provides a device monitoring method and apparatus and a deregistration method and apparatus. The device monitoring apparatus has a capability of obtaining signaling plane data exchanged between a core network element and a terminal device, and after obtaining the signaling plane data, the device monitoring apparatus can determine, by analyzing attribute information of the signaling plane data, a device that may initiate a DoS attack.

Abstract: The present disclosure is directed to systems and methods for logical flow aggregation for fragmented multicast flows, the methods including the steps of identifying a plurality of fragmented multicast flows that are logically related as a single flow in a multicast network; generating a plurality of multicast joins associated with the plurality of fragmented multicast flows, wherein each multicast join of the plurality of multicast joins includes a join attribute comprising a common flow identifier that identifies the plurality of fragmented multicast flows as logically related; and selecting a reverse forwarding path toward an upstream device for the plurality of multicast joins.

Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.

Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.

Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.

Abstract: Methods and apparatuses providing file type inspection in firewalls by moving the flow between deep inspection file and lightweight accelerated paths. The method includes obtaining, by a network security device, a packet flow of a file transfer session in which at least two files are transferred and determining, by the network security device, at least an offset parameter based on at least one attribute of at least a first packet in the packet flow. The offset parameter is for a first file being transferred of the at least two files and relates to an expected positon of a control data sequence within the packet flow. In this method, based on the offset parameter, directing, by the network security device, to an accelerated packet inspection path instead of to a deep packet inspection path, a portion of the packet flow including one or more packets that follow the first packet.

Abstract: A secure data exchange system comprising a security device including a first external device plug, and a security engine operative to enforce a security policy on data transfer requests received from the host; an external device including a second external device plug; and a host including a first external device port operative to communicatively couple with the first external device plug, a second external device port operative to communicatively couple with the second external device plug, and a driver, e.g., a redirect driver, operative to transfer a data transfer request to the security device before executing the data transfer request.

Abstract: To provide a structure capable of performing more secure authentication between devices. There is provided a processing device comprising: a processing unit that executes a defined process that is defined in advance according to an input first request, executes calculation using first information included in the first request, and transmits a first response including a result of the calculation to a first device having output the first request, wherein the processing unit transmits a second request including second information different from the first information to at least one second device different from the first device, and acquires a second response including a result of calculation using the second information from the at least one second device.

Abstract: A first device may receive content from a second device based on a request for the content. The first device may be located between the second device and a third device. The first device may determine a value for a portion of the content using a function, where the value is to be used to analyze the content. The value may uniquely identify the portion of the content. The first device may determine whether a classification of the content can be determined. The first device may selectively determine the classification of the content by providing the value or the portion of the content corresponding to the value, to a fourth device when the classification cannot be determined, or determine the classification of the content using a data store when the classification can be determined. The first device may perform an action with respect to the content.

Abstract: It is provided a method, comprising triggering a terminal of a wireless network to establish a control session to a translator device via the wireless network; providing a control port to a station of a wireline network; forwarding at least one of a first message from the station received on the control port via the control session to the translator device and a second message received via the control session from the translator device to the station.

Abstract: A network device may receive a first configuration object associated with an application and may parse the first configuration object to identify first configuration data. The network device may calculate a first hash value based on the first configuration data and may generate a first operational object based on the first configuration data and the first hash value. The network device may receive a second configuration object associated with the application of the network device and may parse the second configuration object to identify second configuration data. The network device may calculate a second hash value based on the second configuration data and may determine whether the first hash value matches the second hash value. The network device may prevent, based on the first hash value matching the second hash value, generation of a second operational object based on the second configuration data and the second hash value.

Abstract: In response to a first programmatic request, metadata indicating that a first isolated read channel of a real-time category has been associated with a first target stream is stored at a stream management service. In response to another request, metadata indicating that a second isolated read channel of a non-real-time category has been associated with a second target stream is stored. In response to a read request indicating the first channel or the second channel, one or more data records of the corresponding target streams are provided.

Abstract: A cloud-based traffic classification engine maintains a catalog of application-based traffic classes which have been developed based on known applications, and a local traffic classification engine maintains a subset of these classes. Network traffic intercepted by the firewall which cannot be classified by the local engine is forwarded to the cloud-based engine for classification. Upon determination of a class of the traffic, the cloud-based engine forwards the determined class and corresponding signature to the local engine. The firewall maintains a cache which is updated with the signatures corresponding to the class communicated by the cloud-based engine. Subsequent network traffic sent from the application can be determined to correspond to the application and classified according locally at the firewall based on the cached signatures. Localization of the cache to the firewall reduces latency of traffic classification operations as the catalog of classification information stored in the cloud scales.

Abstract: Network interface provisioning of containerized instances based on tenant policies. A network interface assignment process (NIAP) receives a first request to assign a network interface to a first containerized instance comprising at least one container. The NIAP determines that a first tenant of a plurality of different tenants is associated with the first containerized instance. The NIAP accesses a first network assignment tenant policy (NATP) that corresponds to the first tenant. Based on the first NATP, the NIAP assigns, to the first containerized instance, a first network interface via which the first containerized instance can communicate with other containerized instances associated with the first tenant.

Abstract: Audio visual privacy controls can be provided. A privacy service can be configured to interface with multiple filter drivers that are loaded above components of an AV platform to enable the privacy service to selectively block a particular AV app's access to an AV device based on context. A privacy service may leverage a first filter driver to identify an AV app and may leverage a second filter driver to block the AV app's access. The privacy service may consider different types and combinations of context to determine when access to an AV device's stream should be blocked.

Abstract: A method performed by a node of a communications network such as a virtual routing function or policy enforcement node comprises receiving at least one packet, such as an internet protocol packet having an associated address and obtaining one or more metrics. The method involves dynamically configuring a longest-prefix match process on the basis of at least the metric(s). The dynamically configured longest-prefix match process is used with the associated address to identify an action and the identified action is applied to the packet.

Abstract: A logic circuit for managing reception of secure data packets in an industrial controller snoops data being transferred by a Media Access Controller (MAC) between a network port and a shared memory location within the industrial controller. The logic circuit is configured to perform authentication and/or decryption on the data packet as the data packet is being transferred between the port and the shared memory location. The logic circuit performs authentication as the data is being transferred and completes authentication shortly after the MAC has completed transferring the data to the shared memory. The logic circuit coordinates operation with the MAC and signals a Software Packet Processing (SPP) module when authentication is complete. The logic circuit is further configured to decrypt the data packet, if necessary, and to similarly coordinate operation with the MAC and delay signaling the SPP module that data is ready until decryption is complete.