Packet Filtering Patents (Class 726/13)
-
Patent number: 11349702
Abstract: A communication apparatus comprises a rollback control unit that rolls back a first process to a second process; and a storage unit to store one or more network states shared by the first process and the second process, the second process enabled to take over one or more network states from the first process; wherein the rollback control unit includes a network state control unit that controls to provide delayed updating of at least one of the one or more network states taken over by the second process.
Type: Grant
Filed: July 21, 2016
Date of Patent: May 31, 2022
Assignee: NEC CORPORATION
Inventors: Takayuki Sasaki, Daniele Enrico Asoni, Adrian Perrig
-
Patent number: 11336622
Abstract: An apparatus for deploying a firewall on a software-defined network (SDN) includes a public key distributor configured to transmit a public key, a resource monitor configured to monitor resources of a network, a host monitor configured to receive a firewall rule of at least one host, which is encrypted by the public key, a decryption unit configured to decrypt information received from the host monitor by using a secret key, a merge unit configured to merge the decrypted information to provide a merged firewall rule, and a firewall deployment unit configured to deploy the merged firewall rule to a switch.
Type: Grant
Filed: November 19, 2019
Date of Patent: May 17, 2022
Assignee: GWANGJU INSTITUTE OF SCIENCE AND TECHNOLOGY
Inventors: Hyuk Lim, Sung Hwan Kim, Jargalsaikhan Narantuya, Seung Hyun Yoon
-
Patent number: 11316889
Abstract: Methods and systems for a two-stage attribution of application layer DDoS attack are provided. In a first table just a hash index is maintained whereas the second stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows if there is hash collision in the first table. The second table is aged out and reported periodically with details of large strings.
Type: Grant
Filed: May 8, 2018
Date of Patent: April 26, 2022
Assignee: Fortinet, Inc.
Inventor: Hemant Kumar Jain
-
Patent number: 11310111
Abstract: A method for configuring a firewall equipment in a first communication network managed by an access equipment for accessing a second communication network. Such a method implements: obtaining characteristic information of a user equipment in the first network by analyzing its active interfaces in the network; generating configuration rules for configuring the firewall equipment on the basis of the obtained features and of a predetermined configuration model; and transmitting, to the firewall equipment, an update command message to update a configuration, including the determined configuration rules.
Type: Grant
Filed: May 25, 2021
Date of Patent: April 19, 2022
Assignee: ORANGE
Inventors: Xavier Le Guillou, Dimitri Bricheteau
-
Patent number: 11310263
Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of reconfiguring network settings. The systems and methods monitor a network and detect a hacker on a network. The systems and methods can reconfigure network settings of the network upon detecting the hacker. The systems and methods can analyze the hack for severity; and determine a reconfiguration layer based on the severity of the hack. The reconfiguration layer determines a subset of the network settings to be reconfigured. The systems and methods can dismantle the network and generate a replacement network having the reconfigured set of network settings and replace the network with the replacement network.
Type: Grant
Filed: April 22, 2020
Date of Patent: April 19, 2022
Assignee: WELLS FARGO BANK, N.A.
Inventors: Matthew J. Block, Jon M. Welborn, Adam Sheesley, David Huehulani Keene, Jennifer A. Holton, Douglas S. Rodgers
-
Patent number: 11277384
Abstract: Systems and methods for implementing filters within computer networks include obtaining blocklist data that includes blocklist entries for a network. Each of the blocklist entries includes one or more network traffic attributes for identifying traffic to be blocked. In response to receiving the blocklist data, a filter based on a common network traffic attribute shared between at least two of the plurality of blocklist entries is generated. The filter is then deployed to a network device within the network such that the filter may be implemented at the network device to block corresponding traffic.
Type: Grant
Filed: November 13, 2019
Date of Patent: March 15, 2022
Assignee: Level 3 Communications, LLC
Inventor: Michael Benjamin
-
Patent number: 11277424
Abstract: In one embodiment, a monitoring process identifies a set of counters maintained by a networking device by comparing a configuration of the networking device to an object relationship model. The monitoring process obtains counter values from the identified set of counters maintained by the networking device. The monitoring process detects an anomaly by using the obtained counter values as input to a machine learning-based anomaly detector. The monitoring process generates an anomaly detection alert for the detected anomaly.
Type: Grant
Filed: March 8, 2019
Date of Patent: March 15, 2022
Assignee: Cisco Technology, Inc.
Inventors: Pengywan Wang, Brian Weis
-
Patent number: 11265293
Abstract: An apparatus and method is disclosed for the secure access to field instruments. An interface device that includes a built-in firewall is communicatively coupled between the device manager of an industrial automation process control system and a network of field instruments. The interface device includes at least one processor configured to execute instructions that provide a firewall for the one or more field instruments by blocking one or more user selected commands from being sent to the field instruments from the device manager.
Type: Grant
Filed: October 2, 2019
Date of Patent: March 1, 2022
Assignee: Honeywell International Inc.
Inventors: Mohammed Rizwan, Prasad Samudrala, Jayashree Balakrishnan, Ramesh Babu Koniki
-
Patent number: 11252195
Abstract: The present application is directed to computer-implemented methods and systems implementing Virtual Private Network (VPN) policies created or modified by Software Defined Network (SDN) applications. The VPN policies can be provided to SDN controllers for implementation. An SDN application can handle a request to establish a VPN by transmitting the request to a VPN provider, obtaining credentials for the VPN, and providing a security policy to an SDN controller.
Type: Grant
Filed: March 9, 2020
Date of Patent: February 15, 2022
Inventors: Michael Jau Chen, Tavaris Jason Thomas
-
Patent number: 11245630
Abstract: Provided are a network system and a network bandwidth control management method capable of preventing packets that need to preferentially flow from being discarded at a time of high load. A network system includes an external switch that is provided between a virtualization platform and an external network and configured to control a bandwidth amount of packets flowing into an open virtual switch, and a network control management device that is configured to modify a configuration of bandwidth control and priority control of the external switch in response to addition or deletion of a service of the virtualization platform based on information acquired from compute nodes, a network node, and a controller node.
Type: Grant
Filed: June 3, 2019
Date of Patent: February 8, 2022
Assignee: Nippon Telegraph and Telephone Corporation
Inventor: Takayuki Akiyama
-
Patent number: 11240273
Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.
Type: Grant
Filed: April 5, 2021
Date of Patent: February 1, 2022
Assignee: OneTrust, LLC
Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
-
Patent number: 11240258
Abstract: Embodiments of the present disclosure provide a method and apparatus for identifying network attacks. The method can include: acquiring access data within at least two time periods of a target website server, wherein the access data include one or more fields; determining, for each of the at least two time periods, a quantity of access data having same content in at least two of the one or more fields; determining whether the quantities of access data for each of the at least two time periods are the same; and in response to the quantities of access data being the same, determining that at least two access requests of the access data are network attacks.
Type: Grant
Filed: May 18, 2018
Date of Patent: February 1, 2022
Assignee: Alibaba Group Holding Limited
Inventor: Xuejian Zheng
-
Patent number: 11238153
Abstract: The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.
Type: Grant
Filed: September 11, 2018
Date of Patent: February 1, 2022
Assignee: Netskope, Inc.
Inventors: Krishna Narayanaswamy, Steve Malmskog, Arjun Sambamoorthy
-
Patent number: 11240264
Abstract: Systems and methods are provided for mitigating security attacks by enabling collaboration between security service functions. A Service Function Chaining (SFC) node receives a packet and determines whether to apply a service function to the packet. Responsive to determining that the packet has been treated by the service function, the packet can be reclassified and switched to a different SFC path.
Type: Grant
Filed: May 15, 2017
Date of Patent: February 1, 2022
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Daniel Migault, Makan Pourzandi, Bruno Medeiros de Barros, Tereza Cristina Carvalho, Thiago Rodrigues Meira de Almeida
-
Patent number: 11218429
Abstract: An artificial intelligence (AI) system which utilizes machine learning algorithm such as deep learning and application is provided. The artificial intelligence (AI) system includes a controlling method of an electronic device for determining a chatbot using an artificial intelligence learning model includes receiving a voice uttered by a user, processing the voice and acquiring text information corresponding to the voice, and displaying the text information on a chat screen, determining a chatbot for providing a response message regarding the voice by inputting the acquired text information and chat history information regarding the chat screen to a model which is trained to determine the chatbot by inputting text information and chat history information, transmitting the acquired text information and the chat history information regarding the chat screen to a server for providing the determined chatbot, and receiving a response message from the server and displaying the response message on the chat screen.
Type: Grant
Filed: October 29, 2018
Date of Patent: January 4, 2022
Assignee: Samsung Electronics Co., Ltd.
Inventors: Ji-hwan Yun, Won-ho Ryu, Won-jong Choi
-
Patent number: 11206240
Abstract: Certain embodiments of the present disclosure provide a method and apparatus for processing data. The method comprises, at an edge device, parsing a first data packet after receiving the first data packet sent by a client device to obtain a virtual IP address and a destination port that correspond to the first data packet; querying an IP address mapping table according to the virtual IP address to obtain a destination IP address corresponding to the virtual IP address; and sending the first data packet according to the destination IP address and the destination port.
Type: Grant
Filed: June 10, 2020
Date of Patent: December 21, 2021
Assignee: Wangsu Science & Technology Co., Ltd.
Inventor: Wenwei Xie
-
Patent number: 11206286
Abstract: A method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within a computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.
Type: Grant
Filed: June 4, 2019
Date of Patent: December 21, 2021
Assignee: Qatar Foundation for Education, Science and Community Development
Inventors: Yury Zhauniarovich, Priyanka Dodia
-
Patent number: 11201880
Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a forensic token is created having information pertaining to the malicious request that is configured to be stored by a source of the malicious request and discoverable regarding involvement of the source in the malicious request. The forensic token is injected into a response message, and the response message is then transmitted to the source of the request as a response to the request.
Type: Grant
Filed: May 7, 2020
Date of Patent: December 14, 2021
Assignee: International Business Machines Corporation
Inventors: Cheng-ta Lee, Ronald B. Williams
-
Patent number: 11190426
Abstract: Disclosed herein is a network evaluating apparatus including: an acquisition section acquiring a plurality of packets each of which includes an identification value indicating an order in accordance with which data is transmitted from a transmission source, the plurality of packets being received one by one; and an evaluation section, in a case where the identification value included in a first packet as any one of the plurality of received packets indicates that the first packet is transmitted before a second packet received before the first packet, increasing an evaluation value indicating instability of a transmission and reception path.
Type: Grant
Filed: September 24, 2019
Date of Patent: November 30, 2021
Assignee: SONY INTERACTIVE ENTERTAINMENT INC.
Inventors: Koji Shima, Makoto Ikushima, Kenjiro Komaki
-
Patent number: 11190981
Abstract: A router of a private cellular network is configured to receive data packets from a plurality of endpoints; analyze the data packets to determine a corresponding source of each data packet; determine whether each corresponding source is a valid source; drop a data packet for which the corresponding source is invalid; for a data packet received from a valid source, determine whether to process the data packet internally or forward the data packet for external processing and route the data packet to a corresponding destination, the corresponding destination being one of a local enterprise network or a corresponding home cellular network of the valid source from which the data packet is received, wherein the private cellular network is configured to service a confined physical location in which home cellular networks of data packets received from valid sources do not provide cellular connectivity that meets a threshold level of cellular service.
Type: Grant
Filed: July 28, 2020
Date of Patent: November 30, 2021
Assignee: GEOVERSE, LLC
Inventor: Roderick Nelson
-
Patent number: 11184384
Abstract: Information technology/cyber security for computer-related processes in which vulnerabilities are identified and, those vulnerabilities which are technology-related are automatically remediated by determining and executing network-based tasks. The most granular level of computer-related process assessment is made possible by reliance on a critical function/process taxonomy that is automatically generated and, as such, the present invention, identifies both technology and non-technology-related vulnerabilities.
Type: Grant
Filed: June 13, 2019
Date of Patent: November 23, 2021
Assignee: BANK OF AMERICA CORPORATION
Inventors: Casey L. Flaherty, Michael Sbandi, Jo-Ann Taylor, Michael Robert Young, Zarna Arun Patel
-
Patent number: 11184371
Abstract: Provided herein are identification of a distributed denial of service attack and automatic implementation of preventive measures to halt the distributed denial of service attack. At substantially the same time as the attack, valid users/customers (e.g., devices) are provided quality of service and continued access to a website experiencing the distributed denial of service attack. Further, service to temporary or unknown users (e.g., devices) with public access to the website is suspended during the duration of the distributed denial of service attack.
Type: Grant
Filed: June 5, 2020
Date of Patent: November 23, 2021
Assignee: WELLS FARGO BANK, N.A.
Inventors: Ramanathan Ramanathan, Ajay K. Rentala, Rama Rao Yadlapalli, Vamsi K. Geda, Rameshchandra Bhaskar Ketharaju
-
Patent number: 11184378
Abstract: A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of multiple ports on a given destination node by a given source node during a time period. A group of high-traffic ports are identified in the traffic that include one or more ports that receive respective volumes of the traffic that exceed a threshold, and respective signatures are generated for the identified port scans that indicate the ports other than the high-traffic ports that were accessed in each of the port scans. A respective frequency of occurrence of each of the signatures over the set of the port scans is computed, and a whitelist of the signatures for which the respective frequency of occurrence is greater than a threshold is assembled. Upon detecting a port scan for which the respective signature is not whitelisted, a preventive action is initiated.
Type: Grant
Filed: January 30, 2019
Date of Patent: November 23, 2021
Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
-
Patent number: 11178027
Abstract: This disclosure relates to the processing of data streams. More specifically, application of particular protocols to a stream and a detection analysis facilitate a selective, reliable and efficient transmission of pertinent stream data to destination addresses.
Type: Grant
Filed: March 4, 2020
Date of Patent: November 16, 2021
Assignee: HCA Holdings, Inc.
Inventors: Ryan Staggs, Alan Scott, Paul Currie, Allison Reed, Grant Thomas Obersteadt
-
Patent number: 11165804
Abstract: Web traffic at different geographic traffic distribution buckets are compared against each other to try and machine-learn the underlying traffic parameters of legitimate (human-initiated) traffic. Distributions of the traffic parameters for the web traffic at multiple servers are compared to see whether they match. If so, matching or substantially matching traffic parameters signal that such web traffic is, in fact, legitimate. A clean profile is built with the matching traffic parameters and used to determine how much bot traffic is resident in web traffic at different servers.
Type: Grant
Filed: May 30, 2019
Date of Patent: November 2, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventor: Cormac E. Herley
-
Patent number: 11159438
Abstract: Disclosed is a system for processing data streams that includes a parallel processor and a netflow aggregator module to generate a storage representation for data packets. Each storage representation includes segments of information about the data packet, the segments of information including information about a communication protocol specification related to the data packet. The netflow aggregator module generates a composite index to identify a data packet association characteristic for each data packet and stores the composite index in a segment of the storage representation. The netflow aggregator module groups data packets by their composite index. The netflow aggregator module generates a session flow identifier by identifying a beginning and/or end of a transmission netflow for each data packet having the same data packet association characteristic. The netflow aggregator module aggregates and orders the data packets having the same session flow identifiers into a flow channel.
Type: Grant
Filed: April 30, 2021
Date of Patent: October 26, 2021
Assignee: BOOZ ALLEN HAMILTON INC.
Inventors: William Hall Badart, Jeffrey M. Liott, Gregory P. McCullough
-
Patent number: 11157522
Abstract: A method (1400) of and a system (222) for associating past activity indications (602) associated with past activities of a user (170) with items. The method comprises accessing (1402) the past activity indications (602); accessing (1404) item indications; determining (1406) a past activity feature vector (606); determining (1408) a text feature vector (706) corresponding to the text features; mapping (1410) the past activity feature vector (606) and the text feature vector (706) to generate a text feature space (904); determining (1412) an image feature vector (806); mapping (1414) the past activity feature vector (606) and the image feature vector (806) to generate an image feature space (1004); generating a user item space (1104); and storing (1418) the user item space (1104). A method (1500) of and a system (222) for associating a first item and a second item are also disclosed.
Type: Grant
Filed: October 8, 2015
Date of Patent: October 26, 2021
Assignee: YANDEX EUROPE AG
Inventors: Andrey Borisovich Krasnikov, Gennady Gennadievich Kuzmin, Sergey Aleksandrovich Shiryaev, Dmitrii Petrovich Sopin, Sergei Olegovich Lisitcyn, Dmitrii Aleksandrovich Levanov, Dmitrii Andreyevich Kuksa, Sergey Victorovich Kotsur
-
Patent number: 11146449
Abstract: System and techniques for network architecture for Internet-of-Things (IoT) devices are described herein. An indication may be received from a pre-certified IoT blank device. Here, the indication includes a unique identifier and a request for configuration information. An application to send to the IoT device may be located using the unique identifier. The application may be sent to the IoT device. Data from the IoT device corresponding to a sensor on the IoT device operated using the application may be received.
Type: Grant
Filed: March 30, 2016
Date of Patent: October 12, 2021
Assignee: Intel Corporation
Inventors: Atif Hussein, Trina Ward, Patricia Robb
-
Patent number: 11138319
Abstract: A computer system performs tracking of security context for confidential or untrusted values input from sources in an executing application to sinks in the executing application. The security context includes indications of sources and declassifier methods corresponding to the values and has been previously defined prior to the tracking. Prior to release of a selected confidential or untrusted value by a sink in the executing application, security context is fetched for the selected confidential or untrusted value. A selected declassifier method is caused to be used on the selected confidential or untrusted value prior to release of the selected confidential or untrusted value to the sink. The selected declassifier method obfuscates the selected confidential or untrusted value and is selected based on the security context for the selected confidential or untrusted value. The obfuscated confidential or untrusted value is caused to be released to the sink in the executing application.
Type: Grant
Filed: October 25, 2017
Date of Patent: October 5, 2021
Assignee: International Business Machines Corporation
Inventors: Pietro Ferrara, Marco Pistoia, Omer Tripp, Petar Tsankov
-
Patent number: 11100274
Abstract: A system and method are disclosed for providing an enhanced email client having interactive content capabilities. The system includes a recipient email server for receiving emails from a sender email server and for receiving dynamic interactive content from a third party content service provider when it is determined that the email includes capabilities for displaying interactive content. The method includes steps of sanitizing a received email at a user's computing system, checking the sanitized email to determine if it contains interactive content, and retrieving the interactive content in the sanitized email without requiring the user to click out to a separate window or browser instance.
Type: Grant
Filed: December 8, 2019
Date of Patent: August 24, 2021
Inventor: Justin Khoo
-
Patent number: 11089039
Abstract: Systems and methods are described to predict spikes in requests for content on a computing network based on referrer field values of prior requests associated with spikes. Specifically, a traffic spike prediction service is disclosed that can analyze information regarding past requests on the computing network to detect a spike in requests to a content item, where a significant number of requests within the spike include a common referrer field value. The traffic spike prediction service can then detect a request to a second content also including the common referrer field value, and predict that a spike is expected to occur with respect to the second content. The traffic spike prediction service can manage the expected spike by increasing an amount of computing resources available to service requests to the second content.
Type: Grant
Filed: December 9, 2019
Date of Patent: August 10, 2021
Assignee: Amazon Technologies, Inc.
Inventor: Pratap Ramamurthy
-
Patent number: 11082501
Abstract: The systems and methods described herein can enable the indirect transmission of session data between different domains. The system can pass the session data through a hashing function so that the data from a given domain remains private and secure to the specific domain. The system can generate clusters of associated domains for a given client device that the system can use to maintain a session between the client device and the domain.
Type: Grant
Filed: April 22, 2020
Date of Patent: August 3, 2021
Assignee: Google LLC
Inventors: Gang Wang, Sagnik Nandy
-
Patent number: 11070465
Abstract: A routing system for distributing multicast routing information for a multicast service includes a plurality of routers including a multicast source router and a plurality of multicast receiver routers, the plurality of routers providing a multicast service, wherein the routers are configured to exchange multicast information associated with the multicast service including identification of multicast sources and the multicast receivers.
Type: Grant
Filed: May 13, 2019
Date of Patent: July 20, 2021
Assignee: 128 Technology, Inc.
Inventors: Hadriel S. Kaplan, Abilash Menon, Patrick Timmons, Michael Baj, Robert Penfield, Patrick MeLampy
-
Patent number: 11057348
Abstract: A method for data center network segmentation is provided. The data center network segmentation is for a hybrid environment including physical servers and appliances as well as virtual servers and appliances. The data center network segmentation uses software-defined networking (SDN) technology of physical SDN-ready servers/appliances and virtual SDN-ready servers/appliances. The method includes centralizing the management of network security policies for physical and virtual firewalls. The method includes using SDN to direct network traffic between physical servers through physical firewalls, and to direct network traffic between virtual servers through virtual firewalls. The method further includes using the SDN to direct network traffic from physical servers to virtual servers through physical firewalls, and to direct network traffic from virtual servers to physical servers through virtual firewalls.
Type: Grant
Filed: August 22, 2019
Date of Patent: July 6, 2021
Assignee: Saudi Arabian Oil Company
Inventor: Abdallah M Baabdallah
-
Patent number: 11050771
Abstract: To detect a communication by a predetermined type of software, which disguises normal communication, an information processing apparatus includes: a communication data acquiring unit 21 configured to acquire communication data generated by a terminal connected to a network; a distribution calculating unit 24 configured to calculate distribution of attribute information of a plurality of communications with a same communication destination, based on the acquired communication data; and an estimating unit 25 configured to estimate whether a detected communication is a communication by a predetermined type of software by determining whether the calculated distribution satisfies a predetermined criterion.
Type: Grant
Filed: October 16, 2018
Date of Patent: June 29, 2021
Assignee: PFU LIMITED
Inventors: Seigo Terada, Keiji Michine, Takashi Kobayashi
-
Patent number: 11032311
Abstract: Methods, non-transitory computer readable media, attack mitigation apparatuses, and network security systems that maintain an application context model for a protected application based on ingested logs. The application context model includes a map of network infrastructure associated with the protected application. Using the application context model, potential attack(s) against the protected application are identified and possible mitigation action(s) to take in response to one or more of the identified potential attack(s) are scored. A stored policy is executed to evaluate the possible mitigation action(s) based on the scoring. One or more of the possible mitigation action(s) are initiated on the identified potential attack(s) based on the evaluation. With this technology, malicious network activity can be more effectively and quickly detected and mitigated resulting in improved network security.
Type: Grant
Filed: December 11, 2018
Date of Patent: June 8, 2021
Assignee: F5 NETWORKS, INC.
Inventors: Sebastian Michael Convertino, Judge Kennedy Singh Arora
-
Patent number: 11024144
Abstract: Some embodiments provide a method for a first network slice selector that selects network slices for connections from endpoint devices located within a first geographic range. The method selects a network slice for a connection between a mobile endpoint device and a network domain that originates when the mobile endpoint device is located within the first geographic range. The method stores state that maps the connection to the selected network slice. The method forwards data traffic belonging to the connection from the mobile endpoint device onto the selected network slice using the stored state. After the mobile endpoint device moves from the first geographic range to a second geographic range, the method receives data traffic belonging to the connection from a second network slice selector that selects network slices for connections from endpoint devices within the second geographic range and forwards said received data traffic onto the selected network slice.
Type: Grant
Filed: June 17, 2019
Date of Patent: June 1, 2021
Assignee: VMWARE, INC.
Inventors: Marc-Andre Bordeleau, Raja Kommula, Jeremy Tidemann, Constantine Polychronopoulos, Edward Choh, Ojas Gupta, Georgios Oikonomou, Robert Kidd
-
Patent number: 11025667
Abstract: Disclosed are a system, method, and computer readable storage medium having instructions for applying a plurality of interconnected filters to protect a computing device from a DDoS attack. The method includes, responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device, determining data transmission parameters, assigning an initial danger rating to the network node, identifying a subset of the plurality of the interconnected filters which are concurrently triggered, changing the danger rating of the network node based on an application of the subset of the plurality of interconnected filters that are triggered and the data transmission parameters, and responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device.
Type: Grant
Filed: May 22, 2020
Date of Patent: June 1, 2021
Assignee: AO Kaspersky Lab
Inventors: Nikolay V. Gudov, Alexander A. Khalimonenko, Denis E. Koreshkov
-
Patent number: 11025590
Abstract: A network security system implements connectivity policies of a network environment. The network security system may use a network topology mapping to implement connectivity policies, where the network topology mapping includes sets of security zones, security devices, and zone paths between the security zones via the one or more security devices. The network security system can generate a universal representation of a connectivity policy for the network environment using a universal syntax. Using the network topology mapping, the network security system can identify zone paths between the security zones for implementing the connectivity policy. The network security system can configure security devices along the zone paths in accordance with the connectivity policies. Configuring security devices may include converting some or all of the universal representation of the connectivity policy into a device-specific representation in a native syntax of the security device.
Type: Grant
Filed: August 19, 2020
Date of Patent: June 1, 2021
Assignee: Goldman Sachs & Co. LLC
Inventors: Daniel Boris Kovenat, Dheepak Ramanujam, Michael Joel O'Connor
-
Patent number: 11016702
Abstract: A managing unit included in a distributed storage network (DSN) receives an event representation request, and identifies event record entries based on that request. The event record entries include information associating reporting entities with the event record entries. The management unit obtains the event record entries from the reporting entities; at least one event record entry is obtained from a first reporting entity, and at least another event record entry is obtained from a second reporting entity. In response to receiving the event representation request, the management unit generates a representation of the event record entries, and outputs the representation to a requesting entity.
Type: Grant
Filed: October 1, 2018
Date of Patent: May 25, 2021
Assignee: PURE STORAGE, INC.
Inventors: Greg R. Dhuse, Yogesh R. Vedpathak
-
Patent number: 10990599
Abstract: A system and method for applying extended regular expressions against arbitrary data objects, wherein a state machine maintains an internal state model for the system, an object analysis server receives data objects from a data source, and the object analysis server analyzes the structure and contents of the objects, compares them against received search pattern, and directs the state machine to update the state model based on either or both of the analysis and comparison operations.
Type: Grant
Filed: December 10, 2018
Date of Patent: April 27, 2021
Assignee: ARIA SOLUTIONS, INC.
Inventor: Paul Peloski
-
Patent number: 10992642
Abstract: Methods and systems are disclosed for document isolation. A host computer system may be configured to implement document isolation via one or more of a host-based firewall, an internet isolation firewall, and/or a segregation of a trusted memory space and an untrusted memory space. The host computer system may be configured to access one or more files using a first set of one or more applications and/or processes operating within the trusted memory space and/or a second set of one or more applications and/or processes operating within an untrusted memory space. The host computer system may be configured to open (e.g., always open) the one or more accessed files in the trusted memory space of the host computer system.
Type: Grant
Filed: September 21, 2018
Date of Patent: April 27, 2021
Assignee: L3 Technologies, Inc.
Inventors: Glenn Coleman, Peter Martz, Kenneth Moritz
-
Patent number: 10986190
Abstract: An information processing device (20) performs a session timer updating process of restoring the remaining time of a session timer to N seconds whenever a packet is received from a client (10). The information processing device (20) does not perform the session timer updating process even when a packet is received from the client (10) until a session timer update stop time (?) elapses after the session timer was last updated. The information processing device (20) resumes the session timer updating process after the session timer update stop time (?) has elapsed after the session timer was last updated.
Type: Grant
Filed: March 25, 2019
Date of Patent: April 20, 2021
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventor: Muneyuki Kawatani
-
Patent number: 10972434
Abstract: A security gateway provisions a web browser hosted on a user device with a proxy auto-configuration file configured to automatically redirect the web browser to the security gateway as a proxy server for clientless virtual private network (VPN) operation when the web browser browses any uniform resource locator including a particular domain name that encompasses a private network. Upon receiving from the web browser over a public network a request to access a private resource on the private network, the security gateway establishes a secure public connection to the web browser, establishes a private connection to the private resource, and associates the private connection with the secure public connection to form a clientless VPN connection between the web browser and the private resource. The security gateway forwards content between the private resource and the web browser over the clientless VPN connection without performing any content rewrite operations.
Type: Grant
Filed: September 7, 2018
Date of Patent: April 6, 2021
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Piotr Jerzy Kupisiewicz, Frederic Detienne
-
Patent number: 10972915
Abstract: Methods, systems, and computer readable media may be operable to wireless hotspot activity of one or more access points supporting multiple radios. A DHCP relay agent may receive a DHCP request from a device seeking to join a hotspot service provided through a gateway. If the number of currently connected devices is less than the maximum connected device limit, then the agent may increase the number of currently connected devices by one, and relay the encapsulated DHCP request over a GRE tunnel. If the number of connected devices already meets or exceeds the allowed limit, then the DHCP relay agent may instruct the gateway or its access point to disconnect the new device.
Type: Grant
Filed: September 18, 2017
Date of Patent: April 6, 2021
Assignee: ARRIS ENTERPRISES LLC
Inventor: Wen Ji Zhao
-
Patent number: 10972509
Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.
Type: Grant
Filed: September 28, 2020
Date of Patent: April 6, 2021
Assignee: OneTrust, LLC
Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
-
Patent number: 10944721
Abstract: Enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.
Type: Grant
Filed: June 10, 2020
Date of Patent: March 9, 2021
Assignee: Centripetal Networks, Inc.
Inventors: Sean Moore, Peter P. Geremia
-
Patent number: 10944744
Abstract: Methods, devices and apparatus for verifying a terminal device are provided. In one aspect, a method includes: recording a correspondence between a source IP address of an authentication message and an MAC address of the terminal device in a first whitelist after successful authentication is performed for the terminal device based on the authentication message, where the authentication message carries an MAC address of the terminal device; querying the first whitelist based on a source IP address of a data packet when the data packet from the terminal device is monitored; confirming the terminal device is successfully authenticated if the source IP address hits the first whitelist.
Type: Grant
Filed: August 10, 2018
Date of Patent: March 9, 2021
Assignee: HANGZHOU DPTECH TECHNOLOGIES CO., LTD.
Inventor: Futao Wang
-
Patent number: 10944722
Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.
Type: Grant
Filed: June 29, 2016
Date of Patent: March 9, 2021
Assignee: NICIRA, INC.
Inventors: Radha Popuri, Shadab Shah, James Joseph Stabile, Sameer Kurkure, Kaushal Bansal
-
Patent number: 10939380
Abstract: An information handling system operating a low power communications engine comprising a wireless adapter for communicating on a low power communication technology network for receiving low power communication technology data traffic for at least one always-on remote management service for the information handling system, a controller receiving a location status of the information handling system via the low power communication technology network indicating a location or network, where the controller executes code instructions for a low power communications engine to assess a location trust level from an environment characteristics analysis engine to determine whether the location status is a trusted zone location or an untrusted zone location utilizing binary classification machine learning based on input variables including data relating to history of activity at the location or on the network learned by the environment characteristics analysis engine from reported operational or network activity, and the co
Type: Grant
Filed: October 31, 2018
Date of Patent: March 2, 2021
Assignee: Dell Products, LP
Inventors: Sinem Gulbay, Carlton A. Andrews