Abstract: Methods, non-transitory computer readable media, attack mitigation apparatuses, and network security systems that maintain an application context model for a protected application based on ingested logs. The application context model includes a map of network infrastructure associated with the protected application. Using the application context model, potential attack(s) against the protected application are identified and possible mitigation action(s) to take in response to one or more of the identified potential attack(s) are scored. A stored policy is executed to evaluate the possible mitigation action(s) based on the scoring. One or more of the possible mitigation action(s) are initiated on the identified potential attack(s) based on the evaluation. With this technology, malicious network activity can be more effectively and quickly detected and mitigated resulting in improved network security.

Abstract: Some embodiments provide a method for a first network slice selector that selects network slices for connections from endpoint devices located within a first geographic range. The method selects a network slice for a connection between a mobile endpoint device and a network domain that originates when the mobile endpoint device is located within the first geographic range. The method stores state that maps the connection to the selected network slice. The method forwards data traffic belonging to the connection from the mobile endpoint device onto the selected network slice using the stored state. After the mobile endpoint device moves from the first geographic range to a second geographic range, the method receives data traffic belonging to the connection from a second network slice selector that selects network slices for connections from endpoint devices within the second geographic range and forwards said received data traffic onto the selected network slice.

Abstract: A network security system implements connectivity policies of a network environment. The network security system may use a network topology mapping to implement connectivity policies, where the network topology mapping includes sets of security zones, security devices, and zone paths between the security zones via the one or more security devices. The network security system can generate a universal representation of a connectivity policy for the network environment using a universal syntax. Using the network topology mapping, the network security system can identify zone paths between the security zones for implementing the connectivity policy. The network security system can configure security devices along the zone paths in accordance with the connectivity policies. Configuring security devices may include converting some or all of the universal representation of the connectivity policy into a device-specific representation in a native syntax of the security device.

Abstract: Disclosed are a system, method, and computer readable storage medium having instructions for applying a plurality of interconnected filters to protect a computing device from a DDoS attack. The method includes, responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device, determining data transmission parameters, assigning an initial danger rating to the network node, identifying a subset of the plurality of the interconnected filters which are concurrently triggered, changing the danger rating of the network node based on an application of the subset of the plurality of interconnected filters that are triggered and the data transmission parameters, and responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device.

Abstract: A managing unit included in a distributed storage network (DSN) receives an event representation request, and identifies event record entries based on that request. The event record entries include information associating reporting entities with the event record entries. The management unit obtains the event record entries from the reporting entities; at least one event record entry is obtained from a first reporting entity, and at least another event record entry is obtained from a second reporting entity. In response to receiving the event representation request, the management unit generates a representation of the event record entries, and outputs the representation to a requesting entity.

Abstract: Methods and systems are disclosed for document isolation. A host computer system may be configured to implement document isolation via one or more of a host-based firewall, an internet isolation firewall, and/or a segregation of a trusted memory space and an untrusted memory space. The host computer system may be configured to access one or more files using a first set of one or more applications and/or processes operating within the trusted memory space and/or a second set of one or more applications and/or processes operating within an untrusted memory space. The host computer system may be configured to open (e.g., always open) the one or more accessed files in the trusted memory space of the host computer system.

Abstract: A system and method for applying extended regular expressions against arbitrary data objects, wherein a state machine maintains an internal state model for the system, an object analysis server receives data objects from a data source, and the object analysis server analyzes the structure and contents of the objects, compares them against received search pattern, and directs the state machine to update the state model based on either or both of the analysis and comparison operations.

Abstract: An information processing device (20) performs a session timer updating process of restoring the remaining time of a session timer to N seconds whenever a packet is received from a client (10). The information processing device (20) does not perform the session timer updating process even when a packet is received from the client (10) until a session timer update stop time (?) elapses after the session timer was last updated. The information processing device (20) resumes the session timer updating process after the session timer update stop time (?) has elapsed after the session timer was last updated.

Abstract: A security gateway security gateway provisions a web browser hosted on a user device with a proxy auto-configuration file configured to automatically redirect the web browser to the security gateway as a proxy server for clientless virtual private network (VPN) operation when the web browser browses any uniform resource locator including a particular domain name that encompasses a private network. Upon receiving from the web browser over a public network a request to access a private resource on the private network, the security gateway establishes a secure public connection to the web browser, establishes a private connection to the private resource, and associate the private connection with the secure public connection to form a clientless VPN connection between the web browser and the private resource. The security gateway forwards content between the private resource and the web browser over the clientless VPN connection without performing any content rewrite operations.

Abstract: Methods, systems, and computer readable media may be operable to wireless hotspot activity of one or more access points supporting multiple radios. A DHCP relay agent may receive a DHCP request from a device seeking to join a hotspot service provided through a gateway. If the number of currently connected devices is less than the maximum connected device limit, then the agent may increase the number of currently connected devices by one, and relay the encapsulated DHCP request over a GRE tunnel. If the number of connected devices already meets or exceeds the allowed limit, then the DHCP relay agent may instruct the gateway or its access point to disconnect the new device.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.

Abstract: Methods, devices and apparatus for verifying a terminal device are provided. In one aspect, a method includes: recording a correspondence between a source IP address of an authentication message and an MAC address of the terminal device in a first whitelist after successful authentication is performed for the terminal device based on the authentication message, where the authentication message carries an MAC address of the terminal device; querying the first whitelist based on a source IP address of a data packet when the data packet from the terminal device is monitored; confirming the terminal device is successfully authenticated if the source IP address hits the first whitelist.

Abstract: Enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: An information handling system operating a low power communications engine comprising a wireless adapter for communicating on a low power communication technology network for receiving low power communication technology data traffic for at least one always-on remote management service for the information handling system, a controller receiving a location status of the information handling system via the low power communication technology network indicating a location or network, where the controller executes code instructions for a low power communications engine to assess a location trust level from an environment characteristics analysis engine to determine whether the location status is a trusted zone location or an untrusted zone location utilizing binary classification machine learning based on input variables including data relating to history of activity at the location or on the network learned by the environment characteristics analysis engine from reported operational or network activity, and the co

Abstract: In general, certain embodiments of the present disclosure provide techniques or mechanisms for automatically filtering network messages in an aviation network for an aircraft based on a current system context. According to various embodiments, a method is provided comprising receiving a network message transmitted from a source avionic device to a destination avionic device via one or more network packets within the aviation network. A current system context, indicating an aggregate status of avionic devices within the aviation network, is determined based on monitoring the avionic devices. The network message is analyzed by identifying a plurality of attributes corresponding to header and data fields of the one or more network packets corresponding to the network message. The acceptability of the network message within the current system context is determined based on one or more filter rules that specify what attributes are allowed within a particular system context.

Abstract: In one embodiment, a device in a network receives information regarding a network anomaly detected by an anomaly detector deployed in the network. The device identifies the detected network anomaly as a false positive based on the information regarding the network anomaly. The device generates an output filter for the anomaly detector, in response to identifying the detected network anomaly as a false positive. The output filter is configured to filter an output of the anomaly detector associated with the false positive. The device causes the generated output filter to be installed at the anomaly detector.

Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.

Abstract: A method and system for protecting cloud-hosted applications against application-layer slow distributed denial-of-service (DDoS) attacks. The comprising collecting telemetries from a plurality of sources deployed in at least one cloud computing platform hosting a protected cloud-hosted application; providing a set of rate-based and rate-invariant features based on the collected telemetries; evaluating each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and causing execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.

Abstract: A method of requesting a search query to be displayed in a web browser. The method includes receiving search terms and slash operators and generating results based on the search terms and slash operators.

Abstract: A secure terminal configured to support a trusted execution environment that utilizes policy enforcement to filter and authorize transmissions received from a host device and destined for a remote device. Upon receiving a transmission from the host device, the secure terminal verifies that the instruction, message, or request contained within the transmission satisfy parameters set by a policy. If the transmission satisfies the parameters, then the secure terminal signs the transmission with a key unique to the trusted platform module associated with the secure terminal and forwards the signed transmission to the remote device. If the transmission fails one or more parameters within the policy, a message that details the instruction or operation contained within the transmission is exposed to a user at an output device, in which the user can authorize or reject the transmission using an input device.

Abstract: Example methods and systems are provided for network-address-to-identifier translation in a virtualized computing environment. The method may comprise: based on traffic flow information associated with a first network address and a second network address, determining that the first network address is associated with a first identifier that identifies the first virtualized computing instance. The method may also comprise: obtaining network topology information specifying how the first virtualized computing instance is connected to the second virtualized computing instance via one or more logical forwarding elements; and based on the network topology information, determining that the second network address is associated with a second identifier that identifies the second virtualized computing instance.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer-readable storage medium, for pre-boot network-based authentication. In some implementations, a computing device enters a UEFI environment upon powering on the computing device. While in the UEFI environment, the computing device restricts booting of an operating system of the computing device, accesses a signed certificate corresponding to a particular user, sends a verification request to a server system over a communication network, and receives a verification response from the server system over the communication network. In response to receiving the verification response, the computing device (i) enables the operating system to boot and (ii) verifies the identity of the particular user to the operating system such that the operating system logs in the particular user without requiring further proof of identity for the particular user.

Abstract: A tracing mechanism is provided for analyzing session-based attacks. An exemplary method comprises: detecting a potential attack associated with a session from a potential attacker based on predefined anomaly detection criteria; adding a tracing flag identifier to a response packet; sending a notification to a cloud provider of the potential attack, wherein the notification comprises the tracing flag identifier; and sending the response packet to the potential attacker, wherein, in response to receiving the response packet with the tracing flag identifier, the cloud provider: determines a source of the potential attack based on a destination of the response packet; forwards the response packet to the potential attacker based on the destination of the response packet; and monitors the determined source to evaluate the potential attack. The response packet is optionally delayed by a predefined time duration and/or until the cloud provider has acknowledged receipt of the notification.

Abstract: To improve the access control in regard to safety and protection of network operation and network data when controlling accesses to networks based on IT systems including embedded systems or distributed systems, it is proposed that observation and evaluation (detection) of the communication in a network (performance of a network communication protocol collation of the observed protocol with a multiplicity of reference protocols, preferably stored in a list, that are usually used in operation- and/or safety-critical networks) be used to independently identify whether an uncritical or critical network is involved in the course of a network access, in particular the setup of a network connectivity, to at least one from at least one network that is uncritical in regard to operation and/or safety, in particular referred to as a standard network, and at least one network that is critical in regard to operation and/or safety.

Abstract: A monitoring method implemented by an access point for a network that can maintain an address association table is described. The method can include selecting at least two entries in the address association table, storing at least one predetermined characteristic obtained over a predefined period of time for each inflow and each outflow associated with the selected entries, and comparing, for at least one pair of selected entries, at least one stored characteristic for an inflow associated with one of the entries of the pair with the at least one corresponding stored characteristic for an outflow associated with the other entry of the pair. If, for at least one pair of entries, the comparison step indicates that an inflow associated with one of the entries of the pair transports an application content of the same nature as an outflow associated with the other entry of the pair, a risk of fraud can be detected.

Abstract: A DMA (Direct Memory Access) transfer apparatus acquires information including a transfer source address and a transfer destination address based on a received transfer instruction, selects whether to perform first checksum calculation for data from an area of a memory corresponding to the transfer source address or perform second checksum calculation different from the first checksum calculation, and transfers data obtained via the checksum calculation selected in the selecting to an area of the memory corresponding to the transfer destination address.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for vulnerability assessment and hash generation for exterior data deployment. In this way, the system utilizes a vulnerability assessment to generate a permit to send approval for dissemination of data, files, or the like outside of the entity via an electronic communication. The vulnerability assessment determines a permit to send status for the communication. The system may then generate a hash for the communication and embed the hash within the data of the communication. Upon sending, the entity will only permit communications with a known hash embedded therein from being transmitted outside of the internal entity network.

Abstract: Methods and systems are provided for automatically capturing network data for a detected anomaly. In some examples, a network node establishes a baseline usage by applying at least one baselining rule to network traffic to generate baseline statistics, detects an anomaly usage by applying at least one anomaly rule to network traffic and generating an anomaly event, and captures network data according to an anomaly event by triggering at least one capturing rule to be applied to network traffic when an associated anomaly event is generated.

Abstract: A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses systems, and methods are also disclosed.

Abstract: A wireless mobile device (“UE”) operating in a battery-conserving low-power state processes incoming signaling or data in a received message to determine whether to act further on information in the message by enabling additional processing capability in the UE. A server may generate awaken information derived from a stored secret value that only the UE device and a server that manages the UE can obtain. The awaken information may also be based on a shared value shared between the server and the UE. The UE may separately derive the awaken information and may exit a low power state when awaken information received from the server in an awaken message in a first protocol matches the separately derived awaken information. The server may transmit a fall-back second awaken message in a different protocol than the first protocol if no confirmation is received that the UE received the first awaken message.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.

Abstract: Example embodiments disclosed herein relate to implementing pre-filter rules at a network infrastructure device. In one example, the network infrastructure device receives a packet flow including a first pre-filter tag including information from implementation of a first subset of a set of pre-filter rules. In the example, the network infrastructure device includes logic to implement a second subset of the pre-filter rules. The second subset of pre-filter rules are different from the first subset of pre-filter rules. The second subset of pre-filter rules are implemented on the packet flow to yield a pre-filter result.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: generating a first mobile device fingerprint of a mobile device and associating the first mobile device fingerprint to an identifier, and generating a second mobile device fingerprint of the mobile device and associating the second mobile device fingerprint to a MAC address of a mobile device. The methods, computer program products, and systems can include, for instance: receiving a first mobile device fingerprint of a mobile device and an identifier associated to the first mobile device fingerprint; receiving a second mobile device fingerprint of the mobile device and a MAC address associated to the second mobile device fingerprint; and associating received data received from the mobile device to the identifier.

Abstract: Techniques are described of forming a mesh network for wireless communication. One method includes broadcasting, from a first node connected to a core network, a beacon signal, receiving a connection establishment request from a second node in response to the broadcasted beacon signal; determining a radio resource availability associated with a plurality of radios of the first node based on the connection establishment request, and establishing a connection with the second node using a radio of the plurality of radios based on the radio resource availability. In some cases, the radio resource availability may include a number of active connections associated with one or more radios of the plurality of radios of the first node.

Abstract: The present invention is related to verifying an installed lighting system (300), in particular an Ethernet-based lighting system (300), without it being necessary to employ a designated lighting controller and without it being necessary to completely commission the installed lighting system (300). According to an aspect of the invention, this is achieved by providing a network switch (200) that comprises a plurality of ports for coupling luminaires (312A, 312B, 312C, 312D) and sensors and/or actuators (314A, 314B) of the lighting system (300) to the network switch (200); and by setting the network switch (200) such that a signal received at a first port (e.g. port 4) of the plurality of ports is only forwarded to pre-selected ports (e.g. ports 2,3,5,6 and 7) of the plurality of ports.

Abstract: Embodiments relate to systems, computer readable media, devices, and computer-implemented methods for providing improved network security by receiving a network packet, applying a filter rule in a first instance of a distributed reputation database to the network packet, determining, using a network interface card with a field programmable gate array, to drop or modify the network packet based on the applying, and transmitting reputation data to a security control center that includes a second instance of the distributed reputation database, where the reputation data includes information corresponding to the network packet that was dropped or modified.

Abstract: Implementations disclosed herein provide a managed security service that distributes processing tasks among a number of network security modules working in parallel to process component portions of a replayed network traffic stream. If a network security module detects a potential security threat, the network security module may generate a delivery request specifying other information potentially useful in further investigation of the potential security threat. The delivery request is communicated to a plurality of other processing entities, such as the other network security modules, and any processing entity currently receiving the requested information may respond to the delivery request. Once a source of the requested information is determined, the requested information is routed to the origin of the request.

Abstract: An elevator system stores, in a server, information on an elevator installed in a building that is communicably connected to a data center in which the server is installed, the building and the data center being communicable independently via a first network and a second network, respectively, wherein the building includes: an information collection device configured to collect information on the elevator; a sorting device configured to determine which of the first network and the second network is to be used as a transmission path via which the information on the elevator collected by the information collection device is to be transmitted to the data center; and a communication device configured to transmit the information on the elevator collected by the information collection device to the data center via the transmission path determined by the sorting device.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.

Abstract: This document describes a system and method for quantitatively unifying and assimilating all unstructured, unlabelled and/or fragmented real-time and non-real-time cyber threat data generated by a plurality of sources. These sources may include cyber-security surveillance systems that are equipped with machine learning capabilities.

Abstract: A technique for network attack tainting and tracking includes monitoring data packets received from a network for a malicious request. Responsive to detecting a malicious request, a payload is created that is digitally signed. The digitally signed payload is encrypted and injected into a response message, and the response message is then transmitted to a source of the request as a response to the request.

Abstract: A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.

Abstract: A gateway device for a vehicle network system, the vehicle network system including a bus, a first electronic control unit connected to the bus, and the gateway device connected to the bus. The gateway device comprising: one or more memories; and circuitry which, in operation, performs operations including: receiving a first frame transmitted to the bus by the first electronic control unit; when the first frame is received, including first control information in a second frame, the second frame including information based on content of the first frame, the first control information related to a restriction on processing, the restriction on processing being after a reception of the second frame; and transmitting the second frame to the bus.

Abstract: Systems and methods that determine an anomaly in a network are provided. A monitoring engine is installed on a computing device that monitors network information and application information for data flows generated on the computing device and transmitted over a network and for data flows received by the computing device from the network. The network information includes an internet protocol (IP) source address, a source port, an IP destination address, a destination port, and a transport protocol, and a number of bytes sent or received by the flow. The application information includes a process identifier (ID), the threads ID, an application ID and/or a function call, arguments passed to the function, a stack trace of the function, etc., that application used to generate the data flows. The network information and application information can be used to identify the application, thread and/or a function that caused an anomaly in the network.

Abstract: Disclosed are techniques for implementing network devices with pluralities of packet checkers or packet generators. The packet generators can be configured to self generate data packets with a packet payload and header information and a test type of data packets. The packet checkers can determine if a data packet is a test type of data packet and perform one or more actions.

Abstract: The present invention provides a method for detecting a website attack, comprising: selecting multiple uniform resource locators (URLs) from history access records of a website; clustering the multiple uniform resource locators; and generating a whitelist from the multiple uniform resource locators according to a clustering result. In some embodiments of the present invention, a common OWASP attack at URL level can be checked.

Abstract: A security network system is disclosed. The security network system includes a processor selectively operable in either a normal world or a secure world, wherein the processor receives, from an external network, a packet by using a network driver module of the secure world, extracts data of the packet by using a TCP/IP module of the secure world if the packet received from the external network is used in the secure world, uses the data of the packet in the secure world, and extracts the data of the packet by using the TCP/IP module of the secure world so as to transmit the data of the packet to the normal world if the packet is not used in the secure world.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.