Abstract: A computer-implemented method causes data processing hardware to perform operations for training a firewall utilization model. The operations include receiving firewall utilization data for firewall connection requests during a utilization period. The firewall utilization data includes hit counts for each sub-rule associated with at least one firewall rule. The operations also include generating training data based on the firewall utilization data. The training data includes unused sub-rules corresponding to sub-rules having no hits during the utilization period and hit sub-rules corresponding to sub-rules having more than zero hits during the utilization period. The operations also include training a firewall utilization model on the training data. The operations further include, for each sub-rule associated with the at least one firewall rule, determining a corresponding sub-rule utilization probability indicating a likelihood the sub-rule will be used for a future connection request.

Abstract: Systems and methods provide for management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and starting a firewall service with a set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.

Abstract: This technology allows time synchronization in passive optical networks (“PON”). A first Ethernet device timestamps and transmits a packet to a second Ethernet device via the PON. The first Ethernet device transmits the packet to a small form-factor pluggable (“SFP”) device within the PON and connected to the first Ethernet device. The SFP device determines a transmission time to a second SFP device and modifies a correction field (“CF”) of the packet by subtracting an ingress time and the transmission time from the CF. The packet is transmitted to the second SFP device, which modifies the CF by the addition of an egress time. The modified CF value represents the real-time transmission delay incurred in the SFP devices. The packet is transmitted to a second Ethernet device to synchronize a clock using the timestamp and the CF value in accordance with the PTP/IEEE-1588 standard.

Abstract: In various examples, firewalls may include machine learning models that are automatically trained and applied to analyze service inputs submitted to input processing services and to identify whether service inputs are desirable (e.g., will result in an undesirable status code if processed by a service). When a service input is determined by a firewall to be desirable, the firewall may push the service input through to the input processing service for normal processing. When a service input is determined by the firewall to be undesirable, the firewall may block or drop the service input before it reaches the input processing service and/or server. This may be used to prevent the service input, which is likely to be undesirable, from touching a server that hosts the input processing service (e.g., preventing a crash).

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: Examples of dynamically selecting tunnel endpoints are described. In an example, a request for authenticating a client device connected to an edge device via a wired link is received. The request includes information indicative of a port of the edge device at which the client device is connected and a type of the client device. Based on at least one of the port, the type, resource availability of a plurality of network devices, and location of the plurality of network devices, a network device is identified as a tunnel endpoint. A message indicative of a successful authentication of the client device is sent to the edge device. The message includes a network address of the network device identified as the tunnel endpoint.

Abstract: A data monitoring and evaluation system may receive a query associated with a data record from a user. The system obtains target data including a plurality of data presentations associated with the data record. The system identifies a plurality of attributes associated with the data record and maps the same with each of the plurality of data presentations for identifying a data presentation modification. The system may evaluate the data presentation modification to identify a principal data presentation. The system may determine the conformity of the principal data presentation a rule to create a principal data record. The system may determine the conformity of the principal data record to a record acceptance parameter. The system may generate a data modeling result comprising the principal data record conforming to the record acceptance parameter.

Abstract: A method, system and/or computer usable program product for automatically managing the conveying of messages among multiple communication channels including (i) receiving, from a first computing system, an on-line message addressed to a user, (ii) automatically categorizing the message among a predetermined set of message categories stored in memory, (iii) identifying a set of on-line message channels preselected by the addressee user for receiving messages for each of the predetermined set of message categories, (iv) identifying a set of performance metrics stored in memory for optimizing message channel selection, (v) utilizing the performance metrics to automatically select an optimum message channel from the preselected message channels for sending the categorized message to a second computing system of the addressee user, (vi) automatically formatting the categorized message for the optimum message channel, and (vii) sending the formatted message on-line to the second computing system of the addressee us

Abstract: Computer assets within a defined network are identified using scanning services respectively connected to each of a plurality of network zones within the defined network. A plurality of interne protocol (IP) addresses within the particular one of the network zones are identified by a particular scanning service contained within the particular one of the network zones. The particular scanning service collects information associated with each of the plurality of IP addresses and infers, using the collected information, additional information about the plurality of IP addresses. The particular scanning service validates the additional information and presents analytics based upon the collected information and the additional information. Firewalls contained within the particular one of the network zones are configured to allow access by the particular scanning service.

Abstract: The present technology pertains to a organization directory hosted by a synchronized content management system. The corporate directory can provide access to user accounts for all members of the organization to all content items in the organization directory on the respective file systems of the members' client devices. Members can reach any content item at the same path as other members relative to the organization directory root on their respective client device. In some embodiments novel access permissions are granted to maintain path consistency.

Abstract: The technology relates to executing a multi-portion web application. A web browser executing on one or more computing devices may load a main portion of a web application into a main window. The web browser may load into a sandboxed environment a feature application. The feature application may include a portion of the web application. A release isolation framework (RIF) executing on the one or more computing devices, may apply one or more patches to the sandboxed environment. The one or more patches may be configured to redirect elements from a window of the sandboxed environment to the main window.

Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.

Abstract: A programmable switch includes a plurality of ports for communicating with devices on a network. Circuitry of the programmable switch is configured to receive a series of related messages from a first device on the network via at least one port, and determine whether one or more messages of the series of related messages have been received out-of-order based at least in part on a sequence number included in the one or more messages. The series of related messages are sent by the programmable switch to a second device via one or more ports in an order indicated by sequence numbers included in the series of related messages by delaying at least one message. According to one aspect, a network controller selects a programmable switch between the first device and the second device to serve as a message sequencer for reordering out-of-order messages using a stored network topology.

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Information about such emails can be recognized by performing a discrete analysis of the email before delivering the email to the user and determining whether a corrective action is warranted. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a database. In many implementations, such discrete analysis is performed after an email has been classified as legitimate by one or both of a spam filter and a malware detector. An aggregate analysis, whose output can also update the database, can provide a broad picture of Internet service usage within a set of email users (e.g., by department).

Abstract: A datagram-oriented UDP protocol is used for communication between tunnel gateways in a wide area network. Lightweight remote client accesses network services using TCP tunneling. Each remote client maintains one or more UDP/IP+DTLS communication channels to a single member of the gateway group. Gateway servers belonging to the gateway group form some interconnection topology linking each gateway server to each other gateway server, whereby each gateway server maintains a communication channel with every other gateway server in the gateway group.

Abstract: A computing system may include a proxy server application and a database. The proxy server application may provide, to a computing device disposed within a managed network, instructions to identify one or more processes executing on the computing device. The proxy server application may also determine, for a process of the one or more processes, a file system path of a directory associated with the process and, based thereon, select one or more directories to scan for files associated with the process. The computing device may be provided with instructions to (i) scan the one or more directories and (ii) determine a plurality of attributes associated with one or more files discovered therein. The proxy server application may additionally receive results of the scan containing a representation of the plurality of attributes and store, in the database, the results of the scan.

Abstract: Methods and systems to manage permissions in a structured user-environment which provide a User Interface (UI) that provides a simple, intuitive administration to apply permissions at the user and group level to data in the structured user-environment. The UI also provides feedback to the administrator as to the inheritance path of each user and/or group as well as links between permissions, allowing the administrator to determine how a user or group was granted or denied access to a permission or resource.

Abstract: Methods and devices for determining whether a computing device has been compromised. File tree structure information for the computing device is obtained that details at least a portion of a tree-based structure of folders and files in a memory on the computing device. It is then determined from the file tree structure information that the computing device is compromised and, based on the determination that the computing device has been compromised, an action is taken.

Abstract: Various methods, apparatuses/systems, and media for automatically establishing a communication between two or more applications that do not share a compatible authentication model are disclosed. A receiver receives a request from a first application to communicate with a second application, wherein the first application supports a first authentication model and the second application supports a second authentication model which is incompatible with the first authentication model. A processor utilizes a configurable gateway layer, in response to receiving the request, to mediate a communication between the first application and the second application; and routes the request from the first application to the configurable gateway layer. The configurable gateway layer translates the first authentication model to the second authentication model.

Abstract: Methods, systems, and programs are presented for securing user-address information. A first memory is configured according to a first table that does not include information about user identifiers. Each entry in the first table includes a physical location identifier and information about a physical location. A second memory is configured according to a second table, where each entry in the second table includes the physical location identifier and an account identifier of a user for accessing a service. The first and second tables are configured to separate profile information from the address information of the user. Additionally, a firewall is configured to control access to the second memory. The firewall defines an authentication zone including the second memory but not the first memory, where access to the second memory by internal services is allowed and direct access by the user to the second memory is denied.

Abstract: Technologies to facilitate supervision of an online identify include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.

Abstract: An example method to provide communication between a first computer in a first computer network and a second computer in a second computer network is disclosed. The method includes aliasing the second computer's address in the second computer network to a loopback interface of a third computer in the first computer network and establishing a tunnel between the third computer and a fourth computer in the second computer network. Establishing the tunnel includes configuring the fourth computer to forward traffic received from the tunnel to the second computer. The method further includes configuring routing in the first computer network to direct traffic destined for the second computer network to the third computer, and configuring the first computer to transmit packets destined for the second computer with the second computer's address in the second computer network.

Abstract: A surgical hub within a surgical hub network may include a controller having a processor, in which the controller may determine a priority of a communication, an interaction, or a processing of information based on a requirement of a device communicating with the hub. The device may be a smart surgical device. The requirement of the surgical device may comprise data processed by a device component of an associated system The controller may prioritize communication of the data processed by the device component of the associate system with the surgical device. A network of surgical hubs may include a plurality of surgical hubs. Each hub may have one of a plurality of controllers, in which a first of the plurality of controllers is configured to distribute an execution of a process and data used by the process among at least a subset of the plurality of surgical hubs.

Abstract: Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.

Abstract: A firewall intelligence system, includes a data storage storing a set of firewall rules for a network; a recommendation engine that receives, from a log service, traffic logs detailing traffic for the network and firewall logs detailing the usage of firewall rules in response to the traffic for the network, accesses, from the data storage, the set of firewall rules for the network; processes the set of firewall rules to evaluate the firewall rules against a set of quantitative evaluation rules to determine one or more firewall rule recommendations, wherein each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set of firewall rules; and a front end API that provides data describing the one or more firewall rule recommendations to a user device.

Abstract: Layer 7 protocol (non-HTTP) client applications are executed in the browser. The non-HTTP layer 7 protocol client application connects to a compute server that proxies layer 4 packets to the origin network that has the non-HTTP layer 7 protocol service. As an example, an SSH client (a non-HTTP layer 7 protocol) can execute in the browser and the TCP packets (layer 4 packets) are proxied by a compute server to the origin network that has the appropriate SSH server. The non-HTTP layer 7 protocol client application allows users to run commands or otherwise interact with the client as if they were using a native application (one that is not executed within the browser) without any client-side configuration or agent.

Abstract: In order to enable a dynamic handshake procedure, a device may be configured with a list of handshake contributors. Contributors with connection handshake properties may be added to the contributor list. To perform handshake, the contributor list is processed to extract the connection handshake properties of each contributor to the handshake. Handlers for handling the connection handshake properties may also be dynamically added and invoked when a handshake is received.

Abstract: Disclosed herein are various systems, apparatuses, software, and methods relating to data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising providing a WAN data diode using a uni-directional semantics protocol, providing a set of data diode proxies in either end of a point-to-point WAN link, providing a symmetric key encryption semantics to extend the WAN data diode securely across a WAN that is specified, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link, employing a unidirectional protocol in communication transmitted using the WAN, and, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.

Abstract: A configuration control transfer (“CCT”) system controls the transferring of control of configuration information of a device from a current configuration source to a target configuration source. A CCT server of the CCT system may send a request for the configuration information of the device where the configuration information of the device currently under control of the at least one first configuration source. The CCT server may also receive the requested configuration information, determine whether the second configuration source is able to support the configuration information of the first configuration source, and based at least on a determination that the second configuration source is able to support the configuration information, request that the device transfer control of the configuration information from the first configuration source to the second configuration source to unenroll the device with the first configuration source and enroll the device with the second configuration source.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for multi-factor authentication. In response to a request for an action, the method includes one or more processors whether a first authentication credential passes validation. In response to determining that the first authentication credential does pass validation, the method further includes one or more processors determining a second authentication credential, wherein the second authentication credential includes an indication of a wireless connection between a first computing device and a second computing device. The method further includes one or more processors determining whether the second authentication credential passes validation. In response to determining that the second authentication credential passes validation, the method further includes one or more processors allowing execution of the requested response.

Abstract: A method for multiparty computation wherein a plurality of parties each compute a preset function without revealing inputs thereof to others, comprises: each of the parties performing a validation step to validate that computation of the function is carried out correctly, wherein the validation step includes: a first step that prepares a plurality of verified multiplication triples and feeds a multiplication triple to a second step when required; and the second step that consumes a randomly selected multiplication triple generated by the first step, wherein the first step performs shuffling of the generated multiplication triples, in at least one of shuffle in a sequence and shuffle of sequences.

Abstract: Server cluster communication across the public internet using a single secure User Datagram Protocol (UDP) is facilitated by an intermediary registry server. The intermediary registry server enables servers within a cluster to identify and securely communicate with peer servers in the cluster across disparate locations and through firewalls Using an external address registry shared to each member of a server cluster peer group, individual servers can establish a direct secure channel using a single UDP tunnel.

Abstract: Adaptive network security policies can be selected by assigning a number of risk values to security intelligence associated with network traffic, and identifying a number of security policies to implement based on the risk values.

Abstract: A system includes a data owner interface, a database, a requester interface, an approver interface, a database interface, and a central controller. The data owner interface can provide protected data and data usage rules. The database can store the protected data. The requester interface can provide a request to access the protected data and receive sanitized results. The approver interface can provide approval or disapproval of access to the protected data and receive the data usage rules. The database interface can store the protected data in the database and provide access to the protected data.

Abstract: A method is described, the method relating to control of a communication between a first device and a second device using a communication protocol including at least a first transaction, and at least one subsequent second transaction. The method can include transmission, by the first device to the second device during the first transaction, of both a maximum acceptable delay between the end of the first transaction and the beginning of the second transaction, as well as an explicit indication of the type of message characterizing the beginning of the second transaction. The second device can then trigger a timer for the delay. The method is applicable to IMS networks.

Abstract: An anti-attack data transmission method and an apparatus thereof are provided. The method includes obtaining a communication protocol message to be transmitted; performing an anti-attack pre-processing for data on information bit(s) located at a message header in the communication protocol message, and generating processing information; storing the processing information in extension bit(s) at the message header of the communication protocol message to obtain a converted communication protocol message, wherein the message header of the communication protocol message includes the information bit(s) and the extension bit(s); and sending the converted communication protocol message to a receiving device. The present disclosure solves the problem of false negatives associated with normally transmitted data flow caused by existing anti-attack methods.

Abstract: A secure Simultaneous Authentication of Equals (SAE) anti-clogging mechanism may be provided. A public key of an access point may be provided from the access point to a client attempting to connect with a network via the access point. The access point may receive from the client a first anti-clogging token and a public key of the client. The first anti-clogging token may be generated by the first client using a shared secret based on a private key of the client and the public key of the access point and a multiplier. The access point may generate a second anti-clogging token using a shared secret based on a private key of the access point and the public key of the client and the multiplier. The access point may then verify the first anti-clogging token and the second anti-clogging token match to authenticate the client.

Abstract: Systems and methods for implementing a micro firewall in a mobile application are provided here. Firewall logic can be injected or provided to a mobile application. The firewall logic can provide one or more rules for processing network traffic from application programming interfaces (APIs) of the mobile application. The mobile application having the firewall logic can be made available for installation on a mobile device. The mobile application having the firewall logic can be provided or installed on to a mobile device. During execution of the mobile application, the firewall logic of the mobile application can hook a plurality of API calls of the mobile application relevant to network traffic. The firewall logic can apply one or more rules of the firewall logic to process network traffic corresponding to an API call of the plurality of API calls of the mobile application.

Abstract: Techniques for polluting phishing campaign responses with content that includes fake sensitive information of a type that is being sought in phishing messages. Embodiments disclosed herein identify phishing messages that are designed to fraudulently obtain sensitive information. Rather than simply quarantining these phishing messages from users' accounts to prevent users from providing “real” sensitive information, embodiments disclosed herein analyze these phishing messages to determine what type(s) of information is being sought and then respond to these phishing messages with “fake” sensitive information of these type(s). For example, if a phishing message is seeking sensitive credit card and/or banking account information, some fake information of this type(s) may be generated and sent in response to the phishing message. In various implementations, a natural language processing (NLP) model may be used to analyze the phishing message and/or generate a response thereto.

Abstract: A method, apparatus, system, and computer program product for evaluating enforcement decisions on an asset using a policy. Rules in the policy are applied by a computer system to the asset taking into account a context for a request to access the asset in response receiving to the request to access the asset, and wherein the rules in the policy determine whether access to the asset is allowed. A determination is made by the computer system as to whether a conflict is present in an initial decision made using the rules in the policy. A set of conflict resolution processes are applied by the computer system when the conflict is present such that a final decision is made on the request to access the asset.

Abstract: Techniques for implementing a secure enclave-based guest firewall are provided. In one set of embodiments, a host system can load a policy enforcer for a firewall into a secure enclave of a virtual machine (VM) running on the host system, where the secure enclave corresponds to a region of memory in the VM's guest memory address space that is inaccessible by processes running in other regions of the guest memory address space (including privileged processes that are part of the VM's guest operating system (OS) kernel). The policy enforcer can then, while running within the secure enclave: (1) obtain one or more security policies from a policy manager for the firewall, (2) determine that an event has occurred pertaining to a new or existing network connection between the VM and another machine, and (3) apply the one or more security policies to the network connection.

Abstract: A computing environment for monitoring usage of an application to identify characteristics and trigger security control includes an application system that performs a query configured to identify any application calls performed in a predetermined period of time within the computing environment; for each identified application call, builds a corresponding application characteristics entry in a database; for each identified application call, identifies a plurality of characteristics of the called application including at least one downstream resource; associates the identified plurality of characteristics with the application characteristics entry in the database, thereby creating an application mapping; identifies security controls associated with each of the applications in the application mapping; associates the identified security controls with the associated application characteristics entry in the application mapping; and automatically triggers assessment of an effectiveness of the security controls in re

Abstract: A method for information interaction includes: when an access request sent by a webpage to a preset domain name is received by a browser component, resolving the preset domain name into a designated access address, the access request being sent by the webpage when the webpage is required to interact with an operating system of a terminal, and the designated access address being an access address that has not been occupied; sending the access request to the designated access address as a destination address; and when a firewall detects that the destination address of the access request is the designated access address, redirecting the access request to a local web service, the local web service being configured for information interaction with the operating system of the terminal.

Abstract: A method useful for implementing an enterprise risk and compliance automation engine comprises the step of obtaining an information technology (IT) security policy standard. The method comprises normalizing the IT security policy standard into a machine-readable format. The method comprises templatizing the machine-readable format version of the IT security policy standard. Each template comprises a collection of controls. Each control comprises a statement that describes a condition that a transaction or activity an IT system is required to perform by IT security policy standard; discovering a set of configurations of the IT system. The method comprises comparing the set of configurations of the IT system with the collection of controls of each template. The method comprises generating a validation report that comprises a report of whether the set of configurations of the IT system satisfies the collection of controls of each template.

Abstract: A method and system for contraindicating firmware and driver updates. Specifically, the disclosed method and system entail discerning whether installation of a hardware device firmware and/or device driver update, targeting a hardware device on a host device, would succeed or fail given a set of features (or indicators) reflective of the current host device state and metadata respective to the hardware device update. Further, the determination may employ predictive machine learning techniques.

Abstract: The present disclosure relates to methods, apparatus, and systems for protecting data in a communications system. One example method includes obtaining, by a core network node, information associated with a service of a terminal device, and determining, by the core network node and based on the information associated with the service, a network node that is to perform security protection on data of the service.

Abstract: A method and system for collecting information on responses and their interpretation on a client device that requests access to a server. A request to access the server is received. If there was a response by the server for this request, then the response is being intercepted and is being injected with a client side language script to be executed by the requesting client side device. Information is collected at the server side from the execution of the injected client side language script by the client device.