Abstract: A computing system may include a proxy server application and a database. The proxy server application may provide, to a computing device disposed within a managed network, instructions to identify one or more processes executing on the computing device. The proxy server application may also determine, for a process of the one or more processes, a file system path of a directory associated with the process and, based thereon, select one or more directories to scan for files associated with the process. The computing device may be provided with instructions to (i) scan the one or more directories and (ii) determine a plurality of attributes associated with one or more files discovered therein. The proxy server application may additionally receive results of the scan containing a representation of the plurality of attributes and store, in the database, the results of the scan.

Abstract: Methods and systems to manage permissions in a structured user-environment which provide a User Interface (UI) that provides a simple, intuitive administration to apply permissions at the user and group level to data in the structured user-environment. The UI also provides feedback to the administrator as to the inheritance path of each user and/or group as well as links between permissions, allowing the administrator to determine how a user or group was granted or denied access to a permission or resource.

Abstract: Methods and devices for determining whether a computing device has been compromised. File tree structure information for the computing device is obtained that details at least a portion of a tree-based structure of folders and files in a memory on the computing device. It is then determined from the file tree structure information that the computing device is compromised and, based on the determination that the computing device has been compromised, an action is taken.

Abstract: Various methods, apparatuses/systems, and media for automatically establishing a communication between two or more applications that do not share a compatible authentication model are disclosed. A receiver receives a request from a first application to communicate with a second application, wherein the first application supports a first authentication model and the second application supports a second authentication model which is incompatible with the first authentication model. A processor utilizes a configurable gateway layer, in response to receiving the request, to mediate a communication between the first application and the second application; and routes the request from the first application to the configurable gateway layer. The configurable gateway layer translates the first authentication model to the second authentication model.

Abstract: Methods, systems, and programs are presented for securing user-address information. A first memory is configured according to a first table that does not include information about user identifiers. Each entry in the first table includes a physical location identifier and information about a physical location. A second memory is configured according to a second table, where each entry in the second table includes the physical location identifier and an account identifier of a user for accessing a service. The first and second tables are configured to separate profile information from the address information of the user. Additionally, a firewall is configured to control access to the second memory. The firewall defines an authentication zone including the second memory but not the first memory, where access to the second memory by internal services is allowed and direct access by the user to the second memory is denied.

Abstract: Technologies to facilitate supervision of an online identify include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.

Abstract: An example method to provide communication between a first computer in a first computer network and a second computer in a second computer network is disclosed. The method includes aliasing the second computer's address in the second computer network to a loopback interface of a third computer in the first computer network and establishing a tunnel between the third computer and a fourth computer in the second computer network. Establishing the tunnel includes configuring the fourth computer to forward traffic received from the tunnel to the second computer. The method further includes configuring routing in the first computer network to direct traffic destined for the second computer network to the third computer, and configuring the first computer to transmit packets destined for the second computer with the second computer's address in the second computer network.

Abstract: A surgical hub within a surgical hub network may include a controller having a processor, in which the controller may determine a priority of a communication, an interaction, or a processing of information based on a requirement of a device communicating with the hub. The device may be a smart surgical device. The requirement of the surgical device may comprise data processed by a device component of an associated system The controller may prioritize communication of the data processed by the device component of the associate system with the surgical device. A network of surgical hubs may include a plurality of surgical hubs. Each hub may have one of a plurality of controllers, in which a first of the plurality of controllers is configured to distribute an execution of a process and data used by the process among at least a subset of the plurality of surgical hubs.

Abstract: Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.

Abstract: A firewall intelligence system, includes a data storage storing a set of firewall rules for a network; a recommendation engine that receives, from a log service, traffic logs detailing traffic for the network and firewall logs detailing the usage of firewall rules in response to the traffic for the network, accesses, from the data storage, the set of firewall rules for the network; processes the set of firewall rules to evaluate the firewall rules against a set of quantitative evaluation rules to determine one or more firewall rule recommendations, wherein each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set of firewall rules; and a front end API that provides data describing the one or more firewall rule recommendations to a user device.

Abstract: Layer 7 protocol (non-HTTP) client applications are executed in the browser. The non-HTTP layer 7 protocol client application connects to a compute server that proxies layer 4 packets to the origin network that has the non-HTTP layer 7 protocol service. As an example, an SSH client (a non-HTTP layer 7 protocol) can execute in the browser and the TCP packets (layer 4 packets) are proxied by a compute server to the origin network that has the appropriate SSH server. The non-HTTP layer 7 protocol client application allows users to run commands or otherwise interact with the client as if they were using a native application (one that is not executed within the browser) without any client-side configuration or agent.

Abstract: In order to enable a dynamic handshake procedure, a device may be configured with a list of handshake contributors. Contributors with connection handshake properties may be added to the contributor list. To perform handshake, the contributor list is processed to extract the connection handshake properties of each contributor to the handshake. Handlers for handling the connection handshake properties may also be dynamically added and invoked when a handshake is received.

Abstract: Disclosed herein are various systems, apparatuses, software, and methods relating to data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising providing a WAN data diode using a uni-directional semantics protocol, providing a set of data diode proxies in either end of a point-to-point WAN link, providing a symmetric key encryption semantics to extend the WAN data diode securely across a WAN that is specified, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link, employing a unidirectional protocol in communication transmitted using the WAN, and, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.

Abstract: A configuration control transfer (“CCT”) system controls the transferring of control of configuration information of a device from a current configuration source to a target configuration source. A CCT server of the CCT system may send a request for the configuration information of the device where the configuration information of the device currently under control of the at least one first configuration source. The CCT server may also receive the requested configuration information, determine whether the second configuration source is able to support the configuration information of the first configuration source, and based at least on a determination that the second configuration source is able to support the configuration information, request that the device transfer control of the configuration information from the first configuration source to the second configuration source to unenroll the device with the first configuration source and enroll the device with the second configuration source.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for multi-factor authentication. In response to a request for an action, the method includes one or more processors whether a first authentication credential passes validation. In response to determining that the first authentication credential does pass validation, the method further includes one or more processors determining a second authentication credential, wherein the second authentication credential includes an indication of a wireless connection between a first computing device and a second computing device. The method further includes one or more processors determining whether the second authentication credential passes validation. In response to determining that the second authentication credential passes validation, the method further includes one or more processors allowing execution of the requested response.

Abstract: A method for multiparty computation wherein a plurality of parties each compute a preset function without revealing inputs thereof to others, comprises: each of the parties performing a validation step to validate that computation of the function is carried out correctly, wherein the validation step includes: a first step that prepares a plurality of verified multiplication triples and feeds a multiplication triple to a second step when required; and the second step that consumes a randomly selected multiplication triple generated by the first step, wherein the first step performs shuffling of the generated multiplication triples, in at least one of shuffle in a sequence and shuffle of sequences.

Abstract: Server cluster communication across the public internet using a single secure User Datagram Protocol (UDP) is facilitated by an intermediary registry server. The intermediary registry server enables servers within a cluster to identify and securely communicate with peer servers in the cluster across disparate locations and through firewalls Using an external address registry shared to each member of a server cluster peer group, individual servers can establish a direct secure channel using a single UDP tunnel.

Abstract: Adaptive network security policies can be selected by assigning a number of risk values to security intelligence associated with network traffic, and identifying a number of security policies to implement based on the risk values.

Abstract: A system includes a data owner interface, a database, a requester interface, an approver interface, a database interface, and a central controller. The data owner interface can provide protected data and data usage rules. The database can store the protected data. The requester interface can provide a request to access the protected data and receive sanitized results. The approver interface can provide approval or disapproval of access to the protected data and receive the data usage rules. The database interface can store the protected data in the database and provide access to the protected data.

Abstract: A method is described, the method relating to control of a communication between a first device and a second device using a communication protocol including at least a first transaction, and at least one subsequent second transaction. The method can include transmission, by the first device to the second device during the first transaction, of both a maximum acceptable delay between the end of the first transaction and the beginning of the second transaction, as well as an explicit indication of the type of message characterizing the beginning of the second transaction. The second device can then trigger a timer for the delay. The method is applicable to IMS networks.

Abstract: An anti-attack data transmission method and an apparatus thereof are provided. The method includes obtaining a communication protocol message to be transmitted; performing an anti-attack pre-processing for data on information bit(s) located at a message header in the communication protocol message, and generating processing information; storing the processing information in extension bit(s) at the message header of the communication protocol message to obtain a converted communication protocol message, wherein the message header of the communication protocol message includes the information bit(s) and the extension bit(s); and sending the converted communication protocol message to a receiving device. The present disclosure solves the problem of false negatives associated with normally transmitted data flow caused by existing anti-attack methods.

Abstract: A secure Simultaneous Authentication of Equals (SAE) anti-clogging mechanism may be provided. A public key of an access point may be provided from the access point to a client attempting to connect with a network via the access point. The access point may receive from the client a first anti-clogging token and a public key of the client. The first anti-clogging token may be generated by the first client using a shared secret based on a private key of the client and the public key of the access point and a multiplier. The access point may generate a second anti-clogging token using a shared secret based on a private key of the access point and the public key of the client and the multiplier. The access point may then verify the first anti-clogging token and the second anti-clogging token match to authenticate the client.

Abstract: Systems and methods for implementing a micro firewall in a mobile application are provided here. Firewall logic can be injected or provided to a mobile application. The firewall logic can provide one or more rules for processing network traffic from application programming interfaces (APIs) of the mobile application. The mobile application having the firewall logic can be made available for installation on a mobile device. The mobile application having the firewall logic can be provided or installed on to a mobile device. During execution of the mobile application, the firewall logic of the mobile application can hook a plurality of API calls of the mobile application relevant to network traffic. The firewall logic can apply one or more rules of the firewall logic to process network traffic corresponding to an API call of the plurality of API calls of the mobile application.

Abstract: Techniques for polluting phishing campaign responses with content that includes fake sensitive information of a type that is being sought in phishing messages. Embodiments disclosed herein identify phishing messages that are designed to fraudulently obtain sensitive information. Rather than simply quarantining these phishing messages from users' accounts to prevent users from providing “real” sensitive information, embodiments disclosed herein analyze these phishing messages to determine what type(s) of information is being sought and then respond to these phishing messages with “fake” sensitive information of these type(s). For example, if a phishing message is seeking sensitive credit card and/or banking account information, some fake information of this type(s) may be generated and sent in response to the phishing message. In various implementations, a natural language processing (NLP) model may be used to analyze the phishing message and/or generate a response thereto.

Abstract: Techniques for implementing a secure enclave-based guest firewall are provided. In one set of embodiments, a host system can load a policy enforcer for a firewall into a secure enclave of a virtual machine (VM) running on the host system, where the secure enclave corresponds to a region of memory in the VM's guest memory address space that is inaccessible by processes running in other regions of the guest memory address space (including privileged processes that are part of the VM's guest operating system (OS) kernel). The policy enforcer can then, while running within the secure enclave: (1) obtain one or more security policies from a policy manager for the firewall, (2) determine that an event has occurred pertaining to a new or existing network connection between the VM and another machine, and (3) apply the one or more security policies to the network connection.

Abstract: A method, apparatus, system, and computer program product for evaluating enforcement decisions on an asset using a policy. Rules in the policy are applied by a computer system to the asset taking into account a context for a request to access the asset in response receiving to the request to access the asset, and wherein the rules in the policy determine whether access to the asset is allowed. A determination is made by the computer system as to whether a conflict is present in an initial decision made using the rules in the policy. A set of conflict resolution processes are applied by the computer system when the conflict is present such that a final decision is made on the request to access the asset.

Abstract: A method for information interaction includes: when an access request sent by a webpage to a preset domain name is received by a browser component, resolving the preset domain name into a designated access address, the access request being sent by the webpage when the webpage is required to interact with an operating system of a terminal, and the designated access address being an access address that has not been occupied; sending the access request to the designated access address as a destination address; and when a firewall detects that the destination address of the access request is the designated access address, redirecting the access request to a local web service, the local web service being configured for information interaction with the operating system of the terminal.

Abstract: A computing environment for monitoring usage of an application to identify characteristics and trigger security control includes an application system that performs a query configured to identify any application calls performed in a predetermined period of time within the computing environment; for each identified application call, builds a corresponding application characteristics entry in a database; for each identified application call, identifies a plurality of characteristics of the called application including at least one downstream resource; associates the identified plurality of characteristics with the application characteristics entry in the database, thereby creating an application mapping; identifies security controls associated with each of the applications in the application mapping; associates the identified security controls with the associated application characteristics entry in the application mapping; and automatically triggers assessment of an effectiveness of the security controls in re

Abstract: A method useful for implementing an enterprise risk and compliance automation engine comprises the step of obtaining an information technology (IT) security policy standard. The method comprises normalizing the IT security policy standard into a machine-readable format. The method comprises templatizing the machine-readable format version of the IT security policy standard. Each template comprises a collection of controls. Each control comprises a statement that describes a condition that a transaction or activity an IT system is required to perform by IT security policy standard; discovering a set of configurations of the IT system. The method comprises comparing the set of configurations of the IT system with the collection of controls of each template. The method comprises generating a validation report that comprises a report of whether the set of configurations of the IT system satisfies the collection of controls of each template.

Abstract: A method and system for contraindicating firmware and driver updates. Specifically, the disclosed method and system entail discerning whether installation of a hardware device firmware and/or device driver update, targeting a hardware device on a host device, would succeed or fail given a set of features (or indicators) reflective of the current host device state and metadata respective to the hardware device update. Further, the determination may employ predictive machine learning techniques.

Abstract: A method and system for collecting information on responses and their interpretation on a client device that requests access to a server. A request to access the server is received. If there was a response by the server for this request, then the response is being intercepted and is being injected with a client side language script to be executed by the requesting client side device. Information is collected at the server side from the execution of the injected client side language script by the client device.

Abstract: The present disclosure relates to methods, apparatus, and systems for protecting data in a communications system. One example method includes obtaining, by a core network node, information associated with a service of a terminal device, and determining, by the core network node and based on the information associated with the service, a network node that is to perform security protection on data of the service.

Abstract: To provide secure communication over end-to-end data paths or segments of end-to-end paths in a timed deterministic packet network including a plurality of packet engines that perform packet handling, cipher engines are provided separately from the packet engines. The cipher engines are operative to perform at least one cyber security function. A cipher engine and key manager provides central control for the plurality of cipher engines. A centralized packet flow path manager, PFPM, may set up endpoint nodes and intermediate transit nodes of the end-to-end data paths of the packet network.

Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.

Abstract: Two devices can be connected for communication by a wireless connection, where those devices will function as master and slave devices with respect to that connection. A slave device to a connection can perform changes to the connection on behalf of an application, subsystem, or other such source on either the slave device or a master device. These changes can include changes to connection parameter values, or can include state changes such as to perform a disconnect action. Enabling the slave device to perform these actions can help to bypass any restrictions that would otherwise prevent these actions being performed from a master device to the connection.

Abstract: A method and a proxy server for selecting an input server of an IMS communication network in order to register a terminal in the IMS communication network. Following receipt from the terminal of an SIP registration message, the proxy server obtains a value of at least one field of the SIP registration message, the field being representative of a characteristic belonging to the terminal, and selects an input server using the at least one value obtained. Then, the proxy server sends, to the terminal, an SIP redirection message including an IP address of the selected input server.

Abstract: A method, an apparatus, a system, and a computer program product for handling security threats in a network data processing system. A computer system determines a connection type for a connection in response to detecting the connection between a target resource in the network data processing system and a requestor. The computer system redirects the connection to a virtual resource in place of the target resource when the connection type is a threat connection, wherein the requestor originating the connection to the target resource is unable to perceive a redirection of the connection to the virtual resource. The computer system records information in the connection redirected to the virtual resource to form recorded information. The computer system adjusts a security policy for handling connections in the network data processing system using the recorded information, wherein the security threats in the network data processing system are decreased using the security policy.

Abstract: A cloud-based fleet of sandboxes is scalable along two tiers. Additional sandboxes may be added to a particular sandbox network in a particular sandbox stack, or additional sandbox stacks may be added. Isolation of individual sandboxes within a sandbox network is provided by virtual switches or routers, and subnetting. Isolation of sandbox networks is provided by network or port address translation, and by running hypervisors in respective infrastructure-as-a-service virtual machines. Provisioning efficiency can be provided by the two-tiered architecture, by use of differencing disks, by use of virtual machine scale sets, and by hybrid core-count sandboxes. Sandboxes may be secured but still have outgoing internet connectivity. Workloads run in the sandbox may include builds, tests of development code, investigations of possible malware, and other tasks.

Abstract: A system and method for anonymous message broadcasting uses secret shares of a first vector of size i and a second vector of size j from each client device with a message in an anonymity set of client devices. Each secret share of the first and second vectors is received at each of a plurality of message broadcasting servers to construct a matrix M of i and j dimensions, which is added to a matrix A of i and j dimensions maintained at that message broadcasting server. The matrix A at each message broadcasting server is shared with the other message broadcasting servers and a final matrix A is constructed using the shared matrices A at each message broadcasting server, wherein the final matrix A includes the messages from the client devices in the anonymity set. The messages in the final matrix A are broadcasted from the message broadcasting servers.

Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.

Abstract: Apparatus to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication devices is disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.

Abstract: Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.

Abstract: Technologies to facilitate supervision of an online identify include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.

Abstract: A system and method for determining spoofing of at least one identifier are described, the identifier being intended for the use of a communication device, during communication between a first communication terminal and a second communication terminal. The method can be implemented by a device for determining spoofing of at least one identifier. The method can include receiving a signaling message of the communication from the first communication terminal and intended for the second communication terminal, the signaling message including at least one identifier and at least one first item of certification data, obtaining at least one second item of certification data on the basis of the at least one received identifier, comparing the at least one first item of certification data with said at least one second item of certification data, and transmitting at least the message to the second terminal on the basis of the result of the comparison.

Abstract: The subject matter describes devices, networks, systems, media, and methods to create secure communications between wireless devices and cellular networks, where the wireless devices communicate with the cellular networks via multi-hopping methods in non-cellular networks.

Abstract: A smart home includes Internet of things (IOT) devices that are paired with an IOT gateway. A backend system is in communication with the IOT gateway to receive IOT operating data of the IOT devices. The backend system generates a machine learning model for an IOT device. The machine learning model is consulted with IOT operating data of the IOT device to detect anomalous operating behavior of the IOT device. The machine learning model is updated as more and newer IOT operating data of the IOT device are received by the backend system.

Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.

Abstract: An apparatus for mitigating a DDoS attack in a networked computing system includes at least one detector coupled with a corresponding router in the networked computing system. The detector is configured: to obtain network flow information from the router regarding current data traffic to at least one host; to compare the current data traffic to the host with stored traffic patterns associated with at least one prior DDoS attack; and to generate an output indicative of a match between the current data traffic and at least one of the stored traffic patterns. The apparatus further includes at least one mitigation unit coupled with the at least one detector. The mitigation unit is configured: to receive the output indicative of the match between the current data traffic and at least one of the stored traffic patterns; and to initiate a DDoS attack mitigation action in response to the received output.