Security Protocols Patents (Class 726/14)
  • Patent number: 11140545
    Abstract: The present disclosure relates to methods, apparatus, and systems for protecting data in a communications system. One example method includes obtaining, by a core network node, information associated with a service of a terminal device, and determining, by the core network node and based on the information associated with the service, a network node that is to perform security protection on data of the service.
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: October 5, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Kai Pan, He Li, Jing Chen, Li Hu
  • Patent number: 11140178
    Abstract: A method and system for collecting information on responses and their interpretation on a client device that requests access to a server. A request to access the server is received. If there was a response by the server for this request, then the response is being intercepted and is being injected with a client side language script to be executed by the requesting client side device. Information is collected at the server side from the execution of the injected client side language script by the client device.
    Type: Grant
    Filed: September 16, 2010
    Date of Patent: October 5, 2021
    Assignee: F5 Networks, Inc.
    Inventors: Shlomo Yona, Ron Talmor
  • Patent number: 11134066
    Abstract: To provide secure communication over end-to-end data paths or segments of end-to-end paths in a timed deterministic packet network including a plurality of packet engines that perform packet handling, cipher engines are provided separately from the packet engines. The cipher engines are operative to perform at least one cyber security function. A cipher engine and key manager provides central control for the plurality of cipher engines. A centralized packet flow path manager, PFPM, may set up endpoint nodes and intermediate transit nodes of the end-to-end data paths of the packet network.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: September 28, 2021
    Assignee: ABB Power Grids Switzerland AG
    Inventors: Wolfgang Spahn, Jon Duri Sarott
  • Patent number: 11129226
    Abstract: Two devices can be connected for communication by a wireless connection, where those devices will function as master and slave devices with respect to that connection. A slave device to a connection can perform changes to the connection on behalf of an application, subsystem, or other such source on either the slave device or a master device. These changes can include changes to connection parameter values, or can include state changes such as to perform a disconnect action. Enabling the slave device to perform these actions can help to bypass any restrictions that would otherwise prevent these actions being performed from a master device to the connection.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: September 21, 2021
    Assignee: Fitbit, Inc.
    Inventors: Gilles Luc Jean Francois Boccon-Gibod, Andrew Scott Branscomb, Irvin Owens, Hsiao-Kai Wang, Sylvain Pierre Christophe Rebaud, Samuel Cordes Vaughan
  • Patent number: 11128600
    Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security groups at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: September 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
  • Patent number: 11115441
    Abstract: A method and a proxy server for selecting an input server of an IMS communication network in order to register a terminal in the IMS communication network. Following receipt from the terminal of an SIP registration message, the proxy server obtains a value of at least one field of the SIP registration message, the field being representative of a characteristic belonging to the terminal, and selects an input server using the at least one value obtained. Then, the proxy server sends, to the terminal, an SIP redirection message including an IP address of the selected input server.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: September 7, 2021
    Assignee: ORANGE
    Inventors: Bertrand Bouvet, Stephane Boizard
  • Patent number: 11108823
    Abstract: A method, an apparatus, a system, and a computer program product for handling security threats in a network data processing system. A computer system determines a connection type for a connection in response to detecting the connection between a target resource in the network data processing system and a requestor. The computer system redirects the connection to a virtual resource in place of the target resource when the connection type is a threat connection, wherein the requestor originating the connection to the target resource is unable to perceive a redirection of the connection to the virtual resource. The computer system records information in the connection redirected to the virtual resource to form recorded information. The computer system adjusts a security policy for handling connections in the network data processing system using the recorded information, wherein the security threats in the network data processing system are decreased using the security policy.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: August 31, 2021
    Assignee: International Business Machines Corporation
    Inventors: Sheng Yan Sun, Shuo Li, Xiaobo Wang, Hong Mei Zhang, Yu Wang
  • Patent number: 11106785
    Abstract: A cloud-based fleet of sandboxes is scalable along two tiers. Additional sandboxes may be added to a particular sandbox network in a particular sandbox stack, or additional sandbox stacks may be added. Isolation of individual sandboxes within a sandbox network is provided by virtual switches or routers, and subnetting. Isolation of sandbox networks is provided by network or port address translation, and by running hypervisors in respective infrastructure-as-a-service virtual machines. Provisioning efficiency can be provided by the two-tiered architecture, by use of differencing disks, by use of virtual machine scale sets, and by hybrid core-count sandboxes. Sandboxes may be secured but still have outgoing internet connectivity. Workloads run in the sandbox may include builds, tests of development code, investigations of possible malware, and other tasks.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sajay Antony, Bin Du, Bradley Thomas Haverstein, Eric Hotinger, Nagalakshmi Duggaraju, Steven M. Lasker
  • Patent number: 11102179
    Abstract: A system and method for anonymous message broadcasting uses secret shares of a first vector of size i and a second vector of size j from each client device with a message in an anonymity set of client devices. Each secret share of the first and second vectors is received at each of a plurality of message broadcasting servers to construct a matrix M of i and j dimensions, which is added to a matrix A of i and j dimensions maintained at that message broadcasting server. The matrix A at each message broadcasting server is shared with the other message broadcasting servers and a final matrix A is constructed using the shared matrices A at each message broadcasting server, wherein the final matrix A includes the messages from the client devices in the anonymity set. The messages in the final matrix A are broadcasted from the message broadcasting servers.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: August 24, 2021
    Assignee: VMware, Inc.
    Inventors: Avishay Yanai, Ittai Abraham
  • Patent number: 11100218
    Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.
    Type: Grant
    Filed: June 22, 2018
    Date of Patent: August 24, 2021
    Assignee: PREVOTY, INC.
    Inventor: Kunal Anand
  • Patent number: 11095687
    Abstract: Apparatus to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication device is disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present invention greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: August 17, 2021
    Assignee: Blue Armor Technologies, LLC
    Inventors: Charles Andrew Gram, John William Hayes
  • Patent number: 11088853
    Abstract: Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in a less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: August 10, 2021
    Assignee: Visa International Service Association
    Inventors: Minghua Xu, Jose Rios Trevino, Ying Hao
  • Patent number: 11082431
    Abstract: Technologies to facilitate supervision of an online identity include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: August 3, 2021
    Assignee: Intel Corporation
    Inventors: Alex Nayshtut, Omer Ben-Shalom, Hong Li
  • Patent number: 11082556
    Abstract: A system and method for determining spoofing of at least one identifier are described, the identifier being intended for the use of a communication device, during communication between a first communication terminal and a second communication terminal. The method can be implemented by a device for determining spoofing of at least one identifier. The method can include receiving a signaling message of the communication from the first communication terminal and intended for the second communication terminal, the signaling message including at least one identifier and at least one first item of certification data, obtaining at least one second item of certification data on the basis of the at least one received identifier, comparing the at least one first item of certification data with said at least one second item of certification data, and transmitting at least the message to the second terminal on the basis of the result of the comparison.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: August 3, 2021
    Assignee: ORANGE
    Inventor: Bertrand Bouvet
  • Patent number: 11064355
    Abstract: The subject matter describes devices, networks, systems, media, and methods to create secure communications between wireless devices and cellular networks, where the wireless devices communicate with the cellular networks via multi-hopping methods in non-cellular networks.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: July 13, 2021
    Assignee: M87, Inc.
    Inventors: Vidur Bhargava, Eric Kord Henderson, Peter Matthew Feldman
  • Patent number: 11038910
    Abstract: A smart home includes Internet of things (IOT) devices that are paired with an IOT gateway. A backend system is in communication with the IOT gateway to receive IOT operating data of the IOT devices. The backend system generates a machine learning model for an IOT device. The machine learning model is consulted with IOT operating data of the IOT device to detect anomalous operating behavior of the IOT device. The machine learning model is updated as more and newer IOT operating data of the IOT device are received by the backend system.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: June 15, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Yi-Li Cheng, Yao-Tang Chang, Peng-Shih Pu, Che-Fu Yeh, Shih-Han Hsu, Tsung-Fu Lin, Ming-Hung Chen, Yu-Min Chang
  • Patent number: 11039312
    Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: June 15, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Lehtovirta, Noamen Ben Henda, David Castellanos Zamora, Monica Wifvesson
  • Patent number: 11032315
    Abstract: An apparatus for mitigating a DDoS attack in a networked computing system includes at least one detector coupled with a corresponding router in the networked computing system. The detector is configured: to obtain network flow information from the router regarding current data traffic to at least one host; to compare the current data traffic to the host with stored traffic patterns associated with at least one prior DDoS attack; and to generate an output indicative of a match between the current data traffic and at least one of the stored traffic patterns. The apparatus further includes at least one mitigation unit coupled with the at least one detector. The mitigation unit is configured: to receive the output indicative of the match between the current data traffic and at least one of the stored traffic patterns; and to initiate a DDoS attack mitigation action in response to the received output.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: June 8, 2021
    Assignee: CHARTER COMMUNICATIONS OPERATING, LLC
    Inventor: Richard A. Compton
  • Patent number: 11005938
    Abstract: Methods and apparatus for publisher-independent auxiliary communications in data router-mediated publisher/subscriber transmission architectures provide faster processing of actionable information by subscribers and increased flexibility to add publishers to a system. Publisher-originated information in a publisher-specific format is used by either the publisher, or a data router coupled to the publisher, to generate information, based on the publisher-originated information, in a publisher-independent format recognized by subscribers, and provided by the data router to subscribers. Publishers may include analyzers such as blood, immuno-assay, and clinical chemistry analyzers, IoT devices, and automation systems.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: May 11, 2021
    Assignee: Siemens Healthcare Diagnostics Inc.
    Inventor: Michael Heydlauf
  • Patent number: 11005865
    Abstract: An exemplary apparatus for mitigating a distributed denial-of-service (DDoS) attack includes a controller configured: to receive an output signal from a detector in a networked computing system, the output signal indicating a probability of a DDoS attack based at least in part on a threat level corresponding to an Autonomous System Number (ASN) associated with a source Internet Protocol address of received data packets when a volume of the received data packets exceeds a prescribed threshold value; to obtain action information correlating a specific ASN to at least one corresponding action for mitigating a DDoS attack; and to generate at least one control signal for initiating at least one action for mitigating the DDoS attack as a function of the obtained action information. The apparatus further includes at least one mitigation device for performing at least one action for mitigating the DDoS attack in response to the control signal.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: May 11, 2021
    Assignee: CHARTER COMMUNICATIONS OPERATING, LLC
    Inventor: Richard A. Compton
  • Patent number: 10999262
    Abstract: In general, the techniques of this disclosure describe a hub device that is configured to receive data packets from both secured client devices and non-secured client devices. The hub device may send the data packets from the secured client devices to a host device. For the data packets from the non-secured client devices, the hub device may first process the data packets to ensure the integrity of the received non-secure data packets and then send the non-secure data packets to the host device once the hub device determines that the non-secure data packets meet some threshold level of integrity.
    Type: Grant
    Filed: April 23, 2018
    Date of Patent: May 4, 2021
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Ranga Ramanujan, Benjamin L. Burnett
  • Patent number: 10972435
    Abstract: A computing system may include a proxy server application and a database. The proxy server application may provide, to a computing device disposed within a managed network, instructions to identify one or more processes executing on the computing device. The proxy server application may also determine, for a process of the one or more processes, a file system path of a directory associated with the process and, based thereon, select one or more directories to scan for files associated with the process. The computing device may be provided with instructions to (i) scan the one or more directories and (ii) determine a plurality of attributes associated with one or more files discovered therein. The proxy server application may additionally receive results of the scan containing a representation of the plurality of attributes and store, in the database, the results of the scan.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: April 6, 2021
    Assignee: ServiceNow, Inc.
    Inventors: Noam Biran, Amit Dhuleshia, Sreenevas Subramaniam
  • Patent number: 10965645
    Abstract: A method for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit or units having connection to the public Internet and one or more of the private units have a connection to one or more non-Internet-connected private networks for private network control of the configuration of the computer or microchip using active hardware configuration, including field programmable gate arrays (FPGA). The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: March 30, 2021
    Inventor: Frampton E. Ellis
  • Patent number: 10944590
    Abstract: Example methods are provided for a first endpoint to communicate with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise detecting a chunk of data directly from an application executing on the first endpoint. The virtual adapter may emulate a transport protocol task offload to bypass transport protocol processing by a protocol stack of the first endpoint. The method may comprise processing the chunk of data to generate a chunk of processed data for transfer through a tunnel connecting the virtual adapter over the public network with a gateway associated with the private network and sending the chunk of processed data through a tunnel in a plurality of tunnel segments, wherein the gateway is configured to perform transport protocol processing to generate a plurality of transport protocol segments from the chunk of processed data for transfer to the second endpoint.
    Type: Grant
    Filed: March 14, 2016
    Date of Patent: March 9, 2021
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Amit Chopra
  • Patent number: 10939363
    Abstract: The disclosure relates to methods, devices, and computer programs in mobile communications for detecting potential system information reference conflicts. In particular, the present disclosure relates to a method (20), performed in a wireless device, for detecting potential system information reference conflicts. The method comprises receiving (S21) first access information from a network node of a first wireless network, the first access information comprising a first system information reference and a first identifier relating to the first wireless network. The method also comprises determining (S23) a potential system information reference conflict based on a comparison of the first access information and second access information. The second access information is received from the first or a second wireless network; and comprises a second system information reference and a second identifier relating to the wireless network from which the second access information is received.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: March 2, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Peter Alriksson, Erik Eriksson, Pål Frenger, Johan Rune
  • Patent number: 10929567
    Abstract: Embodiments of the present invention disclose a method, computer program product, and system for parallel access to an electronic design automation (EDA) application. The computer receives a request to access an electronic design automation (EDA) application from at least two user computing devices and authenticates a user associated with each of the requests from the at least two user computing devices to access the EDA application. The computer determines a level of access to be granted to each of the users of the at least two user computing devices and creates a parallel connection to each of the at least two user computing devices based on the determined level of access granted to each of the users. The computer retrieves data to be transmitted to each of the at least two user computing devices to be displayed on each of the user computing devices and stores the data in a memory unit.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: February 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Kerim Kalafala, Douglas Keller, Debjit Sinha, Richard W. Taggart, Natesan Venkateswaran
  • Patent number: 10917406
    Abstract: An access control method, system, and a switch, pertains to the field of network technologies. The access control method includes receiving, by an authentication device, a packet from an access device, where the packet includes a virtual local area network (VLAN) identifier, and authenticating, by the authentication device based on the VLAN identifier and a preconfigured correspondence using an authentication method corresponding to the VLAN identifier, a terminal device sending the packet, where the correspondence includes a mapping from a plurality of VLAN identifiers to at least two authentication methods. Hence, the authentication method of the terminal device is determined based on the VLAN identifier such that different authentication methods may be used for terminal devices in different VLANs. Therefore, an access manner is flexible.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: February 9, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Yibin Xu
  • Patent number: 10917388
    Abstract: A system that includes a routing device and a proxy server in a private network. The routing device configures itself to route data traffic for a network device within a private network using private links. The routing device forwards an access request requesting access to a destination address in a public network from the network device to the proxy server. The proxy server determines whether the access request satisfies a set of access rules and generates an access request response. The routing device forwards the access request response from the proxy server to the network device. The routing device configures itself to route data traffic between the network device and the destination address using public links in response to receiving an access approval message. The routing device communicates data traffic between the network device and the destination address using public links.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: February 9, 2021
    Assignee: Bank of America Corporation
    Inventors: Jisoo Lee, Yair Frankel
  • Patent number: 10904249
    Abstract: A terminal management apparatus includes a connection unit that connects, through a network, to a terminal apparatus to be managed, an authentication unit that authenticates the terminal apparatus using predetermined authentication information, a specific state determination unit that determines whether a predetermined specific state, in which a normal connection is not established, has occurred in relation to the terminal apparatus, and a connection controller that controls data communication with the terminal apparatus on a basis of a result of the authentication performed by the authentication unit and a result of the determination made by the specific state determination unit.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: January 26, 2021
    Assignee: FUJI XEROX CO., LTD.
    Inventors: Eiji Nishi, Keita Sakakura, Ryuichi Ishizuka, Yoshihiro Sekine, Kenji Kuroishi, Takeshi Furuya, Hiroshi Mikuriya
  • Patent number: 10860261
    Abstract: Disclosed are various examples for network printer detection and authentication for managed device deployment. In one example, a computing environment can access a listing of network printers received from a printer discovery service executed in an enterprise device in an intranet behind a firewall. A user group associated with a client device enrolled with a management service can be identified as well as at least one of the network printers assigned to the user group. The client device can be remotely configured to access the at least one of the network printers assigned to the user group.
    Type: Grant
    Filed: August 23, 2016
    Date of Patent: December 8, 2020
    Assignee: AIRWATCH LLC
    Inventor: Adam Michael Hardy
  • Patent number: 10853790
    Abstract: A method of operating a payment device for selectively enabling a payment function according to the validity of a host is provided. The method relates to a method of operating the payment device which includes a near field communication controller (NFCC) and a host communicating with the NFCC. The method selectively enables the payment function according to the validity of the host, thereby preventing illegal or unwanted payment.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: December 1, 2020
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Joong Chul Yoon
  • Patent number: 10848463
    Abstract: Control policies are configured to automatically update a whitelist and to permit an application, including its associated computing operations, to execute on the computer system. After the application is installed, initialization and execution of the application is triggered. Concurrently, the application's computing operations are recorded and certain control policies, such as a firewall, are paused from being enforced. The recorded computing operations are classified into at least two different categories, where one category includes computing operations associated with the application and where another category includes computing operations that are not associated with the application but that occurred while the application was running. The first category computing operations are then whitelisted so that they are identified as being permissible computing operations by the control policies.
    Type: Grant
    Filed: August 3, 2018
    Date of Patent: November 24, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Michael Zeev Bargury, Yotam Livny, Moshe Israel
  • Patent number: 10826873
    Abstract: A method and system for the policy-based restriction of electronic mail transmissions. A method for classifying electronic mail message transfer requests for policy enforcement can include identifying a source of an incoming electronic message, classifying the source, and applying a message transfer policy associated with the classification for the source. In particular, the identifying step can include identifying a network address for the source. The classifying step by comparison, can include classifying the source as one of a trusted source, a blocked source, and a suspect source. The classifying step also can include classifying the source as one of an authenticated source and an anonymous source. Finally, the classifying step further can include classifying the source as a blocked source where the source appears in a realtime black hole list.
    Type: Grant
    Filed: April 9, 2019
    Date of Patent: November 3, 2020
    Assignee: International Business Machines Corporation
    Inventors: Matthew P. Chant, Peter K. Lyons
  • Patent number: 10819751
    Abstract: A processing device receives an event notification indicating a security configuration change of a cloud computing resource associated with a member account. In response, the processing device identifies a security policy associated with an administrative account corresponding to the member account and evaluates the security policy against the security configuration change to determine compliance with the policy. If not in compliance, the processing device generates a change event indicating a repair to the security configuration of the cloud computing resource to bring the security configuration into compliance with the security policy.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: October 27, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan Mark Benson, Kalyanaraman Prasad, Andrew Chen, Wenchuan Weng, Prashanth Acharya, Andrew L. Thomas, Hatem Mohamed Moustafa Eyada, Venkatesh Vijayaraghavan
  • Patent number: 10805113
    Abstract: Statically configured secure tunnels forward application-level Transmission Control Protocol (“TCP”) application data between servers using a User Datagram Protocol (“UDP”) channel. Applications operating on a server cluster can communicate with other applications on another server in the cluster over the public Internet using secure TCP connection forwarding through a single UDP datagram-oriented communication channel.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: October 13, 2020
    Assignee: DH2I COMPANY
    Inventors: Thanh Q. Ngo, Samuel Revitch
  • Patent number: 10754845
    Abstract: One embodiment is related to a method for creating a redundancy data chunk for data protection with a chain topology, comprising: transmitting a data chunk of a first frontend zone of a data storage system to a second frontend zone of the data storage system; creating a redundancy data chunk at the second frontend zone of the data storage system based on the data chunk of the first frontend zone and a data chunk of the second frontend zone; passing the redundancy data chunk onto one or more subsequent frontend zones of the data storage system from the second frontend zone, wherein at each subsequent frontend zone the redundancy data chunk is updated based on the received redundancy data chunk and a data chunk of the respective subsequent frontend zone, and wherein the redundancy data chunk is passed through each subsequent frontend zone exactly once; and at a last subsequent frontend zone of the data storage system, forwarding the updated redundancy data chunk to a backend zone of the data storage system for
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: August 25, 2020
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Mikhail Danilov, Konstantin Buinov, Andrey Fomin, Mikhail Malygin, Ivan Tchoub
  • Patent number: 10742679
    Abstract: A method and system for controlling multi-tiered mitigation of cyber-attacks.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: August 11, 2020
    Assignee: Radware, Ltd.
    Inventors: Ehud Doron, David Aviv, Yotam Ben Ezra, Lev Medvedovsky
  • Patent number: 10735386
    Abstract: Methods, systems, and apparatus for Internet Protocol security (IPsec) selector coalescing for per-host Security Associations (SAs) are disclosed. In one aspect, separate per-host SAs are assigned, by a network communications device including one or more processors, to each of two or more different source communication devices that each communicates with corresponding destination devices. While the separate per-host SAs are assigned to each of the two or more different source communication devices, a group SA is generated. The group SA is assigned, by the network communications device, to all of the two or more different source communication devices. The assignment of the separate per-host SAs is removed from each of the two or more different source communication devices.
    Type: Grant
    Filed: February 1, 2018
    Date of Patent: August 4, 2020
    Assignee: ADTRAN, Inc.
    Inventors: Michael Arnold, Tyler Pearson
  • Patent number: 10691721
    Abstract: The present technology pertains to an organization directory hosted by a synchronized content management system. The corporate directory can provide access to user accounts for all members of the organization to all content items in the organization directory on the respective file systems of the members' client devices. Members can reach any content item at the same path as other members relative to the organization directory root on their respective client device. In some embodiments novel access permissions are granted to maintain path consistency.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: June 23, 2020
    Assignee: Dropbox, Inc.
    Inventors: Thomas Kleinpeter, Tony Xu, Alex Sydell, Nils Bunger, Sam Jau, Aaron Staley, Sara Lin
  • Patent number: 10673719
    Abstract: A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: June 2, 2020
    Assignee: Imperva, Inc.
    Inventor: Nitzan Niv
  • Patent number: 10673880
    Abstract: Techniques are described for processing anomalies detected using user-specified rules with anomalies detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network. In an embodiment, anomalies are detected based on processing event data at a network security system that used rules-based anomaly detection. These rules-based detected anomalies are acquired by a network security system that uses machine-learning based anomaly detection. The rules-based detected anomalies are processed along with machine learning detected anomalies to detect threat indicators or security threats to the computer network. The threat indicators and security threats are output as alerts to the network security system that used rules-based anomaly detection.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: June 2, 2020
    Assignee: SPLUNK INC.
    Inventors: Robert Winslow Pratt, Ravi Prasad Bulusu
  • Patent number: 10652279
    Abstract: A compliance checker to verify that a device complies with a policy is described. In one embodiment, the compliance checker comprises a compliance checker agent, to initiate the compliance check, in response to receiving the request, and an encryption checker to obtain an original data and a data stored on the storage. The system further comprises a comparator to determine whether known data read from the upper driver is identical to known data read from the lower driver. The compliance checker plug-in in one embodiment verifies the compliance status of the device, based on the data from the comparator.
    Type: Grant
    Filed: March 19, 2017
    Date of Patent: May 12, 2020
    Assignee: ALERTSEC, INC.
    Inventors: Ebba Ulrika Margareta Blitz, Leif Olov Billstrom, Kurt Uno Lennartsson, Hans Fredrik Loevstedt, Erik Magnus Ahlberg
  • Patent number: 10649919
    Abstract: In an information processing method, a query including a first encrypted feature value provided with confidential information unique to a user is received. The first encrypted feature value is generated by encrypting a first feature value calculated from privacy data of the user by using inner product encryption. A plurality of inner product values are acquired by computing an inner product of the first encrypted feature value and each of a plurality of second encrypted feature values. Privacy data of a plurality of pieces of privacy data having an inner product value of the first encrypted feature value and a second encrypted feature value with an encrypted reference feature value calculated from the privacy data being equal to or smaller than a predetermined threshold is transmitted. A secret key of the user is identified by using the confidential information when an unauthorized access is detected, and identification information is outputted.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: May 12, 2020
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Yuji Unagami, Naohisa Nishida, Shota Yamada, Nuttapong Attrapadung, Takahiro Matsuda, Goichiro Hanaoka
  • Patent number: 10637885
    Abstract: A method for configuring a network monitoring device is provided. One or more performance metrics associated with one or more thresholds to be configured are received from a user. Historical network traffic flow information associated with a previously detected malicious activity is analyzed to identify characteristic values for the one or more performance metrics. Threshold values are automatically configured based on the identified characteristic values.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: April 28, 2020
    Assignee: Arbor Networks, Inc.
    Inventors: James E. Winquist, William M. Northway, Jr., Ronald G. Hay, Nicholas Scott, Lawrence B. Huston, III
  • Patent number: 10630644
    Abstract: In a computer-implemented method for managing firewall flow records, firewall flow records of a virtual infrastructure including a distributed firewall are received, wherein the firewall flow records are captured according to firewall rules of the distributed firewall, and wherein the firewall flow records each include tuples and at least one field of network traffic data. Responsive to detecting a number of received firewall flow records exceeding a threshold value, it is determined whether the tuples are identical for any of the firewall flow records. Provided the tuples are not identical for any of the firewall flow records, the tuples for the firewall flow records are modified to generate modified firewall flow records. It is determined whether the tuples are identical for any of the modified firewall flow records.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: April 21, 2020
    Assignee: Nicira, Inc.
    Inventors: Shadab Shah, Kaushal Bansal, Uday Masurekar, Jerry Pereira, Sunitha Krishna
  • Patent number: 10609127
    Abstract: A system for providing an isolated testing model for testing the disaster recovery capabilities of a streamlined backup network backing up a primary network. The primary network provides one or more users access to critical data and critical services. The system is configured to be switched between a production mode and a test mode. When the system is in the test mode, the primary network and the streamlined backup network form a live production environment and the streamlined backup network provides the one or more users access to the critical data and the critical services in the event the primary network is unable to do so. When the system is in the test mode, the streamlined backup network is removed from the live production environment by physically and logically isolating the streamlined backup network from the primary network.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: March 31, 2020
    Assignee: Hartford Fire Insurance Company
    Inventors: Kerry R. Anderson, John G. Buccetti, Joseph E. Merola, Jr., Kenneth A. Saucier
  • Patent number: 10609070
    Abstract: Methods and systems provide network security by associating login credentials with a specific end-point. By doing so, valid user login credentials are not recognized when not used on a device authorized to use those credentials. By creating that association in a secure manner, the protection of confidential information becomes more complete and the leakage or theft of data such as usernames and passwords becomes less critical. Additionally, creating this hard association makes hacking tools such as password crackers and rainbow tables significantly less effective since the possession of a valid username/password is no longer sufficient for bad actors to access assets using this two-factor authentication model.
    Type: Grant
    Filed: March 9, 2017
    Date of Patent: March 31, 2020
    Inventor: Claude M. Farmer, III
  • Patent number: 10607021
    Abstract: A computing environment for monitoring usage of an application to identify characteristics and trigger security control includes an application system that performs a query configured to identify any application calls performed in a predetermined period of time within the computing environment; for each identified application call, builds a corresponding application characteristics entry in a database; for each identified application call, identifies a plurality of characteristics of the called application including at least one downstream resource; associates the identified plurality of characteristics with the application characteristics entry in the database, thereby creating an application mapping; identifies security controls associated with each of the applications in the application mapping; associates the identified security controls with the associated application characteristics entry in the application mapping; and automatically triggers assessment of an effectiveness of the security controls in re
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: March 31, 2020
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Katherine McDonald, Nicolette Boyd
  • Patent number: 10599532
    Abstract: Example methods and systems to validate integrity of data and one or more configurations in response to an upgrade in a virtualized computing environment are disclosed. One method may include preparing a first pre-upgrade backup file and a first post-upgrade backup file in response to a data plane upgrade of the virtualized computing environment and validating the integrity of data and one or more configurations based on the first pre-upgrade backup file and the first post-upgrade backup file before upgrading a control plane of the virtualized computing environment.
    Type: Grant
    Filed: March 8, 2018
    Date of Patent: March 24, 2020
    Assignee: NICIRA, INC.
    Inventors: Prashant Shelke, Sharwari Phadnis, Yogesh Vhora, Kartiki Kale, Neha Pratik Dhakate, Ganesh Avachare, Mohammad Siddiqui
  • Patent number: 10599410
    Abstract: An electronic device includes a communication circuit that communicates with an external device, a memory configured to store first setting data corresponding to a first time period, and a processor operatively connected with the communication circuit and the memory. The processor receives second setting data corresponding to a second time period from the external device through the communication circuit if a specified time point is reached, deletes at least a portion of the first setting data based on whether a status of a user is a login status or a logout status, and applies the second setting data to the electronic device.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: March 24, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Young Sik Kim, In Ku Kang, Yu Seung Kim, Tae Hyun Kim, Dong Ho Jang, Eun Jung Hyun