Security Protocols Patents (Class 726/14)
  • Patent number: 10594708
    Abstract: Systems and methods for optimizing system resources by selectively enabling various scanning functions of a network security device are provided. According to one embodiment, information specifying a set of reputable websites deemed to be trustworthy by one or more web filtering services is received by a network security device protecting a private network. One or more directives are received by the network security device from a network administrator via a GUI of the network security device identifying one or more security features that are to be disabled for the set of reputable websites. Network traffic is intercepted by the network security device from an external network. When it is determined by the network security device that the external network is among the set of reputable websites, the network security device foregoes application of the one or more identified security features to the network traffic.
    Type: Grant
    Filed: April 12, 2018
    Date of Patent: March 17, 2020
    Assignee: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 10587512
    Abstract: Some aspects of the methods and systems presented relate to performing stateless address translation between IPv4 capable devices to IPv6 capable networks and devices. Stateless address translation may form a new IPv6 address by combining the IPv4 address of a device with an IPv6 prefix address assigned to the translator. The translation may also combine the IPv4 destination address and UDP port information with the new IPv6 address. Existing Domain Name Systems (DNSs) may be leveraged for resolving the IPv4 and IPv6 addresses across different networks.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: March 10, 2020
    Assignee: Comcast Cable Communications, LLC
    Inventors: John Jason Brzozowski, Joseph Pryszlak
  • Patent number: 10581871
    Abstract: Controlled-environment facility resident electronic communications for controlled-environment facility resident communications and/or data devices disposed within a controlled-environment facility may employ a controlled-environment facility communications processing system, or the like. The controlled-environment facility communications processing system may be configured to host controlled-environment facility communications access services and accept a Cross-Origin Request Sharing (CORS) request from a non-resident device. These CORS requests may be for access to the controlled-environment facility communications access services for use by a controlled-environment facility communications Application Program Interface (API) running on the non-resident device to communicate with one of the controlled-environment facility resident devices.
    Type: Grant
    Filed: May 4, 2017
    Date of Patent: March 3, 2020
    Assignee: Securus Technologies, Inc.
    Inventor: Nikita Dehoumon
  • Patent number: 10581816
    Abstract: There are provided measures for supporting an authentication to an external packet data network over an untrusted access network, said measures exemplarily comprising authenticating a user equipment to a communication network providing connectivity for the user equipment across an unsecured access network in response to a first authentication request, wherein the authentication request is an authentication request of a key information exchange mechanism and includes authentication data, receiving a second authentication request for authenticating the user equipment towards a packet data network external to the communications network. The measures may further comprise creating a binding update message including the authentication data and identity information of the user received from the user equipment.
    Type: Grant
    Filed: February 8, 2017
    Date of Patent: March 3, 2020
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Anders Jan Olof Kall, Gyorgy Tamas Wolfner, Jouni Korhonen
  • Patent number: 10567343
    Abstract: Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: February 18, 2020
    Assignee: Centripetal Networks, Inc.
    Inventor: Sean Moore
  • Patent number: 10547764
    Abstract: An information processing apparatus includes plural communication interfaces, a specifying unit, a network determining unit, and a transmission controller. The plural communication interfaces are individually connected to plural communication networks having different security levels. The specifying unit specifies a destination terminal to which a file stored in a data memory is to be transmitted. The network determining unit determines a communication network, among the plural communication networks, via which the file is to be transmitted to the destination terminal. The transmission controller prohibits transmission of the file to the destination terminal in a case where a security level set to the file is higher than a security level set to the communication network determined by the network determining unit.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: January 28, 2020
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Akiko Mochizuki
  • Patent number: 10541872
    Abstract: Example implementations relate to network policy distribution. For example, a system for network policy distribution can include a state engine to determine a change in a state of a network, a policy engine to determine a number of policy changes based on the change in the state of the network, an identification engine to identify a number of network endpoints that correspond to the number of policy changes, and a distribution engine to load instructions based on the number of policy changes to the number of endpoints that correspond to the number of policy changes.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: January 21, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Duane E. Mentze, Charles F. Clark, Shaun Wackerly
  • Patent number: 10541906
    Abstract: A method includes, with a distributed telecommunication component, providing a plurality of first type nodes, each first type node configured to perform a signaling function. The method further includes, with the distributed telecommunication component, providing a plurality of second type nodes, each second type node configured to perform a media bearing function. At least one of the plurality of bearer nodes is geographically separate by a predetermined distance from at least one of the plurality of control nodes.
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: January 21, 2020
    Assignee: GENBAND US LLC
    Inventor: Paul Miller
  • Patent number: 10542014
    Abstract: Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures.
    Type: Grant
    Filed: May 11, 2016
    Date of Patent: January 21, 2020
    Assignee: International Business Machines Corporation
    Inventors: Xin Hu, Jiyong Jang, Douglas Lee Schales, Marc Philippe Stoecklin, Ting Wang
  • Patent number: 10530811
    Abstract: Example routing systems and methods are disclosed. In one realization, a first routing system and a second routing system are disposed within a vehicle. A computing system disposed within the vehicle is configured to communicate with a remote computing system via a network interface, with the first routing system being coupled to the network interface, the second routing system being coupled to the computing system, and the first routing system and second routing system being coupled via two independent, uncoupled, unidirectional data channels.
    Type: Grant
    Filed: August 11, 2017
    Date of Patent: January 7, 2020
    Assignee: VM-ROBOT, INC.
    Inventors: Alistair Black, Ashitosh Swarup
  • Patent number: 10523569
    Abstract: Concepts and technologies disclosed herein are directed to the dynamic creation and management of ephemeral coordinated feedback instances. In accordance with one aspect disclosed herein, a system can receive a feedback instance creation request. The feedback instance creation request can be received from a policy engine in response to the policy engine attempting to satisfy a policy request. The system can examine the feedback instance creation request to determine an objective to be met by a new feedback instance model. The system can build a specification for the new feedback instance model. The specification can be built in accordance with a feedback instance building policy. The system can create the new feedback instance model in accordance with the specification. The system can store the new feedback instance model and a unique identifier associated with the new feedback instance model in a feedback instance model repository.
    Type: Grant
    Filed: September 20, 2018
    Date of Patent: December 31, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: James W. Fan, Jeffrey A. Aaron
  • Patent number: 10524124
    Abstract: Example routing systems and methods are described. In one implementation, a first set of routing systems is interfaced with a network connection via a network interface. A second set of routing systems interfaced with a secure system is configured to receive information from the first set of routing systems via a first unidirectional data channel. In some embodiments, the first set of routing systems is configured to receive information from the second set of routing systems via a second unidirectional data channel. The secure system is not visible from the network interface.
    Type: Grant
    Filed: May 23, 2017
    Date of Patent: December 31, 2019
    Assignee: VM-ROBOT, INC.
    Inventors: Alistair Black, Ashitosh Swarup
  • Patent number: 10523665
    Abstract: Authentication can be performed on thin clients using independent mobile devices. Because many users have smart phones or other similar mobile devices that include biometric scanners, such mobile devices can be leveraged to perform authentication of users as part of logging in to a thin client desktop. A mapping can be created on a central server between a user's mobile device and the user's domain identity. A mapping can also be created between the user's domain identity and the user's thin client desktop. Then, when a user desires to log in to his thin client desktop, the user can employ the appropriate biometric scanner on his mobile device to perform authentication. The central server can then rely on this authentication to identify and log the user into his thin client desktop.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: December 31, 2019
    Assignee: Wyse Technology L.L.C.
    Inventors: Salil Joshi, Puneet Kaushik, Sumit Popli, Suruchi Dubey, Oleg Rombakh, Varun Raghavan
  • Patent number: 10484334
    Abstract: An application profile is provided to manage security of an application deployed across two or more cloud computing networks. A user can define in the application profile first and second server groups, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber. A firewall rule is generated based on the computing flow. The firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: November 19, 2019
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Hung Chuen Jason Lee
  • Patent number: 10466916
    Abstract: A system including a baseboard management controller (BMC) and a storage device connected to the BMC, for dynamic protection of the storage device. The BMC includes a processor and a non-volatile memory storing a computer executable code. The computer executable code, when executed at the processor, is configured to: perform redirection of the storage device; receive a write protect command including write protect information of the storage device; extract the write protect information from the write protect command; store the write protect information in a data store of the non-volatile memory; and in response to receiving a write command to write data in the storage device, determine whether the data is writable to the storage device based on the write protect information stored in the data store. The data is written to the storage device only if it is determined that the data is writable to the storage device.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: November 5, 2019
    Assignee: AMERICAN MEGATRENDS INTERNATIONAL, LLC
    Inventor: Satheesh Thomas
  • Patent number: 10467432
    Abstract: Computer systems and methods for: (1) analyzing electronic correspondence associated with a data subject (e.g., the emails within one or more email in-boxes associated with the data subject); (2) based on the analysis, identifying at least one entity that the data subject does not actively do business with (e.g., as evidenced by the fact that the data subject no longer opens emails from the entity, and/or has set up a rule to automatically delete emails received from the entity); and (3) in response to identifying the entity as an entity that the data subject no longer does business with, at least substantially automatically populating and/or submitting a data subject access request to the entity (e.g., to delete all personal information being processed by the entity).
    Type: Grant
    Filed: October 13, 2018
    Date of Patent: November 5, 2019
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Kevin Jones, Jonathan Blake Brannon
  • Patent number: 10460097
    Abstract: A destination server communicates with a computer system using cryptographically protected communications utilizing a first negotiable feature. The destination server detects a triggering event and, in response to the triggering event, causes the cryptographically protected communications with the computer system to change from the first negotiable feature to a second negotiable feature. As a result of stored data indicating that the computer system fails to support the second negotiable feature, the destination server initiates a security measure.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: October 29, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Nima Sharifi Mehr, Eric Desmond Keith Villiers
  • Patent number: 10439890
    Abstract: This disclosure relates to managing Fog computations between a coordinating node and Fog nodes. In one embodiment, a method for managing Fog computations includes receiving a task data and a request for allocation of at least a subset of a computational task. The task data includes data subset and task constraints associated with at least the subset of the computational task. The Fog nodes capable of performing the computational task are characterized with node characteristics to obtain resource data associated with the Fog nodes. Based on the task data and the resource data, an optimization model is derived to perform the computational task by the Fog nodes. The optimization model includes node constraints including battery degradation constraint, communication path loss constraint, and heterogeneous computational capacities of Fog nodes. Based on the optimization model, at least the subset of the computational task is offloaded to a set of Fog nodes.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: October 8, 2019
    Assignee: Tata Consultancy Services Limited
    Inventors: Ajay Kattepur, Hemant Kumar Rath, Anantha Simha
  • Patent number: 10432732
    Abstract: At least one processor is configured to cause a communication unit to transmit a log-in request including an account and designation of a security mode to a service server via a relay device when the security mode is set and to transmit a log-in request including an account and designation of a normal mode to the service server via the relay device when the normal mode is set. The at least one processor is configured to cause the communication unit to log in to the service server when permission of the log-in request is received from the service server via the relay device.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: October 1, 2019
    Assignee: KYOCERA CORPORATION
    Inventor: Noritake Shiga
  • Patent number: 10419378
    Abstract: A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email and if the email has been determined to be non-spam and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: September 17, 2019
    Assignee: SONICWALL INC.
    Inventors: Scott K. Eikenberry, John Gmuender, Akbal Singh Karlcut, MichaelCarl Y. Uy, Boris Yanovsky
  • Patent number: 10412057
    Abstract: A service access method and an apparatus. A secure transmission proxy apparatus performs verification and management on service permission, which reduces networking costs of a service server side and workload of reconstruction and maintenance of the service server side, and enhances communication security. A solution includes: decrypting, by a secure transmission proxy apparatus, a service request message sent by a client, where the service request message includes a service type; performing verification on service permission of a decrypted service request message according to the service type; performing protocol conversion on the decrypted service request message if the service permission verification succeeds; and sending a service request message obtained after the protocol conversion to a service server side, so that the service server side executes a corresponding service according to the service request message obtained after the protocol conversion.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: September 10, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Cheng Liu
  • Patent number: 10412216
    Abstract: One embodiment relates to a processing method for a communication intended for at least one receiving terminal. The method may comprise receiving a communication intended for the at least one receiving terminal and obtaining a certified identifier and an uncertified identifier of a sender of the communication, the identifiers being comprised in a signal message for the communication. The method may further comprise comparing the certified identifier with the uncertified identifier and processing the communication including a process for searching for the certified identifier in a list containing certified identifiers for senders associated with uncertified identifiers of those senders; the processing process being based on the results of the comparison process and the searching process.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: September 10, 2019
    Assignee: ORANGE
    Inventors: Bertrand Bouvet, François Toutain
  • Patent number: 10402048
    Abstract: System and method for preventing undesirable smart device communications. A system includes memory for storing a list of contacts, the memory integrated into a smart device; and a locking application configured to permit a user to select and lock one or more contacts included within said list of contacts such that the user is unable to communicate with the selected one or more contacts via said smart device. The locking application may be further configured to permit a user to select a pre-established time period during which the one or more selected contacts remain locked. Challenges may be presented to the user to unlock the contacts in advance of the lockout time expiring. Optional features include GPS tracking, rewards, ride and networking modules.
    Type: Grant
    Filed: October 8, 2015
    Date of Patent: September 3, 2019
    Assignee: Colossus Mobile Applications LLC
    Inventor: Eric Carman
  • Patent number: 10396995
    Abstract: A method of providing a hash value for a piece of data is disclosed, where the hash value provides for a time-stamp for the piece of data upon verification, for limiting a risk of collisions between hash values. The method comprises collecting one or more root time-stamps for a root of a hash tree structure defining a hash function, wherein the root time-stamp is a root time-stamp from the past, determining whether a nonce may be received from a server, and upon failure to receive the nonce from the server, providing the hash value by a hash function of the root time-stamp and the piece of data, or upon success in receiving the nonce from the server, providing the hash value by the hash function of the root time-stamp, the piece of data and the nonce. An electronic device and a computer program are also disclosed.
    Type: Grant
    Filed: January 18, 2016
    Date of Patent: August 27, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Martin Hell, Bernard Smeets
  • Patent number: 10367963
    Abstract: The second connector of the image forming apparatus behind the firewall connects to the first connector of the management server to establish a session. The web browser of the personal computer sends an HTTP request to the first compressor on the basis of an instruction from a user, a destination of the HTTP request being the web server unit of the image forming apparatus. The first compressor of the management server compresses the HTTP request received from the web browser to generate first compressed data, and sends the generated first compressed data to the second decompressor of the image forming apparatus through a communication path established between the first connector and the second connector. The second decompressor of the image forming apparatus decompresses the first compressed data received from the first compressor to reproduce the original HTTP request, and sends the HTTP request to the web server unit.
    Type: Grant
    Filed: September 15, 2017
    Date of Patent: July 30, 2019
    Assignee: KYOCERA DOCUMENT SOLUTIONS INC.
    Inventor: Takanao Kawai
  • Patent number: 10360376
    Abstract: A method is supplied for operating a computer unit, wherein on the computer unit an application can be executed which can access the functions of a crypto API, wherein the functions of the crypto API can be supplied by at least one crypto implementation on the computer unit. The method therein includes the following steps of: executing the application on the computer unit; checking what crypto implementations are available on the computer unit; and selecting one of the available crypto implementations as that crypto implementation which supplies the functions of the crypto API.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: July 23, 2019
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventors: Laszlo Marton, Oliver Mihatsch
  • Patent number: 10346367
    Abstract: An access node of a distributed service collects workload data pertaining to at least one peer group of access nodes established for handling client requests. During a particular load shedding analysis, the access node uses the collected metrics to detect that a triggering condition for load shedding with respect to a set of persistent client connections has been met. Each persistent client connection is set up to be usable for a plurality of client requests. The access node initiates a phased termination of at least one selected persistent client connection. The phased termination comprises allowing completion of in-flight requests on the connection and rejecting new requests on the connection.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: July 9, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Jacob David Luszcz, Jacob A. Strauss
  • Patent number: 10341432
    Abstract: Optimizing web page loading by condensing web requests for files of a certain kind, format, or style. A system for web page loading may incorporate an embedded device having a processor, a web browser, and a web server for the embedded device connected to the web browser. One or more requests to the web server for files may be made by the web browser. Grouping a number of files of modules into one or a smaller number of files may speed up loading the files or requests for a web page. The one or more requests made by the web browser or the grouping the number of files into one or more files may be effected by a processor. The embedded device may combine resources on the fly, during runtime or dynamically into fewer resources when a request to do so is made.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: July 2, 2019
    Assignee: Honeywell International Inc.
    Inventor: Gareth Johnson
  • Patent number: 10341299
    Abstract: In a computer-implemented method for collecting firewall flow records, firewall flow records are received from a plurality of data end nodes of a virtualized infrastructure comprising a distributed firewall according to a collection schedule, wherein the collection schedule defines which data end nodes of the plurality of data end nodes from which firewall flow records are collected, a frequency of collection of firewall flow records from the data end nodes, and an amount of firewall flow records collected from the data end nodes. Firewall flow records received at a firewall flow record collection queue are processed, such that the received firewall flow records are prepared for storage at a flow record data store.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: July 2, 2019
    Assignee: Nicira, Inc.
    Inventors: Kaushal Bansal, Medhavi Dhawan, Jerry Pereira, Shadab Shah, Sameer Kurkure
  • Patent number: 10333942
    Abstract: Methods, computing systems and computer program products implement embodiments of the present invention that include associating one or more client domains with a computer executing an LDAP client, defining one or more client roles for each of one or more client domains, and associating one or more privileges with each of the client roles. Upon detecting a login of a client user having a client user name, the client user name is conveyed to an LDAP server, and in response, one or more client groups are received from the LDAP server, each given client group comprising a server role and a server domain. For each received client group having a respective server domain matching a given client domain, the respective server role is matched to a given client role, and the one or more privileges associated with the given client role are assigned to the client user.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: June 25, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Ron S. Shapiro
  • Patent number: 10313423
    Abstract: A method and an apparatus for realizing web service. An apparatus having a binary web service interface to communicate with nodes operationally connected to the apparatus using a binary web service, the nodes having one or more resources, the binary web service interface being configured to receive information from a node whenever a resource of a node changes or whenever a pre-configured event regarding a resource occurs. The apparatus also has an interface for communicating with web applications making use of the resources and a component for receiving subscriptions regarding the information received from the nodes and providing the subscribed information.
    Type: Grant
    Filed: February 20, 2017
    Date of Patent: June 4, 2019
    Assignee: Arm Finland OY
    Inventors: Zachary Shelby, Sampo Ukkola
  • Patent number: 10305972
    Abstract: A system for providing an isolated testing model for testing the disaster recovery capabilities of a streamlined backup network backing up a primary network. The primary network provides one or more users access to critical data and critical services. The system is configured to be switched between a production mode and a test mode. When the system is in the test mode, the primary network and the streamlined backup network form a live production environment and the streamlined backup network provides the one or more users access to the critical data and the critical services in the event the primary network is unable to do so. When the system is in the test mode, the streamlined backup network is removed from the live production environment by physically and logically isolating the streamlined backup network from the primary network.
    Type: Grant
    Filed: April 23, 2018
    Date of Patent: May 28, 2019
    Assignee: Hartford Fire Insurance Company
    Inventors: Kerry R Anderson, John G Buccetti, Joseph E Merola, Jr., Kenneth A Saucier
  • Patent number: 10264019
    Abstract: A device such as a smartphone may communicate with a server or other network entity using encrypted communications, making it difficult to examine such communications for purposes of identifying communication issues that may affect user QoE (quality of experience). In certain embodiments, an application may be modified to log communication data before encryption and after decryption. For example, the application program may be decompiled and logging instructions may be inserted before portions that result in data encryption and after portions where received data is decrypted. The modified application program may then be recompiled and executed on a device to produce an unencrypted log of data. In other embodiments, elements of the device operating system may be modified to log data before encryption and after decryption.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: April 16, 2019
    Assignee: T-Mobile USA, Inc.
    Inventor: Peter P. Myron
  • Patent number: 10218675
    Abstract: Devices, methods, systems, and computer-readable media for legacy device securitization within a microgrid system are described herein. One or more embodiments include a system having a microgrid network with at least one remote network connection to a non-local network device and the network having at least one local legacy device in communication with the non-local network device and a bump-in-the-wire (BITW) security device between the local legacy device and the at least one remote connection.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: February 26, 2019
    Assignee: Honeywell International Inc.
    Inventors: Apurva Mohan, Himanshu Khurana, Gregory Brainard, Scott Fischer
  • Patent number: 10154005
    Abstract: The invention presented herein is a system and method for automatically discovering communication capabilities for direct communication between endpoints across one or more unknown networks, the system comprising: a plurality of network enabled endpoints configured with a module in wireless communication with a management database, the module configured to establish a communication path for direct communication between the network-enabled endpoints, independent of a NAT router.
    Type: Grant
    Filed: January 19, 2018
    Date of Patent: December 11, 2018
    Inventors: Gary Mitchell, Scott Whittle, Kurt Quasebarth
  • Patent number: 10146964
    Abstract: Embodiments herein relate to a die to form a system-on-chip (SOC) with one or more other dies, with a policy arbitrator (PA) disposed on the die to manage security policies of the plurality of dies of the SOC, where the PA is to receive information about a security policy and a die type from a first of the one or more other dies, compare at least the received information about the security policy and the die type of the first other die with a security policy and a die type of the die, determine, based on the comparison, a common security policy for the plurality of dies of the SOC, and transmit the determined common security policy and the die type of the die to at least a second of the one or more other dies.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: December 4, 2018
    Assignee: INTEL CORPORATION
    Inventors: Neel Shah, Michael Neve De Mevergnies
  • Patent number: 10140447
    Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving parameters defining a detection technique, an attack scenario, and detection logic, receiving configuration data that is specific to a target system that is to be monitored, providing an attack pattern based on the parameters and the configuration data, monitoring the target system based on the attack pattern and data provided by one or more logs of the target system, and selectively generating, based on monitoring, an alert indicating a potential end-to-end intrusion into the target system.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: November 27, 2018
    Assignee: SAP SE
    Inventors: Mohammad Ashiqur Rahaman, Cedric Hebert, Juergen Frank
  • Patent number: 10136311
    Abstract: The subject matter describes devices, networks, systems, media, and methods to create secure communications between wireless devices and cellular networks, where the wireless devices communicate with the cellular networks via multi-hopping methods in non-cellular networks.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: November 20, 2018
    Assignee: M87, INC.
    Inventors: Vidur Bhargava, Eric Kord Henderson, Peter Matthew Feldman
  • Patent number: 10135793
    Abstract: Methods and a system are provided that, in turn, are for providing security between a user device and a computer related device. A method includes providing a distributed registry service that specifies a plurality of services available to support communications between the user device and the computer related device. The method further includes at least one of dynamically constructing and altering one or more multi-node transient processing pathways between the user device and the computer related device based on respective selected ones of the plurality of services. For at least one node in each of the one or more transient processing pathways, an address thereof and a time period the at least one node is active and capable of being used is set or changed, based on at least one of an application programming interface type and a data request type implicated by a received packet.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: November 20, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Timothy Durniak, Robert R. Friedlander, James R. Kraemer, Jeb Linton
  • Patent number: 10129156
    Abstract: Concepts and technologies disclosed herein are directed to the dynamic creation and management of ephemeral coordinated feedback instances. In accordance with one aspect disclosed herein, a system can receive a feedback instance creation request. The feedback instance creation request can be received from a policy engine in response to the policy engine attempting to satisfy a policy request. The system can examine the feedback instance creation request to determine an objective to be met by a new feedback instance model. The system can build a specification for the new feedback instance model. The specification can be built in accordance with a feedback instance building policy. The system can create the new feedback instance model in accordance with the specification. The system can store the new feedback instance model and a unique identifier associated with the new feedback instance model in a feedback instance model repository.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: November 13, 2018
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: James W. Fan, Jeffrey A. Aaron
  • Patent number: 10122622
    Abstract: A method implemented by a network element (NE), comprising receiving a classification message comprising a classification rule for identifying a service function chain (SFC) in a network, wherein the SFC comprises an ordered set of service functions (SFs) that provides services to an application, and a dynamic application-specific contextual data associated with an operation of the application, receiving a first of a plurality of application data packets, determining that the first of the application data packets matches the classification rule, generating a first SFC packet by adding the dynamic application-specific contextual data to the first of the application data packets according to the classification rule to enable communication of the dynamic application-specific contextual data to at least one of the SFs in the SFC, and sending the first SFC packet towards a next NE according to an SF path in the network associated with the SFC.
    Type: Grant
    Filed: May 29, 2015
    Date of Patent: November 6, 2018
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xiaobo Wang, Hong Zhang
  • Patent number: 10102379
    Abstract: Published enterprise threat detection (ETD) security notes are accessed in a computer data store. Applicability of the published ETD security notes is determined for an information technology computing (IT) landscape. A determination is made that a particular applicable ETD security note has not yet been implemented in the IT computing landscape. Aggregated impact of compromise (IoC) and state of compromise (SoC) values associated with the published ETD security note are analyzed and a computing system patching action is performed based on the aggregated IoC and SoC values.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: October 16, 2018
    Assignee: SAP SE
    Inventors: Hartwig Seifert, Nan Zhang, Harish Mehta, Florian Chrosziel, Hristina Dinkova, Thomas Kunz, Lin Luo, Rita Merkel, Wei-Guo Peng, Eugen Pritzkau, Marco Rodeck
  • Patent number: 10078648
    Abstract: In general, in one aspect, a method for managing data in a data storage system includes receiving identifiers corresponding to different respective entries of a map stored in the data storage system, with a particular identifier corresponding to a particular entry of the map, the particular entry including a computed value corresponding to a particular portion of data stored in the data storage system and metadata indicating a location where the particular portion of data is stored in the data storage system, selecting, according to a first selection criterion, at least some of the identifiers for storage in a first portion of an index, and selecting, according to a second selection criterion, at least some of the identifiers for storage in a second portion of the index.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: September 18, 2018
    Assignee: Red Hat, Inc.
    Inventors: Michael Fortson, Jonathan Coburn, Michael Sclafani, Thomas Jaskiewicz, Assar Westerlund, Hooman Vassef
  • Patent number: 10050781
    Abstract: Embodiments of the present application provide apparatus and methods for generating a shared key, including setting up a key negotiation connection, and determining an algorithm code by negotiating using the key negotiation connection. An algorithm corresponding to the algorithm code is retrieved from a pre-stored algorithm library, and a pre-stored seed key is calculated using the algorithm to obtain a shared key. Compared with traditional key generation methods, embodiments of the present invention avoid the problem of a high bit error rate that occurs in the traditional quantum key generation methods, especially quantum key generation methods. One exemplary method determines an algorithm code through negotiation, retrieves a pre-stored algorithm corresponding to the algorithm code, and generates a new shared key using a seed key.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: August 14, 2018
    Assignee: Alibaba Group Holding Limited
    Inventors: Peng Yuan, Yingfang Fu, Shaojie Liu, Zhiqiang Wang
  • Patent number: 10050954
    Abstract: A method may include performing secure device configuration, via a configuration service manager device, for a SIP user device. The method includes monitoring, via the configuration service manager device, the SIP user device for device authentication problems, configuration file download problems, device registration problems and device third party registration problems. The method may also include detecting the device authentication problems, and logging and reporting the detected device authentication problems. The method may also include automated testing of the device and logging and reporting of detected device test problems. The method further includes resolving the detected device authentication, registration or testing problems.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: August 14, 2018
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, Robert A. Sartini, Tim D. Paiement, Elliot G. Eichen
  • Patent number: 10038646
    Abstract: Provided are a method and apparatus for acquiring a port range resource, and method and apparatus for allocating a port range resource. In the method, a first Router Solicitation (RS) message is sent to a server-end device, wherein information carried in the first RS message includes at least one of an Internet Protocol (IP) address multiplexing request and a port range resource allocation request; and a Router Advertisement (RA) message from the server-end device is received, wherein information carried in the RA message includes: a port range resource allocated according to the IP address multiplexing request and/or according to the port range resource allocation request. By virtue of the technical solution, an Address Plus Port (A+P) technology can be applied to an application scenario where stateless configuration of an Internet Protocol Version 6 (IPv6) address is performed via Neighbour Discovery (ND), thereby expanding the application range of the A+P technology.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: July 31, 2018
    Assignee: ZTE CORPORATION
    Inventor: Kun Zheng
  • Patent number: 10037422
    Abstract: Embodiments as disclosed herein may provide systems and methods for component integration and security. In particular, in one embodiment, a native component that presents a network based interface may be on a device, where that native component may expose a network based interface for access by other components. This native component can then be accessed through the network based interface. To address security concerns and other issues, the native component may be configured to determine if a received request is associated with the same user space and only respond to requests originating from the same user space.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: July 31, 2018
    Assignee: Open Text SA ULC
    Inventors: Jonathan Carroll, Michel Gagnon, Gregory Pekofsky, Khanh Tuan Vu
  • Patent number: 9985956
    Abstract: A client authentication system receives authentication requests associated with a web page in response to a client computing system requesting access to the web page. The authentication system determines whether a storage device contains configurations for the authentication requests. The authentication system configures client authentication for the client authentication requests in view of whether the storage device includes the configurations for the authentication requests. The GUI allows control to change the client authentication configuration for at least one of the authentication requests.
    Type: Grant
    Filed: November 16, 2015
    Date of Patent: May 29, 2018
    Assignee: Red Hat, Inc.
    Inventor: Kai Wolfgang Engert
  • Patent number: 9979738
    Abstract: Described is a system for detecting attacks on networks. A hierarchical representation of activity of a communication network is used to detect and predict sources of misinformation in the communication network. The hierarchical representation includes temporal patterns of communication between at least one pair of nodes, each temporal pattern representing a motif, having a size, in the hierarchical representation. Changes in motifs provide a signal for a misinformation attack.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: May 22, 2018
    Assignee: HRL Laboratories, LLC
    Inventors: Gavin D. Holland, Michael D. Howard, Chong Ding, Tsai-Ching Lu
  • Patent number: 9973570
    Abstract: A system for providing an isolated testing model for testing the disaster recovery capabilities of a streamlined backup network backing up a primary network. The primary network provides one or more users access to critical data and critical services. The system is configured to be switched between a production mode and a test mode. When the system is in the production mode, the primary network and the streamlined backup network form a live production environment and the streamlined backup network provides the one or more users access to the critical data and the critical services in the event the primary network is unable to do so. When the system is in the test mode, the streamlined backup network is removed from the live production environment by physically and logically isolating the streamlined backup network from the primary network.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: May 15, 2018
    Assignee: Hartford Fire Insurance Company
    Inventors: Kerry R Anderson, John G Buccetti, Joseph E Merola, Jr., Kenneth A Saucier