Abstract: The present technology pertains to a organization directory hosted by a synchronized content management system. The corporate directory can provide access to user accounts for all members of the organization to all content items in the organization directory on the respective file systems of the members' client devices. Members can reach any content item at the same path as other members relative to the organization directory root on their respective client device. In some embodiments novel access permissions are granted to maintain path consistency.

Abstract: A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.

Abstract: Techniques are described for processing anomalies detected using user-specified rules with anomalies detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network. In an embodiment, anomalies are detected based on processing event data at a network security system that used rules-based anomaly detection. These rules-based detected anomalies are acquired by a network security system that uses machine-learning based anomaly detection. The rules-based detected anomalies are processed along with machine learning detected anomalies to detect threat indicators or security threats to the computer network. The threat indicators and security threats are output as alerts to the network security system that used rules-based anomaly detection.

Abstract: A compliance checker to verify that a device complies with a policy is described. In one embodiment, the compliance checker comprises a compliance checker agent, to initiate the compliance check, in response to receiving the request, and an encryption checker to obtain an original data and a data stored on the storage. The system further comprising a comparator to determine whether known data read from the upper driver is identical to known data read from the lower driver. The compliance checker plug-in in one embodiment verifies the compliance status of the device, based on the data from the comparator.

Abstract: In an information processing method, a query including a first encrypted feature value provided with confidential information unique to a user is received. The first encrypted feature value is generated by encrypting a first feature value calculated from privacy data of the user by using inner product encryption. A plurality of inner product values are acquired by computing an inner product of the first encrypted feature value and each of a plurality of second encrypted feature values. Privacy data of a plurality of pieces of privacy data having an inner product value of the first encrypted feature value and a second encrypted feature value with an encrypted reference feature value calculated from the privacy data being equal to or smaller than a predetermined threshold is transmitted. A secret key of the user is identified by using the confidential information when an unauthorized access is detected, and identification information is outputted.

Abstract: A method for configuring a network monitoring device is provided. One or more performance metrics associated with one or more thresholds to be configured are received from a user. Historical network traffic flow information associated with a previously detected malicious activity is analyzed to identify characteristic values for the one or more performance metrics. Threshold values are automatically configured based on the identified characteristic values.

Abstract: In a computer-implemented method for managing firewall flow records, firewall flow records of a virtual infrastructure including a distributed firewall are received, wherein the firewall flow records are captured according to firewall rules of the distributed firewall, and wherein the firewall flow records each include tuples and at least one field of network traffic data. Responsive to detecting a number of received firewall flow records exceeding a threshold value, it is determined whether the tuples are identical for any of the firewall flow records. Provided the tuples are not identical for any of the firewall flow records, the tuples for the firewall flow records are modified to generate modified firewall flow records. It is determined whether the tuples are identical for any of the modified firewall flow records.

Abstract: A computing environment for monitoring usage of an application to identify characteristics and trigger security control includes an application system that performs a query configured to identify any application calls performed in a predetermined period of time within the computing environment; for each identified application call, builds a corresponding application characteristics entry in a database; for each identified application call, identifies a plurality of characteristics of the called application including at least one downstream resource; associates the identified plurality of characteristics with the application characteristics entry in the database, thereby creating an application mapping; identifies security controls associated with each of the applications in the application mapping; associates the identified security controls with the associated application characteristics entry in the application mapping; and automatically triggers assessment of an effectiveness of the security controls in re

Abstract: Methods and systems provide network security by associating login credentials with a specific end-point. By doing so, valid user login credentials are not recognized when not used on a device authorized to use those credentials. By creating that association in a secure manner, the protection of confidential information becomes more complete and the leakage or theft of data such as usernames and passwords becomes less critical. Additionally, creating this hard association makes hacking tools such as password crackers and rainbow tables significantly less effective since the possession of a valid username/password is no longer sufficient for bad actors to access assets using this two-factor authentication model.

Abstract: A system for providing an isolated testing model for testing the disaster recovery capabilities of a streamlined backup network backing up a primary network. The primary network provides one or more users access to critical data and critical services. The system is configured to be switched between a production mode and a test mode. When the system is in the test mode, the primary network and the streamlined backup network form a live production environment and the streamlined backup network provides the one or more users access to the critical data and the critical services in the event the primary network is unable to do so. When the system is in the test mode, the streamlined backup network is removed from the live production environment by physically and logically isolating the streamlined backup network from the primary network.

Abstract: An electronic device includes a communication circuit that communicates with an external device, a memory configured to store first setting data corresponding to a first time period, and a processor operatively connected with the communication circuit and the memory. The processor receives second setting data corresponding to a second time period from the external device through the communication circuit if a specified time point is reached, deletes at least a portion of the first setting data based on whether a status of a user is a login status or a logout status, and applies the second setting data to the electronic device.

Abstract: Example methods and systems to validate integrity of data and one or more configurations in response to an upgrade in a virtualized computing environment are disclosed. One method may include preparing a first pre-upgrade backup file and a first post-upgrade backup file in response to a data plane upgrade of the virtualized computing environment and validating the integrity of data and one or more configurations based on the first pre-upgrade backup file and the first post-upgrade backup file before upgrading a control plane of the virtualized computing environment.

Abstract: Systems and methods for optimizing system resources by selectively enabling various scanning functions of a network security device are provided. According to one embodiment, information specifying a set of reputable websites deemed to be trustworthy by one or more web filtering services is received by a network security device protecting a private network. One or more directives are received by the network security device from a network administrator via a GUI of the network security device identifying one or more security features that are to be disabled for the set of reputable websites. Network traffic is intercepted by the network security device from an external network. When it is determined by the network security device that the external network is among the set of reputable websites, the network security device foregoes application of the one or more identified security features to the network traffic.

Abstract: Some aspects of the methods and systems presented relate to performing stateless address translation between IPv4 capable devices to IPv6 capable networks and devices. Stateless address translation may form a new IPv6 addresses by combining the IPv4 address of a device with an IPv6 prefix address assigned to the translator. The translation may also combine the IPv4 destination address and UDP port information with the new IPv6 address. Existing Domain Name Systems (DNSs) may be leveraged for resolving the IPv4 and IPv6 addresses across different networks.

Abstract: There are provided measures for supporting an authentication to an external packet data network over an untrusted access network, said measures exemplarily comprising authenticating a user equipment to a communication network providing connectivity for the user equipment across an unsecured access network in response to a first authentication request, wherein the authentication request is an authentication request of a key information exchange mechanism and includes authentication data, receiving a second authentication request for authenticating the user equipment towards a packet data network external to the communications network. The measures may further comprise creating a binding update message including the authentication data and identity information of the user received from the user equipment.

Abstract: Controlled-environment facility resident electronic communications for controlled-environment facility resident communications and/or data devices disposed within a controlled-environment facility may employ a controlled-environment facility communications processing system, or the like. The controlled-environment facility communications processing system, may be configured to host controlled-environment facility communications access services and accept a Cross-Origin Request Sharing (CORS) request from a non-resident device. These CORS requests may be for access to the controlled-environment facility communications access services for use by a controlled-environment facility communications Application Program Interface (API) running on the non-resident device to communicate with one of the controlled-environment facility resident devices.

Abstract: Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

Abstract: An information processing apparatus includes plural communication interfaces, a specifying unit, a network determining unit, and a transmission controller. The plural communication interfaces are individually connected to plural communication networks having different security levels. The specifying unit specifies a destination terminal to which a file stored in a data memory is to be transmitted. The network determining unit determines a communication network, among the plural communication networks, via which the file is to be transmitted to the destination terminal. The transmission controller prohibits transmission of the file to the destination terminal in a case where a security level set to the file is higher than a security level set to the communication network determined by the network determining unit.

Abstract: Example implementations relate to network policy distribution. For example, a system for network policy distribution can include a state engine to determine a change in a state of a network, a policy engine to determine a number of policy changes based on the change in the state of the network, an identification engine to identify a number of network endpoints that correspond to the number of policy changes, and a distribution engine to load instructions based on the number of policy changes to the number of endpoints that correspond to the number of policy changes.

Abstract: A method includes, with a distributed telecommunication component, providing a plurality of first type nodes, each first type node configured to perform a signaling function. The method further include, with the distributed telecommunication component, providing a plurality of second type nodes, each second type node configured to perform a media bearing function. At least one of the plurality of bearer nodes is geographically separate by a predetermined distance from at least one of the plurality of control nodes.

Abstract: Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures.

Abstract: Example routing systems and methods are disclosed. In one realization, a first routing system and a second routing system are disposed within a vehicle. A computing system disposed within the vehicle is configured to communicate with a remote computing system via a network interface, with the first routing system being coupled to the network interface, the second routing system being coupled to the computing system, and the first routing system and second routing system being coupled via two independent, uncoupled, unidirectional data channels.

Abstract: Example routing systems and methods are described. In one implementation, a first set of routing systems is interfaced with a network connection via a network interface. A second set of routing systems interfaced with a secure system is configured to receive information from the first set of routing systems via a first unidirectional data channel. In some embodiments, the first set of routing systems is configured to receive information from the second set of routing systems via a second unidirectional data channel. The secure system is not visible from the network interface.

Abstract: Concepts and technologies disclosed herein are directed to the dynamic creation and management of ephemeral coordinated feedback instances. In accordance with one aspect disclosed herein, a system can receive a feedback instance creation request. The feedback instance creation request can be received from a policy engine in response to the policy engine attempting to satisfy a policy request. The system can examine the feedback instance creation request to determine an objective to be met by a new feedback instance model. The system can build a specification for the new feedback instance model. The specification can be built in accordance with a feedback instance building policy. The system can create the new feedback instance model in accordance with the specification. The system can store the new feedback instance model and a unique identifier associated with the new feedback instance model in a feedback instance model repository.

Abstract: Authentication can be performed on thin clients using independent mobile devices. Because many users have smart phones or other similar mobile devices that include biometric scanners, such mobile devices can be leveraged to perform authentication of users as part of logging in to a thin client desktop. A mapping can be created on a central server between a user's mobile device and the user's domain identity. A mapping can also be created between the user's domain identity and the user's thin client desktop. Then, when a user desires to log in to his thin client desktop, the user can employ the appropriate biometric scanner on his mobile device to perform authentication. The central server can then rely on this authentication to identify and log the user into his thin client desktop.

Abstract: An application profile is provided to manage security of an application deployed across two or more cloud computing networks. A user can define in the application profile first and second server groups, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber. A firewall rule is generated based on the computing flow. The firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.

Abstract: Computer systems and methods for: (1) analyzing electronic correspondence associated with a data subject (e.g., the emails within one or more email in-boxes associated with the data subject); (2) based on the analysis, identifying at least one entity that that the data subject does not actively do business with (e.g., as evidenced by the fact that the data subject no longer opens emails from the entity, and/or has set up a rule to automatically delete emails received from the entity); and (3) in response to identifying the entity as an entity that the data subject no longer does business with, at least substantially automatically populating and/or submitting a data subject access request to the entity (e.g., to delete all personal information being processed by the entity).

Abstract: A system including a baseboard management controller (BMC) and a storage device connected to the BMC, for dynamic protection of the storage device. The BMC includes a processor and a non-volatile memory storing a computer executable code. The computer executable code, when executed at the processor, is configured to: perform redirection of the storage device; receive a write protect command including write protect information of the storage device; extract the write protect information from the write protect command; store the write protect information in a data store of the non-volatile memory; and in response to receiving a write command to write data in the storage device, determine whether the data is writable to the storage device based on the write protect information stored in the data store. The data is written to the storage device only if it is determined that the data is writable to the storage device.

Abstract: A destination server communicates with a computer system using cryptographically protected communications utilizing a first negotiable feature. The destination server detects a triggering event and, in response to the triggering event, causes the cryptographic protected communications with the computer system to change from the first negotiable feature to a second negotiable feature. As a result of stored data indicating that the computer system fails to support the second negotiable feature, the destination server initiates a security measure.

Abstract: This disclosure relates to managing Fog computations between a coordinating node and Fog nodes. In one embodiment, a method for managing Fog computations includes receiving a task data and a request for allocation of at least a subset of a computational task. The task data includes data subset and task constraints associated with at least the subset of the computational task. The Fog nodes capable of performing the computational task are characterized with node characteristics to obtain resource data associated with the Fog nodes. Based on the task data and the resource data, an optimization model is derived to perform the computational task by the Fog nodes. The optimization model includes node constraints including battery degradation constraint, communication path loss constraint, and heterogeneous computational capacities of Fog nodes. Based on the optimization model, at least the subset of the computational task is offloaded to a set of Fog nodes.

Abstract: At least one processor is configured to cause a communication unit to transmit log-in request including an account and designation of a security mode to a service server via a relay device when the security mode is set and to transmit a log-in request including an account and designation of a normal mode to the service server via the relay device when the normal mode is set. The at least one processor is configured to the communication unit to log in the service server when permission of the log-in request is received from the service server via the relay device.

Abstract: A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email and if the email has been determined to be non-spun and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery.

Abstract: A service access method and an apparatus. A secure transmission proxy apparatus performs verification and management on service permission, which reduces networking costs of a service server side and workload of reconstruction and maintenance of the service server side, and enhances communication security. A solution includes: decrypting, by a secure transmission proxy apparatus, a service request message sent by a client, where the service request message includes a service type; performing verification on service permission of a decrypted service request message according to the service type; performing protocol conversion on the decrypted service request message if the service permission verification succeeds; and sending a service request message obtained after the protocol conversion to a service server side, so that the service server side executes a corresponding service according to the service request message obtained after the protocol conversion.

Abstract: One embodiment relates to a processing method for a communication intended for at least one receiving terminal. The method may comprise receiving a communication intended for the at least one receiving terminal and obtaining a certified identifier and an uncertified identifier of a sender of the communication, the identifiers being comprised in a signal message for the communication. The method may further comprise comparing the certified identifier with the uncertified identifier and processing the communication including a process for searching for the certified identifier in a list containing certified identifiers for senders associated with uncertified identifiers of those senders; the processing process being based on the results of the comparison process and the searching process.

Abstract: System and method for preventing undesirable smart device communications. A system includes memory for storing a list of contacts, the memory integrated into a smart device; and a locking application configured to permit a user to select and lock one or more contacts included within said list of contacts such that the user is unable to communicate with the selected one or more contacts via said smart device. The locking application may be further configured to permit a user to select a pre-established time period during which the one or more selected contacts remain locked. Challenges may be presented to the user to unlock the contacts in advance of the lockout time expiring. Optional features include GPS tracking, rewards, ride and networking modules.

Abstract: A method of providing a hash value for a piece of data is disclosed, where the hash value provides for a time-stamp for the piece of data upon verification, for limiting a risk of collisions between hash values. The method comprises collecting one or more root time-stamps for a root of a hash tree structure defining a hash function, wherein the root-time stamp is a root time-stamp from the past, determining whether a nonce may be received from a server, and upon failure to receive the nonce from the server, providing the hash value by a hash function of the root time-stamp and the piece of data, or upon success in receiving the nonce from the server, providing the hash value by the hash function of the root time-stamp, the piece of data and the nonce. An electronic device and a computer program are also disclosed.

Abstract: The second connector of the image forming apparatus behind the firewall connects to the first connector of the management server to establish a session. The web browser of the personal computer sends an HTTP request to the first compressor on the basis of an instruction from a user, a destination of the HTTP request being the web server unit of the image forming apparatus. The first compressor of the management server compresses the HTTP request received from the web browser to generate first compressed data, and sends the generated first compressed data to the second decompressor of the image forming apparatus through a communication path established between the first connector and the second connector. The second decompressor of the image forming apparatus decompresses the first compressed data received from the first compressor to reproduce the original HTTP request, and sends the HTTP request to the web server unit.

Abstract: A method is supplied for operating a computer unit, wherein on the computer unit an application can be executed which can access the functions of a crypto API, wherein the functions of the crypto API can be supplied by at least one crypto implementation on the computer unit. The method therein includes the following steps of: executing the application on the computer unit; checking what crypto implementations are available on the computer unit; and selecting one of the available crypto implementations as that crypto implementation which supplies the functions of the crypto API.

Abstract: An access node of a distributed service collects workload data pertaining to at least one peer group of access nodes established for handling client requests. During a particular load shedding analysis, the access node uses the collected metrics to detect that a triggering condition for load shedding with respect to a set of persistent client connections has been met. Each persistent client connection is set up to be usable for a plurality of client requests. The access node initiates a phased termination of at least one selected persistent client connection. The phased termination comprises allowing completion of in-flight requests on the connection and rejecting new requests on the connection.

Abstract: Optimizing web page loading by condensing web requests for files of a certain kind, format, or style. A system for web page loading may incorporate an embedded device having a processor, a web browser, and a web server for the embedded device connected to the web browser. One or more requests to the web server for files may be made by the web browser. Grouping a number of files of modules into one or a smaller number of files may speed up loading the files or requests for a web page. The one or more requests made by the web browser or the grouping the number of files into one or more files may be effected by a processor. The embedded device may combine resources on the fly, during runtime or dynamically into fewer resources when a request to do so is made.

Abstract: In a computer-implemented method for collecting firewall flow records, firewall flow records are received from a plurality of data end nodes of a virtualized infrastructure comprising a distributed firewall according to a collection schedule, wherein the collection schedule defines which data end nodes of the plurality of data end nodes from which firewall flow records are collected, a frequency of collection of firewall flow records from the data end nodes, and an amount of firewall flow records collected from the data end nodes. Firewall flow records received at a firewall flow record collection queue are processed, such that the received firewall flow records are prepared for storage at a flow record data store.

Abstract: Methods, computing systems and computer program products implement embodiments of the present invention that include associating one or more client domains with a computer executing an LDAP client, defining one or more client roles for each of one or more client domains, and associating one or more privileges with each of the client roles. Upon detecting a login of a client user having a client user name, the client user name is conveyed to an LDAP server, and in response, one or more client groups are received from the LDAP server, each given client group comprising a server role and a server domain. For each received client group having a respective server domain matching a given client domain, the respective server role is matched to a given client role, and the one or more privileges associated with the given client role is assigned to the client user.

Abstract: A method and an apparatus for realizing web service. An apparatus having a binary web service interface to communicate with nodes operationally connected to the apparatus using a binary web service, the nodes having one or more resources, the binary web service interface being configured to receive information from a node whenever a resource of a node changes or whenever a pre-configured event regarding a resource occurs. The apparatus also has an interface for communicating with web applications making use of the resources and ap component for receiving subscriptions regarding the information received from the nodes and providing the subscribed information.

Abstract: A system for providing an isolated testing model for testing the disaster recovery capabilities of a streamlined backup network backing up a primary network. The primary network provides one or more users access to critical data and critical services. The system is configured to be switched between a production mode and a test mode. When the system is in the test mode, the primary network and the streamlined backup network form a live production environment and the streamlined backup network provides the one or more users access to the critical data and the critical services in the event the primary network is unable to do so. When the system is in the test mode, the streamlined backup network is removed from the live production environment by physically and logically isolating the streamlined backup network from the primary network.

Abstract: A device such as a smartphone may communicate with a server or other network entity using encrypted communications, making it difficult to examine such communications for purposes of identifying communication issues that may affect user QoE (quality of experience). In certain embodiments, an application may be modified to log communication data before encryption and after decryption. For example, the application program may be decompiled and logging instructions may be inserted before portion that result in data encryption and after portions where received data is decrypted. The modified application program may then be recompiled and executed on a device to produce an unencrypted log of data. In other embodiments, elements of the device operating system may be modified to log data before encryption and after decryption.

Abstract: Devices, methods, systems, and computer-readable media for legacy device securitization within a microgrid system are described herein. One or more embodiments include a system having a microgrid network with at least one remote network connection to a non-local network device and the network having at least one local legacy device in communication with the non-local network device and a bump-in-the-wire (BITW) security device between the local legacy device and the at least one remote connection.

Abstract: The invention presented herein is a system and method for automatically discovering communication capabilities for direct communication between endpoints across one or more unknown networks, the system comprising: a plurality of network enabled endpoints configured with a module in wireless communication with a management database, the module configured to establish a communication path for direct communication between the network-enabled endpoints, independent of a NAT router.

Abstract: Embodiments herein relate to a die to form a system-on-chip (SOC) with one or more other dies, with a policy arbitrator disposed on the die to manage security policies of the plurality of dies of the SOC, where the PA is to receive information about a security policy and a die type from a first of the one or more other dies, compare at least the received information about the security policy and the die type of the first other die with a security policy and a die type of the die, determine, based on the comparison, a common security policy for the plurality of dies of the SOC, and transmit the determined common security policy and the die type of the die to at least a second of the one or more other dies.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving parameters defining a detection technique, an attack scenario, and detection logic, receiving configuration data that is specific to a target system that is to be monitored, providing an attack pattern based on the parameters and the configuration data, monitoring the target system based on the attack pattern and data provided by one or more logs of the target system, and selectively generating, based on monitoring, an alert indicating a potential end-to-end intrusion into the target system.

Abstract: The subject matter describes devices, networks, systems, media, and methods to create secure communications between wireless devices and cellular networks, where the wireless devices communicate with the cellular networks via multi-hopping methods in non-cellular networks.