Security Protocols Patents (Class 726/14)
-
Patent number: 10135793
Abstract: Methods and a system are provided that, in turn, are for providing security between a user device and a computer related device. A method includes providing a distributed registry service that specifies a plurality of services available to support communications between the user device and the computer related device. The method further includes at least one of dynamically constructing and altering one or more multi-node transient processing pathways between the user device and the computer related device based on respective selected ones of the plurality of services. For at least one node in each of the one or more transient processing pathways, an address thereof and a time period the at least one node is active and capable of being used is set or changed, based on at least one of an application programming interface type and a data request type implicated by a received packet.
Type: Grant
Filed: June 26, 2015
Date of Patent: November 20, 2018
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Timothy Durniak, Robert R. Friedlander, James R. Kraemer, Jeb Linton
-
Patent number: 10129156
Abstract: Concepts and technologies disclosed herein are directed to the dynamic creation and management of ephemeral coordinated feedback instances. In accordance with one aspect disclosed herein, a system can receive a feedback instance creation request. The feedback instance creation request can be received from a policy engine in response to the policy engine attempting to satisfy a policy request. The system can examine the feedback instance creation request to determine an objective to be met by a new feedback instance model. The system can build a specification for the new feedback instance model. The specification can be built in accordance with a feedback instance building policy. The system can create the new feedback instance model in accordance with the specification. The system can store the new feedback instance model and a unique identifier associated with the new feedback instance model in a feedback instance model repository.
Type: Grant
Filed: March 31, 2015
Date of Patent: November 13, 2018
Assignee: AT&T Intellectual Property I, L.P.
Inventors: James W. Fan, Jeffrey A. Aaron
-
Patent number: 10122622
Abstract: A method implemented by a network element (NE), comprising receiving a classification message comprising a classification rule for identifying a service function chain (SFC) in a network, wherein the SFC comprises an ordered set of service functions (SFs) that provides services to an application, and a dynamic application-specific contextual data associated with an operation of the application, receiving a first of a plurality of application data packets, determining that the first of the application data packets matches the classification rule, generating a first SFC packet by adding the dynamic application-specific contextual data to the first of the application data packets according to the classification rule to enable communication of the dynamic application-specific contextual data to at least one of the SFs in the SFC, and sending the first SFC packet towards a next NE according to an SF path in the network associated with the SFC.
Type: Grant
Filed: May 29, 2015
Date of Patent: November 6, 2018
Assignee: Futurewei Technologies, Inc.
Inventors: Xiaobo Wang, Hong Zhang
-
Patent number: 10102379
Abstract: Published enterprise threat detection (ETD) security notes are accessed in a computer data store. Applicability of the published ETD security notes are determined for an information technology computing (IT) landscape. A determination is made that a particular applicable ETD security note has not yet been implemented in the IT computing landscape. Aggregated impact of compromise (IoC) and state of compromise (SoC) values associated with the published ETD security note are analyzed and a computing system patching action is performed based on the aggregated IoC and SoC values.
Type: Grant
Filed: June 30, 2017
Date of Patent: October 16, 2018
Assignee: SAP SE
Inventors: Hartwig Seifert, Nan Zhang, Harish Mehta, Florian Chrosziel, Hristina Dinkova, Thomas Kunz, Lin Luo, Rita Merkel, Wei-Guo Peng, Eugen Pritzkau, Marco Rodeck
-
Patent number: 10078648
Abstract: In general, in one aspect, a method for managing data in a data storage system includes receiving identifiers corresponding to different respective entries of a map stored in the data storage system, with a particular identifier corresponding to a particular entry of the map, the particular entry including a computed value corresponding to a particular portion of data stored in the data storage system and metadata indicating a location where the particular portion of data is stored in the data storage system, selecting, according to a first selection criterion, at least some of the identifiers for storage in a first portion of an index, and selecting, according to a second selection criterion, at least some of the identifiers for storage in a second portion of the index.
Type: Grant
Filed: April 27, 2015
Date of Patent: September 18, 2018
Assignee: Red Hat, Inc.
Inventors: Michael Fortson, Jonathan Coburn, Michael Sclafani, Thomas Jaskiewicz, Assar Westerlund, Hooman Vassef
-
Patent number: 10050781
Abstract: Embodiments of the present application provide apparatus and methods for generating a shared key, including setting up a key negotiation connection, and determining an algorithm code by negotiating using the key negotiation connection. An algorithm corresponding to the algorithm code is retrieved from a pre-stored algorithm library, and a pre-stored seed key is calculated using the algorithm to obtain a shared key. Compared with traditional key generation methods, embodiments of the present invention avoid the problem of a high bit error rate that occurs in the traditional quantum key generation methods, especially quantum key generation methods. One exemplary method determines an algorithm code through negotiation, retrieves a pre-stored algorithm corresponding to the algorithm code, and generates a new shared key using a seed key.
Type: Grant
Filed: August 19, 2016
Date of Patent: August 14, 2018
Assignee: Alibaba Group Holding Limited
Inventors: Peng Yuan, Yingfang Fu, Shaojie Liu, Zhiqiang Wang
-
Patent number: 10050954
Abstract: A method may include performing secure device configuration, via a configuration service manager device, for a SIP user device. The method includes monitoring, via the configuration service manager device, the SIP user device for device authentication problems, configuration file download problems, device registration problems and device third party registration problems. The method may also include detecting the device authentication problems, and logging and reporting the detected device authentication problems. The method may also include automated testing of the device and logging and reporting of detected device test problems. The method further includes resolving the detected device authentication, registration or testing problems.
Type: Grant
Filed: February 1, 2016
Date of Patent: August 14, 2018
Assignee: Verizon Patent and Licensing Inc.
Inventors: Paul T. Schultz, Robert A. Sartini, Tim D. Paiement, Elliot G. Eichen
-
Patent number: 10037422
Abstract: Embodiments as disclosed herein may provide systems and methods for component integration and security. In particular, in one embodiment, a native component that presents a network based interface may be on a device, where that native component may expose a network based interface for access by other components. This native component can then be accessed through the network based interface. To address security concerns and other issues, the native component may be configured to determine if a received request is associated with the same user space and only respond to requests originating from the same user space.
Type: Grant
Filed: January 19, 2016
Date of Patent: July 31, 2018
Assignee: Open Text SA ULC
Inventors: Jonathan Carroll, Michel Gagnon, Gregory Pekofsky, Khanh Tuan Vu
-
Patent number: 10038646
Abstract: Provided are a method and apparatus for acquiring a port range resource, and method and apparatus for allocating a port range resource. In the method, a first Router Solicitation (RS) message is sent to a server-end device, wherein information carried in the first RS message includes at least one of an Internet Protocol (IP) address multiplexing request and a port range resource allocation request; and a Router Advertisement (RA) message from the server-end device is received, wherein information carried in the RA message includes: a port range resource allocated according to the IP address multiplexing request and/or according to the port range resource allocation request. By virtue of the technical solution, an Address Plus Port (A+P) technology can be applied to an application scenario where stateless configuration of an Internet Protocol Version 6 (IPv6) address is performed via Neighbour Discovery (ND), thereby expanding the application range of the A+P technology.
Type: Grant
Filed: May 23, 2014
Date of Patent: July 31, 2018
Assignee: ZTE CORPORATION
Inventor: Kun Zheng
-
Patent number: 9985956
Abstract: A client authentication system receives authentication requests associated with a web page in response to a client computing system requesting access to the web page. The authentication system determines whether a storage device contains configurations for the authentication requests. The authentication system configures client authentication for the client authentication requests in view of whether the storage device includes the configurations for the authentication requests. The GUI allows control to change the client authentication configuration for at least one of the authentication requests.
Type: Grant
Filed: November 16, 2015
Date of Patent: May 29, 2018
Assignee: Red Hat, Inc.
Inventor: Kai Wolfgang Engert
-
Patent number: 9979738
Abstract: Described is a system for detecting attacks on networks. A hierarchical representation of activity of a communication network is used to detect and predict sources of misinformation in the communication network. The hierarchical representation includes temporal patterns of communication between at least one pair of nodes, each temporal pattern representing a motif, having a size, in the hierarchical representation. Changes in motifs provide a signal for a misinformation attack.
Type: Grant
Filed: March 18, 2016
Date of Patent: May 22, 2018
Assignee: HRL Laboratories, LLC
Inventors: Gavin D. Holland, Michael D. Howard, Chong Ding, Tsai-Ching Lu
-
Patent number: 9973570
Abstract: A system for providing an isolated testing model for testing the disaster recovery capabilities of a streamlined backup network backing up a primary network. The primary network provides one or more users access to critical data and critical services. The system is configured to be switched between a production mode and a test mode. When the system is in the production mode, the primary network and the streamlined backup network form a live production environment and the streamlined backup network provides the one or more users access to the critical data and the critical services in the event the primary network is unable to do so. When the system is in the test mode, the streamlined backup network is removed from the live production environment by physically and logically isolating the streamlined backup network from the primary network.
Type: Grant
Filed: May 1, 2015
Date of Patent: May 15, 2018
Assignee: Hartford Fire Insurance Company
Inventors: Kerry R Anderson, John G Buccetti, Joseph E Merola, Jr., Kenneth A Saucier
-
Patent number: 9960835
Abstract: Embodiments are provided for processing voice communication requests intended for a destination electronic device connected to an on-board communications network. According to certain aspects, a server may receive a request for a routing number and provide the routing number to a service provider network. The server may also identify an identification of a destination electronic device included in a voice communication request, modify the voice communication request to indicate the identification of the destination electronic device, and transmit, to an on-board communications network for delivery to the destination electronic device, a communication according to the voice communication request that was modified.
Type: Grant
Filed: March 24, 2016
Date of Patent: May 1, 2018
Assignee: GOGO LLC
Inventors: Bryan Adrian Lauer, Kathy Wang, Tony LaMarca, Paresh Kanabar, Premkumar Bangole, Pat Walsh
-
Patent number: 9954823
Abstract: An engineering method for establishing an engineering system includes establishing the engineering system in a virtual system by performing a communication and permitting an access to the virtual system via an internet, the communication being performed by using a service which is provided via the internet, the service being used by a first communication system which is connected to the internet, the virtual system being disposed in the first communication system, and the virtual system virtually implementing the engineering system, and inspecting the engineering system by performing an access to an inspection system via a virtual private network, the access is performed by a second communication system which is connected to the virtual private network, the inspection system being disposed in the second communication system, and the inspection system inspecting operations of the engineering system which is established in the virtual system.
Type: Grant
Filed: April 2, 2015
Date of Patent: April 24, 2018
Assignee: Yokogawa Electric Corporation
Inventor: Takahiro Kurose
-
Patent number: 9826432
Abstract: An arrangement for a wireless communication device is disclosed. The arrangement is adapted to set up an application connection between an application of an application layer of the device and a remote server. The device comprises a modem subsystem (comprising the application layer, a remote socket client and a remote socket API between the application layer and the remote socket client), an application processor (comprising a remote socket server and an IP stack, wherein the application processor is associated with a wireless communication access unit and the IP stack is adapted to connect to a communication network using the access unit), and a remote socket protocol communication channel between the remote socket client and the remote socket server. The application is adapted to send an application connection setup request to the remote socket client via the remote socket API.
Type: Grant
Filed: November 4, 2014
Date of Patent: November 21, 2017
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventor: Stefan Runeson
-
Patent number: 9811682
Abstract: Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.
Type: Grant
Filed: January 25, 2016
Date of Patent: November 7, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Dustin Michael Ingalls, Nathan J. Ide, Christopher R. Macaulay, Octavian T. Ureche, Michael J. Grass, Sai Vinayak, Preston Derek Adam
-
Patent number: 9804876
Abstract: A system and method for hibernating virtual machines (VMs) are disclosed. In accordance with one embodiment, a computer system that executes a hypervisor and a virtual machine (VM) determines that the virtual machine is to be put to sleep, wherein the determining is performed without involvement of a guest operating system hosted by the virtual machine. In response, the hypervisor stops a first virtual processor of the VM and persists the state of the first virtual processor.
Type: Grant
Filed: February 28, 2012
Date of Patent: October 31, 2017
Assignee: Red Hat Israel, Ltd.
Inventors: Michael Tsirkin, Dor Laor
-
Patent number: 9800550
Abstract: End-to-end file transfer security for file transfer is provided over a network such as the Internet between a client, using a secure communication protocol which is pervasively available, such as HTTPS, to a secure file server which is accessible only through a secure file transfer protocol which is not pervasively available by using a secure proxy for accessing the secure file server rather than providing a protocol break merely for traversing a firewall. The secure proxy is arranged to provide a protocol conversion between the pervasively available secure protocol and the communication protocol through which the server is accessible and which is not pervasively available. By doing so, the secure proxy inherits secure functions of the secure server which thus need not be separately or independently provided in the secure proxy.
Type: Grant
Filed: January 31, 2008
Date of Patent: October 24, 2017
Assignee: International Business Machines Corporation
Inventor: Brent E. Davis
-
Patent number: 9794191
Abstract: Methods and apparatus for uploading data from a sender to a receiver. A data deduplication technique is described that may reduce the bandwidth used in uploading data from the sender to the receiver. In the technique, the receiver, rather than the sender, maintains a fingerprint dictionary for previously uploaded data. When a sender has additional data to be uploaded, the sender extracts fingerprints for units of the data and sends the fingerprints to the receiver. The receiver checks its fingerprint dictionary to determine the data units to be uploaded and notifies the sender of the identified units, which then sends the identified units of data to the receiver. The technique may, for example, be applied in virtualized data store systems to reduce bandwidth usage in uploading data.
Type: Grant
Filed: August 24, 2015
Date of Patent: October 17, 2017
Assignee: Amazon Technologies, Inc.
Inventor: James Christopher Sorenson, III
-
Patent number: 9792424
Abstract: A service receives a request from a user of a group of users to perform one or more operations requiring group authentication in order for the operations to be performed. In response, the service provides a first user of the group with a musical seed and an ordering of the group of users. Each user of the group applies a transformation algorithm to the seed to create an authentication claim. The service receives this claim and determines, based at least in part on the ordering of the group of users, an ordered set of transformations, which are used to create a reference audio signal. If the received claim matches the reference audio signal, the service enables performance of the requested one or more operations.
Type: Grant
Filed: September 18, 2014
Date of Patent: October 17, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Jon Arron McClintock, Darren Ernest Canavor, George Nikolaos Stathakopoulos
-
Patent number: 9794297
Abstract: A method and system for improving usage of a security compliance framework is provided. The method includes authenticating a user for: access to the security compliance framework, access to an authoritative source component of the compliance framework, and access to a data store component of the compliance framework. A functionality status of the security compliance framework and a request associated with contents of the data store are presented to a user via a dashboard interface. In response, the request is triggered and associated results are generated.
Type: Grant
Filed: October 3, 2016
Date of Patent: October 17, 2017
Assignee: International Business Machines Corporation
Inventors: Rick A. Hamilton, II, Heather M. Hinton, Darren J. Moore, Neil Toussaint
-
Patent number: 9781141
Abstract: Secured automated or semi-automated systems are provided herein. In one embodiment, a sensor system includes a sensor, a legacy computing environment that is configured to communicate with the sensor and process sensor raw data output, and transmit the processed sensor output to a first network node over the network, and a trusted computing environment configured to receive raw sensor output directly from the sensor and transmit the raw sensor output to an additional network node or the first network node over the network.
Type: Grant
Filed: March 4, 2016
Date of Patent: October 3, 2017
Inventor: Mordecai Barkan
-
Patent number: 9755833
Abstract: An identification information management system according to the present invention comprises a plurality of terminals communicable with servers and a site management apparatus which manages site containing the terminals. The terminal has an identification information processing unit which assuming that a one-way hash function is f(x) and a terminal-unique ID is a, generates values x satisfying a conditional equation f(x)=a as identification information. When acquiring multiple items of identification information, the site management apparatus substitutes the identification information as the value x into f(x) and decides whether f(x)=a is satisfied, thereby deciding the terminals.
Type: Grant
Filed: December 3, 2009
Date of Patent: September 5, 2017
Assignee: NEC Corporation
Inventor: Hiroshi Kitamura
-
Patent number: 9740791
Abstract: Techniques and solutions for providing a cloud browse service are described. For example, a client can request a web page. In response to the request, the client can receive a processed layer tree representing the web page. The processed layer tree can be created by a server environment (e.g., by creating an original DOM from obtained HTML and associated web page resources for the web page and creating the processed layers from the original DOM). The client can create a simplified DOM from the received processed layers and display the web page using the simplified DOM. Techniques and solutions for providing a browser as a service are described. For example, a web browser component can receive a processed layer tree representing a web page, create a simplified DOM, and display the web page.
Type: Grant
Filed: September 23, 2014
Date of Patent: August 22, 2017
Assignee: Amazon Technologies, Inc.
Inventors: David Andrew Killian, Dhruva Lakshmana Rao Batni, Rohit Krishna Kumar, Nikhil Dinkar Joshi, Samuel John Young, Saral Jain, James Alan Umstot
-
Patent number: 9727729
Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.
Type: Grant
Filed: June 24, 2015
Date of Patent: August 8, 2017
Assignee: Virsec Systems, Inc.
Inventor: Satya Vrat Gupta
-
Patent number: 9729579
Abstract: A computer-implemented method for increasing security on computing systems that launch application containers may include (1) authenticating an application container that facilitates launching at least one application on a host computing system by verifying that the application container meets a certain trustworthiness threshold, (2) intercepting, via a policy-enforcement proxy, a command to perform a deployment action on the host computing system in connection with the authenticated application container, (3) determining that the deployment action potentially violates a security policy applied to the authenticated application container, and then in response to determining that the deployment action potentially violates the security policy, (4) modifying, via the policy-enforcement proxy, the command to prevent the potential violation of the security policy. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: April 27, 2015
Date of Patent: August 8, 2017
Assignee: Symantec Corporation
Inventors: Daniel Marino, Petros Efstathopoulos, Mingwei Zhang
-
Patent number: 9692791
Abstract: A software application may be registered for network-based security services that help ensure that the software application only communicates with network devices (e.g., application servers) for which permission is expressly given or network devices otherwise deemed trustworthy. A network server may monitor network traffic originating from the software application installed on a user device. When the software application causes the user device to communicate with a network device for which permission has not been given and/or that is untrustworthy (e.g., for having a reputation of being associated with malicious software), the network server may prohibit the software application from sending information to the network device.
Type: Grant
Filed: March 22, 2016
Date of Patent: June 27, 2017
Assignee: Verizon Patent and Licensing Inc.
Inventors: Siddharth Mishra, Jeffrey R. Stribling
-
Patent number: 9686292
Abstract: A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.
Type: Grant
Filed: June 9, 2015
Date of Patent: June 20, 2017
Assignee: Observable Networks, Inc.
Inventor: Patrick Crowley
-
Patent number: 9686153
Abstract: Techniques for placing a virtual edge gateway appliance on at least one host computing system are described. In one embodiment, a virtual switch assigned to a tenant for creating virtual networks is identified. Further, at least one host computing system having access to the virtual switch is identified. Furthermore, placing a virtual edge gateway appliance on the at least one identified host computing system is recommended to allow connectivity to networks created using the virtual switch assigned to the tenant.
Type: Grant
Filed: January 12, 2016
Date of Patent: June 20, 2017
Assignee: VMware, Inc.
Inventors: Tanmay Dalvi, Amita Savagaonkar
-
Patent number: 9672360
Abstract: Secure computer architectures, systems, and applications are provided herein. An exemplary system includes a legacy environment which is an off-the-shelf computing system, a trusted environment device that communicates with a network, and at least one peripheral that is communicatively coupled with the trusted environment device or having an authentication module.
Type: Grant
Filed: January 27, 2015
Date of Patent: June 6, 2017
Inventor: Mordecai Barkan
-
Patent number: 9652192
Abstract: A sink device in a Wireless Display (WD) system may establish a user input device control communication channel between a source device and sink device in a WD system to allow the sink device to send device control inputs to the source device. The user input device control communication channel may include a reverse channel architecture referred to as the Wi-Fi User Input Back Channel (UIBC) that has been modified to transport one or more additional input types over UDP. For example, UIBC may be extended to transport voice input and VNC input types.
Type: Grant
Filed: January 23, 2014
Date of Patent: May 16, 2017
Assignee: QUALCOMM Incorporated
Inventors: Phanikumar Kanakadurga Bhamidipati, Xiaolong Huang, Vijayalakshmi Rajasundaram Raveendran
-
Patent number: 9652174
Abstract: In an example, an analytic function to be performed on data stored in an input block is managed through an interface to a framework through which a user is to define the analytic function. The framework is to buffer batches of the data into a memory through implementation of a Reader, a Writer, a PreReader, and a PreWriter on the data stored in the input block when the user-defined analytic function is performed, and wherein the Reader, the Writer, the PreReader, and the PreWriter are individually movable with respect to each other in the input block. In addition, the user-defined analytic function is received through the interface.
Type: Grant
Filed: June 4, 2012
Date of Patent: May 16, 2017
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Neil Earnest Chao, Hongmin Fan
-
Patent number: 9635077
Abstract: Techniques are disclosed for low latency live video streaming. A client can be configured to send a single HTTP request for live video streaming to a server. The server can be configured to push one or more video segments to the client in response to the request, following a pre-defined push strategy. For example, using a so-called all-push strategy, the client sends only one request to the server, and in response, the server sends all of the video segments to the client as soon as each segment is complete. The HTTP 2.0 protocol may be used for pushing the video from the server to the client. This technique eliminates the request explosion problem when small segments are used. Further, the number of segments pushed with each request can be varied, which is to facilitate adaptive bitrate switching.
Type: Grant
Filed: March 14, 2014
Date of Patent: April 25, 2017
Assignee: Adobe Systems Incorporated
Inventors: Viswanathan Swaminathan, Sheng Wei
-
Patent number: 9628490
Abstract: Embodiments of the present invention address deficiencies of the art in respect to validating a specified identity for a participant to a chat session and provide a novel and non-obvious method, system and computer program product for trusted contact name validation for an instant messaging session. In one embodiment of the invention, an instant messaging contact name validation method can be provided. The method can include establishing a trusted relationship among at least two instant messaging servers in a trusted community of instant messaging servers, receiving a request to add a specified contact to a list of instant messaging contacts in association within one of the instant messaging servers in the trusted community of instant messaging servers, and validating the specified contact with another of the instant messaging servers in the trusted community of instant messaging servers.
Type: Grant
Filed: November 27, 2006
Date of Patent: April 18, 2017
Assignee: International Business Machines Corporation
Inventors: Patrick O'Sullivan, James P. Galvin, Jr.
-
Patent number: 9626872
Abstract: An avionics system comprising a human machine interface configured to display a user interface and a control device is provided. The control device coupled to the human machine interface, wherein the control device is configured to send and receive controller/pilot data link communications (CPDLC) messages and adjust the user interface based on a first CPDLC version of an established first CPDLC session.
Type: Grant
Filed: April 30, 2010
Date of Patent: April 18, 2017
Assignee: Honeywell International Inc.
Inventors: Thomas D. Judd, Michael J. Kayser, Thomas F. McGuffin, Reetu Gupta
-
Patent number: 9628292
Abstract: Wi-Fi flows are intelligently bridged in a software-defined network (SDN) controller of a wireless communication network that centrally coordinates data plane behavior. A default mode tunnels packets received at an access point to the SDN controller for layer 2 routing decisions. A bridging policy concerning bridging of specific types of traffic flows for the wireless communication network is received at the SDN. Data plane traffic flow for each of a plurality of access points distributed around the wireless communication network is centrally monitored. New data streams tunneled to the SDN controller are matched to bridging policies with deep packet inspection. Responsive to matching, the tunnel mode is converted to a bridge mode by sending a rule concerning the new data stream to the access point. As a result, subsequent packets of the new data stream are transferred at the access point without tunneling additional packets to the SDN controller.
Type: Grant
Filed: April 23, 2015
Date of Patent: April 18, 2017
Assignee: Fortinet, Inc.
Inventors: Lakshmi Narayana Dronadula, Ajay Malik, Avinash Bhagtani, Saurabh Kumar Agarwal, Nuwas Ponnambathayil
-
Patent number: 9602476
Abstract: In a method of selectively applying a data encryption function, a CoAP client and a CoAP server perform a DTLS handshake process. The CoAP client generates a CoAP message when the DTLS handshake process has been completed, and then indicates that encryption does not need to be applied to the CoAP message. The CoAP client generates only the authentication value of the CoAP message via a DTLS record layer protocol. The CoAP client sets the value of the specific field of a DTLS record layer protocol header to a specific value via the DTLS record layer protocol. The CoAP client sends the CoAP message and the authentication value to the CoAP server.
Type: Grant
Filed: July 9, 2015
Date of Patent: March 21, 2017
Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: Jaeduck Choi, Gunhee Lee, Sinkyu Kim
-
Patent number: 9571439
Abstract: An electronic message may be reconfigured to effect an enhanced notification using an input interface to receive at least one electronic message created by or on behalf of a message source for delivery to an intended recipient. A matching engine determines whether the electronic message corresponds to a predetermined definition of an enhanced notification. An enhancement engine reconfigures the electronic message to the enhanced notification if stored information related to the intended recipient indicates that the intended recipient is subscribed to receive the enhanced notification. Reconfiguring the electronic message may include reconfiguring the message to provide special handling, routing or presentation.
Type: Grant
Filed: February 14, 2013
Date of Patent: February 14, 2017
Assignee: FACEBOOK, INC.
Inventors: Barry Appelman, Muhammad Mohsin Hussain
-
Patent number: 9536113
Abstract: According to an embodiment, an information processing apparatus includes a main processor, a secure operating system (OS) module, a non-secure OS module, a secure monitor memory setting module, a timer, and an address space controller. When receiving a notification of an interrupt from the timer, a secure monitor instructs the secure OS module to execute certain processing. The secure OS module is configured to execute certain processing instructed by the secure monitor and store data of a result of the processing in a first memory area.
Type: Grant
Filed: September 10, 2014
Date of Patent: January 3, 2017
Assignee: Kabushiki Kaisha Toshiba
Inventors: Hiroshi Isozaki, Jun Kanai, Shintarou Sano, Shunsuke Sasaki, Toshiki Kizu
-
Patent number: 9479479
Abstract: A device may receive rule information, associated with a firewall policy, that includes a set of N rules. The device may add a rule, of the set of N rules, to a detector tree associated with the firewall policy. The device may identify other rules to which the rule is to be compared. The other rules may be included in the set of N rules, and may include a quantity of rules approximately equal to a result of a logarithm to base 2 of N. The device may compare the rule and the other rules, and may detect a rule anomaly based on comparing the rule to the other rules. The rule anomaly may be associated with a conflict between the rule and a particular rule of the other rules. The device may identify the rule anomaly within the detector tree, and may output information regarding the rule anomaly.
Type: Grant
Filed: September 25, 2014
Date of Patent: October 25, 2016
Assignee: Juniper Networks, Inc.
Inventors: Vinuth Tulasi, Arnav Shrivastava, Srivathsa Sarangapani
-
Patent number: 9471774
Abstract: A method for providing secure access to a virtual machine includes dispensing an image corresponding to a virtual machine from a management appliance to a distributed computing system such that the virtual machine is implemented by at least one of a plurality of interconnected physical computing devices in the distributed computing system; establishing a trusted relationship between the management appliance and the virtual machine; and providing a user with access to the virtual machine from the management appliance without further authentication credentials from the user.
Type: Grant
Filed: March 14, 2012
Date of Patent: October 18, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Rohith Kottamangalam Ashok, Daniel Everett Jemiolo, Todd Eric Kaplinger, Aaron Kyle Shook
-
Patent number: 9460311
Abstract: The method includes determining, using an in-memory database, a privacy risk associated with a resultant dataset of a query, returning, by the in-memory database, an anonymized dataset if the privacy risk is above a threshold value, the anonymized dataset being based on an anonymization, by the in-memory database, of the resultant dataset, and returning, by the in-memory database, the resultant dataset if the privacy risk is below a threshold value.
Type: Grant
Filed: June 26, 2013
Date of Patent: October 4, 2016
Assignee: SAP SE
Inventors: Michele Bezzi, Antonino Sabetta
-
Patent number: 9450915
Abstract: A method for creating a secure link between any two endpoints in a network comprises: assigning a unique identifier to each endpoint of a network; for each endpoint in the network, transmitting the unique identifiers associated with each of the remaining endpoints in the network to said endpoint; establishing a secure link between a source endpoint and a destination comprising: transmitting a data-session establishment packet from the source endpoint to the destination endpoint via a symmetric NAT device; wherein the data-session establishment packet comprises the unique identifier associated with the source endpoint; performing a matching operation at the destination endpoint to match the unique identifier associated with the source endpoint with a unique identifier known to the destination endpoint; and upon matching of unique identifiers then creating a forwarding table entry for the destination endpoint based on the source address and source port associated with the source endpoint.
Type: Grant
Filed: January 2, 2014
Date of Patent: September 20, 2016
Assignee: VIPTELA INC.
Inventor: Lars Olof Stefan Olofsson
-
Patent number: 9443078
Abstract: A management appliance includes at least one processor; and a memory communicatively coupled to the at least one processor. The memory comprising executable code stored thereon such that the at least one processor, upon executing the executable code, is configured to: dispense an image corresponding to a virtual machine to a distributed computing system comprising a plurality of interconnected computing devices, such that at least one of the computing devices implements the virtual machine; establish a trusted relationship with the virtual machine; and provide an authenticated user with access to the virtual machine without further authentication credentials from the user.
Type: Grant
Filed: April 20, 2010
Date of Patent: September 13, 2016
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Rohith Kottamangalam Ashok, Daniel Everett Jemiolo, Todd Eric Kaplinger, Aaron Kyle Shook
-
Patent number: 9438549
Abstract: Embodiments of the present invention provide a method, system and computer program product for controlling expiration of electronic mail (e-mail) single store attachments. A method to control expiration of e-mail single store attachments can include sending an e-mail message, the e-mail message including one or more attachments, creating a single store linked e-mail message by removing the one or more attachments from the sent e-mail message and replacing each of the one or more attachments with a corresponding single store attachment link. The method further can include storing the removed one or more attachments in an attachment server, where each of the one or more attachments has an expiration date, sending the single store linked e-mail message having the one or more store attachment links to one or more recipients and deleting an attachment stored on the attachment server based upon its respective expiration date having expired. When there is e-mail activity (e.g., forward, reply, etc.
Type: Grant
Filed: September 27, 2007
Date of Patent: September 6, 2016
Assignee: International Business Machines Corporation
Inventor: Mark E. Maresh
-
Patent number: 9401922
Abstract: Systems and methods are provided for detecting an anomalous condition in a virtual computing environment having a virtualization control system coupled to a physical server, disk drive, and networking resources, where the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers. Contents of a plurality of virtual memory storage locations are determined, where the virtual memory storage locations span multiple virtual servers. A runtime state of the virtual environment is determined based on the contents of the virtual memory storage locations. The runtime state of the virtual environment is verified for correctness or compared with a baseline state to identify a deviation from the baseline state, and a corrective action is performed when the discrepancy meets a predetermined criteria.
Type: Grant
Filed: December 9, 2011
Date of Patent: July 26, 2016
Assignee: Verizon Patent and Licensing Inc.
Inventor: Aaron Walters
-
Patent number: 9398467
Abstract: An approach is provided for causing an extension of secure emergency network resources via one or more trusted point of presence. The approach involves determining a networking context, wherein the networking context initiates a request to join an extension mesh network to a currently trusted network. The approach also involves determining a target network trust level associated with the networking context, the currently trusted network, or a combination thereof. The approach further involves selecting the extension mesh network based on the target network trust level. The approach also involves initiating a joining of the extension mesh network to the currently trusted network.
Type: Grant
Filed: September 5, 2014
Date of Patent: July 19, 2016
Assignee: Verizon Patent and Licensing Inc.
Inventors: Paul T. Schultz, James Ronald Barfield, Jr., Todd M. Willis, Robert A. Sartini
-
Patent number: 9392072
Abstract: An improved industrial automation system and communication system for implementation therein, and related methods of operation, are described herein. In at least some embodiments, the improved communication system allows communication in the form of messages between modules in different control or enterprise domains. Further, in at least some embodiments, such communications are achieved by providing a communication system including a manufacturing service bus having two internal service busses with a bridge between the internal busses. Also, in at least some embodiments, a methodology of synchronous messaging is employed.
Type: Grant
Filed: April 15, 2010
Date of Patent: July 12, 2016
Assignee: Rockwell Automation Technologies, Inc.
Inventors: Jan Bezdicek, Ladislav Bumbalek, Kenwood H. Hall, Jakub Slajs
-
Patent number: 9378359
Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
Type: Grant
Filed: October 10, 2012
Date of Patent: June 28, 2016
Assignee: Citrix Systems, Inc.
Inventors: Waheed Qureshi, John M. McGinty
-
Patent number: 9379952
Abstract: A method comprising dereferencing, in a web browser, a Uniform Resource Identifier (URI) comprising a web resource and a reflex tag, creating a request message comprising a request for the web resource and a reflex request corresponding to the reflex tag, wherein the reflex request is a request for address and port information from a web server comprising the web resource, encapsulating the request message in a transport message comprising an Internet Protocol (IP) address and a port of the web browser, transmitting the transport message to the web server, receiving a response message from the web server, wherein the response message comprises a second IP address and a second port number of the browser as seen by the web server, and determining a characteristic of at least one Network Address Translation (NAT) device coupled between the web browser and the web server based on the second IP address and second port number.
Type: Grant
Filed: August 20, 2013
Date of Patent: June 28, 2016
Assignee: Futurewei Technologies, Inc.
Inventors: Li Li, Tao Cai, Wu Chou