Security Protocols Patents (Class 726/14)
  • Patent number: 9826432
    Abstract: An arrangement for a wireless communication device is disclosed. The arrangement is adapted to set up an application connection between an application of an application layer of the device and a remote server. The device comprises a modem subsystem (comprising the application layer, a remote socket client and a remote socket API between the application layer and the remote socket client), an application processor (comprising a remote socket server and an IP stack, wherein the application processor is associated with a wireless communication access unit and the IP stack is adapted to connect to a communication network using the access unit), and a remote socket protocol communication channel between the remote socket client and the remote socket server. The application is adapted to send an application connection setup request to the remote socket client via the remote socket API.
    Type: Grant
    Filed: November 4, 2014
    Date of Patent: November 21, 2017
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Stefan Runeson
  • Patent number: 9811682
    Abstract: Techniques for providing security policy for device data are described. In implementations, data on a device is stored in an encrypted form. To protect the encrypted data from being decrypted by an unauthorized entity, techniques enable a decryption key to be occluded if an attempt to gain unauthorized access to device data is detected. In implementations, a decryption key can be occluded in a variety of ways, such as by deleting the decryption key, overwriting the encryption key in memory, encrypting the encryption key, and so on. Embodiments enable an occluded decryption key to be recovered via a recovery experience. For example, a recovery experience can include an authentication procedure that requests a recovery password. If a correct recovery password is provided, the occluded decryption key can be provided.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: November 7, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dustin Michael Ingalls, Nathan J. Ide, Christopher R. Macaulay, Octavian T. Ureche, Michael J. Grass, Sai Vinayak, Preston Derek Adam
  • Patent number: 9804876
    Abstract: A system and method for hibernating virtual machines (VMs) are disclosed. In accordance with one embodiment, a computer system that executes a hypervisor and a virtual machine (VM) determines that the virtual machine is to be put to sleep, wherein the determining is performed without involvement of a guest operating system hosted by the virtual machine. In response, the hypervisor stops a first virtual processor of the VM and persists the state of the first virtual processor.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: October 31, 2017
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Dor Laor
  • Patent number: 9800550
    Abstract: End-to-end file transfer security for file transfer is provided over a network such as the Internet between a client, using a secure communication protocol which is pervasively available, such as HTTPS, to a secure file server which is accessible only through a secure file transfer protocol which is not pervasively available by using a secure proxy for accessing the secure file server rather than providing a protocol break merely for traversing a firewall. The secure proxy is arranged to provide a protocol conversion between the pervasively available secure protocol and the communication protocol through which the server is accessible and which is not pervasively available. By doing so, the secure proxy inherits secure functions of the secure server which thus need not be separately or independently provided in the secure proxy.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: October 24, 2017
    Assignee: International Business Machines Corporation
    Inventor: Brent E. Davis
  • Patent number: 9794297
    Abstract: A method and system for improving usage of a security compliance framework is provided. The method includes authenticating a user for: access to the security compliance framework, access to an authoritative source component of the compliance framework, and access to a data store component of the compliance framework. A functionality status of the security compliance framework and a request associated with contents of the data store are presented to a user via a dashboard interface. In response, the request is triggered and associated results are generated.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: October 17, 2017
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Heather M. Hinton, Darren J. Moore, Neil Toussaint
  • Patent number: 9792424
    Abstract: A service receives a request from a user of a group of users to perform one or more operations requiring group authentication in order for the operations to be performed. In response, the service provides a first user of the group with a musical seed and an ordering of the group of users. Each user of the group applies a transformation algorithm to the seed to create an authentication claim. The service receives this claim and determines, based at least in part on the ordering of the group of users, an ordered set of transformations, which are used to create a reference audio signal. If the received claim matches the reference audio signal, the service enables performance of the requested one or more operations.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: October 17, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, Darren Ernest Canavor, George Nikolaos Stathakopoulos
  • Patent number: 9794191
    Abstract: Methods and apparatus for uploading data from a sender to a receiver. A data deduplication technique is described that may reduce the bandwidth used in uploading data from the sender to the receiver. In the technique, the receiver, rather than the sender, maintains a fingerprint dictionary for previously uploaded data. When a sender has additional data to be uploaded, the sender extracts fingerprints for units of the data and sends the fingerprints to the receiver. The receiver checks its fingerprint dictionary to determine the data units to be uploaded and notifies the sender of the identified units, which then sends the identified units of data to the receiver. The technique may, for example, be applied in virtualized data store systems to reduce bandwidth usage in uploading data.
    Type: Grant
    Filed: August 24, 2015
    Date of Patent: October 17, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: James Christopher Sorenson, III
  • Patent number: 9781141
    Abstract: Secured automated or semi-automated systems are provided herein. In one embodiment, a sensor system includes a sensor, a legacy computing environment that is configured to communicate with the sensor and process sensor raw data output, and transmit the processed sensor output to a first network node over the network, and a trusted computing environment configured to receive raw sensor output directly from the sensor and transmit the raw sensor output to an additional network node or the first network node over the network.
    Type: Grant
    Filed: March 4, 2016
    Date of Patent: October 3, 2017
    Inventor: Mordecai Barkan
  • Patent number: 9755833
    Abstract: An identification information management system according to the present invention comprises a plurality of terminals communicable with servers and a site management apparatus which manages a site containing the terminals. The terminal has an identification information processing unit which, assuming that a one-way hash function is f(x) and a terminal-unique ID is a, generates values x satisfying a conditional equation f(x)=a as identification information. When acquiring multiple items of identification information, the site management apparatus substitutes the identification information as the value x into f(x) and decides whether f(x)=a is satisfied, thereby deciding the terminals.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: September 5, 2017
    Assignee: NEC Corporation
    Inventor: Hiroshi Kitamura
  • Patent number: 9740791
    Abstract: Techniques and solutions for providing a cloud browse service are described. For example, a client can request a web page. In response to the request, the client can receive a processed layer tree representing the web page. The processed layer tree can be created by a server environment (e.g., by creating an original DOM from obtained HTML and associated web page resources for the web page and creating the processed layers from the original DOM). The client can create a simplified DOM from the received processed layers and display the web page using the simplified DOM. Techniques and solutions for providing a browser as a service are described. For example, a web browser component can receive a processed layer tree representing a web page, create a simplified DOM, and display the web page.
    Type: Grant
    Filed: September 23, 2014
    Date of Patent: August 22, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: David Andrew Killian, Dhruva Lakshmana Rao Batni, Rohit Krishna Kumar, Nikhil Dinkar Joshi, Samuel John Young, Saral Jain, James Alan Umstot
  • Patent number: 9729579
    Abstract: A computer-implemented method for increasing security on computing systems that launch application containers may include (1) authenticating an application container that facilitates launching at least one application on a host computing system by verifying that the application container meets a certain trustworthiness threshold, (2) intercepting, via a policy-enforcement proxy, a command to perform a deployment action on the host computing system in connection with the authenticated application container, (3) determining that the deployment action potentially violates a security policy applied to the authenticated application container, and then in response to determining that the deployment action potentially violates the security policy, (4) modifying, via the policy-enforcement proxy, the command to prevent the potential violation of the security policy. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: August 8, 2017
    Assignee: Symantec Corporation
    Inventors: Daniel Marino, Petros Efstathopoulos, Mingwei Zhang
  • Patent number: 9727729
    Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: August 8, 2017
    Assignee: Virsec Systems, Inc.
    Inventor: Satya Vrat Gupta
  • Patent number: 9692791
    Abstract: A software application may be registered for network-based security services that help ensure that the software application only communicates with network devices (e.g., application servers) for which permission is expressly given or network devices otherwise deemed trustworthy. A network server may monitor network traffic originating from the software application installed on a user device. When the software application causes the user device to communicate with a network device for which permission has not been given and/or that is untrustworthy (e.g., for having a reputation of being associated with malicious software), the network server may prohibit the software application from sending information to the network device.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: June 27, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Siddharth Mishra, Jeffrey R. Stribling
  • Patent number: 9686153
    Abstract: Techniques for placing a virtual edge gateway appliance on at least one host computing system are described. In one embodiment, a virtual switch assigned to a tenant for creating virtual networks is identified. Further, at least one host computing system having access to the virtual switch is identified. Furthermore, placing a virtual edge gateway appliance on the at least one identified host computing system is recommended to allow connectivity to networks created using the virtual switch assigned to the tenant.
    Type: Grant
    Filed: January 12, 2016
    Date of Patent: June 20, 2017
    Assignee: VMware, Inc.
    Inventors: Tanmay Dalvi, Amita Savagaonkar
  • Patent number: 9686292
    Abstract: A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: June 20, 2017
    Assignee: Observable Networks, Inc.
    Inventor: Patrick Crowley
  • Patent number: 9672360
    Abstract: Secure computer architectures, systems, and applications are provided herein. An exemplary system includes a legacy environment which is an off-the-shelf computing system, a trusted environment device that communicates with a network, and at least one peripheral that is communicatively coupled with the trusted environment device or having an authentication module.
    Type: Grant
    Filed: January 27, 2015
    Date of Patent: June 6, 2017
    Inventor: Mordecai Barkan
  • Patent number: 9652174
    Abstract: In an example, an analytic function to be performed on data stored in an input block is managed through an interface to a framework through which a user is to define the analytic function. The framework is to buffer batches of the data into a memory through implementation of a Reader, a Writer, a PreReader, and a PreWriter on the data stored in the input block when the user-defined analytic function is performed, and wherein the Reader, the Writer, the PreReader, and the PreWriter are individually movable with respect to each other in the input block. In addition, the user-defined analytic function is received through the interface.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: May 16, 2017
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Neil Earnest Chao, Hongmin Fan
  • Patent number: 9652192
    Abstract: A sink device in a Wireless Display (WD) system may establish a user input device control communication channel between a source device and sink device in a WD system to allow the sink device to send device control inputs to the source device. The user input device control communication channel may include a reverse channel architecture referred to as the Wi-Fi User Input Back Channel (UIBC) that has been modified to transport one or more additional input types over UDP. For example, UIBC may be extended to transport voice input and VNC input types.
    Type: Grant
    Filed: January 23, 2014
    Date of Patent: May 16, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Phanikumar Kanakadurga Bhamidipati, Xiaolong Huang, Vijayalakshmi Rajasundaram Raveendran
  • Patent number: 9635077
    Abstract: Techniques are disclosed for low latency live video streaming. A client can be configured to send a single HTTP request for live video streaming to a server. The server can be configured to push one or more video segments to the client in response to the request, following a pre-defined push strategy. For example, using a so-called all-push strategy, the client sends only one request to the server, and in response, the server sends all of the video segments to the client as soon as each segment is complete. The HTTP 2.0 protocol may be used for pushing the video from the server to the client. This technique eliminates the request explosion problem when small segments are used. Further, the number of segments pushed with each request can be varied, which is to facilitate adaptive bitrate switching.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: April 25, 2017
    Assignee: Adobe Systems Incorporated
    Inventors: Viswanathan Swaminathan, Sheng Wei
  • Patent number: 9628292
    Abstract: Wi-Fi flows are intelligently bridged in a software-defined network (SDN) controller of a wireless communication network that centrally coordinates data plane behavior. A default mode tunnels packets received at an access point to the SDN controller for layer 2 routing decisions. A bridging policy concerning bridging of specific types of traffic flows for the wireless communication network is received at the SDN. Data plane traffic flow for each of a plurality of access points distributed around the wireless communication network is centrally monitored. New data streams tunneled to the SDN controller are matched to bridging policies with deep packet inspection. Responsive to matching, the tunnel mode is converted to a bridge mode by sending a rule concerning the new data stream to the access point. As a result, subsequent packets of the new data stream are transferred at the access point without tunneling additional packets to the SDN controller.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: April 18, 2017
    Assignee: Fortinet, Inc.
    Inventors: Lakshmi Narayana Dronadula, Ajay Malik, Avinash Bhagtani, Saurabh Kumar Agarwal, Nuwas Ponnambathayil
  • Patent number: 9626872
    Abstract: An avionics system comprising a human machine interface configured to display a user interface and a control device is provided. The control device is coupled to the human machine interface, wherein the control device is configured to send and receive controller/pilot data link communications (CPDLC) messages and adjust the user interface based on a first CPDLC version of an established first CPDLC session.
    Type: Grant
    Filed: April 30, 2010
    Date of Patent: April 18, 2017
    Assignee: Honeywell International Inc.
    Inventors: Thomas D. Judd, Michael J. Kayser, Thomas F. McGuffin, Reetu Gupta
  • Patent number: 9628490
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to validating a specified identity for a participant to a chat session and provide a novel and non-obvious method, system and computer program product for trusted contact name validation for an instant messaging session. In one embodiment of the invention, an instant messaging contact name validation method can be provided. The method can include establishing a trusted relationship among at least two instant messaging servers in a trusted community of instant messaging servers, receiving a request to add a specified contact to a list of instant messaging contacts in association within one of the instant messaging servers in the trusted community of instant messaging servers, and validating the specified contact with another of the instant messaging servers in the trusted community of instant messaging servers.
    Type: Grant
    Filed: November 27, 2006
    Date of Patent: April 18, 2017
    Assignee: International Business Machines Corporation
    Inventors: Patrick O'Sullivan, James P. Galvin, Jr.
  • Patent number: 9602476
    Abstract: In a method of selectively applying a data encryption function, a CoAP client and a CoAP server perform a DTLS handshake process. The CoAP client generates a CoAP message when the DTLS handshake process has been completed, and then indicates that encryption does not need to be applied to the CoAP message. The CoAP client generates only the authentication value of the CoAP message via a DTLS record layer protocol. The CoAP client sets the value of the specific field of a DTLS record layer protocol header to a specific value via the DTLS record layer protocol. The CoAP client sends the CoAP message and the authentication value to the CoAP server.
    Type: Grant
    Filed: July 9, 2015
    Date of Patent: March 21, 2017
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Jaeduck Choi, Gunhee Lee, Sinkyu Kim
  • Patent number: 9571439
    Abstract: An electronic message may be reconfigured to effect an enhanced notification using an input interface to receive at least one electronic message created by or on behalf of a message source for delivery to an intended recipient. A matching engine determines whether the electronic message corresponds to a predetermined definition of an enhanced notification. An enhancement engine reconfigures the electronic message to the enhanced notification if stored information related to the intended recipient indicates that the intended recipient is subscribed to receive the enhanced notification. Reconfiguring the electronic message may include reconfiguring the message to provide special handling, routing or presentation.
    Type: Grant
    Filed: February 14, 2013
    Date of Patent: February 14, 2017
    Assignee: FACEBOOK, INC.
    Inventors: Barry Appelman, Muhammad Mohsin Hussain
  • Patent number: 9536113
    Abstract: According to an embodiment, an information processing apparatus includes a main processor, a secure operating system (OS) module, a non-secure OS module, a secure monitor memory setting module, a timer, and an address space controller. When receiving a notification of an interrupt from the timer, a secure monitor instructs the secure OS module to execute certain processing. The secure OS module is configured to execute certain processing instructed by the secure monitor and store data of a result of the processing in a first memory area.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: January 3, 2017
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroshi Isozaki, Jun Kanai, Shintarou Sano, Shunsuke Sasaki, Toshiki Kizu
  • Patent number: 9479479
    Abstract: A device may receive rule information, associated with a firewall policy, that includes a set of N rules. The device may add a rule, of the set of N rules, to a detector tree associated with the firewall policy. The device may identify other rules to which the rule is to be compared. The other rules may be included in the set of N rules, and may include a quantity of rules approximately equal to a result of a logarithm to base 2 of N. The device may compare the rule and the other rules, and may detect a rule anomaly based on comparing the rule to the other rules. The rule anomaly may be associated with a conflict between the rule and a particular rule of the other rules. The device may identify the rule anomaly within the detector tree, and may output information regarding the rule anomaly.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: October 25, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Vinuth Tulasi, Arnav Shrivastava, Srivathsa Sarangapani
  • Patent number: 9471774
    Abstract: A method for providing secure access to a virtual machine includes dispensing an image corresponding to a virtual machine from a management appliance to a distributed computing system such that the virtual machine is implemented by at least one of a plurality of interconnected physical computing devices in the distributed computing system; establishing a trusted relationship between the management appliance and the virtual machine; and providing a user with access to the virtual machine from the management appliance without further authentication credentials from the user.
    Type: Grant
    Filed: March 14, 2012
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Rohith Kottamangalam Ashok, Daniel Everett Jemiolo, Todd Eric Kaplinger, Aaron Kyle Shook
  • Patent number: 9460311
    Abstract: The method includes determining, using an in-memory database, a privacy risk associated with a resultant dataset of a query, returning, by the in-memory database, an anonymized dataset if the privacy risk is above a threshold value, the anonymized dataset being based on an anonymization, by the in-memory database, of the resultant dataset, and returning, by the in-memory database, the resultant dataset if the privacy risk is below a threshold value.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: October 4, 2016
    Assignee: SAP SE
    Inventors: Michele Bezzi, Antonino Sabetta
  • Patent number: 9450915
    Abstract: A method for creating a secure link between any two endpoints in a network comprises: assigning a unique identifier to each endpoint of a network; for each endpoint in the network, transmitting the unique identifiers associated with each of the remaining endpoints in the network to said endpoint; establishing a secure link between a source endpoint and a destination comprising: transmitting a data-session establishment packet from the source endpoint to the destination endpoint via a symmetric NAT device; wherein the data-session establishment packet comprises the unique identifier associated with the source endpoint; performing a matching operation at the destination endpoint to match the unique identifier associated with the source endpoint with a unique identifier known to the destination endpoint; and upon matching of unique identifiers then creating a forwarding table entry for the destination endpoint based on the source address and source port associated with the source endpoint.
    Type: Grant
    Filed: January 2, 2014
    Date of Patent: September 20, 2016
    Assignee: VIPTELA INC.
    Inventor: Lars Olof Stefan Olofsson
  • Patent number: 9443078
    Abstract: A management appliance includes at least one processor; and a memory communicatively coupled to the at least one processor. The memory comprising executable code stored thereon such that the at least one processor, upon executing the executable code, is configured to: dispense an image corresponding to a virtual machine to a distributed computing system comprising a plurality of interconnected computing devices, such that at least one of the computing devices implements the virtual machine; establish a trusted relationship with the virtual machine; and provide an authenticated user with access to the virtual machine without further authentication credentials from the user.
    Type: Grant
    Filed: April 20, 2010
    Date of Patent: September 13, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Rohith Kottamangalam Ashok, Daniel Everett Jemiolo, Todd Eric Kaplinger, Aaron Kyle Shook
  • Patent number: 9438549
    Abstract: Embodiments of the present invention provide a method, system and computer program product for controlling expiration of electronic mail (e-mail) single store attachments. A method to control expiration of e-mail single store attachments can include sending an e-mail message, the e-mail message including one or more attachments, creating a single store linked e-mail message by removing the one or more attachments from the sent e-mail message and replacing each of the one or more attachments with a corresponding single store attachment link. The method further can include storing the removed one or more attachments in an attachment server, where each of the one or more attachments has an expiration date, sending the single store linked e-mail message having the one or more store attachment links to one or more recipients and deleting an attachment stored on the attachment server based upon its respective expiration date having expired. When there is e-mail activity (e.g., forward, reply, etc.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: September 6, 2016
    Assignee: International Business Machines Corporation
    Inventor: Mark E. Maresh
  • Patent number: 9401922
    Abstract: Systems and methods are provided for detecting an anomalous condition in a virtual computing environment having a virtualization control system coupled to a physical server, disk drive, and networking resources, where the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers. Contents of a plurality of virtual memory storage locations are determined, where the virtual memory storage locations span multiple virtual servers. A runtime state of the virtual environment is determined based on the contents of the virtual memory storage locations. The runtime state of the virtual environment is verified for correctness or compared with a baseline state to identify a deviation from the baseline state, and a corrective action is performed when the discrepancy meets a predetermined criteria.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: July 26, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Aaron Walters
  • Patent number: 9398467
    Abstract: An approach is provided for causing an extension of secure emergency network resources via one or more trusted point of presence. The approach involves determining a networking context, wherein the networking context initiates a request to join an extension mesh network to a currently trusted network. The approach also involves determining a target network trust level associated with the networking context, the currently trusted network, or a combination thereof. The approach further involves selecting the extension mesh network based on the target network trust level. The approach also involves initiating a joining of the extension mesh network to the currently trusted network.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: July 19, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, James Ronald Barfield, Jr., Todd M. Willis, Robert A. Sartini
  • Patent number: 9392072
    Abstract: An improved industrial automation system and communication system for implementation therein, and related methods of operation, are described herein. In at least some embodiments, the improved communication system allows communication in the form of messages between modules in different control or enterprise domains. Further, in at least some embodiments, such communications are achieved by providing a communication system including a manufacturing service bus having two internal service busses with a bridge between the internal busses. Also, in at least some embodiments, a methodology of synchronous messaging is employed.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: July 12, 2016
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Jan Bezdicek, Ladislav Bumbalek, Kenwood H. Hall, Jakub Slajs
  • Patent number: 9379952
    Abstract: A method comprising dereferencing, in a web browser, a Uniform Resource Identifier (URI) comprising a web resource and a reflex tag, creating a request message comprising a request for the web resource and a reflex request corresponding to the reflex tag, wherein the reflex request is a request for address and port information from a web server comprising the web resource, encapsulating the request message in a transport message comprising an Internet Protocol (IP) address and a port of the web browser, transmitting the transport message to the web server, receiving a response message from the web server, wherein the response message comprises a second IP address and a second port number of the browser as seen by the web server, and determining a characteristic of at least one Network Address Translation (NAT) device coupled between the web browser and the web server based on the second IP address and second port number.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: June 28, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventors: Li Li, Tao Cai, Wu Chou
  • Patent number: 9378359
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: June 28, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, John M. McGinty
  • Patent number: 9357002
    Abstract: A method for verifying receipt of data packets, including generating a plurality of data packets, wherein each of the plurality of data packets comprises entropy information, transmitting one or more of the plurality of data packets to a receiver, receiving a first hash from the receiver, wherein the first hash is based on the entropy information of the one or more of the plurality of data packets and validating the first hash to determine if the receiver received the one or more of the plurality of data packets. Systems and computer-readable media are also provided.
    Type: Grant
    Filed: April 8, 2013
    Date of Patent: May 31, 2016
    Assignee: Google Inc.
    Inventors: James Anthony Roskind, Ryan Cameron Hamilton
  • Patent number: 9329624
    Abstract: A communication apparatus that is capable of enabling communication even when IPsec life time information is taken over. The communication apparatus is connected to a network via a network interface device and operates in a first power mode or a second power mode with less power consumption. A notification unit notifies the network interface device of IPsec life time information when shifting to the second power mode from the first power mode. A storage unit stores first time information showing time of shifting to the second power mode from the first power mode. An acquisition unit acquires the life time information from the network interface device when shifting to the first power mode from the second power mode. A correction unit corrects the life time information based on second time information showing time of shifting to the first power mode from the second power mode and the first time information.
    Type: Grant
    Filed: April 20, 2012
    Date of Patent: May 3, 2016
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Tomohiro Kimura
  • Patent number: 9311477
    Abstract: The disclosure concerns a method implemented by a processing device. The method includes performing a first execution by the processing device of a computing function based on one or more initial parameters stored in a first memory device. The execution of the computing function generates one or more modified values of at least one of the initial parameters, wherein during the first execution the one or more initial parameters are read from the first memory device and the one or more modified values are stored in a second memory device. The method also includes performing a second execution by the processing device of the computing function based on the one or more initial parameters stored in the first memory device.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: April 12, 2016
    Assignees: Proton World International N.V., STMicroelectronics (Rousset) SAS
    Inventors: Fabrice Marinet, Jean-Louis Modave, Gilles Van Assche, Ronny Van Keer
  • Patent number: 9281942
    Abstract: A method of providing access to a password-protected electronic control unit (ECU) using encryption includes generating a cryptographic key for the ECU using a master password, a serial number of the ECU, and a password-based key derivation function; converting the generated cryptographic key into an ECU password; and accessing data from the ECU using the ECU password.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: March 8, 2016
    Assignee: GM Global Technology Operations LLC
    Inventors: Karl B. Leboeuf, Joseph E. Ploucha
  • Patent number: 9275237
    Abstract: One embodiment of the present invention provides a system for privacy-preserving sharing of data for secure collaboration. During operation, the system obtains a first set of data describing network events associated with one or more network addresses. Next, the system negotiates with a potential partner to determine a metric for deciding whether to share data. The potential partner is associated with a second set of data describing network events. The system then computes a value for the metric in a privacy-preserving way, based on the first set of data and the second set of data. Subsequently, the system determines whether the metric value exceeds a predetermined threshold, and, responsive to determining that the metric value exceeds the predetermined threshold, the system shares the first set of data with the potential partner, while controlling how the data should be shared to optimize benefits and risks of collaboration.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: March 1, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Emiliano De Cristofaro, Julien F. Freudiger, Ersin Uzun, Alejandro E. Brito, Marshall W. Bern
  • Patent number: 9270480
    Abstract: The present disclosure pertains to systems and methods for Ethernet-based management of optical networks using ONT management interface (OMCI). In one exemplary embodiment, an Ethernet-based protocol, such as Active Ethernet, is used to implement an ONT management interface (OMCI) between an optical line terminal (OLT) and a plurality of ONTs of a MON. Further, virtual local area networks (VLANs) are used to separate the traffic carried by the MON. Various techniques are described that permit ONT registration and creation of VLANs for the MON without requiring the use of gigabit PON (GPON) constructs, such as traffic containers (TCONTs) and dedicated GPON encapsulation method (GEM) ports.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: February 23, 2016
    Assignee: ADTRAN, Inc.
    Inventors: Peter Carl Som de Cerff, Pradipta Kumar Das, Karl Bielefeldt, Jeffrey McClure, Gary Culp
  • Patent number: 9264751
    Abstract: Apparatus and methods for downloading selected multimedia content and applications. In one embodiment, the apparatus and methods enable various options or functionalities for programming content over a home network. A web-based user interface on a consumer device that controls a set-top box (STB) over a local home network is utilized. An initial process connects the consumer device to an application server for the necessary web software. After discovery of both the consumer device and the STB on the local home network, an initial page of the application is loaded and the application calls the web services on the STB via the home network to retrieve data and control the STB with a compatible web browser on the consumer device.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: February 16, 2016
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: George Sarosi, Jay Thomas, William Helms, Chris Cholas
  • Patent number: 9262354
    Abstract: Generally, this disclosure relates to adaptive interrupt moderation. A method may include determining, by a host device, a number of connections between the host device and one or more link partners based, at least in part, on a connection identifier associated with each connection; determining, by the host device, a new interrupt rate based at least in part on a number of connections; updating, by the host device, an interrupt moderation timer with a value related to the new interrupt rate; and configuring the interrupt moderation timer to allow interrupts to occur at the new interrupt rate.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: February 16, 2016
    Assignee: Intel Corporation
    Inventors: Yadong Li, Linden Cornett, Manasi Deval, Anil Vasudevan, Parthasarathy Sarangam
  • Patent number: 9258282
    Abstract: The present disclosure provides protection of customer data traveling across a network. A reverse cryptographic map (also referred to herein as a reverse crypto map) can be defined for a customer, where the reverse crypto map indicates how customer data should be protected. A reverse crypto map for a customer is applied to an interface of an edge device that is coupled to that customer's private subnet (or customer-facing interface). A reverse crypto map can be configured by a network administrator on a provider edge device, or can be pushed from a key server as part of group policy. A provider edge device can protect customer data by encrypting and decrypting the customer data according to the reverse crypto map. A provider edge device can also be configured with virtual routing and forwarding (VRF) tables that can be used to forward the VPN traffic flow across a provider network.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: February 9, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Frederic R. P. Detienne, Pratima Sethi
  • Patent number: 9253172
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: February 2, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9241045
    Abstract: A method controls the routing of service requests to a plurality of servers using a first routing distribution algorithm. The method includes waiting a first period of time for a designated server to respond to a service request, transmitting the service request to the designated server a second time, and waiting a second period of time for the designated server to respond to the service request assigned to the designated server, the second period of time being longer than the first period of time. The method also includes determining that the designated server has failed, rerouting the service request to a different server, and routing the service requests to the plurality of servers using a second routing distribution algorithm.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: January 19, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: David Hoeflin, Yury Bakshi
  • Patent number: 9223976
    Abstract: Content inspection techniques are described. In one or more implementations, it is detected that an application executing on a computing device is calling a particular code element of a group of code elements to be used to process content. For example, the group of code elements can include a pre-specified group of code elements (e.g., functions and/or properties) that may enable access to particular functionalities of a computing device and thus are associated with a known security risk. It is then ascertained that the content is untrusted and, in response to ascertaining that the content is untrusted, the content is inspected to determine if the content is safe to be passed to the code element.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: December 29, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David L. Risney, Jr., Scott B. Graham, David Andrew Ross, Mathias Jourdain
  • Patent number: 9197607
    Abstract: Briefly, embodiments of methods or systems for providing enhancements to network security are disclosed.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: November 24, 2015
    Assignee: Yahoo! Inc.
    Inventor: William J. Mills
  • Patent number: 9172763
    Abstract: Various methods for server-side recordation and playback of a remote desktop session are provided. One example method may comprise receiving data related to a remote desktop protocol session. The method of this example embodiment may further comprise providing for storage of the data at a location other than the device associated with the remote desktop protocol client of the remote desktop protocol session. Furthermore, the method of this example embodiment may comprise receiving a request to reproduce the remote desktop protocol session. The method of this example embodiment may also comprise retrieving the data from storage. Additionally, the method of this example embodiment may comprise facilitating reproduction of at least a portion of the remote desktop protocol session based at least in part on the retrieved data. Similar and related example methods, apparatuses, systems, and computer program products are also provided.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: October 27, 2015
    Assignee: Lenovo (Singapore) PTE. LTD.
    Inventors: Richard W. German, Tony E. Thompson, Eric T. Marshall