Abstract: According to embodiments of the present disclosure, systems and methods to manage Security Protocol and Data Model (SPDM) secure communication sessions are provided. According to one embodiment, an Information Handling System (IHS) includes a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification in which the SPDM-enabled device has a specified quantity of supported private communication sessions. The IHS also includes computer-executable instructions to, when an application requests use of one of the private communication sessions, determine whether one of the private communication sessions is available, and enable the application to communicate with the SPDM-enabled device through the one private communication session based on the determination.

Abstract: Techniques for container environment management are disclosed. For example, a method comprises deploying a first container storage interface driver, wherein the first container storage interface driver comprises multiple interfaces and is configured to: (i) receive a first request from a host configured to execute an application program, wherein the first request is related to a first storage volume associated with a storage system; (ii) receive a second request from a second container storage interface driver configured to provide an additional functionality with respect to the first container storage interface driver, wherein the second request is related to a second storage volume associated with the storage system; and (iii) send the first request and the second request to the storage system.

Abstract: A method in a virtual private network (VPN) environment is disclosed. A user device transmits, to a VPN server before establishment of a VPN connection between the user device and the VPN server, an initiation request to establish the VPN connection. The initiation request includes remote content information indicating remote content that is unavailable in a geographic location of the user device. The user device receives, from the VPN server after establishment of the VPN connection, the remote content based at least in part on a configuration of domain name services (DNS) settings associated with the VPN connection to utilize a remote DNS server that is capable of obtaining the remote content. Various other aspects are contemplated.

Abstract: VPN data for building and maintaining VPNs through a public network is gathered. The VPN data is maintained, at a DNS server, as part of a DNS table. A portion of the VPN data is provided as part of a DNS view of the DNS table to a client device. A VPN mode indicating a manner to establish a VPN node for the client device through the public network is determined using the portion of the VPN data. When the client device is coupled to the public network the VPN node is established and maintained according to the VPN mode using the portion of the VPN data.

Abstract: A data communication system serves a user application in a User Equipment (UE). The data communication system receives a subscription from an application server into a Network Exposure Function (NEF). The subscription is for user data from the user application in the UE. The data communication system receives the user data from the user application in the UE over a Virtual Private Network (VPN) and transfers the user data to the NEF. The data communication system transfers the user data from the NEF for delivery to the application server in response to the subscription.

Abstract: Provided is a method to operate a secure chip card for connecting to a user equipment operating in a cellular network comprising a plurality of network slices, wherein for at least one network slice a slice authentication server is operational, the secure chip card comprising a secured memory with at least one slice authentication application.

Abstract: Systems, computer program products, and methods are described herein for a cloud-based virtual private secured contained communication portal. The present disclosure is configured to receive a request from a user device to connect to one or more entity representatives; analyze the request to determine a device identifier and customer identification number; access an entity database and retrieve resource transfer history data and resource account data for the customer identification number; generate, near-real-time, a virtual private network (VPN) configuration for the user device; and generate a secure application programming interface (API) call from the user device to one or more entity cloud services based on information contained in the request to form an operable connection between the user device and the one or more entity representatives.

Abstract: A method for receiving, at a VPN server, a first data request for the VPN server to retrieve first data of interest from a first host device; utilizing, by the VPN server, a first exit IP address to transmit a first query for retrieving the first data of interest; determining, by the VPN server based on transmitting the first query, that the first exit IP address is blocked by the first host device; suspending, by the VPN server based on determining that the first exit IP address is blocked by the first host device, utilization of the first exit IP address for retrieving the first data of interest from the first host device; and utilizing, by the VPN server, the first exit IP address to transmit a second query for retrieving second data of interest from a second host device is disclosed. Various other aspects are contemplated.

Abstract: Virtual private network (VPN) service provider infrastructure (SPI) receives a request to access a VPN from a client device. The VPN SPI selects an Internet Protocol (IP) address for access to the VPN by the client device from a pool of IP addresses. The VPN SPI provides access to the VPN for the client device via the IP address. The VPN SPI receives one or more handshake notifications from the client device. The VPN SPI determines that a threshold time period has passed since a latest-in-time handshake notification of the one or more handshake notifications. The VPN SPI disconnects the client device from the VPN in response to determining that the threshold time period has passed. The VPN SPI adds the IP address to the pool of IP addresses in response to disconnecting the client device from the VPN.

Abstract: Runtime binary migration is provided. A slice of a 5G network is provisioned based on time period and bandwidth requirements in accordance with a service level agreement corresponding to a customer requesting performance of a business function transaction. A runtime binary for invoking the slice of the 5G network is migrated to a nodal edge server for a set of edge devices associated with the nodal edge server to perform the business function transaction using the slice of the 5G network.

Abstract: A method including configuring a VPN server to receive, from a user device during an established VPN connection between the VPN server and the user device, a data request for the VPN server to retrieve data of interest; configuring the VPN server to transmit, during the established VPN connection, a query to retrieve the data of interest based on utilizing a first exit IP address; configuring the VPN server to determine, based on transmitting the query, that the first exit IP address is blocked; configuring the VPN server to retrieve, during the established VPN connection and based on determining that the first exit IP address is blocked by the host device, the data of interest based on utilizing a second exit IP address; and configuring the VPN server to transmit, to the user device during the established VPN connection, the data of interest is disclosed. Various other aspects are contemplated.

Abstract: One example process may include determining, via a virtual private network (VPN) server, one or more client devices are currently content sharing during a conference including a plurality of active client devices, monitoring, via the VPN server, communication session parameters of one or more of the client devices which are forwarding the shared content to the VPN server, and the shared content is destined for one or more of the other client devices, modifying, via the VPN server, one or more of the communication session parameters of the one or more client devices which are forwarding the shared content to the VPN server, and determining whether the modified one or more communication session parameters have increased a performance of the one or more other client devices.

Abstract: An image processing device includes an image processing unit, a UI unit, a VPN processing unit, and a housing. The image processing unit includes a printer and/or a scanner. The UI unit is the target of an input action performed by the user. The VPN processing unit connects to a VPN using authentication information obtained through the UI unit. The image processing unit, the UT unit, and the VPN processing unit are provided to the housing.

Abstract: Methods and systems for AP location based content presentation are provided. According to one embodiment, a web service receives from a widget executing within a web page requested by a wireless computing device of multiple wireless computing devices operating within an enterprise, a unique identifier of the wireless computing device. An access point (AP) identifier is determined for an AP of multiple APs of the enterprise that is servicing the wireless computing device by querying a log database with the unique identifier. AP specific content is displayed within the web page as a result of the web service retrieving the AP specific content from a content database based on the AP identifier and returning the AP specific content to the widget.

Abstract: Various embodiments include systems and methods of automated scan engine assignment. Responsive to determining to initiate a scan of a target asset, a scan engine assignment strategy may be determined for automatically assigning one or more scan engines to perform the scan. Determining the scan engine assignment strategy may include implementing a strategy selection scheme that defines a hierarchy of scan engine assignment strategies, which may include at least one of a passive discovery strategy, an active discovery strategy, or a scan engine subnet strategy. Using the scan engine assignment strategy, the one or more scan engines may be automatically assigned to perform the scan. The scan may be performed using the one or more scan engines.

Abstract: One example method includes injecting processing into sessions including IO sessions. Events in a file system are intercepted and processed. During processing, policies may be applied to the events. Some of the policies are triggered such that external actions or processing is applied to the event. Once the actions have been performed, the event may be processed by the file system.

Abstract: A computer system and method designed to support and enable a dual obfuscated virtual private network (VPN) for routing data. A plurality of servers is configured with hardware elements in a hardware layer, and an operatively coupled operating system layer with a first virtual private server (VPS) operatively coupled to a second VPS. The first VPS is configured to generate an OpenVPN certificate and the second VPS is configured to generate a WireGuard certificate. Communication tunnels encrypted with a combination of OpenVPN and WireGuard are created to establish the dual obfuscated VPN to support data encryption.

Abstract: The present technology can allow a user to use the OpenID Connect protocol to login to an account that has an anonymous user account ID. More specifically, the present technology can programmatically combine information received from an OpenID provider during the OpenID Connect protocol with a random value to yield a unique anonymous user account ID. The present technology also makes use of the ability within the OpenID Connect protocol to embed a chosen nonce into the token signed by the OpenID provider. This allows for embedding hashes of cryptographic keys, like signature verification keys, into ID tokens received from the OpenID provider that authenticates the user. Subsequently, the user can sign messages that can be verified using the verification key bound to the ID token from the OpenID provider.

Abstract: Techniques for providing a networking and security split architecture are disclosed. In some embodiments, a system, process, and/or computer program product for providing a networking and security split architecture includes receiving a flow at a security service; processing the flow at a network layer of the security service to perform one or more networking functions; and offloading the flow to a security layer of the security service to perform security enforcement based on a policy.

Abstract: Techniques for automatically providing per tenant weighted DCMP over shared transport interfaces and automated flow has load balancing are described. The techniques may include onboarding the tenant to the local multi-tenant edge device associated with a tenant, where the resource profile defines a traffic allowance per transport interface for the tenant. Local weight per transport interface is applied. Information including local weight per transport interface is transmitted to a remote device via an SD-WAN controller. Information including a remote weight per transport interface of the remote device is received via the SD-WAN controller. Traffic is routed from the tenant based on local weight per transport interface of the local device and remote weight per transport interface of the remote device.

Abstract: A user equipment and wireless provisioning method and system associated with a first wireless network are provided. The wireless provisioning system includes a processor, a network interface in communication with the first wireless network, and a non-transitory memory storing a first set and a second set of information of a profile related to operation of a UE on a second wireless network. The processor transmits the first set of information to the UE for provisioning to the UE files associated with authorization and authentication of the UE on the second wireless network. The processor validates that the first set of information was provisioned to the UE and transmits the second set of information to the UE for provisioning to the UE pointer updates for updating pointers on the UE to point to the first set of information. The processor transmits an instruction for the UE to reboot.

Abstract: A method includes identifying a middlebox receiving network flow and communicating with one or more backend virtual machines. The method also includes receiving flow statistics corresponding to the network flow of the middlebox and determining whether the flow statistics satisfy an offload rule. The offload rule indicates when to migrate the network flow from the middlebox to an end host. When the flow statistics satisfy the offload rule, the method also includes migrating the network flow from the middlebox to the end host.

Abstract: Methods, apparatus, and processor-readable storage media for out-of-band management security analysis and monitoring are provided herein. An example computer-implemented method includes generating control state configuration profiles for hardware components of at least one out-of-band server management controller, collecting data from the at least one out-of-band management controller via one or more interfaces, analyzing the collected data by comparing the collected data to the one or more control state configuration profiles and applying at least one rule-based engine to the collected data, and generating a notification of one or more security vulnerabilities associated with the at least one out-of-band server management controller based at least in part on the analyzing of the collected data, wherein the notification is to be utilized in connection with one or more security-related actions on at least a portion of at least one server.

Abstract: A system and a method are disclosed for receiving a request for a user to perform a plurality of activities with respect to a secure document, a given activity of the plurality activities being assigned based on a known parameter of the user. The system transmits the request to the user, and responsive to detecting an interaction with the request, determines that the known parameter has changed. The system responsively determines requirements for performing the plurality of activities based on a replacement parameter of the user, determines a replacement activity based on the requirements, and transmits a new request to the user, the new request replacing the given activity with the replacement activity.

Abstract: A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.

Abstract: An edge synchronization platform that facilitates mesh network routing via dynamic routing tables is disclosed. A node in the mesh network obtains a network communication. The node performs a wrapping operation on the network communication to generate a wrapped data packet. The wrapped data packet includes a destination indicator. The node identifies a recipient node for the wrapped data packet using a dynamic routing table. The node then sends the wrapped data packet to the recipient node.

Abstract: A security system for individually-owned electronic devices includes a network operations center with an enrollment system, device management system, network layer security system, personal information monitoring system, detection and response system, and monitoring and alert system. An individually-owned electronic device communicates with the network operations center in order to receive and install a configuration file and a security application, as well as to configure a virtual private network connection. These components operate independently and collectively to identify and address security threats to the individually-owned electronic devices.

Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.

Abstract: Embodiments of the present disclosure provide a data migration method and apparatus. The method includes: receiving a migration task of migrating data in a first system to a second system; and calling upper-layer interfaces corresponding to the migration task, and calling underlying operation interfaces of the first system and the second system by the upper-layer interfaces through an abstract interface class to migrate the data of the first system to the second system. Bidirectional data transmission and migration can be implemented between any two data ends. Bidirectional data transmission and migration between any data terminals.

Abstract: A method including receiving, at a VPN server from a user device during an established VPN connection between the VPN server and the user device, a data request for the VPN server to retrieve data of interest from a host device; utilizing, by the VPN server during the established VPN connection, a first exit IP address to transmit a query to the host device for retrieving the data of interest; determining, by the VPN server based on transmitting the query, that the first exit IP address is blocked by the host device; and transmitting, by the VPN server during the established VPN connection and based on determining that the first exit IP address is blocked, the data request to a secondary server to enable retransmission of the query to the host device by utilizing a second exit IP address is disclosed. Various other aspects are contemplated.

Abstract: In one preferred form of the present invention, show in in FIGS. 1 to 3, there is provided a computer implemented security method (10) comprising: providing users (14) with first virtual machines (12), the first virtual machines (12) for being displayed on first electronic devices (18); and providing the users with virtual keyboards (22), the virtual keyboards (22) for providing user input to control the first virtual machines (12), the virtual keyboards (22) for being displayed on second electronic devices (24) that are different to the first electronic devices (18) to reduce the effectiveness of possible malware loggers on the first electronic devices (18).

Abstract: A method for controlling an operation of a virtual machine on a cloud by a server is provided. The method includes: (a) receiving, from a terminal device of a user having only a usage authority for a specific virtual machine resource among a plurality of virtual machine resources, a request for allocating or deallocating at least some of the plurality of virtual machine resources to the terminal device; and (b) based on a control condition of the user for the at least some of the plurality of virtual machine resources being recognized, supporting to perform allocation or deallocation of the virtual machine resource by generating a process corresponding to the at least some of the plurality of virtual machine resources and loading the process on a memory or deleting the process from the memory according to the request.

Abstract: Systems, methods, and related technologies for improving classification use multiple classification resources. The method includes accessing network traffic from a network comprising a plurality of entities, and determining, based on the network traffic, one or more values associated with one or more properties of an entity of the plurality of entities. The method also includes determining, by a processing device, a first classification result of the entity based on the one or more values and at least one local profile, and determining a second classification result of the entity, wherein the second classification result of the entity is based on the one or more values and at least one remote profile.

Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.

Abstract: Some embodiments provide a method of load balancing data message flows across multiple secure connections. The method receives a data message having source and destination addresses formatted according to a first protocol. Based on the source and destination addresses, the method selects one of the multiple secure connections for the data message. Each of the secure connections handles a first set of connections formatted according to the first protocol and a second set of connections formatted according to a second protocol that is an alternative to the first protocol. The method securely encapsulates the data message and forwards the encapsulated data message onto a network. The encapsulation includes an identifier for the selected secure connection.

Abstract: A method including establishing, by a first device, a virtual private network (VPN) connection with a VPN server; establishing, by the first device during the established VPN connection, a meshnet connection with a second device in a mesh network; determining, by the first device, whether the second device is a destination associated with a transmission packet to be transmitted by the first device; and transmitting, by the processor, the transmission packet by utilizing the VPN connection or by utilizing the meshnet connection based at least in part on determining whether the second device is the destination associated with the transmission packet. Various other aspects are contemplated.

Abstract: A system computes a timing interval between high-capacity vehicles (HCVs) for each of a plurality of HCV corridors within a geographic region, each respective HCV corridor of the plurality of HCV corridors including a start area. For each respective HCV corridor, the system transmits, via a network communication interface, (i) first data to a first computing device associated with a first HCV, the first data indicating the start area of the respective HCV corridor, and a first start time for the first HCV, and (ii) second data to a second computing device associated with a second HCV, the second data indicating the start area of the respective HCV corridor and a second start time for the second HCV, wherein the first start time for the first HCV and the second start time for the second HCV are based on the computed timing interval for the respective HCV corridor.

Abstract: The present invention relates to a system for establishing a secure connection between a mobile device container and a number of virtual private networks.

Abstract: Identification of an electronic communication containing specific information is provided. Content of the electronic communication may be evaluated by a machine-learning model, and based on an evaluation of the content, it may be determined that the electronic communication contains the specific information. The electronic communication may be tagged with tag information indicating that the electronic communication contains the specific information, and transmission of the electronic communication may be blocked based on the tag information.

Abstract: A request for a virtual private network (VPN) server that is an optimal VPN server for a user device is received. Respective penalty scores for VPN servers including the optimal VPN server are calculated. A respective penalty score of a VPN server is calculated based on whether the VPN server is in a same country as the user device and a proximity of the VPN server to an international Internet exchange hub. The optimal VPN is server is selected based on the respective penalty scores. An internet protocol (IP) address of the optimal VPN server is transmitted to the user device.

Abstract: A method including configuring a first server to receive, from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating a type associated with the encrypted authentication packet and a crypted payload including one or more encrypted fields; and configuring the first server to transmit, to the second server, a response based at least in part on determining the type associated with the encrypted authentication packet and on decrypting the one or more encrypted fields. Various other aspects are contemplated.

Abstract: Provided herein are systems, devices and methods for opening a connection in a gateway of a cloud based network for a client device connected via two different network links to the gateway and to a Software Defined Perimeter (SDP) controller of a cloud based network. The SDP controller may receive a request from a client device to connect to a gateway of the cloud based network, generate a one-time SPA key for the client device (after authenticated), transmit the SPA key to the gateway, and transmit, via the first network link, the SPA key to the client device. The client device may transmit the SPA key to the gateway via the second network link and the gateway may be configured to open a connection for the client device via the second network link in case the SPA key is valid.

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: A method including configuring a first server to determine an encrypted authentication packet, the configuring including, configuring the first server to determine a crypted code field to indicate a type associated with the encryption authentication packet and that at least a portion of the encryption authentication packet is encrypted, and configuring the first server to determine a crypted payload based at least in part on encrypting one or more fields of an initial authentication packet; and configuring the first server to transmit, to a second server, the encrypted authentication packet to enable the first server and the second server to conduct an authentication process. Various other aspects are contemplated.

Abstract: A method including determining, by a first server, an encrypted authentication packet, the determining including, determining a crypted code field to indicate a type associated with the encryption authentication packet and that at least a portion of the encryption authentication packet is encrypted, and determining a crypted payload based at least in part on encrypting one or more fields of an initial authentication packet; and transmitting, by the first server to a second server, the encrypted authentication packet to enable the first server and the second server to conduct an authentication process. Various other aspects are contemplated.

Abstract: The techniques herein are directed generally to personalized secure communication session management, such as for virtual private networks (VPNs). In one embodiment, a user is authenticated at a client device to verify that the user is present at the client device and authorized to access one or more secured resources, and in response, a secure communication session is established for the client device to access the secured resources. At a later time during the secure communication session, it is determined whether the user is still authenticated at the client device, such that if so, access to the one or more secured resources is maintained on the secure communication session, or else access is restricted to the one or more secured resources (e.g., the session is terminated, or access is otherwise limited).

Abstract: Various techniques for split tunneling based on content type to exclude certain network traffic from a tunnel (e.g., VPN tunnel) are disclosed. In some embodiments, a system, process, and/or computer program product for split tunneling based on content type to exclude certain network traffic from a tunnel includes monitoring session traffic received at a data appliance; determining if the session traffic is associated with a first content type; and redirecting the session traffic if the session traffic is associated with the first content type based on a policy.

Abstract: Virtual private network (VPN) service provider infrastructure (SPI) receives a request to access a VPN from a client device. The VPN SPI selects an Internet Protocol (IP) address for access to the VPN by the client device from a pool of IP addresses. The VPN SPI provides access to the VPN for the client device via the IP address. The VPN SPI receives one or more handshake notifications from the client device. The VPN SPI determines that a threshold time period has passed since a latest-in-time handshake notification of the one or more handshake notifications. The VPN SPI disconnects the client device from the VPN in response to determining that the threshold time period has passed. The VPN SPI adds the IP address to the pool of IP addresses in response to disconnecting the client device from the VPN.

Abstract: A client-side virtual private network (VPN) chaining architecture can provision multiple sessions for multiple VPN clients that are configured to communicate packet traffic in parallel between an end-user device and one or more destinations. The client-side chaining architecture can capture packet traffic per specific users/apps and process (e.g., drop) or reroute the captured packet traffic for different VPN clients. For example, packet traffic can be rerouted from a main VPN client to a secondary VPN client. As such, there can be multiple VPN clients that are simultaneously chained in various ways to the same end-user device.

Abstract: Techniques for load balancing encrypted traffic based on security parameter index (SPI) values of packet headers and sets of 5-tuple values of the packet headers are described herein. Additionally, techniques for including quality of service (QoS)-type information in SPI value fields of packet headers are also described herein. The QoS-type information may indicate a particular traffic class according to which the packet is to be handled. Further, techniques for pre-configuring a backend host such that encrypted traffic may be migrated to the backend host from another backend host without causing temporary service disruptions are also described herein.