Virtual Private Network or Virtual Terminal Protocol (i.e., VPN or VTP) Patents (Class 726/15)
  • Patent number: 11463469
    Abstract: Systems, methods, and related technologies for improving classification use multiple classification resources. Network traffic from a network may be accessed and an entity may be selected. One or more values associated with one or more properties associated with the entity may be determined. The one or more values may be accessed from the network traffic. A first classification result of the entity based on accessing one or more local profiles is determined by a processing device. In response to the first classification result meeting a condition, one or more values associated with one or more properties associated with the entity may be sent (e.g., to a cloud based classification resource). A second classification result may be received. The second classification result may be determined based on accessing at least one remote profile. At least one of the first classification result or the second classification result may be stored.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: October 4, 2022
    Assignee: FORESCOUT TECHNOLOGIES, INC.
    Inventor: Yang Zhang
  • Patent number: 11451520
    Abstract: Described herein are improved systems and methods for provisioning of private computer networks and application software as well as providing private SaaS.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: September 20, 2022
    Inventor: Jonathan Cobb
  • Patent number: 11444872
    Abstract: In one aspect, a computerized method of an application routing service includes the step of using a deep-packet inspection (DPI) technique on a first network flow to identify an application. The method includes the step of storing an Internet-protocol (IP) address and a port number used by the application and an identity of the application in a database. The method includes the step of detecting a second network flow. The method includes the step of identifying the IP address and the port number of the application in the second network flow. The method includes the step of looking up the IP address and the port number in the database. The method includes the step of identifying the application based on the IP address and the port number.
    Type: Grant
    Filed: December 1, 2019
    Date of Patent: September 13, 2022
    Assignee: NICIRA, INC.
    Inventors: Ajit Ramachandra Mayya, Parag Pritam Thakore, Stephen Craig Connors, Sunil Mukundan, Thomas Harold Speeter
  • Patent number: 11425098
    Abstract: An identity provider (IdP) service interoperates with a Virtual Private Network (VPN) client. The IdP service receives a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client. The IdP service provides a response to the login request. The response includes at least both first information including an indication that the user of the VPN client is an authorized user and second information including an indication of a VPN policy for the VPN tunnel, the VPN policy including a VPN client policy to be utilized during the VPN tunnel by the VPN client and a VPN host policy to be utilized during the VPN tunnel by the VPN host.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: August 23, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Hendrikus G. P. Bosch, Alessandro Duminuco, Sape Jurriën Mullender, Jeffrey Michael Napper
  • Patent number: 11418386
    Abstract: A network device comprising: a processor, an input/output device coupled to the processor, and a memory coupled with the processor, the memory comprising executable instructions that when executed by the processor cause the processor to effectuate operations including instantiating at least one node comprising a packet processor and a network interface, the packet processor configured to process a packet header at a network layer, wherein the at least one node includes a common configuration; extracting virtual network function parameters through an inference engine; generating a virtual network function template based on the virtual network function parameters, wherein the virtual network function template instantiates at least one virtual network function by assembling the at least one virtual network function from the at least one node; and automatically configures the virtual network function for onboarding onto a platform.
    Type: Grant
    Filed: March 6, 2018
    Date of Patent: August 16, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Chengwei Wang, Oliver Spatscheck
  • Patent number: 11411774
    Abstract: A first network device includes a processor and a memory having computer readable instructions stored thereon that, when executed by the processor, cause the first network device to obtain a Flow Specification (FlowSpec) rule with redirect indication information. The redirect indication information includes identification information identifying a first virtual private network (VPN) instance configured on a second network device. The indication information also includes instructions for the second network device to redirect data stream matching the FlowSpec rule to the first VPN instance. The first network device is also caused to advertise the FlowSpec rule with the redirect indication information to the second network device.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: August 9, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Shunwan Zhuang, Haijun Xu, Haibo Wang, Zhenbin Li, Jia Che, Shuanglong Chen
  • Patent number: 11392444
    Abstract: A method comprising: receiving a configuration file that identifies a plurality of first log patterns, each of the first log patterns being associated with a respective component of an application and a respective malfunction of the respective component of the application; retrieving, by an application monitor, one or more execution logs that are generated while the application is being executed; identifying, by the application monitor, a malfunction of the application based on the configuration file and the one or more execution logs, the malfunction being identified in response to a given one of the plurality of first log patterns matching an execution log pattern that is identified in the one or more execution logs; and reporting, by the application monitor, the malfunction to a technical support system.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: July 19, 2022
    Assignee: Dell Products L.P.
    Inventors: Chandroma Ghose, Parminder Singh Sethi
  • Patent number: 11388453
    Abstract: A method for processing a live-streaming interaction video comprises sending a data transmission request to a first anchor terminal and a second anchor terminal in response to a response message from the first anchor terminal; receiving first live-streaming data, first interaction information, second live-streaming data and second interaction information; acquiring target live-streaming data by fusing the first live-streaming data, the first interaction information, the second live-streaming data with the second interaction information; and sending the target live-streaming data to multiple audience terminals.
    Type: Grant
    Filed: August 9, 2021
    Date of Patent: July 12, 2022
    Assignee: BEIJING DAJIA INTERNET INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Zhenjian Geng
  • Patent number: 11388012
    Abstract: A method for a device comprises enrolling a specified application installed on the device into a chain of trust provided by a private key infrastructure. In the chain of trust, a child certificate is attested as valid by an attestor associated with a parent certificate in the chain of trust. Enrolling includes generating an application certificate 20-A for verifying that the specified application is installed on the device 2. The application certificate is a descendant certificate of the device certificate associated with the device and the chain of trust.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: July 12, 2022
    Assignee: Trustonic Limited
    Inventors: Chris Loreskar, John Dent
  • Patent number: 11362999
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform, including a processor and a memory; and executable instructions encoded in the memory to provide a client-only virtual private network (VPN) including a VPN client and a VPN server on a single physical device, wherein the VPN client is configured to communicatively couple to the VPN server and to provide proxied Internet protocol (IP) communication services via the VPN server.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: June 14, 2022
    Assignee: McAfee, LLC
    Inventor: Lior Rudnik
  • Patent number: 11362920
    Abstract: Systems, methods, and apparatus, including computer-readable media, for enhanced network communication using multiple network connections. In some implementations, a networking apparatus concurrently maintains connectivity to a network through each of multiple network transports. The networking apparatus receives one or more packets to be transmitted over the network and classifies the one or more packets to determine a class of service. The networking apparatus selects one of the multiple network transports to transmit the one or more packets based on (i) the class of service for the one or more packets and (ii) measures of expected latency for transmission of the one or more packets over the respective multiple network transports. The networking apparatus transmits the one or more packets using the selected network transport.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: June 14, 2022
    Assignee: Hughes Network Systems, LLC
    Inventor: Douglas Dillon
  • Patent number: 11336516
    Abstract: A method in a virtual private network (VPN) service environment, the method including receiving, from a user device, device information indicating parameters associated with the user device during an established VPN connection, determining, based at least in part on the device information, a VPN server for providing one or more VPN services to the user device during the established VPN connection, determining, based at least in part on the device information and server information associated with the VPN server, respective durations of time associated with performing each of a plurality of processes related to configuring the VPN connection, configuring a progress indicator configured to indicate an amount of time remaining to configure the VPN connection, and transmitting, to the user device, information associated with the progress indicator to enable display of the progress indicator on a screen associated with the user device. Various other aspects are contemplated.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: May 17, 2022
    Assignee: Netflow, UAB
    Inventors: Eligijus Birgiolas, Karolis Kaciulis
  • Patent number: 11336629
    Abstract: Certain embodiments described herein are generally directed to systems and methods for deterministic load balancing of processing encapsulated encrypted data packets at a destination tunnel endpoint. For example, certain embodiments described herein relate to configuring a destination tunnel endpoint (TEP) with an encapsulating security payload (ESP) receive side scaling (RSS) mode to assign each incoming packet, received from a certain source endpoint (EP), to a certain RSS queue based on an identifier that is encoded in an SPI value included in the packet.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: May 17, 2022
    Assignee: VMWARE, INC.
    Inventors: Yong Wang, Awan Kumar Sharma, Manmeet Khurana, Shailesh Urhekar, Sourabh Bhattacharya
  • Patent number: 11323445
    Abstract: A method of accessing a network comprises providing, via a first container establishing a first tunnel between a computing device and a network server, a health-check status of the computing device to the network server, and accessing, via a second container establishing a second tunnel between the computing device and the network server, the network at a level of access based on the health-check status of the computing device.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: May 3, 2022
    Assignee: BlackBerry Limited
    Inventor: Robert Scott Mitchell
  • Patent number: 11310258
    Abstract: Systems, methods, and related technologies for determining a risk associated with a network portion are described. The determination of risk associated with a network portion may include accessing network traffic from a network and determining an entity type associated with at least one entity communicatively coupled to the network. A network portion associated with the at least one entity can be determined. A risk associated with the at least one entity can be determined. A risk associated with the network portion associated with the at least one entity can be determined based on the risk associated with the at least one entity. The risk associated with the network portion can then be stored.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: April 19, 2022
    Assignee: FORESCOUT TECHNOLOGIES, INC.
    Inventors: Arun Raghuramu, Aveek Kumar Das, Yang Zhang
  • Patent number: 11297034
    Abstract: An example embodiment may include a computational instance and a computing device within a remote network management platform. The computing device may be configured to: receive, from a client device of the managed network, a request to redirect, to a second URL, future requests addressed to a first URL; provide, to the client device, instructions to generate a certificate that binds an identity of the entity that operates the managed network to the first URL; receive, from the client device, the certificate; store the certificate and a corresponding cryptographic key; and generate a mapping between the first URL and the second URL. The computational instance may be configured to, in response to receiving a content request referencing the destination, generate a content response containing content from the destination, where any hyperlinks to the second URL in the content are replaced with hyperlinks to the first URL.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: April 5, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Subbaraya Kumar Deverakonda Venkata, Kai Xu, Scott Kaufmann, Silas A. Smith
  • Patent number: 11297039
    Abstract: A method for providing a notification system in a virtual private network (VPN), the method comprising configuring a VPN server to receive, from a user device, an indication that data of interest is to be requested, the indication including domain information associated with a host device capable of providing the data of interest; and configuring the VPN server to transmit, based at least in part on the domain information, a notification indicating to the user device that the data of interest to be received from the host device potentially includes harmful content. Various other aspects are contemplated.
    Type: Grant
    Filed: August 13, 2021
    Date of Patent: April 5, 2022
    Assignee: OVERSEC, UAB
    Inventor: Kazimieras Celiesius
  • Patent number: 11288133
    Abstract: A manager for providing services to clients includes persistent storage and an orchestration manager. The persistent storage includes protection policies. The orchestration manager obtains a backup from a client of the clients based on a protection policy of the protection policies; makes a determination that an application catalog associated with the client is not stored in backup storages; in response to making the determination: obtains the application catalog from the client; stores the application catalog in the backup storages; and stores the obtained backup in the backup storages.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: March 29, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Asif Khan, Amith Ramachandran, Amarendra Behera, Deepika Nagabushanam, Ashish Kumar, Pati Mohan, Tushar Dethe, Himanshu Arora, Gururaj Soma, Sapna Chauhan, Soumen Acharya, Reshmee Jawed, Shelesh Chopra, Yasemin Ugur-Ozekinci
  • Patent number: 11290377
    Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: March 29, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Dana L. Blair, Michael L. Sullenberger, Solomon T. Lucas, Steven W. Wood, Anand Oswal
  • Patent number: 11289443
    Abstract: A secured system includes at least one semiconductor chip comprising information processing circuitry. An array of contact pads is disposed on a surface of the chip and is electrically coupled to the information processing circuitry. The secured system includes one or more semiconductor chiplets. Each chiplet comprises at least a portion of at least one hardware trusted platform module that cryptographically secures the information processing circuitry. An array of electrically conductive microsprings is disposed on a surface of the chiplet and is electrically coupled between the hardware trusted platform module and the contact pads.
    Type: Grant
    Filed: April 20, 2017
    Date of Patent: March 29, 2022
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Warren B. Jackson, Vanishree Rao, Eugene M. Chow
  • Patent number: 11277391
    Abstract: A method includes obtaining, by a first network device comprising a processor, characteristic information from an encrypted packet received from a second network device based on a determination that the first network device cannot decrypt the encrypted packet. The first network device is free from having an internet protocol security (IPsec) security association (SA), and the second network device has the IPsec SA. The method also includes generating, by the first network device, an informational exchange packet when the first network device obtains, based on the characteristic information, an internet key exchange (IKE) SA corresponding to the characteristic information. The informational exchange packet instructs the second network device to delete the IPsec SA on the second network device. The method further includes sending, by the first network device, the informational exchange packet to the second network device.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: March 15, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Lihua Mao, Bizhen Liu, Xueming Mei, Yulei Zhang, Bing Ni
  • Patent number: 11258772
    Abstract: An apparatus includes a non-volatile memory (NVM) device coupled to a host, the NVM device including a processing device to: receive a communication packet from a server via the host computing system that is coupled to the NVM device and communicatively coupled to the server, the communication packet comprising clear text data that requests to initiate secure communications; perform a secure handshake with the server, via communication through the host computing system, using a secure protocol that generates a session key; receive data, via the host computing system, from the server within a secure protocol packet, wherein the data is inaccessible to the host computing system; authenticate the data using secure protocol metadata of the secure protocol packet; optionally decrypt, using the session key, the data to generate plaintext data; and store the plaintext data in NVM storage elements of the NVM device.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: February 22, 2022
    Assignee: Cypress Semiconductor Corporation
    Inventors: Sergey Ostrikov, Stephan Rosner, Cliff Zitlaw
  • Patent number: 11252631
    Abstract: Systems and methods herein recognize that form factors executing personal computer (PC) operating systems experience limited connectivity when traveling between WiFi connections and/or wired connections. Not only does this limit research capabilities of the PC form factor while between WiFi and/or wired connections, but the limitations place data integrity at risk. Systems and methods herein monitor for conditions that cause data integrity risks and seamlessly implement solutions that resolve, reduce, and/or manage identified data integrity risk conditions at least by simplifying a user's ability to identify and connect to networks, which offer data integrity risk solutions.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: February 15, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Wael Jendli, Jeffrey J. Malvern, Anand Muthurajan
  • Patent number: 11245670
    Abstract: The present embodiment relates to method and system for dynamically identifying the optimal servers from among a plurality of VPN servers. The method and system to score or rank the plurality of VPN servers through mathematical operations to produce a scored list of servers. The servers are dynamically scored based on several server conditions including but not limited to server location, server hub score, server creation time, server load, and other like information. The method and system further calculate server penalty scores for a plurality of VPN servers and dynamically identifies optimal servers based on the least server penalty score. Further, the method and system provide means for the VPN service provider to direct their users to connect with the optimal servers consistently.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: February 8, 2022
    Assignee: 360 IT, UAB
    Inventors: Kazimieras Celiesius, Mindaugas Valkaitis
  • Patent number: 11233823
    Abstract: The present disclosure generally relates to enabling efficient implementation of honeypot devices in a honeypot service environment. Each honeypot device can be implemented as a virtualized device, executing software modified from a production version of a device such that interactions with the honeypot device closely match interactions with a production device. By using virtualization, each honeypot device can be reset to a known good state when a potential security breach occurs. Because network-based attacks are often wide-spread, the honeypot service environment can deduplicate attacks that occur at a large number of devices, discarding duplicate attack traffic to reduce overall load on the environment. While deduplication can be inappropriate for production environments (given the corresponding data loss), deduplication in a honeypot environment can reduce load while still enabling detection of a network attack.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: January 25, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Eknath Venkataramani, Daniel J. Miller, Swati Kulkarni
  • Patent number: 11233647
    Abstract: A system and associated methods provide digital identity and strong authentication management services for Internet users. The system includes a central, cloud-based, online service, referred to as a central service, which can manage user accounts. The system also includes dedicated, always-on, always-connected, cryptographically unique devices, referred to as beacons, located within the physical residences of its users. The central service associates each beacon with the residence address of its user by physically sending a unique address verification code by postal mail to the user's residence. The user presents the unique code to the beacon, and the beacon cryptographically confirms its identity and the unique code sent to the residence address back to the central service. The beacons can attest to users' identities and provide seamless strong authentication to third-party online service providers on behalf of those users.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: January 25, 2022
    Inventor: Jean-Emmanuel Fontaine
  • Patent number: 11201858
    Abstract: Method, systems, and devices for providing a multi-function router. A router may receive, process, and forward data packets between a physical network interface and a logical network interface. The router may also run a virtualized machine that uses the logical network interface mapped statically or dynamically to the physical network interface.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: December 14, 2021
    Assignee: KCT HOLDINGS, LLC
    Inventor: Keiron Christopher Tomasso
  • Patent number: 11190491
    Abstract: The present embodiment relates to method and system for establishing, by an individual VPN customer or a plurality of VPN customers, a multi-path failure-resistant connectivity to a VPN service while ensuring no unencrypted customer traffic is ever exposed in a public network. The additional aspects of the method and system disclosed is the constant connectivity assessment executed and the automatically triggered recovery mechanism incorporated.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: November 30, 2021
    Assignee: Netflow, UAB
    Inventors: Karolis Kaciulis, Donatas Budvytis
  • Patent number: 11178052
    Abstract: Systems and methods for supporting inter subnet control plane protocol for consistent multicast membership and connectivity across multiple subnets in a high performance computing environment. In accordance with an embodiment, by associating a multicast group with an inter-subnet partition, and enforcing a dedicated router port for the multicast group, multicast loop avoidance can be provided for between connected subnets. Because only a single router port is selected as being capable of handling the MC packet, no other router port in the subnet can then pass a multicast packet back to the originating subnet.
    Type: Grant
    Filed: November 15, 2019
    Date of Patent: November 16, 2021
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Bjørn Dag Johnsen, Bartosz Bogdański, Ankita Bhandary, Line Holen
  • Patent number: 11178236
    Abstract: Certain embodiments herein are directed to enabling service interoperability functionality for wireless fidelity (WiFi) Direct devices connected to a network via a wireless access point. A WiFi Direct device may identify various other WiFi Direct devices on a WiFi network for performing a requested service, such as printing content or displaying content to a screen. In so doing, the device may share information associated with an access point to which the device is connected with the other devices, which may also share information associated with an access point to which they are connected. In this way, WiFi Direct devices may discover their connectivity with respect to other devices to utilize a broader array of connection options for implementing a desired service, and hence, may leverage application programming interface (API) modules directed at providing service interoperability functionality between software applications and services requested by the software applications.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: November 16, 2021
    Assignee: Intel Corporation
    Inventors: Emily H. Qi, Carlos Cordiero, Ganesh Venkatesan, Bahareh Sadeghi
  • Patent number: 11176573
    Abstract: Online entities oftentimes desire to ascertain information about their audience members. To determine information about audience members and their activities, online transactions including information about transactions performed by audience members are collected. One or more audience analysis processes are applied to the online transactions to determine the collection of online transactions performed by a given audience member. With an accurate assignment of online transaction to the audience member, the audience member and associated transactions may be classified as a legitimate or illegitimate.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: November 16, 2021
    Assignee: KOUNT INC.
    Inventor: Timothy P. Barber
  • Patent number: 11157897
    Abstract: Disclosed herein are methods, devices, and apparatuses, including computer programs stored on computer-readable media for managing access to an account in a blockchain system. One of the methods includes: receiving, from a first account of the blockchain system, a request for accessing a second account of the blockchain system; determining an account level of the first account based on the request; determining an account level of the second account; determining whether the account level of the first account satisfies an account condition based on the account level of the second account; and permitting the request for accessing the second account based on a determination that the account level of the first account satisfies the account condition.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: October 26, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Zhongxiao Yao
  • Patent number: 11159574
    Abstract: The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A system for managing network connections includes a storage component, a decoding component, a rule manager component, and a notification component. The storage component is configured to store a list of expected connections for a plurality of networked machines, wherein each connection in the list of expected connections defines a start point and an end point for the connection. The decoding component is configured to decode messages from the plurality of networked machines indicating one or more connections for a corresponding machine. The rule manager component is configured to identify an unexpected presence or absence of a connection on at least one of the plurality of network machines based on the list of expected connections. The notification component is configured to provide a notification or indication of the unexpected presence or absence.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: October 26, 2021
    Assignee: Snowflake Inc.
    Inventors: James Calvin Armstrong, Jonathan Claybaugh
  • Patent number: 11153080
    Abstract: A network and a device can support secure sessions with both (i) a post-quantum cryptography (PQC) key encapsulation mechanism (KEM) and (ii) forward secrecy. The device can generate (i) an ephemeral public key (ePK.device) and private key (eSK.device) and (ii) send ePK.device with first KEM parameters to the network. The network can (i) conduct a first KEM with ePK.device to derive a first asymmetric ciphertext and first shared secret, and (ii) generate a first symmetric ciphertext for PK.server and second KEM parameters using the first shared secret. The network can send the first asymmetric ciphertext and the first symmetric ciphertext to the device. The network can receive (i) a second symmetric ciphertext comprising “double encrypted” second asymmetric ciphertext for a second KEM with SK.server, and (ii) a third symmetric ciphertext. The network can decrypt the third symmetric ciphertext using the second asymmetric ciphertext.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: October 19, 2021
    Inventor: John A. Nix
  • Patent number: 11153118
    Abstract: A technique for executing a service in a local area network through a wide area communication network by way of an access gateway. This access gateway allows devices of the local area network to access the wide area communication network. A service tunnel is configured between the access gateway and a tunnels termination point. This termination point conveys data originating from the local area network and received by using the tunnel to an instance of the service specific to the local area network and conveys data received from this instance to the local area network by using the tunnel. The service is thereafter executed by this instance in the guise of device of the local area network.
    Type: Grant
    Filed: April 26, 2018
    Date of Patent: October 19, 2021
    Assignee: ORANGE
    Inventors: Marc Giovanni, Pierre Guigues, Vincent Huet
  • Patent number: 11146959
    Abstract: In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: October 12, 2021
    Assignee: Arista Networks, Inc.
    Inventors: Adhip Gupta, Rajagopalan Ammanur, Sreedhar Ganjikunta, Uday Srinivasan
  • Patent number: 11144676
    Abstract: A security object management system may include a management module including a device processor and a non-transitory computer readable medium including instructions stored thereon, and executable by the processor, for performing the following steps: accessing a database having stored therein data regarding a plurality of security objects, wherein the data includes ownership data regarding the assignment of rights associated with the security objects; and receiving user input to change the reassignment of rights of at least one of the security objects from one user to another user of the system.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: October 12, 2021
    Assignee: United Services Automobile Association (USAA)
    Inventors: Martin Christopher Palmer, Paul Joseph Oncale, III, Tammy Sue O'Neal, Maria Carmelite Langley
  • Patent number: 11134060
    Abstract: Example implementations relate to mobile virtual private network (mVPN) configuration. For example, a system for mVPN configuration may include a configuration selector to intercept an internet protocol (IP) packet in a mobile virtual private network (mVPN) and select a mVPN configuration for the IP packet using a lookup table. The system may further include a configuration adapter to adapt the IP packet according to the selected mVPN configuration.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: September 28, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Syed Rafiul Hussain, Kyu-Han Kim
  • Patent number: 11119804
    Abstract: Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: September 14, 2021
    Assignee: VMWARE, INC.
    Inventors: Saahil Gokhale, Camille Lecuyer, Rajeev Nair, Kantesh Mundaragi, Rahul Mishra, Pierluigi Rolando, Jayant Jain, Raju Koganty
  • Patent number: 11120141
    Abstract: The invention relates to a computer-implemented system and method for selective dynamic encryption and decryption of data. The method may comprise the steps of identifying confidential data elements in a data table (e.g., confidential columns in a table) that contain confidential information; storing in a metastore behind a firewall the locations of the confidential data elements; intercepting a query to the database to add unencrypted confidential data elements; encrypting the unencrypted confidential data elements in computer memory; and transmitting to the public cloud the data table including the encrypted specific data elements and other data elements that have not been encrypted. The reverse process can be implemented for retrieving and selectively decrypting data stored in the cloud.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: September 14, 2021
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Manjunath Sargur Krishnamurthy, Karthigeyan Kuppan
  • Patent number: 11115387
    Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance to the routing policy.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: September 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Peter Bosch, Alessandro Duminuco, Jeffrey Napper, Sape Jurrien Mullender, David Delano Ward
  • Patent number: 11102186
    Abstract: Example methods are provided for a network device to perform packet capture in a software-defined networking (SDN) environment. One example method may comprise detecting an egress packet that includes an inner header addressed from a first node to a second node; and identifying a security policy applicable to the egress packet by comparing one or more fields in the inner header with one or more match fields specified by the security policy. The method may further comprise: based on the security policy, capturing the egress packet in an unencrypted form; performing encryption on the egress packet to generate an encrypted packet that includes the egress packet in an encrypted form; and sending the encrypted packet to the second node.
    Type: Grant
    Filed: April 26, 2018
    Date of Patent: August 24, 2021
    Assignee: VMWARE, INC.
    Inventors: Yong Wang, Xinhua Hong, Kai-Wei Fan
  • Patent number: 11093234
    Abstract: An automatic updating system includes an off-line management server, an in-line management server, a production management server configured to calculate a non-operating time in each time period, and a data analysis server. The off-line management server installs update-software transmitted from a manufacturer server in a corresponding off-line robot based on the transmitted update-software, evaluates the installed update-software, and determines whether or not it is possible to update the in-line robot by the update-software based on the evaluation. The data analysis server schedules the timing of the update of the software so that the update by the update-software, which has been determined to be updatable, is carried out within the non-operating time of the in-line robot. The in-line management server updates the software of the in-line robot at the timing scheduled by the data analysis server.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: August 17, 2021
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventor: Shun Sato
  • Patent number: 11089119
    Abstract: Systems and methods for providing application services to a customer are provided. Customer-managed computing resources on a customer network may facilitate the provision of application services to a client device coupled to the customer network. Application instances providing the application services may execute either on the customer-managed computing resources or on computing resources managed by the service provider. Application services may be rendered to the customer while sensitive customer data maintains residency on storage resources on the customer network. Application instances may receive requests for services from the customer, and generate corresponding requests for particular data of the sensitive customer data. These requests may be conveyed to the endpoints on customer network capable of fulfilling the requests.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: August 10, 2021
    Assignees: ATLASSIAN PTY LTD., ATLASSIAN INC.
    Inventors: Zakiul Islam, Noah Wasmer
  • Patent number: 11070566
    Abstract: An information handling system includes a processor, a baseboard management controller (BMC) agent that establishes a Transport Layer Security (TLS) session including a first cryptographic parameter shared between the BMC and the BMC agent, receives a request to register the BMC agent with the BMC via the TLS session, and provides a second cryptographic parameter to the BMC agent. The BMC establishes a second TLS session including a third cryptographic parameter, determines that the second TLS session is suspected of being from a malicious agent, and renegotiates with the BMC agent using the second cryptographic parameter within the TLS session to share a fourth cryptographic parameter between the BMC and the first BMC agent in response to determining that the second TLS session is suspect.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: July 20, 2021
    Assignee: Dell Products L.P.
    Inventors: Faizal Saidalavi Nabeesa, Parmeshwr Prasad, Rajib Saha
  • Patent number: 11057366
    Abstract: Provided is a process that establishes user identities within a decentralized data store, like a blockchain. A user's mobile device may establish credential values within a trusted execution environment of the mobile device. Representations of those credentials may be generated on the mobile device and transmitted for storage in association with an identity of the user established on the blockchain. Similarly, one or more key-pairs may be generated or otherwise used by the mobile device for signatures and signature verification. Private keys may remain resident on the device (or known and input by the user) while corresponding public keys may be stored in association with the user identity on the blockchain. A private key is used to sign representations of credentials and other values as a proof of knowledge of the private key and credential values for authentication of the user to the user identity on the blockchain.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: July 6, 2021
    Assignee: HYPR Corp.
    Inventors: George Avetisov, Roman Kadinsky, Robert Panebianco, Bojan Simic
  • Patent number: 11044270
    Abstract: A distributed security system and method are disclosed that enable access to known threat events from threat intelligence feeds when the system includes public cloud components. A cloud-based security policy system stores observable events for security incidents detected by and sent from user devices within an enterprise network. The observable events include observable indicators for characterizing the observable events. The threat events within the feeds include threat indicators for characterizing the threat events. An on-premises connector within the enterprise network downloads the observable indicators from the security policy system and the threat indicators from the feeds. In response to determining that any observable indicators match any threat indicators, the on-premises connector provides access to the threat events and/or the observable events having the matching indicators.
    Type: Grant
    Filed: March 13, 2017
    Date of Patent: June 22, 2021
    Assignee: Carbon Black, Inc.
    Inventors: Jeffrey Albin Kraemer, Sanket Choksey, Ranganathan Gopalan
  • Patent number: 11038923
    Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises configuring at least a given one of the first and second security edge protection proxy elements to apply application layer security to one or more information elements in a received message from a network function before sending the message to the other one of the first and second security edge protection proxy elements.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: June 15, 2021
    Assignee: Nokia Technologies Oy
    Inventors: Nagendra S. Bykampadi, Suresh P. Nair, Anja Jerichow
  • Patent number: 11032203
    Abstract: A first network device of a network receives first traffic and second traffic, and assigns a first priority to the first traffic and a second priority to the second traffic. The first network device provides, to a second network device, a first message requesting whether the second network device can process the first traffic, and receives, from the second network device, a first response with a first value indicating that the second network device can process the first traffic. The first network device establishes, with the second network device, a path that includes a first security association and a second security association. The first network device provides, to the second network device, the first traffic with the first priority, via the first security association of the path, and the second traffic with the second priority, via the second security association of the path.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: June 8, 2021
    Assignee: Juniper Networks, Inc.
    Inventors: Umesh Mangla, Johan Andersson
  • Patent number: 11032177
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for validating network activity. One of the methods includes receiving data identifying network activity for an online account; determining one or more users associated with the online account; determining, for each of the one or more users, a current physical activity in which the user is participating; determining, for each of the current physical activities, a likelihood that the corresponding user initiated the network activity while participating in the current physical activity; determining, for each of the current physical activities, whether the corresponding likelihood satisfies a threshold likelihood; and in response to determining that at least one of the corresponding likelihoods satisfies the threshold likelihood, providing an alert about the network activity to one of the one or more users associated with the online account.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: June 8, 2021
    Assignee: Alarm.com Incorporated
    Inventors: Matthew Daniel Correnti, Robert Nathan Picardi