Policy Patents (Class 726/1)
  • Patent number: 11382052
    Abstract: Disclosed is a synchronisation method and apparatus. The method includes steps described below. A control plane (CP) entity determines content to be counted, an object and a reporting policy for performing a synchronisation operation, where the synchronisation operation includes at least one of: a working status synchronisation operation or a resource status synchronisation operation; and the CP entity sends a request for the synchronisation operation to a user plane (UP) entity, where the request carries configuration information about the content to be counted, the object and the reporting policy for the synchronisation operation. Further disclosed are a network element and a computer-readable storage medium.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: July 5, 2022
    Assignee: ZTE CORPORATION
    Inventors: Li Yang, He Huang, Yuan Gao
  • Patent number: 11379579
    Abstract: Enforcing shadow stack violations at module granularity, rather than at thread or process granularity. An exception is processed during execution of a thread based on code of an application binary, which is enabled for shadow stack enforcement, that calls an external module. The exception results from a mismatch between a return address popped from the thread's call stack and a return address popped from the thread's shadow stack. Processing the exception includes determining that the exception resulted from execution of an instruction in the external module, and determining whether or not the external module is enabled for shadow stack enforcement. Based at least on these determinations, execution of the thread is terminated when the external module is enabled for shadow stack enforcement, or the thread is permitted to continue executing when the external module is not enabled for shadow stack enforcement.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: July 5, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jason Lin, Jin Lin, Gregory John Colombo, Niraj Majmudar, Mehmet Iyigun, Shayne Daniel Hiet-Block, Kenneth Dean Johnson
  • Patent number: 11381603
    Abstract: A segmentation server enables user-based management of a segmentation policy. Administrators belonging to different user groups may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, and modifying rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment.
    Type: Grant
    Filed: April 14, 2020
    Date of Patent: July 5, 2022
    Assignee: Illumio, Inc.
    Inventors: Paul J. Kirner, Dhanalakshmi Balasubramaniam, Seth Bruce Ford, Mukesh Gupta, Matthew K. Glenn
  • Patent number: 11379620
    Abstract: Described herein are techniques that provide privacy protection for a user by preventing user device tracking via device fingerprints. A communication may be received from a user device that includes metadata having information related to the user device. An intended recipient of the communication may be identified. Based on one or more of the user device or the recipient, a determination may be made as to what data within the metadata should be scrambled or selectively replaced. The data may then be overwritten with alternative data that may be selected at random, and the communication is forwarded to the recipient.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: July 5, 2022
    Assignee: T-Mobile USA, Inc.
    Inventor: Jay Stark
  • Patent number: 11372664
    Abstract: Techniques disclosed herein relate to migrating virtual computing instances such as virtual machines (VMs). In one embodiment, VMs are migrated across different virtual infrastructure platforms by, among other things, translating between resource models used by virtual infrastructure managers (VIMs) that manage the different virtual infrastructure platforms. VM migrations may also be validated prior to being performed, including based on resource policies that define what is and/or is not allowed to migrate, thereby providing compliance and controls for borderless data centers. In addition, an agent-based technique may be used to migrate VMs and physical servers to virtual infrastructure, without requiring access to an underlying hypervisor layer.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: June 28, 2022
    Assignee: VMWARE, INC.
    Inventors: Sachin Thakkar, Serge Maskalik, Allwyn Sequeira, Debashis Basak
  • Patent number: 11374979
    Abstract: Systems and methods are provided for managing network devices using policy graph representations. In some embodiments, the method includes receiving configurations for a plurality of network devices; extracting one or more policies from the configurations; extracting a label hierarchy from the configurations, the label hierarchy describing an organization of nodes in a network comprising the network devices; generating a connectivity of a network comprising the network devices based on the one or more policies and the label hierarchy; generating a policy graph representation of the connectivity of the network; and displaying the policy graph representation of the connectivity to a user.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: June 28, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Anu Mercian, Puneet Sharma, Charles F. Clark
  • Patent number: 11372971
    Abstract: There is provided a threat control method on a computer system including: collecting one or more events from a first endpoint, each event identifying one or more attributes associated with the event; detecting a security threat related to one or more of the collected events; searching matching events from one or more further endpoints, wherein the matching event includes at least part of the same attributes as the one or more events related to the detected security threat; and in case a matching event with at least part of the same attributes is found, identifying the associated endpoint as being related to a security threat similar to what was earlier detected.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: June 28, 2022
    Assignee: F-Secure Corporation
    Inventors: Henri Nurmi, Artturi Lehtio, Paolo Palumbo
  • Patent number: 11374903
    Abstract: The disclosed computer-implemented method for managing devices may include (i) intercepting outbound network traffic that is directed to an original target network destination, and (ii) redirecting the outbound network traffic to a virtual computing node within a publicly available on-demand cloud computing platform for the virtual computing node to apply a management policy to the outbound network traffic prior to the outbound network traffic arriving at the original target network destination, where a management service directs the performance of both configuring the computing device to redirect the outbound network traffic to the virtual computing node within the publicly available on-demand cloud computing platform and configuring the virtual computing node within the publicly available on-demand cloud computing platform to apply the management policy. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: June 28, 2022
    Assignee: NortonLifeLock Inc.
    Inventor: Qing Li
  • Patent number: 11374913
    Abstract: If authentication information used for communication has not been determined in a case where authentication is required in communication with a network device, a communication unit of a management system attempts the authentication processing with the network device by using information for one piece each in order from among shared authentication information that has been managed. If the authentication has succeeded, a storage unit stores the authentication information used in the authentication in association with the network device. If the authentication information to be used for the communication has been stored in a case where the authentication is required in communication with the network device, the communication unit performs communication using the stored authentication information without performing an attempt.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: June 28, 2022
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Toshiyuki Nakazawa
  • Patent number: 11374980
    Abstract: A plurality of policies to be enforced in a network environment via a plurality of devices are determined. A topology of the plurality of devices within the network environment is also determined. For each policy of the plurality of policies, a device of the plurality of devices is selected as the location at which to enforce the policy of the plurality of policies. Selecting the device for each policy of the plurality of policies includes correlating the policy of the plurality of policies with another of the plurality of policies and correlating the policy of the plurality of policies with the topology.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: June 28, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Syam Sundar V Appala, Rex Emmanuel Fernando, Sanjay Kumar Hooda
  • Patent number: 11374981
    Abstract: This disclosure describes techniques for providing a manufacturer usage description (MUD) solution to automatically update network access policy for client application software. The method may include embedding metadata in the application binary. The metadata may include MUD uniform resource identifiers (URIs) that may point to MUD files describing the application's network access requirements. The MUD files may be hosted by application vendor's MUD servers. The system may include a network policy server that is able to discover the MUD URIs. The MUD URIs may be discovered based on extracting the MUD URIs from the metadata and/or being provisioned with the set of MUD URIs for trusted applications. The method may include enterprise-wide policy and individual host policy for implementation of the MUD files.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: June 28, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Eliot Lear, Owen Friel
  • Patent number: 11373007
    Abstract: A system for identifying and determining whether a particular cookie may include personal data, in any embodiment described herein, is configured to analyze collected cookies to determine whether the collected cookies may be used to directly or indirectly identify a particular individual. The system may, for example: (1) generate one or more virtual profiles; (2) use the one or more virtual profiles to access a plurality of websites; (3) collect cookie data for the plurality of websites for the one or more virtual profiles; and (4) analyze the cookie data to determine whether a particular website of the plurality of websites utilizes one or more cookies which may potentially include personal data. The system may then generate a report of the analysis, and display the report to an administrator or other individual associated with the particular website.
    Type: Grant
    Filed: June 14, 2018
    Date of Patent: June 28, 2022
    Assignee: OneTrust, LLC
    Inventors: Richard Beaumont, John Mannix, Kabir A. Barday, Jonathan Blake Brannon
  • Patent number: 11366734
    Abstract: Aspects of the disclosure relate to various systems and techniques that provide methods and systems for identifying log events for computing systems. For example, receiving a log event of an application and identifying at least one key word and determining a number of instances in which the computing device has received the log event based on the at least one key word. Further, determining a value for the log event based on the determined number of instances where the value is representative of an inverse relationship between the number of instances of receipt of the log event and a criticality of that log event and initiating an action to address the event indicated by the log event based on a comparison between the determined value and a threshold.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: June 21, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Sharine Xia
  • Patent number: 11366656
    Abstract: A system, method, and non-transitory computer-readable storage medium for identifying customization changes have been disclosed. The system comprises a processor and a memory that includes instructions executable by the processor to cause the system to identify a baseline script of a plurality of baseline scripts from a baseline instance that corresponds to a custom script of a plurality of custom scripts from a customized instance. The customized instance is a customized version of the baseline instance. The instructions are executable to cause the system to compare the baseline script to the custom script to identify one or more changes between the baseline script and the custom script, to determine an amount of change using the one or more identified changes, and to generate a graphical user interface that includes an identifier of the baseline script, an identifier of the custom script, and a graphical indication of the amount of change.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: June 21, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Ivan Garay, Royce Davis, Clint Sowada
  • Patent number: 11368526
    Abstract: Systems and methods are provided for managing server loads that accounts for various measures of risk associated with different workloads assigned to servers. The systems and methods may include a memory storing instructions for server load management operations, and a processor configured to execute the stored instructions. The processor may receive a workload, determine a value associated with the workload indicating a predetermined importance of the workload, receive information for a plurality of active servers in a server cluster associated with the processor, determine risk levels associated with the active servers based on the received information, and assign the received workload to one of the active servers based on the determined value and the determined risk levels.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: June 21, 2022
    Assignee: Capital One Services LLC
    Inventors: Tao Tao, Santosh Bardwaj, Il Sun Yoo, Yihui Tang, Jeremy Gerstle
  • Patent number: 11366653
    Abstract: An application code updating apparatus is disclosed. The apparatus comprises a processor to receive application deployment code defining an application to be deployed in a cloud-computing environment; determine, from the application deployment code, an identity of a cloud-based repository from which to retrieve the application; obtain, from a database, an authentication credential for the identified repository; generate, based on the authentication credential, an access token to provide access to the repository; and update the application deployment code to include the generated access token. A method and a machine-readable medium are also disclosed.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: June 21, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Lokesh Shivashankara
  • Patent number: 11368369
    Abstract: Techniques for deployment of policies to computing devices are described herein. The techniques can include a server deploying a passive policy to the computing devices. After deploying the passive policy, data is collected from each of the computing devices regarding operation of the computing device. The server monitors, based on comparing the passive policy to the collected data, compliance of each computing device with the passive policy. The server determines, based on the monitoring, a set of the computing devices that exhibit a policy violation associated with the passive policy. The server deploys an active policy to the set of computing devices. The active policy corresponds to the passive policy, and deploying the active policy causes one or more actions that correspond to the policy violation to be performed on each of the set of computing devices.
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: June 21, 2022
    Assignee: Lookout, Inc.
    Inventors: Brian James Buck, David Richardson, Alex Richard Gladd
  • Patent number: 11361071
    Abstract: Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: June 14, 2022
    Assignee: HUNTRESS LABS INCORPORATED
    Inventors: Robert Julian Noeth, Ernest Gregory Ake
  • Patent number: 11363043
    Abstract: A computer-implemented method, computer program product and computing system for: receiving platform information from a plurality of security-relevant subsystems; processing the platform information to generate processed platform information; identifying more threat-pertinent content included within the processed content; and routing the more threat-pertinent content to a threat analysis engine.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: June 14, 2022
    Assignee: RELIAQUEST HOLDINGS, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer
  • Patent number: 11363053
    Abstract: A device 1 for managing utilized services, which serves to manage an external service that is utilized when a user website provided by a user server 14 is accessed, is equipped with a CSP tag generation unit 9 for generating a CSP tag, which is a content security policy tag that allows access only to a prescribed domain and is stipulated by the World Wide Web Consortium.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: June 14, 2022
    Assignee: DATASIGN INC.
    Inventors: Yuichi Ota, Kei Ogasawara
  • Patent number: 11360673
    Abstract: A method performed by a computing system includes detecting that a removable data volume has been attached to the computing system, the removable data volume being identified by a unique label. The method further includes, in response to determining that a portion of the unique label matches a predefined value, invoking a catalog container based on a rule within a first rule database. The method further includes, with the catalog container, obtaining metadata stored on the removable data volume, the metadata including characteristics of a first application associated with a first piece of data that is stored on the removable data volume. The method further includes, with the catalog container, creating an application container having the first application with the characteristics. The method further includes, with the application container, processing the removable data volume.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: June 14, 2022
    Assignee: RED HAT, INC.
    Inventors: Huamin Chen, Stephen Watt, James R. Curtis
  • Patent number: 11362899
    Abstract: An example system includes a vehicle having an Ethernet based network and a controller area network (CAN) based network; a CAN vehicle control device disposed onboard the vehicle and structured to control operation of a component of the vehicle; an Ethernet vehicle control device disposed onboard the vehicle and structured to electrically communicate with the CAN vehicle control device; an Ethernet switch disposed onboard the vehicle and having a plurality of physical ports connected to the Ethernet based network; a CAN gateway disposed onboard the vehicle and connected to the CAN based network and the Ethernet switch; and a network convergence circuit defined at least in part by the Ethernet switch and/or the CAN gateway, and structured to facilitate electronic communications between the Ethernet vehicle control device and the CAN vehicle control device.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: June 14, 2022
    Assignee: Sonatus, Inc.
    Inventors: Yu Fang, Yixiang Chen, Xuanran Zong, Robin Reed, Andrew Ling, Troy Michael Trenchard
  • Patent number: 11362936
    Abstract: A Software Defined Network (SDN) comprises a plurality of resources including Network Elements (NEs) and network links connecting the NEs. A method comprises receiving a request to provision an SDN Datapath in the SDN. The request comprises performance metrics for the SDN Datapath and a geographic constraint to be applied to resources used in provisioning the SDN Datapath. The method further comprises assembling a candidate set of resources to provision the SDN Datapath and initiating provision of the SDN Datapath using resources selected from the candidate set. Assembling a candidate set of resources to provision the SDN Datapath comprises obtaining a geographic location attribute of resources in the SDN and populating the candidate set with those resources having a geographic location attribute satisfying the received geographic constraint.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: June 14, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Giuseppe Celozzi, Luca Baldini, Daniele Gaito, Gaetano Patria
  • Patent number: 11361063
    Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: June 14, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
  • Patent number: 11360721
    Abstract: A policy-based printing system is implemented to allow access to a private domain to print using a public domain. The private domain includes private servers that store documents. The public domain includes servers and a printing device. A public policy server uses a domain list and a protocol connection with a private authentication server to validate a user and identify which private domain to access. The public policy server retrieves a policy from a private policy server that configures the parameters for printing using the public domain. The print job data is provided to a public file server until the public policy server confirms that the print job can be sent to the printing device.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: June 14, 2022
    Assignee: KYOCERA DOCUMENT SOLUTIONS INC.
    Inventors: Arthur Alacar, Mark Chen, Jin Liang, Michael Martin
  • Patent number: 11361102
    Abstract: Systems and methods for managing data security are described. In an embodiment, the method comprises receiving a data access request from a first application that runs in a first operating environment of a mobile device, wherein the authentication request contains credentials of the first application, communicating with a second application that runs in a second operating environment in parallel to the first environment of the mobile device, wherein the second application is a trusted application that runs in a secure environment, and wherein the communicating includes transferring the credentials of the first application to the second application, and receiving data from the trusted application responsive to the data access request, based on the credentials of the first application.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: June 14, 2022
    Assignee: Barclays Execution Services Limited
    Inventors: Lawrence Cheng, Jeremy Goldstone
  • Patent number: 11363095
    Abstract: A method and system for policy-driven traffic management in cloud-based multi-tenant systems is disclosed. Each end user device within each tenant is provided policies to specify priority based upon, for example, end-to-end performance, bandwidth or service capacity, service or link availability, or security. Different routes are provided for each policy. An application can request a route to an Internet service according to the policy to be assigned a route.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: June 14, 2022
    Assignee: Netskope, Inc.
    Inventors: Bryan D. Black, Jacob S. Roersma
  • Patent number: 11361762
    Abstract: A method may include obtaining a dialogue of a user and a pre-trained language model. The method may include obtaining a corpus of dialogues and a corpus of response materials. The method may include modifying the pre-trained language model. The method may include identifying a dialogue topic of the dialogue of the user and identifying a set of response topics. The method may include selecting a set of response materials from the corpus of response materials. The method may include determining a first plurality of probabilities and, for each response material of the set of response materials, a respective second plurality of probabilities. The method may include comparing the first plurality of words with each respective second plurality of words associated with each respective response material of the set of response materials. The method may include selecting a response material of the set of response materials based on the comparison.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: June 14, 2022
    Assignee: FUJITSU LIMITED
    Inventors: Nikhil Mehta, Ramya Malur Srinivasan, Ajay Chander
  • Patent number: 11354399
    Abstract: A method for providing a set of certificates encoding authorisations, the method comprising processing respective ones of multiple authorisation requests at a trusted signing authority apparatus to verify respective digital signatures applied to the requests, the multiple authorisation requests received over a first communication link between the trusted signing authority apparatus and an administration apparatus, validating one or more authorisation request parameters of respective ones of the authorisation requests, generating a certificate encoding an authorisation at the trusted signing authority apparatus and transmitting the generated certificate to the administration apparatus or a requesting apparatus over a second communication link.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: June 7, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Joshua Serratelli Schiffman, Luke T. Mather, Christopher Charles Mohrman
  • Patent number: 11356414
    Abstract: Embodiments described herein relate generally to network-based threat detection mechanisms. Specifically, embodiments described herein describe a communication mechanism that filters (e.g., allows or blocks) received communications according to an iterative security list.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: June 7, 2022
    Assignee: The Western Union Company
    Inventor: Ricardo Ledezma Henry
  • Patent number: 11353855
    Abstract: An OT-IT (operational technology-information technology) service of a provider network allows operators to configure gateway connectors for data sources (e.g., machines at an industrial site) and allows developers to specify workflows that consume data from the data sources. To do so, the OT-IT service provides an operator interface to receive topology data for the client's remote network. The OT-IT service configures connectors for data sources based on the topology data and deploys the connectors to gateway devices. The OT-IT service also provides a developer interface to present available data sources and to receive specifications for workflows that consume data from the data sources. The OT-IT service deploys the workflows to execution locations. The OT-IT service then configures the gateways to send tagged data from the connectors to the workflows for processing.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: June 7, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Pascal Hahn, Jeffrey C. Maynard, Arie Leeuwesteijn, Matthew Patrick Herscovitch, Bart Schouwenaars-Harms
  • Patent number: 11349844
    Abstract: Managing an authenticated user session. A method includes a resource provider computer system subscribing to a conditional access termination service for an entity configured to obtain resources from the resource provider computer system through a user session. The resource provider computer system receives an event, related to resource requests, for the entity from the conditional access termination service. The resource provider computer system receives a request for resources from the entity. The resource provider computer system evaluates the request with respect to the event. The resource provider computer system responds to the request based on evaluating the request with respect to the event.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: May 31, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Violet Anna Barhudarian, Jiangfeng Lu, Caleb Geoffrey Baker, Oren Jordan Melzer, Anirban Basu, Chandra Sekhar Surapaneni, Nitika Gupta, Murli Dharan Satagopan
  • Patent number: 11349840
    Abstract: Heuristic based approach to authentication of requests in a stateless protocol environment. Heuristics may be applied to a request to calculate a trust level for the request. The trust level for a request may at least in part be based on request parameters for the request and one or more previously received requests in a user context profile. Thus, historical request metadata may be used in calculating a trust value of a received request. If the trust value for a request exceeds a trust threshold, the request may be authenticated without forwarding the request to an authentication server. Thus, for requests in which the trust value exceeds the trust threshold, system performance may be improved by not requiring computational overhead and/or network bandwidth to be used in authentication. In this regard, the format of the request may still comport with the stateless protocol, but authentication may be made more efficient.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: May 31, 2022
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Ujjwal Lanjewar, Nilesh Govande, Basavaraj Kirunge
  • Patent number: 11349911
    Abstract: A system can receive a guardrail policy request that specifies a guardrail policy to assess for deployment on a server to protect at least a specific port of the server. The system can execute a fingerprint clustering machine learning model using server fingerprint data to generate cluster data that identifies a virtual machine cluster that includes a plurality of virtual machines executed by the server. The system can execute a traffic discovery machine learning model using server traffic data and the cluster data to generate a confidence score indicative of whether deployment of the guardrail policy would have an adverse impact on the server. The system can execute a risk assessment machine learning model using the application type data to generate a risk assessment score. The system can evaluate the confidence score and the risk assessment score and can determine whether the guardrail policy should be deployed on the server.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: May 31, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian Miles, Chad Hiestand, Anthony Librera, William Trost
  • Patent number: 11347846
    Abstract: Embodiments of systems and methods for real-time monitoring and policy enforcement of active applications and services are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: provide a hardware-rooted, Operating System (OS)-agnostic resource monitoring agent; receive, at the resource monitoring agent from a remote resource monitoring service via an out-of-band channel, a resource enforcement policy; determine, by the resource monitoring agent, that an application is using or attempting to use a resource in a manner that conflicts with the resource enforcement policy; and stop or prevent the application from using the resource in response to the determination.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: May 31, 2022
    Assignee: Dell Products, L.P.
    Inventors: Anantha K. Boyapalle, Abeye Teshome, Vaibhav Soni
  • Patent number: 11349875
    Abstract: A database protection system (DPS) is configured to dynamically-optimize security rule validation throughput based on evaluating resource consumption data collected from prior validations. In particular, the DPS analyzes collected resource consumption information and determines which security rules in a set should then be active. To this end, the DPS is configured with multiple security rules engines (SREs), and each is configured to evaluate the same set of security rules. When an SRE applies a validation (to a request or response flow), an associated collector collects and analyzes associated resource consumption data. This data is provided to an optimizer, which receives similar resource consumption data from other SREs. Based on the resource consumption data collected from the SRE collector(s), the optimizer dynamically optimizes security rules validation in real-time, e.g., by dynamically switching on or off given security rule(s) in the set of security rules at given one(s) of the SREs.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: May 31, 2022
    Assignee: International Business Machines Corporation
    Inventors: Leonid Rodniansky, Tania Butovsky
  • Patent number: 11349717
    Abstract: An example system includes a vehicle having a first network zone and a second network zone of a different type than the first network zone, a converged network device (CND) interposed between the zones, where the CND includes a policy management circuit that interprets a policy including a network regulation description, a configuration circuit that configures network interface circuit(s) in response to the policy, and the interface circuit(s) that regulate communications between end points of the network zones.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: May 31, 2022
    Assignee: Sonatus, Inc
    Inventors: Yu Fang, Yixiang Chen, Xuanran Zong, Robin Reed, Andrew Ling, Troy Michael Trenchard
  • Patent number: 11341278
    Abstract: A system is provided and includes a securable resource, a locking element configured to assume a locked condition in which the securable resource is locked and an unlocked condition in which the securable resource is unlocked, a controller and a physical authentication interface. The controller is receptive of an instruction to authorize users to unlock the securable resource and configured to perform operating system (OS) level authentication of the users and OS level control of the locking element in accordance with the instruction to authorize users and the OS level authentication. The physical authentication interface is configured to enable or disable a capability of the controller to perform the OS level authentication.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: May 24, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Andrew C. M. Hicks, Ryan Thomas Rawlins, Christopher V. DeRobertis, Khaalid Persaud Juggan McMillan
  • Patent number: 11341145
    Abstract: Systems and methods are described herein for extrapolating trends in trust scores. A trust score may reflect the trustworthiness, reputation, membership, status, and/or influence of the entity in a particular community or in relation to another entity. An entity's trust score may be calculated based on data from a variety of data sources, and this data may be updated periodically as data is updated and new data becomes available. However, it may be difficult to update a trust score for an entity due to a scarcity of information. The trust score for such entities may be updated based on trends observed for the updated trust scores of other entities over a similar period of time. In this manner, trust scores may be updated for entities for which updated data is not available.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: May 24, 2022
    Assignee: WWW.TRUSTSCIENCE.COM INC.
    Inventors: Chris Trudel, Ashif Mawji
  • Patent number: 11338161
    Abstract: Methods, devices, and systems for fire system rule generation are described herein. In some examples, one or more embodiments include a memory, and a processor to execute instructions stored in the memory to receive a rule input condition and a rule output condition for a fire control system of a facility, generate a fire system rule for the facility based on the rule input condition and the rule output condition, and transmit the fire system rule to a fire control panel of the fire control system of the facility.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: May 24, 2022
    Assignee: Honeywell International Inc.
    Inventors: Deepika Sahai, Narendra Chandrakant Salve, Srivatsa Haridas, Adithya Holehonnur, Kamalraja Ganesan
  • Patent number: 11341279
    Abstract: A system is provided and includes a securable resource, a locking element configured to assume a locked condition in which the securable resource is locked and an unlocked condition in which the securable resource is unlocked, a first controller, which is receptive of an instruction to authorize users to unlock the securable resource, and a common interface to which the first controller and additional controllers, which are independent from the first controller and one another, are tied. The first controller is configured to authenticate the users and to perform operating system (OS) level control of the locking element in accordance with the instruction to authorize users and an authentication of the users by the common interface.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: May 24, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Andrew C. M. Hicks, Ryan Thomas Rawlins, Christopher V. DeRobertis, Khaalid Persaud Juggan McMillan
  • Patent number: 11343227
    Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a plurality of sites. The method receives a definition of an application to be deployed in the virtual infrastructure, the application definition specifying a first set of the sites at which to deploy the application. Based on the definition of the application, the method assigns the application to a set of security zones defined for the virtual infrastructure. Each respective security zone is restricted to a respective set of the sites. The method deploys the application in a second set of sites based on the first set of sites and the sets of sites to which the set of security zones are restricted.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: May 24, 2022
    Assignee: VMWARE, INC.
    Inventors: Sachin Mohan Vaidya, Shailesh Makhijani, Mayur Dhas, Rushikesh Wagh, Nikhil Bokare, Vaibhav Bhandari, Shrinivas Sharad Parashar
  • Patent number: 11341233
    Abstract: Disclosed are various approaches for enforcing policies for unmanaged applications. A user supplied script can be evaluated to determine whether an application is installed on a computing device. In response to a determination that the application is installed on the computing device, a request can be sent to a management service for at least one policy applicable to the application. The policy can be evaluated to determine whether the application complies with the policy.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: May 24, 2022
    Assignee: VMware, Inc.
    Inventors: Shravan Shantharam, Kalyan Regula, Joshua Dobelstein, Sharath Chowdary Gude, Nigitha Alugubelli, Xueliang Hua
  • Patent number: 11343260
    Abstract: A method for a gradual credential disablement is provided. The method includes receiving, at data processing hardware, a request for access to a resource. The request includes a request authenticator. The method also includes comparing, by the data processing hardware, the request authenticator against a security credential associated with the resource. The method further includes determining, by the data processing hardware, whether the request authenticator satisfies the security credential. When the request authenticator satisfies the security credential, the method includes granting or denying, by the data processing hardware, access to the resource based on a request failure rate associated with the security credential.
    Type: Grant
    Filed: March 1, 2018
    Date of Patent: May 24, 2022
    Assignee: Google LLC
    Inventors: Gregory Roth, Naveen Chand
  • Patent number: 11341823
    Abstract: A method for enhancing automated transaction machine (ATM) security surveillance. The method consists of receiving a set of data from a financial device and generating a template for the financial device. The method generates an analysis by analyzing a portion of the received set of data. The method then determines a likelihood factor that the analyzed first portion is associated with a security threat, wherein if the likelihood factor is above a threshold then the method generates a second analysis by analyzing a second portion of the received first set of data and revises the likelihood factor based on the second analysis. The method generates a notice if the first likelihood factor exceeds a second threshold and then updates the template with the analysis and the likelihood factor and receives a second set of data from the monitoring device. The method updates the template with the second set of data.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: May 24, 2022
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Michael Mossoba, Abdelkader Benkreira, Joshua Edwards
  • Patent number: 11341256
    Abstract: A computing device includes a processor and a machine-readable storage medium storing instructions. The instructions are executable by the processor to: cause a file management sub-system to detect a request to access a particular file belonging to a specific user entity, and to send an authorization request to a security sub-system; cause the security sub-system to check user metadata for the specific user entity in response to the authorization request, to determine whether the file is expired based on the user metadata for the specific user entity, and to, in response to a determination that the file is expired based on the metadata, send a denial of the authorization request to the file management sub-system; and cause the file management sub-system to, in response to the denial, block access to the particular file.
    Type: Grant
    Filed: January 24, 2019
    Date of Patent: May 24, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Vijaya Kumbhashi
  • Patent number: 11336472
    Abstract: A data packet processing method and apparatus, where a storage apparatus disposed on a network side stores a correspondence between an identifier and data flow characteristic information. When configuring a policy for a data packet including a first identifier, a network-side device requests the storage apparatus for data flow characteristic information corresponding to the first identifier. A policy and charging enforcement function (PCEF) receives a data packet that is sent by a user equipment (UE), matches the data packet against the data flow characteristic information, and when the data packet matches the data flow characteristic information, executes a policy on the data packet according to policy information corresponding to the first identifier.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: May 17, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Wei Lu, Huan Li
  • Patent number: 11334675
    Abstract: Systems and methods support secure transfer of data between workspaces operating on an IHS (Information Handling System). Upon a request for access to a first managed resource, such as protected data, a first workspace is deployed according to a first workspace definition. Upon a request for access to a second managed resource, a second workspace is deployed according to a second workspace definition. In response to an indication of a portion of the protected data from the first workspace being copied to a buffer supported by the IHS and of a request to paste the copied portion of the protected data to the second workspace, the protections provided by the second workspace are evaluated. If the protections of the second workspace are inadequate, an updated second workspace definition is selected that specifies additional protections. The second workspace is updated according to the updated second workspace definition and the transfer is permitted.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: May 17, 2022
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
  • Patent number: 11336696
    Abstract: A system to control access to domains, servers, or content, among other things. There may be individualized or global policies. Policy servers or other devices may interface with databases, DNS servers, firewalls, programmable virtualized routers, or dynamic host configuration protocol servers, among other devices to dynamically update various policy enforcement elements.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: May 17, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Anestis Karasaridis, Stephen Chou, Aleksandr Zelezniak
  • Patent number: 11336657
    Abstract: The invention relates to a communication network having at least one network element (NE), via which data associated with the communication are conducted.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: May 17, 2022
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Kai Fischer, Daniela Friedrich, Markus Heintel