Policy Patents (Class 726/1)
  • Patent number: 11848946
    Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity.
    Type: Grant
    Filed: December 26, 2022
    Date of Patent: December 19, 2023
    Assignee: VMWARE, INC.
    Inventors: Jayant Jain, Jingmin Zhou, Sushruth Gopal, Anirban Sengupta, Sirisha Myneni
  • Patent number: 11847224
    Abstract: An apparatus for preventing unauthorized software or firmware upgrades between two or more computing devices connected on a data bus includes a cryptographic engine, memory, and at least one processor coupled with the cryptographic engine and memory. The cryptographic engine stores cryptographic metadata for authorized upgrade images for updating at least one target computing device coupled to the data bus. The cryptographic metadata includes a manifest list of upgrade images. The processor is configured to monitor the data bus for transmissions of striped update hashes from a maintenance device, to receive signed striped hashes corresponding to an upgrade image file transmitted by the maintenance device, to validate the striped update hashes using information in the manifest list, to log that an unauthorized upload has been attempted when at least one of the striped update hashes fails validation, and to perform a mitigation action(s) in response to the attempted unauthorized upload.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: December 19, 2023
    Assignee: Shift5, Inc.
    Inventors: Michael A Weigand, Joshua A. Lospinoso, James E. Correnti
  • Patent number: 11849314
    Abstract: A method for ensuring secure wireless communication of a first device in a communication system includes: retrieving information about a type of trustiness of a first communication link of a first access technology and about a type of trustiness of a second communication link of a second access technology, wherein a second device and the first device are configured to communicate data with each other via the first communication link and the second communication link; determining, by a processor of the first device and/or a processor of the second device, security levels based on the information about the type of trustiness of the first communication link and about the type of trustiness of the second communication link.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: December 19, 2023
    Assignee: DEUTSCHE TELEKOM AG
    Inventor: Markus Amend
  • Patent number: 11843603
    Abstract: A non-transitory computer-readable storage medium storing a program that causes a processor included in an authorization server to execute a process, the process includes storing an association relationship between a plurality of users who are owners of data, and a consent portal with which each of the plurality of users performs user registration, when consent of a user to access to data of a first condition is asked for by a client, detecting a target user who is an owner of data that matches the first condition, extracting a consent portal with which the target user performs user registration, from the association relationship, and obtaining an intention of consent or non-consent to access to the data, from the target user by using the extracted consent portal, and controlling an access by the client to data in the resource server, in accordance with the obtained intention.
    Type: Grant
    Filed: January 14, 2021
    Date of Patent: December 12, 2023
    Assignee: FUJITSU LIMITED
    Inventor: Izuru Sato
  • Patent number: 11843509
    Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.
    Type: Grant
    Filed: December 8, 2021
    Date of Patent: December 12, 2023
    Assignee: Dell Products L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L Martinez, Charles D. Robison
  • Patent number: 11843577
    Abstract: Systems and methods include obtaining a plurality of parameters associated with a host; determining a fingerprint of the host utilizing the plurality of parameters; and providing the fingerprint to a cloud service for enrollment and management of the host in the cloud service. The cloud service can include microsegmentation of the host. The cloud service can include any of Internet access for the host and private resource access by the host.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: December 12, 2023
    Assignee: Zscaler, Inc.
    Inventors: Ajit Singh, Vivek Ashwin Raman, Abhinav Bansal, Thomas Evan Keiser, Jr., John H. O'Neil
  • Patent number: 11843637
    Abstract: The technology disclosed relates to a DHCP relay-based steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a steering logic that is interposed between a plurality of special-purpose devices on a network segment of a network and a DHCP server on the network segment. The steering logic is configured to intercept DHCP requests broadcasted to the DHCP server by special-purpose devices in the plurality of special-purpose devices, forward the intercepted DHCP requests to the DHCP server 522, receive, from the DHCP server, DHCP responses to the intercepted DHCP requests, receive, from a device classification logic, a positive determination that the special-purpose devices are special-purpose devices and not general-purpose devices, modify the received DHCP responses by replacing the default gateway with an inline secure forwarder on the network segment, and send the modified DHCP responses to the special-purpose devices.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: December 12, 2023
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Siying Yang, Krishna Narayanaswamy
  • Patent number: 11843638
    Abstract: The technology disclosed relates to a DHCP server-based steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a steering logic running on a DHCP server on a network segment of a network. The steering logic is configured to receive DHCP requests broadcasted to the DHCP server by a plurality of special-purpose devices on the network segment, access DHCP responses generated by the DHCP server for the DHCP requests, receive, from a device classification logic, a positive determination that special-purpose devices in the plurality of special-purpose devices are special-purpose devices and not general-purpose devices, modify the accessed DHCP responses by replacing the default gateway with an inline secure forwarder on the network segment, and send the modified DHCP responses to the special-purpose devices.
    Type: Grant
    Filed: August 12, 2022
    Date of Patent: December 12, 2023
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Siying Yang, Krishna Narayanaswamy
  • Patent number: 11843510
    Abstract: Techniques are disclosed for automatically inferring software-defined network policies from the observed workload in a computing environment. The disclosed techniques include monitoring network traffic flow originating from network interfaces corresponding to containers that execute components of an application, recording details of a new network connection or a change in the existing network connection, obtaining information concerning the components of the application, identifying metadata for a component involved in the new network connection or the change in an existing network connection based on a comparison of the details of the new network connection or a change in the existing network connection and the information concerning the components of the application, generating a network policy for the component using at least the metadata for the component, and integrating the network policy for the component into a deployment package for the application.
    Type: Grant
    Filed: August 25, 2022
    Date of Patent: December 12, 2023
    Assignee: Oracle International Corporation
    Inventors: Olgierd Stanislaw Pieczul, Robert Clark, Nitin Srinivasa Rao Jami
  • Patent number: 11843532
    Abstract: Systems and methods are described herein for managing peering relationships and applying peering policy between service providers and content distribution networks. Aspects discussed herein relate to establishing secure peering connections between service providers to exchange application and/or network information. In some embodiments, an application peering manager may apply peering policy based on token information or other suitable information configured to uniquely identify an application and/or subscriber. In other embodiments, policy enforcement points or other elements residing within a network may be configured to accept and/or apply peering policy to application sessions.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: December 12, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventors: Yiu Leung Lee, Franklyn Athias
  • Patent number: 11843622
    Abstract: Techniques are described for providing users of a data intake and query system with pre-trained ML models capable of identifying malicious threats (e.g., malware, botnets, ransomware, etc.) in users' computing environments based on an analysis of Domain Name System (DNS) log data collected from DNS servers in users' environments. DNS log data is ingested by a data intake and query system and processed to obtain searchable timestamped event data. This event data can then be used as input to ML models provided by a security ML application described herein to detect potential occurrences of malicious activity within users' computing environments.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: December 12, 2023
    Assignee: Splunk Inc.
    Inventors: Anthony G Tellez, Philipp Drieger
  • Patent number: 11838327
    Abstract: A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.
    Type: Grant
    Filed: September 29, 2022
    Date of Patent: December 5, 2023
    Assignee: CLOUDFLARE, INC.
    Inventor: James Howard Royal
  • Patent number: 11836268
    Abstract: A request to perform a prediction using a machine learning model of a specific entity is received. A specific security key for the machine learning model of the specific entity is received. At least a portion of the machine learning model is obtained from a multi-tenant machine learning model storage. The machine learning model is unlocked using the specific security key and the requested prediction is performed. A result of the prediction is provided from a prediction server.
    Type: Grant
    Filed: October 2, 2020
    Date of Patent: December 5, 2023
    Assignee: ServiceNow, Inc.
    Inventors: Virendra Kumar Mehta, Sriram Palapudi
  • Patent number: 11838283
    Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.
    Type: Grant
    Filed: October 4, 2022
    Date of Patent: December 5, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: David Delano Ward, Robert Stephen Rodgers, Andrew Phillips Thurber, Eric Voit, Thomas John Giuli
  • Patent number: 11838367
    Abstract: Various embodiments include a method for deploying a field device into an Internet of Things (IoT). The method may include: acquiring information from a field device using an edge device; transmitting the acquired information to a cloud platform; wherein the information comprises data and an industrial IoT model; converting the industrial IoT model into a graph; performing similarity analysis based on the graph; classifying the industrial IoT model based on the similarity analysis; generating a first industrial IoT model comprising a type or an example; performing data mapping on the first industrial IoT model; and operating the field device as part of the IoT.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: December 5, 2023
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Qi Wang, He Yu, Jun Jie Chen, Wen Jing Zhou, Yue Hua Zhang, Teng Fei Wu, Yang Wang
  • Patent number: 11836965
    Abstract: An image matching system for determining visual overlaps between images by using box embeddings is described herein. The system receives two images depicting a 3D surface with different camera poses. The system inputs the images (or a crop of each image) into a machine learning model that outputs a box encoding for the first image and a box encoding for the second image. A box encoding includes parameters defining a box in an embedding space. Then the system determines an asymmetric overlap factor that measures asymmetric surface overlaps between the first image and the second image based on the box encodings. The asymmetric overlap factor includes an enclosure factor indicating how much surface from the first image is visible in the second image and a concentration factor indicating how much surface from the second image is visible in the first image.
    Type: Grant
    Filed: August 10, 2021
    Date of Patent: December 5, 2023
    Assignee: NIANTIC, INC.
    Inventors: Anita Rau, Guillermo Garcia-Hernando, Gabriel J. Brostow, Daniyar Turmukhambetov
  • Patent number: 11831670
    Abstract: A server system obtains, for machines in a distributed system, system risk information, such as information identifying open sessions between respective users and respective machines, information identifying vulnerabilities in respective machines; and administrative rights information identifying groups of users having administrative rights to respective machines. The server system determines security risk factors, including risk factors related to lateral movement between logically coupled machines, and generates machine risk assessment values for at least a subset of the machines, based on a weighted combination of the risk factors. A user interface that includes a list of machines, sorted in accordance with the machine risk assessment values is presented to a user.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: November 28, 2023
    Assignee: TANIUM INC.
    Inventors: Stefan Horst-Guenter Molls, Joshua M. Bryant, Keith A. Robertson, John E. Foscue
  • Patent number: 11832104
    Abstract: Systems and methods provide for provisioning services for an unmanned aerial system (UAS) in a 3GPP network, enabling communication for command and control in 5G systems, and enabling UAS service for identification and operation in a 3GPP system.
    Type: Grant
    Filed: August 9, 2019
    Date of Patent: November 28, 2023
    Assignee: APPLE INC.
    Inventor: Ching-Yu Liao
  • Patent number: 11831644
    Abstract: Systems and methods for anomaly detection in workspaces are disclosed. For example, sensor data from sensors associated with a device is gathered and compared with contextual data associated with the device, the environment in which the device is situated, and/or sensitive data that is being accessed to determine whether an anomaly is detected indicating that the environment is unsecure for accessing the sensitive information. An automated action is performed to mitigate unsecure use of the sensitive information based at least in part on the detected anomaly.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: November 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Mayank Thakore
  • Patent number: 11829516
    Abstract: Systems and methods for automated actions for application policy violations are disclosed. For example, policy violation evaluation components may monitor requests and/or responses from one or more applications to identify content policy violations. When a violation is identified, an automated decision engine utilizes data representing the policy violation along with, in examples, contextual information about the policy violation to identify a rule from a rules database that is associated with the policy violation. An action is determined from the selected rule, and a command is generated to perform the action in response to the policy violation.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: November 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Madhura Ashwin Raj
  • Patent number: 11829919
    Abstract: A method for a well intervention program is provided. The method includes selecting, from a number of well intervention mandates generated by a number of originators in an oil and gas industry hierarchy, mid-level mandates based on respective originator rankings, wherein each of the number of well intervention mandates relates to a well intervention activity of the well intervention program, generating, based on respective pre-defined cycle times of the mid-level mandates, a most frequent timeframe, performing, based on a pre-determined audit criterion and over the most frequent timeframe, an audit of the well intervention program to generate an audit result, and presenting the audit result to the number of originators.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: November 28, 2023
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventors: Emad Abbad M. Alabbad, Shaima Hussain Alshawaf, Ahmad Mohammadameen Almousa, Fuad AlSultan
  • Patent number: 11831630
    Abstract: Systems and methods for accessing credentials from a blockchain are provided. A computing device requests for a server to process a transaction. In response to the request, the server transmits a server public key to the computing device. A key generator of the computing device uses the user private key and the server public key to generate a user public key. The user public key includes permissions to access credentials that are stored on the blockchain. The server receives the user public key and generates a request for credentials to the blockchain. The request includes the user public key and the server private key. The blockchain receives the request and generates an identity token. The identity token includes credentials that are specified in the user public key. The blockchain transmits the identity token to the server and the server uses the identity token to process the transaction.
    Type: Grant
    Filed: December 12, 2022
    Date of Patent: November 28, 2023
    Assignee: PayPal, Inc.
    Inventor: Lorenz Lee Breu
  • Patent number: 11823120
    Abstract: A method of asset verification implemented by a computing device as part of an asset verification system. The asset verification utilizes unique identifying information of the asset. The method collects asset information from a user, collects asset information from the computing device, generates a unique identifier from the asset information, adds the unique identifier and the asset information to a blockchain, and stores the asset information in a distributed storage system.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: November 21, 2023
    Assignee: Salesforce, Inc.
    Inventor: Prithvi Krishnan Padmanabhan
  • Patent number: 11824836
    Abstract: Validating microservice calls is provided. It is determined whether a microservice call to a microservice hosted by a computer is valid based on a policy in a proactive condition map of a validation proxy that matches the microservice call. In response to determining that the microservice call is invalid based on the policy in the proactive condition map that matches the microservice call, the microservice call is blocked to the microservice. It is determined whether the microservice call needs to be redirected to another microservice based on the policy. In response to determining that the microservice call does need to be redirected to another microservice based on the policy, the microservice call is redirected to the other microservice with a callback to the microservice.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: November 21, 2023
    Assignee: International Business Machines Corporation
    Inventors: Peng Hui Jiang, Meng Wang, Kun Yang, Jun Su
  • Patent number: 11822614
    Abstract: A system and method for analyzing in-page behavior. A method includes recording sessions of users browsing a website, wherein a session is a time-ordered collection of a user's interactions with one or more webpages belonging to the website; analyzing recorded sessions to generate session insights, wherein the session insights are based in part on user experience factors, wherein each user experience factor relates to behavior of a user within each webpage visited during a session; and reporting the generated experience insights.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: November 21, 2023
    Assignee: Content Square SAS
    Inventors: Hui Wang, Vincent Colombet
  • Patent number: 11818115
    Abstract: A unified platform may comprise a combination of independent frameworks that have been integrated and configured to collaboratively operate seamlessly. In some aspects, the unified platform may comprise one or more of an authentication and authorization framework, a dynamic user interface framework, a workflow state management framework, a notification and active data loss and prevention (DLP) engine framework, and an orchestration engine framework. Each of the frameworks included in the unified platform may comprise one or more of the plurality of computing devices executing computer-readable program instructions.
    Type: Grant
    Filed: July 7, 2023
    Date of Patent: November 14, 2023
    Assignee: Citizens Financial Group, Inc.
    Inventors: Rajesh K. Shah, Arif Sufi, Balamurugan Muthu, Sudip Mukhopadhyay, Deepak Nayak, Michael S. Ruttledge, Dhiraj Rattan, James W. Mitcheson, Nageshwara Rao Chirravuri, Krishna Mopati, Williard D. Stackpole, Kyle R. Berglund, Matthew Eble Darlage, Chris Benz, Christopher D. Elomaa, Brendan Coughlin, Eric Schuppenhauer, Christine Roberts, Ryan Pearson, Jeffrey M. Mayerson, Christopher C. Ebeling
  • Patent number: 11818570
    Abstract: Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks are disclosed. One method occurring at a first network node of a first network comprises: obtaining, from at least one authentication and key agreement (AKA) procedure related message associated with a user device communicating via a second network, authentication information identifying the user device; storing the authentication information in a data store for validating subsequent messages; receiving a request message associated with the user device; determining, using the authentication information, that the request message is invalid; and in response to determining that the request message is invalid, performing an invalid message action.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: November 14, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Koushik Das
  • Patent number: 11818277
    Abstract: A computing system for generating tamper-proof electronic messages is disclosed herein. A service provider application receives an electronic message from a client application. The electronic message comprises an authorization provider (AuP) token that includes a public key of a local signing authority (LSA) and a signed payload that has been signed by the LSA using a private key of the LSA that forms a cryptographic key pair with the public key, the signed payload comprising an indication of a programmatic task to be executed by the service provider application. Responsive to validating the AuP token in the electronic message, the service provider application extracts the public key from the electronic message. Responsive to validating the signed payload based upon the extracted public key of the LSA, the service provider application executes the programmatic task.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: November 14, 2023
    Assignee: ALLSCRIPTS SOFTWARE, LLC
    Inventors: Stanislav Makarskyy, Sayee Balaji Chandrasekaran, Ram Pratapa, Gaurav Samudra
  • Patent number: 11818152
    Abstract: A system and a method for modeling topic-based message-oriented middleware (MoM) are provided. The method commences with connecting with a MoM system and converting information associated with the MoM system into a standardized object model. The standardized object model may include a topic-based node associated with a topic, at least one producer application, and at least one consumer application. The at least one producer application provides one or more messages related to the topic to the topic-based node. The at least one consumer application receives the one or more messages from the topic-based node. The method continues with generating a standardized graph of relationships between producers and consumers over a period of time. The method further includes creating a policy, periodically analyzing the standardized graph for at least one deviation from the policy, and issuing an alert in response to detecting the at least one deviation.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: November 14, 2023
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Marc Woolward, Keith Stewart
  • Patent number: 11811771
    Abstract: In implementations of NGAC graph evaluations, a computing device implements a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes. Policy binding nodes can be modeled as user attributes in the NGAC graph for each of the multiple policy classes, and each policy binding node is assigned to a corresponding one of the multiple policy classes. A user element is assigned as a member of a policy binding node, and the policy binding node delineates at least one policy permission on an object element and grants the policy permission on the object element to the user element. The computing device implements a policy decision module to evaluate the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user element, the granted policy permission, or the object element.
    Type: Grant
    Filed: November 19, 2020
    Date of Patent: November 7, 2023
    Assignee: TETRATE.IO
    Inventors: Zachary Daniel Butcher, Ignacio Barrera Caparros, Joshua Douglas Roberts
  • Patent number: 11811793
    Abstract: Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a Uniform Resource Locator (URL) from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method includes automatically placing the URL in a sandbox for analysis.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: November 7, 2023
    Assignee: PROOFPOINT, INC.
    Inventors: Steven Robert Sandke, Bryan Burns
  • Patent number: 11811603
    Abstract: An example method for discovering and grouping application endpoints in a network environment is provided and includes discovering endpoints communicating in a network environment, calculating affinity between the discovered endpoints, and grouping the endpoints into separate endpoint groups (EPGs) according to the calculated affinity, each EPG comprising a logical grouping of similar endpoints for applying common forwarding and policy logic according to logical application boundaries. In specific embodiments, the affinity includes a weighted average of network affinity, compute affinity and user specified affinity.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: November 7, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Sachin Waman Danait, Kannan Ponnuswamy, Paul John Lesiak
  • Patent number: 11811737
    Abstract: A method including determining, by a first device having an established virtual private network (VPN) connection with a VPN server and an established meshnet connection with a second device in a mesh network, a transmission packet to be transmitted by the first device; and determining, by the first device, whether the transmission packet is to be transmitted by utilizing the VPN connection or by utilizing the meshnet connection based at least in part on determining a destination associated with the transmission packet. Various other aspects are contemplated.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11811925
    Abstract: The present disclosure relates to systems and methods for a machine-learning platform for the safe serialization of a machine-learning application. Individual library components (e.g., a pipeline, a microservice routine, a software module, and an infrastructure model) can be encrypted using one or more keys. The keys can be stored in a location different from the storage location of the machine-learning application. Prior to incorporation of the library component into a machine-learning model, one or more keys can be retrieved from the remote storage location to authenticate that the one or more encrypted library components are authentic. The process can reject any of the one or more components when the encrypted library component fails authentication. If a component is rejected, the system can roll back to a previous, authenticated version of the library component. The authenticated library components can be compiled into machine-learning software.
    Type: Grant
    Filed: September 12, 2020
    Date of Patent: November 7, 2023
    Assignee: Oracle International Corporation
    Inventors: Alberto Polleri, Sergio Aldea Lopez, Marc Michiel Bron, Dan David Golding, Alexander Ioannides, Maria del Rosario Mestre, Hugo Alexandre Pereira Monteiro, Oleg Gennadievich Shevelev, Larissa Cristina Dos Santos Romualdo Suzuki, Xiaoxue Zhao, Matthew Charles Rowe
  • Patent number: 11811828
    Abstract: A computer may receive editing instructions that specify one or more changes to filters in an existing access control list or a template for an access control list. Then, the computer may dynamically generate the clone access control list by applying the editing instructions to the existing access control list or the template for the access control list. For example, the computer may provide the editing instructions to a computer network device (such as a switch or a router) that are applied to the existing access control list or the template for the access control list while the computer network device is processing data packets. Alternatively, the computer may apply the editing instructions to the existing access control list or the template for the access control list that is not currently installed on the computer network device, and may provide the access control list to the computer network device.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: November 7, 2023
    Assignee: ARRIS Enterprises LLC
    Inventor: Rakesh G. Hansalia
  • Patent number: 11811736
    Abstract: Systems, methods, and storage media useful in a computing platform to automatically generate and deploy access control list (ACL) rules for one or more firewalls in a data center are provided. The computing platform is vendor-agnostic and generates ACL rules in multiple syntaxes depending on the firewall needing updating. The platform traverses a data center mapping structure to identify one or more firewalls to be updated for a destination IP address and source IP address and automatically generates the ACL rule in the syntax for the one or more firewalls identified.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: November 7, 2023
    Assignee: Cerner Innovation, Inc.
    Inventors: Chandrika Allam, Jose Pulickal, Priyanka Bandaru, Neha Bhandari, Ravindra Gadad, Dhananjay Gawali, Pravat Santra, John Moratelli, Kevin Hurst, John Ulmer
  • Patent number: 11811855
    Abstract: Systems and methods for policy based agentless file transfer in zero trust private networks. Various systems and methods include receiving a request for a file transfer; determining a file transfer protocol; evaluating one or more criteria associated with the request, the criteria being associated with any of an end user and the contents of the file; and allowing or denying the file transfer based on the evaluating. Responsive to an end user's policy including a requirement for file inspection, the steps can further include sending the file to a sandbox for inspection, and receiving a result of the inspection from the sandbox.
    Type: Grant
    Filed: May 1, 2023
    Date of Patent: November 7, 2023
    Assignee: Zscaler, Inc.
    Inventors: Dejan Mihajlovic, Monica Bhaskaran, Mithun A S, Sunita Darbarwar, Rakesh Adepu, Sandip Davara, Abhijeet Malik, Mahesh Krishna Kumar, Kanti Varanasi, William Fehring, John A. Chanak, Sunil Menon
  • Patent number: 11811770
    Abstract: There are provided systems and methods for a data access notification alert mechanism that monitors for any data access request at a user database of the service provider and sends an electronic notification message to the user when such data access request is detected. Specifically, the data access notification alert mechanism may be implemented with a server, which in turn provides an application programming interface (API) to be integrated with the service provider server, and the API may be called by the service provider database to send a message to the user when a database query to the user information is received at the database.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: November 7, 2023
    Assignee: PayPal, Inc.
    Inventor: Riaz Ebrahim Mohamed
  • Patent number: 11811829
    Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to modify at least one header in a request for content based on a requirement for a network source.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: November 7, 2023
    Assignee: DOPE.SECURITY INC.
    Inventor: Kunal Agarwal
  • Patent number: 11811518
    Abstract: A method including monitoring, by a processor associated with a first device having an established VPN connection with a VPN server and an established meshnet connection with a second device, communication of transmission packets to be transmitted by the first device; receiving, by the processor, a transmission packet to be transmitted by the first device; determining, by the processor, a destination associated with the transmission packet based at least in part on metadata included in the transmission packet; and routing, by the processor, the transmission packet for transmission via the VPN connection or for transmission via the meshnet connection based at least in part on determining whether the second device is the destination associated with the transmission packet. Various other aspects are contemplated.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11811917
    Abstract: Embodiments for a system and method for secure authentication of backup clients in a way that eliminates the need to create users for backup client authentication anywhere in the backup ecosystem, and which eliminates the need for credentials, such as passwords that need protection, updating and synchronization. Such embodiments use a short-term token, such as a JSON web token, for both client and server authentication within the system, and verifies that the tokens grant access using the public key corresponding to the private key assigned to the directory objects by the creator of the directory objects.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: November 7, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Senthil Ponnuswamy, Donna Barry Lewis, Andrew R. Huber, Naveen Rastogi, George Mathew
  • Patent number: 11811517
    Abstract: A method including determining, by a first device having an established virtual private network (VPN) connection with a VPN server and an established meshnet connection with a second device in a mesh network, a transmission packet to be transmitted by the first device; and transmitting, by the first device, the transmission packet to the second device utilizing the meshnet connection based at least in part on determining that a destination associated with the transmission packet is the second device or to the VPN server utilizing the VPN connection based at least in part on determining that the destination associated with the transmission packet is a device other than the second device. Various other aspects are contemplated.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11811732
    Abstract: A method including configuring a security device to receive, from a user device, a transmission packet; configuring the security device to determine, based on a destination IP address, whether the user device is permitted to transmit the transmission packet; configuring the security device to determine, based on determining that the user device is permitted to transmit the transmission packet, whether the user device is permitted to transmit to a port associated with the destination IP address; configuring the security device to determine, based on determining that the user device is permitted to transmit to the port, whether the user device is permitted to utilize a protocol utilized by the user device; and configuring the security device to determine, based on determining that the user device is permitted to utilize the protocol, whether the user device is permitted to utilize a web application utilized by the user device is disclosed.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Juta Gurinaviciute, Carlos Eliseo Salas Lumbreras
  • Patent number: 11803432
    Abstract: In an embodiment, a data platform creates an application in a data-provider account. The application includes one or more APIs corresponding to one or more underlying code blocks. The data platform shares provider data with the application in the data-provider account, and also installs, in a data-consumer account, an application instance of the application. The application instance includes one or more APIs corresponding to the one or more APIs in the application in the data-provider account. The data platform shares consumer data with the application instance in the data-consumer account, and invokes one or more of the APIs of the application instance to execute respective associated underlying code blocks, which are not visible to the data-consumer account. The data platform also saves output of the one or more respective associated underlying code blocks locally within the data-consumer account.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: October 31, 2023
    Assignee: Snowflake Inc.
    Inventors: Artin Avanes, Thierry Cruanes, Monica J. Holboke, Allison Waingold Lee, Subramanian Muralidhar, David Schultz
  • Patent number: 11805127
    Abstract: Presented herein are systems and methods for processing tokens in identity assertions for access control to resources. A server may receive, via an interface from a gateway, a request to permit a customer device to access a resource associated with the server. The request may include an identifier for the customer device and a first token used to authenticate the customer device at the gateway. The server may generate, responsive to validating the first token, a second token to be used to authorize the customer device at the server for access to the resource. The server may store, on a database, an association identifying the identifier, the first token, and the second token. The server may perform the server, an action to permit the customer device access to the resource associated with the server based on the association maintained on the database.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: October 31, 2023
    Assignee: CITICORP CREDIT SERVICES, INC. (USA)
    Inventors: Gayathri Sundar, Mayank Shah
  • Patent number: 11804986
    Abstract: A method is provided for the remote management of a device connected to a residential gateway, including, when performed by the gateway: intercepting a request coming from the device including an address of a first server for which the request is intended, the purpose of the request being to obtain an address of a second server with which the device must be connected; determining a processing operation to be applied to the request, an identifier of the device contained in the request and configuration information obtained from an operator, the configuration information including information representing a set of devices, the plurality of processing operations including a processing operation applied when the device belongs to the set, including responding to the request without contributing the first server. When the processing to be applied is a redirection, a response is provided to the request containing the address of the second server.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: October 31, 2023
    Assignee: SAGEMCOM BROADBAND SAS
    Inventors: Isabelle Campagnac, Fabrice Cluzeau
  • Patent number: 11805136
    Abstract: A technique includes accessing, by a computer, a container image that is built at least in part inside a virtual machine instance; and accessing, by the computer, an image of the virtual machine instance. Pursuant to the technique, the container image and the image of the virtual machine instance are scanned for security issues; and a result of the scanning is displayed by the computer.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: October 31, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Rijil Abraham, Prabhu Murthy, Chandrasekaran Natarajan
  • Patent number: 11799918
    Abstract: A method for identifying an active administration function (ADMF) in a lawful interception deployment that utilizes an ADMF set comprising a plurality of ADMFs can be implemented by a network element. The method can include exchanging lawful interception signaling with a first ADMF when the first ADMF is the active ADMF. The method can also include receiving an auditing request message from one of the plurality of ADMFs in the ADMF set and sending a ping request message to each ADMF in the ADMF set. The method can also include receiving a ping response message from a second ADMF among the plurality of ADMFs in the ADMF set and identifying the second ADMF as the active ADMF in response to receiving the ping response message. The method can also include exchanging second lawful interception signaling with the second ADMF when the second ADMF is the active ADMF.
    Type: Grant
    Filed: June 16, 2021
    Date of Patent: October 24, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Neeraj Surana, Kantha Rao Dammalapati
  • Patent number: 11797313
    Abstract: Systems, method, and non-transitory computer readable storage medium are provided for configuring an information computing machine during execution of a kernel image. The system can create a file system from a base file system image in system memory of the computing system, apply configuration files from a bundle image to the file system in memory, copy files from a persistent file system stored in the storage resource to memory, validate the files from the persistent file system, and apply validated files to the file system in memory. The base file system image and bundle image can be verified by comparing a signed hash of the image with a hash generated by the initial file system and checking the hash signature against a public certificate included in the initial filesystem. The system can further execute /sbin/init and start application services.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: October 24, 2023
    Assignee: FORCEPOINT FEDERAL HOLDINGS LLC
    Inventors: Mickey J. Malone, II, Jacob Minnis
  • Patent number: 11799829
    Abstract: A method including configuring a security device to receive registration information indicating groups of user devices; configuring the security device to receive policy information indicating respective filtering policies for each group of user devices; configuring the security device to receive a transmission packet for transmission to a destination device over an open internet; configuring the security device to determine, based on the registration information, the group of user devices to which the user device belongs; configuring the security device to determine, based on the policy information and on determining the group to which the user device belongs, whether the user device is permitted to transmit the transmission packet; and configuring the security device to selectively block transmission of the transmission packet based on determining whether the user device is permitted to transmit the transmission packet is disclosed.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: October 24, 2023
    Assignee: UAB 360 IT
    Inventors: Juta Gurinaviciute, Carlos Eliseo Salas Lumbreras