Abstract: Methods to securely remediate a captive portal are provided. In these methods, a processor of a user device detects a connection, via a network, to a captive portal. Based on the detected connection to the captive portal, the processor launches a dedicated secure web browser, and selectively restricts access of the user device to the network in order to only allow, via the dedicated secure web browser, communications related to remediation with the captive portal.

Abstract: This disclosure describes a cyber-security protocol for validating messages being exchanged between two devices of an autonomous vehicle. The protocol includes the independent generation of multiple encryption or session keys by both devices. The encryption keys are generated based on a random number provided by each device. In some embodiments, the random numbers can be accompanied by a shared secret key installed on both devices that can help prevent an unauthorized device from creating a shared set of encryption keys with one of the devices. Including a hash generated using one of the encryption keys and a message sequence counter value in each message can help prevent the injection of previously transmitted messages as a means of disturbing operation of the autonomous vehicle.

Abstract: Systems, methods, and computer media for securing software applications are provided herein. Using deceptive endpoints, attacks directed to API endpoints can be detected, and attackers can be monitored or blocked. Deceptive endpoints can be automatically generated by modifying valid endpoints for an application. Deceptive endpoints are not valid endpoints for the application, so if a deceptive endpoint is accessed, it is an indication of an attack. When a deceptive endpoint is deployed, accessing the deceptive endpoint can cause an alert to be generated, and an account, user, or device associated with accessing the deceptive endpoint can be blocked or monitored.

Abstract: Systems and methods for determining whether a voice biometrics credential provides a reliable mechanism for authenticating a user are provided. The method includes receiving at least one set of voice data from the user; determining, based on the received at least one set of voice data, a value of at least one parameter that corresponds to a user-specific voice biometrics credential; obtaining at least one user-specific item of information; accessing at least one business rule that relates to the user; and determining, based on the at least one set of voice data, the at least one user-specific item of information, and the at least one business rule, whether the user-specific voice biometrics credential is usable for authenticating the user.

Abstract: One example method includes correlating trust scoring with authentication levels. Trust scores are protected in a computing system such that devices can be validated. Authentication levels are based on the verified trust scores.

Abstract: A machine data validation system can track and validate the integrity of machine data generated by machines. The system can generate hashes for the items and batch hashes that can be validated using an immutable data store, such as a blockchain. The system can implement a tiered blockchain structure to efficiently store and reference the hashes to validate the machine data at different times or upon request from an end-user.

Abstract: Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Abstract: Generally discussed herein are devices, systems, and methods for improving cloud resource security. A method can include obtaining a cloud resource management log that details actions performed by users of cloud resources in a cloud portal, the actions including entries comprising at least two of a user identification (ID) of a user of the users, an operation of operations performed on the cloud resource, a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or a time the operation was performed. The method can include determining a respective score for each action in the cloud resource management log, comparing the respective score to a specified criterion, and providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion.

Abstract: Aspects of a storage device including a memory and an encryption core are provided. The storage device may be configured for providing secure data storage, as well as one or more post-processing operations to be performed with the data. The encryption core, which may be configured to decrypt data, may control execution of one or more post-processing operations using the data. A read command received from a host device may include a tag associated with data identified by the read command. When encrypted data is retrieved from memory according to the read command, the encryption core may decrypt the encrypted data and provide the decrypted data for post-processing based on the tag. A corresponding post-processing operation may return a result when executed using the decrypted data. Rather than raw data identified by the read command, the result may be delivered to the host device in response to the read command.

Abstract: System and methods of brokering trust across multiple Authentication and Authorization methods in a multi-domain, multi-operator, private and public cloud networks are identified. A Digital Trust Broker (DTB) is disclosed that brokers trust between infrastructure authentication methods that use digital certificates (PKI) and operator/enterprise Authentication/Authorization methods through interaction with multiple operator/service provider control and management platforms. The Digital Trust Broker interacts with vendor management and security platforms for associating device manufacturing, assembly, supply-chain, and logistics attributes for assuring trust of compute, network, storage and other system components that a high security enterprise or service provider acquires and installs in their networks. Additionally, methods of generating enhanced certificates for secure network slices and other Cloud and SDN hosted virtual network functions as trust assured services are also disclosed.

Abstract: A system including a processor and a non-transitory, tangible computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to process access permission type-specific access permission requests from enterprise users in an enterprise, the system including access permission type-specific access permission request receiving functionality operable for receiving at least one request for at least one access permission type-specific access permission of at least one user to at least one data element in the enterprise, and access permission type-specific access permission request output providing functionality operable for employing information pertaining to ones of the enterprise users having similarities to the at least one user with respect to at least the access permission type-specific access permission to the data elements in order to provide an output indication of perceived appropriateness of grant of the request.

Abstract: Techniques for generating and executing an execution plan for a machine learning (ML) model using one of an edge device and a non-edge device are described. In some examples, a request for the generation of the execution plan includes at least one objective for the execution of the ML model and the execution plan is generated based at least in part on comparative execution information and network latency information.

Abstract: The present disclosure relates generally to authentication of voice communications. Methods performed by a user device for mutually authenticated communications can include creating a first communication channel with a backend, creating a secure session across a second communication channel with the backend, receiving a first identification message from the backend via the second communication channel, receiving a second identification message from the backend via the first communication channel, sending an attestation that the second identification message matches the first identification message to the backend via the second communication channel, receiving a second step authorization instruction from the backend via the second communication channel, assessing the identity of the user, and delivering an authorization response to the backend via the second communication based of the assessed identity of the user.

Abstract: An immersion cooling system includes an electronic component, a thermally conductive dielectric liquid, and a tank defining a tank interior configured to receive the electronic component and the thermally conductive dielectric liquid for cooling the electronic component. The immersion cooling system also includes a wall positioned external to the tank to coordinate with the tank to define an overflow gap extending between the tank and the wall. The overflow gap is configured to receive an overflow of the thermally conductive dielectric liquid from the tank interior.

Abstract: Systems and methods for dynamic IP address whitelisting are disclosed. These techniques allow for better management of IP addresses and improve computer system and network security. In one embodiment, a system may execute a first task, at a first frequency, that includes determining, based on registered account activities corresponding to registered accounts with a service provider, at least one IP address associated with at least one registered account with the service provider. The first task may further include adding the at least one IP address to a dynamic whitelist (e.g., allowlist) of IP addresses. The system may execute a second task, at a second frequency, that includes removing, from the dynamic whitelist, at least one existing IP address identified as inactive. Thus, in various embodiments, inactive IP addresses can be removed from a whitelist while active IP addresses are periodically re-verified.

Abstract: A method and system for automatically associating an Internet addressable endpoint device of an end-user with an account of the end-user at a remote system supporting a plurality of Internet addressable endpoint devices each associated with a respective end-user.

Abstract: A method to determine, by a computing system, a trust score for a network entity in a computer network, the trust score for the network entity indicating a level of trust in the network entity; and modifying, by the computing system, a traffic pattern of the computer network based on the trust score for the network entity.

Abstract: A computer-implemented method and system for global device management architecture with regional autonomy for devices on a cellular network are disclosed. The computer implemented method for optimizing device management architecture for IoT devices includes providing device information to a server in a master node for registering a device with the master node; providing rules to assign the device to at least one node based on the device information; assigning the device to the at least one node in response to the rules; and automatically configuring the device to connect the device to the assigned node.

Abstract: Methods, systems, and apparatuses for improved content delivery are described herein. During delivery of content to one or more user devices of a content distribution network (CDN), a content session may be created for each user device. During each content session, each user device may send one or more upstream communications, such as heartbeat signals and bitrate requests, to the CDN. A monitoring module of the CDN may aggregate the upstream communications into session data. The monitoring module may use the session data to determine an impairment associated with content delivery to the one or more user devices.

Abstract: An image forming device includes a receiver and a switcher. The receiver receives data for executing a function of storing specific data in a preset private box. The switcher switches between first and second register modes when the function to be executed by using the data received by the receiver is copied into the image forming device. The first register mode is a mode in which a private box is manually registered in the image forming device. The second register mode is a mode in which a private box is automatically registered in the image forming device.

Abstract: This application provides a message processing method, an access controller, and a network node. The method includes: an access controller receives a first message used to obtain Internet Protocol (IP) address information for a user-side device and a first access loop identifier of a first network node, where the first message and the first access loop identifier are sent by the first network node, the first access loop identifier is not carried in the first message; the access controller obtains an authentication, authorization and accounting (AAA) message according to the first access loop identifier, wherein the AAA message comprises the first access loop identifier; and the access controller sends the AAA message to an AAA server.

Abstract: Embodiments of the invention are directed to systems, methods and computer program products for dynamic resource interaction allocation based on geographic positioning and usage category information associated with a resource interaction system. The invention receives a base positional location and category of usage for a resource interaction system. The invention determines a set of parameters to be used for interactions having characteristics meeting the determined base positional location and category of usage information. When it receives a proposed interaction from a requesting system containing geographic information and usage category information associated with the proposed interaction, it determines whether the geographic information and usage category information associated with the proposed interaction correspond to the base positional location and category of usage for the resource interaction system.

Abstract: Novel tools and techniques for are provided for implementing a hybrid spectrum access system and access probe framework. A system includes a base station coupled to a network, a spectrum access system, and user equipment coupled to the base station and the spectrum access system. The user equipment is configured to transmit, to the base station, a first network access request following a first access sequence while transmitting signals under a first power limit. If no response is obtained from the base station, the user equipment is configured to transmit a second network access request above the first power limit, but under a second power limit. The user equipment is configured to obtain spectrum access from the spectrum access system and transmit a second network access request to the base station.

Abstract: A wireless network device, for use within a wireless network, comprising: a processor; a memory; and an interface for receiving and transmitting data; wherein the wireless network device is adapted to: determine a first cost associated with communication between the wireless network device and a client device to which the wireless network device is connectable; determine a second cost associated with communication between the client device and a further wireless network device to which the client device is connectable; determine whether the first cost or the second cost is the lower cost; and if the second cost is the lower cost, the wireless network device is adapted to guide the client device to communicate with the further network device.

Abstract: Methods and systems for providing a wireless communication service are disclosed. A device identifier for a wireless communication service can be used to generate a connection profile (e.g., communication profile, wide-area network profile, service profile, network profile, etc.) for the wireless communication service that requires credentials for authentication. The connection profile can be generated in response to a user accessing or signing up for the wireless communication service. The connection profile can comprise a username that includes and/or mirrors the device identifier and a password generated by inputting the device identifier into a predefined function. The connection profile also can comprise an authentication identifier. A service provider applies a specific type of authentication for devices that provide the authentication identifier as part of an authentication request message.

Abstract: A method for detecting unauthorized eavesdropping. A first subscriber determines a transit time for the transmission of data to a second subscriber, adds the random value to the transit time to obtain a waiting time, waits for the waiting time, creates a data packet containing a time stamp and transmits this data packet to the second subscriber. The second subscriber records the time it receives the data packet and compares it with the time stamp contained in the data packet, determines that the data packet has arrived either: before the time indicated in the time stamp, more than a predefined tolerance time after the time indicated in the time stamp, or before or more than a predefined tolerance time after a time at which it can be expected in the second subscriber as an indication that communication between the first subscriber and the second subscriber is being eavesdropped on.

Abstract: Disclosed herein are systems and methods for continuous user authentication during access of a digital service. In an exemplary aspect, a continuous authentication module may receive, at a computing device, initial authentication credentials of the user. The initial authentication credentials enable access to a service via the computing device. While the service is being accessed, the continuous authentication module may continuously monitor whether an unauthorized user has replaced the user in accessing the service by comparing usage attributes of the service with historic usage attributes associated with the user. In response to determining that the unauthorized user has replaced the user, the continuous authentication module may cease the access to the service via the computing device.

Abstract: A system for providing security to a fleet of vehicles, the system comprising: a plurality of modules, each module configured to monitor messages propagating in an in-vehicle network of a vehicle comprised in the fleet; a memory having data characterizing messages, and software executable to: identify an anomaly in communications over the in-vehicle communication network; and instruct a communication interface, configured to support communication with an entity external to the vehicle, to transmit monitoring data responsive to the messages; and a processor configured to execute the software in the memory; and a data monitoring and processing hub external to the vehicles comprised in the fleet and operable to receive transmission of monitoring data from the plurality of modules.

Abstract: A method for handling a security procedure in a MC communication system is provided. The method includes selecting, by a MC service server, the security procedure, including a signaling procedure parameter during a key management procedure, and indicating, by the MC service server, the selected security procedure to protect at least one MC service signaling field by including the signaling procedure parameter to at least a MC service client during the key management procedure.

Abstract: A method for distributing an application for an edge computing device performed by a computing device according to an embodiment of the present invention includes selecting a cluster including two or more edge devices from among a plurality of edge devices, distributing a first application to a second edge device included in the cluster, modifying routing information such that a service request incoming to a first edge device included in the cluster is transmitted to the second edge device, and replacing the first application running in the first edge device with a second application.

Abstract: Unstructured data items are stored at an object storage service. A filtering requirement to be used to generate a result set for an access request is determined. Using a transformed representation of the filtering requirement, a target set of tokens of the filtering requirement which are to be obfuscated within a log record is identified. A log record that comprises substitute tokens for the target set of tokens is generated and stored.

Abstract: A system for providing network services is provided. The system includes a device configured to interface with the network to receive a container, where the container is configured to interface with an operating system of the device and a plurality of applications operating on the device. The container is further configured to interface with a network services provider of one or more network services and one or more third party service providers.

Abstract: An information processing apparatus includes a processor configured to receive, from a first user, data and data identification information for identifying the data, generate association information that associates the data identification information with cloud-storage identification information for identifying a cloud storage for storing the data from among multiple cloud storages, and store the data in the cloud storage.

Abstract: A quantum entanglement communication service can be provided by detecting a request to access data stored at a first computer. In response to detecting the data access request, a request can be generated to request that a server computer generate an entangled particle pair. Measurement data can be received, the measurement data corresponding to a measurement observed after interacting a first bit of a token stored at a second computer with a first entangled particle from the entangled particle pair. An operation to perform on a second entangled particle of the entangled particle pair at the first computer can be determined and performed. A state of the second entangled particle can be measured to obtain a value, and a bit string can be generated, where the bit string can include a number that corresponds to the value.

Abstract: A method for controlling the admission of slices in a virtualized telecommunication network and the congestion generated between services with different priorities instantiated on the slices and likely to share a given quantity of resources comprising the following steps of: defining a priority scale to be assigned to the network slices, defining a low priority threshold, determining the quantity of available and used network resources sp(t) and xp(t), determining the quantity of resources allocated to slices with a priority lower than the low priority threshold and which may be temporarily assigned to new slices with a priority higher than the threshold, and determining the slices likely to be accepted into the network, taking into account the available resources and the priority of the slices.

Abstract: Described herein are methods and a system for managing devices in remote data centers using a cloud service user interface (UI). The cloud service UI receives device management requests to device management application program interface (API). At the cloud service side, the device management requests to device management application program interface (API) are intercepted and converted to device cloud management REST interfaces. The device cloud management REST interfaces to a remote data center of devices, and converted to device native API used to manage a specific device.

Abstract: Systems, devices, media, and methods are presented for transmitting shared visual content between networked devices with a linked source for the visual content by accessing and presenting visual content, receiving a network location for a network resource associated with the visual content, linking the network location to the visual content to generate linked visual content, and cause presentation of the linked visual content in a draft message within a graphical user interface.

Abstract: Generally discussed herein are devices, systems, and methods for improving phishing webpage content detection. A method can include identifying first webpage content comprises phishing content, determining, using a reinforcement learning (RL) agent, at least one action, generating, based on the determined at least one action and the identified first webpage content, altered first webpage content, identifying that the altered first webpage content is benign, generating, based on the determined at least one action and second webpage content, altered second webpage content, and training, based on the altered second webpage content and a corresponding label of phishing, a phishing detector.

Abstract: Systems and methods are provided for monitoring and logging all activity occurring in a system. The logged activity may include keystroke entries input into the system, user and/or application interactions with the system, access restriction conflicts, and the like. The logged activity may be stored in at least two datastores, at least one of which is an immutable, append-only datastore. Storage of the logged activity in the immutable, append-only datastore is performed using hash algorithms. Attempts at manipulating or at hiding malicious or unauthorized activity can be recognized due to all activity being captured in the immutable, append-only datastore.

Abstract: The disclosed embodiments can be used to automate the acquisition and management of user consents for one or more campaigns, thus reducing the possibility of unintended violations of consent requirements as compared with existing systems. In accordance with the disclosed embodiments, each user consent may be associated with at least three different values. The consent management system may be configured to filter consent values for various users and send user-consent requests to certain users based on their filtered user-consent values. In some disclosed embodiments, a user may provide consent to allow communications of the user's information to certain “connected parties.” The connected parties, moreover, may need to separately provide user consent(s) as necessary to effectuate communications for a campaign in compliance with one or more laws, rules, or regulations.

Abstract: An attack communication detection device that is robust against a deviation from the design value of a communication interval is provided.

Abstract: A traceback solution is provided. For a network of autonomous systems, the traceback solution traces the autonomous system path taken by traffic flows. Every link in the traceback path is created, verified, and audited by autonomous systems. Multiple autonomous systems may take part in the process, making the system robust against fake information. The database used to store the validated traceback paths is a decentralized and distributed storage. Multiple copies of the database may be maintained by the network of autonomous systems. The database may be accessible by any participating autonomous system; and is not accessible from outside the network of autonomous systems. The traceback solution achieves both validation and non-repudiation property among the ASes. The traceback solution mitigates some important attack scenarios that might be targeted specifically at the traceback solution.

Abstract: A computer-implemented method comprises receiving an input associated with the arrival of an entity, performing a classification on the input to determine a purpose of the arrival of the entity, and based on a determined classification of the purpose of the arrival of the entity, invoking an action.

Abstract: Some embodiments of the invention provide a method of facilitating routing through a software-defined wide area network (SD-WAN) defined for an entity. A first edge forwarding node located at a first multi-machine site of the entity, the first multi-machine site at a first physical location and including a first set of machines, serves as an edge forwarding node for the first set of machines by forwarding packets between the first set of machines and other machines associated with the entity via other forwarding nodes in the SD-WAN. The first edge forwarding node receives configuration data specifying for the first edge forwarding node to serve as a hub forwarding node for forwarding a set of packets from a second set of machines associated with the entity and operating at a second multi-machine site at a second physical location to a third set of machines associated with the entity and operating at a third multi-machine site at a third physical location.

Abstract: A system, method, and computer-usable medium are disclosed for generating a cyber behavior profile comprising monitoring user interactions between a user and an information handling system; converting the user interactions into electronic information representing the user interactions, the electronic information representing the user interactions comprising temporal detail corresponding to the user interaction; and generating a user behavior profile based upon the electronic information representing the user interactions, the generating the user profile including a layer of detail corresponding to the temporal detail corresponding to the user interaction.

Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.

Abstract: A method may include receiving a digital certificate through a secure connection from a network access server, the secure connection passing through a network address translation device, validating the digital certificate with a policy management system, and establishing a secure tunnel between the network access server and the policy management system when the digital certificate is validated. Also, receiving, through the secure tunnel and from the network access server, a remote authentication dial-in user service access request having a network access server internet protocol address, validating the network access server with the network access server internet protocol address by the policy management system, and allowing a remote authentication dial-in user service traffic when the internet protocol address of the network access server is validated and closing the secure tunnel when the validating the network access server fails.

Abstract: Methods, systems, computer-readable media, and apparatuses for determining partitions and virtual processes in a simulation are presented. A plurality of partitions of a simulated world may be determined, and each partition may correspond to a different metric for entities in the simulated world. A plurality of virtual processes for the simulated world may also be determined. The system may assign a different virtual process to each partition. An indication of the partitions may be sent to one or more partition enforcer services, and an indication of the virtual processes may be sent to a virtual process manager.

Abstract: A network system includes a refrigerator, a terminal, and a server that is capable of communicating with the refrigerator and the terminal and that provides, to the terminal, at least information based on an opening/closing operation of a door of the refrigerator. When the refrigerator starts an eco-mode, the server restricts an operation related to the watching service.

Abstract: A method in a virtual private network (VPN) environment, the method including determining, by a VPN server, an encrypted authentication packet based at least in part on utilizing an encryption key and a nonce to encrypt one or more fields of an initial authentication packet; transmitting, by the VPN server to an authentication server, the encrypted authentication packet to enable VPN authentication of a device requesting VPN services from the VPN server; determining, by the authentication server, a response regarding the VPN authentication based at least in part on decrypting the one or more fields utilizing a decryption key and the nonce; and transmitting, by the authentication server to the VPN server, the response regarding the VPN authentication. Various other aspects are contemplated.