2nd week of 2021 patent application highlights, part 70
Patent application number | Title | Published |
--- | --- | --- |
20210014187 | ELECTRONIC MESSAGING PLATFORM THAT ALLOWS USERS TO CHANGE THE CONTENT AND ATTACHMENTS OF MESSAGES AFTER SENDING - Systems, methods, and computer media for manipulating electronic messages are provided herein. A system for editing electronic messages can include at least one processor, and an application. The application can be configured to, by the at least one processor, send an electronic message from a sender to a recipient, edit the message after it has been sent to the recipient to create an edited message, retain a relative location of the message in the recipient's inbox while the edited message is created, send the edited message from the sender to the recipient, and place the edited message in the relative location of the message in the recipient's inbox. | 2021-01-14 |
20210014188 | Time-Based Computer Control - A computer system includes a calendar containing appointments. The system also includes one or more logic modules. Each logic module specifies a condition and a corresponding action. The profile may be applied to context data, such as data representing the current time, to perform the actions specified by the logic modules in response to detecting that the context data satisfies the conditions specified by the logic modules. In particular, the actions specified by the logic modules may be performed in response to detecting that the current time falls within the time period of an appointment on the calendar. | 2021-01-14 |
20210014189 | GROUP MANAGEMENT METHOD, TERMINAL, AND STORAGE MEDIUM - Disclosed is a chat group management method, including: detecting a message receiving mode corresponding to a chat group; obtaining a degree of interest of a user for chat group messages and an activity degree of the user in the chat group in accordance with a determination that the message receiving mode corresponding to the chat group is a mute-notification receiving mode; determining an importance ranking for the chat group according to the degree of interest and the activity degree; and updating the chat group's position among a plurality of chat groups in accordance with the importance ranking. | 2021-01-14 |
20210014190 | ELECTRONIC DEVICE, SERVER, AND CONTROL METHOD AND LOCATION INFORMATION PROVIDING METHOD FOR THE ELECTRONIC DEVICE - A first electronic device of the present invention comprises at least one communication circuitry, at least one display, at least one memory configured to store instructions, and at least one processor operatively coupled with the at least one communication circuitry and the at least one display. The processor is configured to (1) access a first server for a navigation service through an application for the navigation service linked with a first account for accessing a second server, (2) receive a user input through the application, (3) transmit, via the first server to a second electronic device of a second user that is authenticated through the application linked with a second account for accessing the second server, a message, (4) periodically transmit, via the first server to the second electronic device, information, and (5) display a positional relationship between the two electronic devices over an electronic map. | 2021-01-14 |
20210014191 | ELECTRONIC DEVICE, SERVER, AND CONTROL METHOD AND LOCATION INFORMATION PROVIDING METHOD FOR THE ELECTRONIC DEVICE - Provided is an electronic device which periodically transmits current location information to a location information service providing server when executing grouping applications, produces a group including at least one member, selected by a user, from address list information received from the location information service providing server, transmits messages requesting group participation to the members included in the group through a social network service providing server when predetermined events are generated, and periodically receives location information from the members accepting group participation and displays the received location information on a map. | 2021-01-14 |
20210014192 | ADDRESS RESOLUTION HANDLING AT LOGICAL DISTRIBUTED ROUTERS - Example methods are provided for a network device to perform address resolution handling. The method may comprise: in response to a first distributed router (DR) port of a first DR instance detecting an address resolution request from a second DR port of a second DR instance, generating a modified address resolution request that is addressed from a first address associated with the first DR port instead of a second address associated with the second DR port. The modified address resolution request may be broadcast within a logical network that is connected to the first DR instance through network extension. The method may also comprise: in response to detecting an address resolution response that includes protocol-to-hardware address mapping information associated with an endpoint located on the logical network, generating and sending a modified address resolution response towards the second DR port of the second DR instance. | 2021-01-14 |
20210014193 | GATEWAY APPARATUS, METHOD, PROGRAM, AND RECORDING MEDIUM - An example object is to appropriately provide, to a terminal apparatus, both a service via a packet data network gateway and a service for Mobile Edge Computing (MEC) in an Evolved Packet Core (EPC) network. A first communication processing unit | 2021-01-14 |
20210014194 | NETWORK ADDRESS TRANSLATION - A Network Address Translation (NAT) method, apparatus and device are provided. Based on the method, a target IP address and its reference port are obtained from a NAT resource pool, wherein the reference port is a port in a consecutive port range of the target IP address; a first five-tuple corresponding to a packet is generated based on the target IP address, the reference port and an original five-tuple of the packet, and a second five-tuple is obtained by masking first-class bits of two classes of ports of the first five-tuple respectively; a target five-tuple is determined in a plurality of consecutive hash buckets of a hash table based on a hash result of the second five-tuple; and the target five-tuple and the original five-tuple are recorded in the hash table and a corresponding result table, and the packet is NAT-processed based on the target five-tuple. | 2021-01-14 |
20210014195 | REAL TIME DYNAMIC CLIENT ACCESS CONTROL - A system and method for facilitating controlled access by a client device to one or more services provided by a server are disclosed. The client device's access to the services provided by the server may be dynamically controlled by a controller, which may generate instructions to an agent to effectuate the access control. The agent may be configured to control one or more access components associated with the server. The instructions generated by the controller may instruct the agent to cause the access control components to grant or remove the client device's access to the services provided by the server. In some implementations, the controller may generate such instructions based on a status of a session established between the controller and the client device. | 2021-01-14 |
20210014196 | SECURE ELECTRIC POWER DELIVERY SYSTEM PROTECTION DURING CYBER THREATS - Systems and methods may maintain protection of electric power delivery systems in the event of an attack on protection and/or control features of the power system. Primary protective functions may be physically isolated from other functions in primary protection relays. Integrators may facilitate non-primary protection functions and disconnect all communication with primary protection relays in the event of an attack. Primary protection relays maintain protection functions even during the attack or unavailability of the integrators. | 2021-01-14 |
20210014197 | DYNAMIC ENDPOINT ISOLATION IN A CRYPTOGRAPHICALLY-SEGMENTED NETWORK - In a cryptographically-segmented network, a server establishes a cryptographically-segmented communication channel for use by authorized endpoints in an operationally-deployed configuration. In response to a received endpoint-isolation command to isolate a first endpoint, the server de-authorizes the first endpoint from the channel of the operationally-deployed configuration. In response to the de-authorization, the server issues a configuration instruction to the first endpoint to join a first cryptographically-segmented isolation communication channel that is communicatively coupled with at least one monitoring endpoint configured to monitor operation of the first endpoint via the first cryptographically-segmented isolation communication channel. | 2021-01-14 |
20210014198 | NETWORK SECURITY SYSTEM AND METHOD WITH MULTILAYER FILTERING - A solution for analyzing and filtering an email message destined to a computing resource in a computer network that has been security processed by a cloud-based email security system. The solution includes establishing a communication link with the cloud-based email security system, receiving an email message by an on-premises email security (OPES) system hosted in a demilitarized zone in the computer network, determining whether the received email message is sent from an authorized node in the cloud-based email security system, forwarding the received email message to an on-premises email security gateway located in the demilitarized zone, analyzing the forwarded email message, and sending the forwarded email message to a mail server in the computer network. | 2021-01-14 |
20210014199 | SYSTEM AND METHOD FOR THE PROTECTED TRANSMISSION OF DATA - A system for transmitting and receiving data, in particular for a rail vehicle, includes at least one in-vehicle control unit for processing and generating data, at least one external server unit with a communication device for establishing a communication connection with at least one in-vehicle interface, and at least one in-vehicle interface for transmitting data generated by the at least one in-vehicle control unit and for receiving data transmitted by the at least one external server unit. The at least one in-vehicle control unit and the at least one in-vehicle interface are interconnected so as to transmit data through an electronic filter device. | 2021-01-14 |
20210014200 | ASSESSING RISK ASSOCIATED WITH FIREWALL RULES - Techniques for assessing risk associated with firewall rules are provided. In one implementation, a method includes receiving a request for the network to apply a firewall policy rule to control traffic to a machine associated with the network, wherein the firewall policy rule comprises information that identifies a remote address from which the traffic can originate and a type of the traffic. The method further includes determining a remote address risk value representative of a first degree of security risk associated with allowing the traffic to access the machine in response to the traffic being determined to originate from the remote address; determining a traffic type risk value representative of a second degree of security risk associated with allowing the type of traffic to access the machine; and determining a total risk value based on a combination of the remote address risk value and the traffic type risk value. | 2021-01-14 |
20210014201 | GEOLOCATION-AWARE, CYBER-ENABLED INVENTORY AND ASSET MANAGEMENT SYSTEM WITH AUTOMATED STATE PREDICTION CAPABILITY - A system and method for geolocation-aware, cyber-enabled infrastructure inventory and asset management with state prediction capability. The system tracks tangible and intangible assets, including states associated with each asset such as the location, condition, and value of each asset. Physical assets may be cyber-enabled by attaching wireless computing devices to some or all of the physical assets to provide data about the physical assets using sensors of the computing devices, including but not limited to, such data as location, conditions of storage, and hours of operation or use. Data for each item is stored in a multi-dimensional time series database, which keeps a historical record of the states of each item. Unknown or future states can be predicted by applying predictive models to the time series data. Parametric evaluations of current and predicted future states can be used to optimize the assets against an objective. | 2021-01-14 |
20210014202 | METHOD FOR DECODING SECURE SOCKET LAYER FOR SECURITY OF PACKET TRANSMITTED IN PRESET OPERATING SYSTEM - The present invention relates to a method of relaying secure socket layer (SSL) communication between a client and a server, decoding a packet, and transmitting the decoded packet to a security device. | 2021-01-14 |
20210014203 | ONE-TOUCH INLINE CRYPTOGRAPHIC DATA PROCESSING - Methods, systems, and use cases for one-touch inline cryptographic data security are discussed, including an edge computing device with a network communications circuitry (NCC), an enhanced DMA engine coupled to a memory device and including a cryptographic engine, and processing circuitry configured to perform a secure exchange with a second edge computing device to negotiate a shared symmetric encryption key, based on a request for data. An inline encryption command for communication to the enhanced DMA engine is generated. The inline encryption command includes a first address associated with a storage location storing the data, a second address associated with a memory location in the memory device, and the shared symmetric encryption key. The data is retrieved from the storage location using the first address, the data is encrypted using the shared symmetric encryption key, and the encrypted data is stored in the memory location using the second address. | 2021-01-14 |
20210014204 | SECURE SESSION CAPABILITY USING PUBLIC-KEY CRYPTOGRAPHY WITHOUT ACCESS TO THE PRIVATE KEY - A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server. | 2021-01-14 |
20210014205 | SYSTEMS AND METHODS FOR SECURING INFORMATION - The present disclosure pertains to a system configured to prepare and use prediction models for predicting existence of fingerprints among encrypted traffic. Some embodiments may: obtain a machine learner configured to identify statistical differences between pseudo-randomness associated with encrypted user data and higher-entropy randomness associated with a set of other data; determine at least a portion of a path traversed by the encrypted user data in the network based on the identification; and secure the network based on the determination. | 2021-01-14 |
20210014206 | SEARCHING CONTENT ASSOCIATED WITH MULTIPLE APPLICATIONS - Disclosed are examples of searching for content associated with multiple applications. In various examples, a first application can obtain a search query and maintain a list of applications available to provide content. The first application can send a request to a second application identified in the list, the request including a key that indicates the first application is authorized to request the second application to search for content. The first application can obtain a search result from the second application based on the request and present the search result in a user interface in the first application. | 2021-01-14 |
20210014207 | Method and Apparatus for Providing Enhanced Streaming Content Delivery with Multi-Archive Support Using Secure Download Manager and Content-Indifferent Decoding - A system, apparatuses and methods are provided to download and process data and other content streamed over a wide area network using one or more dynamically fetched, material specific, data handlers (e.g., download assistants). A download assistant fetches a data stream from a remote location and processes the streamed data iteratively using buffers and multi-threaded processes through the decoder (e.g., codec), allowing source material-specific processing of the data as it is streamed from one or more download sources as well as content-indifferent and platform-indifferent decoding. To minimize versioning issues, payload construction for secure delivery is simplified to packing and encrypting a directory tree containing any number of files or other digital media into an archive and, when needed, dividing a payload into multiple files or archives with a descriptor that lists the archives. | 2021-01-14 |
20210014208 | SECURELY AUTHORIZING ACCESS TO REMOTE RESOURCES - Methods and an apparatus are provided for securely authorizing access to remote resources. For example, a method is provided that includes receiving a request to determine whether a user device communicatively coupled to a resource server is authorized to access at least one resource hosted by the resource server and determining whether the user device communicatively coupled to the resource server is authorized to access the at least one resource hosted by the resource server based at least in part on whether the user device communicatively coupled to the resource server has been issued a management identifier. The method further includes providing a response indicating that the user device communicatively coupled to the resource server is authorized to access the at least one resource hosted by the resource server in response to a determination that the user device communicatively coupled to the resource server is authorized to access the at least one resource hosted by the resource server. The method yet further includes providing a response indicating that the user device communicatively coupled to the resource server is not authorized to access the at least one resource hosted by the resource server in response to a determination that the user device communicatively coupled to the resource server is not authorized to access the at least one resource hosted by the resource server. | 2021-01-14 |
20210014209 | MANAGING ANONYMOUS NETWORK CONNECTIONS - Managing anonymous network connections. In one aspect, anonymous network connections are managed by providing anonymous authentication credentials to a plurality of devices in a hierarchical network, registering a first set of devices at a first data aggregator, determining that the first set of devices at the first aggregator numbers less than a first threshold value, registering the first set of devices with a second aggregator upstream in the hierarchy from the first aggregator, and causing data from the first set of devices to be received at the second aggregator. | 2021-01-14 |
20210014210 | Environment-Aware Security Tokens - The technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset. | 2021-01-14 |
20210014211 | SECURE ACCOUNT MODIFICATION - One or more implementations of the present specification provide information processing methods, apparatuses, and devices, and computer readable storage mediums. In an implementation, an information processing method includes: when a user is in a non-login state, receiving an account operation request and identity identification information sent by a terminal device of the user; querying account information corresponding to the identity identification information in response to the account operation request; sending a first display instruction to the terminal device when the account information is found, so that the terminal device displays an account operation interface for the account operation request, where the account operation interface is used to receive account operation interaction data of the user and an identity credential corresponding to the identity identification information. | 2021-01-14 |
20210014212 | WEB INTEGRATION, TIMING, ACCESS, AND DISTRIBUTION CONTROL - The present disclosure provides systems and techniques for improved back-end integration of third-party content and an administrative framework allowing for user experience management for a computer-based environment. Described herein, for example, are approaches to improving secure access to multiple web-based systems, integrating web-based content, and controlling timing of web interaction. The problems addressed herein relate to coordinating access and delivery of web content from and to multiple sources and multiple users in an integrated and time-controlled manner. | 2021-01-14 |
20210014213 | SYSTEMS AND METHODS FOR TIERED AUTHENTICATION INCLUDING POSITION-BASED CREDENTIALS - The present disclosure relates to systems and methods for implementing tiered authentication using position-based credentials. A system for authenticating a user with position-based credentials may include one or more memories storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving a login request associated with the user from a first user interface device; receiving a first location associated with the first user interface device; receiving a second location associated with a second user interface device; when a Lebesgue distance between the first location and the second location is below a first threshold, authenticating the user; when the Lebesgue distance is above the first threshold and below a second, larger threshold, prompting the first interface device for a first credential; and when the Lebesgue distance is above the second threshold, prompting the first interface device for a second credential. | 2021-01-14 |
20210014214 | SYSTEMS AND METHODS FOR SIMULATED SINGLE SIGN-ON - A system provides access to a third-party application by a user without revealing at least one sign-on credential used to access the application to the user. The system includes an access management server and a permission server. The access management server hosts a user portal. In response to a user input from the user portal requesting to access the application, the access management server requests, from the permission server, confirmation of the user's permission to access the application. The permission server determines whether access is confirmed using stored permission data, which includes applications the user is currently permitted to access. If the permission server confirms the user's permission, the access management server redirects the user to a sign-on page of the application, automatically enters the sign-on credentials in an anonymized format that is not readable by the user, and automatically submits the sign-on credentials. | 2021-01-14 |
20210014215 | AUTOMATIC LOGIN TOOL FOR SIMULATED SINGLE SIGN-ON - A system provides for automatically populating a sign-on page with sign-on credentials and automatically submitting the sign-on credentials without revealing at least one of the sign-on credentials to a user. The system includes an access management server which stores sign-on credentials for accessing the application. An application access tool, which is associated with a browser extension of a web browser executed on the user's device, provides a network address for a sign-on page of the application, and the system automatically redirects the user to this sign-on page. The system uses a source code database to identify object identifiers in the HTML source code of the sign-on page that correspond to form fields or other objects in the sign-on page for appropriately entering and submitting sign-on credentials in the sign-on page. The credentials are entered in an anonymized format that is not readable by the user. | 2021-01-14 |
20210014216 | ADMINISTRATION PORTAL FOR SIMULATED SINGLE SIGN-ON - A system manages security policy data used to provide access by a user to third-party applications without revealing sign-on credentials to the user. The system includes an access management server that hosts an administration portal for configuring the security policy data. The security policy data includes, for each user, a list of applications to which the user may request access and the corresponding sign-on credentials for accessing each of the applications. In response to inputs provided at the administration portal, the system associates applications with credentials and subsequently associates the credentials with a user. Before these associations are used to update the security policy data, a request for confirmation of user permission is sent to a permission server, which stores current permission data for users. If permission for the user is confirmed, security policy data is updated according to the associations provided via the administration portal. | 2021-01-14 |
20210014217 | TECHNOLOGIES FOR SECURING NETWORK FUNCTION VIRTUALIZATION IMAGES - Technologies for securing a virtualization network function (VNF) image include a security server to generate a wrapping cryptographic key to wrap a private key of the VNF image and replace the private key with the wrapped private key to secure the private key. During operation, the VNF image may be authenticated by a network function virtualization (NFV) server as needed. Additionally, the signature of the VNF image may be updated each time the VNF image is shut down to ensure the continued authenticity of the VNF image. | 2021-01-14 |
20210014218 | SYSTEMS AND METHODS FOR USE IN SHARING DIGITAL IDENTITIES - Systems and methods are provided for using an identity provider (IDP) to implement enrollment of a user to a relying party. One exemplary method includes receiving a login credential for a user from a relying party in connection with enrolling the user to the relying party, where the user is associated with a digital identity and the digital identity includes personal identifying information (PII) of the user. The method also includes generating a one-time-passcode (OTP) and transmitting the OTP to a communication device bound to the digital identity associated with the user, receiving an OTP from the relying party, and when the OTP generated by the computing device matches the OTP received from the relying party, compiling an enrollment file for the user including at least a portion of the PII of the user. The method then includes transmitting the enrollment file to the relying party. | 2021-01-14 |
20210014219 | System and Method for Managing the Multi-factor Authentication Data of a User - A system for managing multi-factor authentication of a user includes: one or more source components for obtaining multi-factor authentication data by one or more of: receiving multi-factor authentication data via a network; generating multi-factor authentication data using an algorithm, and a user providing multi-factor authentication data; a routing component for associating the multi-factor authentication codes from the one or more source components with an appropriate user account; a database comprising multi-factor authentication data wherein components of the multi-factor authentication data are stored in association with a particular user account; and one or more delivery components for providing the multi-factor authentication data to a user on a user device. | 2021-01-14 |
20210014220 | TRUSTED CONTAINER - A secure identifier is derived, using a secured microcontroller of a computing device, that is unique to a pairing of the computing device and a particular domain. Security posture data corresponding to attributes of the computing device is identified in secured memory of the computing device. The secure identifier and security posture data are sent in a secured container to a management device of the particular domain. The particular domain can utilize the information in the secured container to authenticate the computing device and determine a security task to be performed relating to interactions of the computing device with the particular domain. | 2021-01-14 |
20210014221 | USER-SPECIFIC SESSION TIMEOUTS - Techniques are described for generating session-related timeout parameters that are user-specific in value. A user-specific timeout parameter offers several advantages over a static timeout parameter, including minimizing the risk of session hijacking, fewer stale sessions to manage, and timeout parameters that more closely match the user's actual behavior. A value for a timeout parameter can therefore depend on information stored for a specific user. The stored information can indicate user behavior observed over a period of time encompassing multiple sessions and/or multiple accesses to the same or different resources. In certain embodiments, a value for a timeout parameter is determined by a prediction engine implemented using a machine learning (ML) model. The ML model may determine the timeout parameter based on information obtained from records associated with the user for whom the timeout parameter value is being determined, as well as information from records associated with other users. | 2021-01-14 |
20210014222 | SYSTEM AND APPARATUS FOR BIOMETRIC IDENTIFICATION OF A UNIQUE USER AND AUTHORIZATION OF THE UNIQUE USER - A verification device provides an approach to identification and authorization by requiring an authorized biometric presence before permitting the input of a sequence of signals. Furthermore, the device may be configured to recognize incorrect inputs, and to respond by transmitting an alert code while providing limited functionality to convince an unauthorized user that access has been granted until a location of the device has been determined. | 2021-01-14 |
20210014223 | BIOMETRICS HUB FOR PROCESSING BIOMETRICS DATA FOR AUTHORIZED REMOTE DEVICES - A biometrics hub may establish a first schedule for processing first biometric data of a user, establish a second schedule for processing second biometric data of the user, store the first biometric data that is received from a first biometric device via a first persistent session, and store the second biometric data that is received from a second biometric device via a second persistent session. The biometrics hub may further transmit at least one of the first biometric data or the second biometric data to an authorized remote device in accordance with the first schedule or the second schedule. In one example, the transmitting includes establishing a session with the authorized remote device, sending the at least one of the first biometric data or the second biometric data to the authorized remote device via the session with the authorized remote device, and closing the session with the authorized remote device. | 2021-01-14 |
20210014224 | HOME REALM DISCOVERY WITH FLAT-NAME USERNAMES - Methods, systems, apparatuses, and computer program products are provided for automatically determining a home realm. An authentication request receiver interface may receive a request to access a resource and a device identifier from a client device. An authenticator may be enacted in response to receiving the request to access the resource that includes a home realm discoverer and an authentication user interface (UI) provider. The home realm discoverer may determine, based at least on the device identifier, the home realm from a plurality of realms. The authentication UI provider may provide, to the client device, an authentication UI via which a flat-name username can be submitted. Based at least on the flat-name username and the determined home realm, access to the resource may be granted. In this manner, a user may input a flat-name username during sign-in, rather than inputting a realm or an entire e-mail address. | 2021-01-14 |
20210014225 | COMMUNICATION CONTROL APPARATUS, COMMUNICATION CONTROL METHOD, AND COMMUNICATION CONTROL PROGRAM - A communication control apparatus includes a collection control unit, an analysis unit, and a coordination unit. The collection control unit collects communication performed with a device connected to a subordinate network, and controls communication performed by the device based on a first control condition. The analysis unit analyzes the communication collected by the collection control unit to extract device identification information indicating characteristics of the communication performed by the device. The analysis unit specifies a device name of the device and the first control condition corresponding to a normal communication range extracted from the device identification information, based on the device identification information. The coordination unit transmits at least part of first shared information, in which the device name and the first control condition specified by the analysis unit and the device identification information are associated with each other, to an outside of the subordinate network. | 2021-01-14 |
20210014226 | WEARABLE DEVICE-BASED IDENTITY AUTHENTICATION METHOD AND SYSTEM - A wearable device-based identity authentication method and system, comprising: a user terminal initiates an authentication request to a target server and provides device information of the user terminal, the target server generates a temporary session, and sends a temporary session ID and the device information to a quantum key distribution network; the quantum key distribution network generates identification information, searches for a wearable device bound to the user terminal, and sends the identification information to the wearable device; the wearable device receives and provides the identification information to the user terminal, the user terminal acquires the identification information, and sends verification information to the wearable device and then to the quantum key distribution network; the quantum key distribution network generates an authentication result and sends it to the target server; and the target server generates an identification authentication result and sends it to the user terminal. | 2021-01-14 |
20210014227 | SPLIT-TIERED POINT-TO-POINT INLINE AUTHENTICATION ARCHITECTURE - Systems and methods for authenticating presumptively incompatible elements in a digital network are provided. A method may include receiving an access request from a client node in the network. The access request may be requesting access to an application in the network. The access request may be associated with a uniform resource identifier (“URI”). The method may include extracting a target application from the URI. The method may include determining an authentication protocol that is supported by the target application. The method may include generating, based on the authentication protocol, a series of one or more authentication tests that, in combination, satisfy the authentication protocol. The authentication tests may satisfy the authentication protocol even when the client node natively supports a different authentication protocol. The method may include executing the series of authentication tests to authenticate the client node vis-à-vis the target application. | 2021-01-14 |
20210014228 | METHOD OF DELEGATING DATA EDITING AUTHORITY OF PRODUCT ITEMS - A method of delegating data editing authority of product items is provided, which includes the steps of: selecting a plurality of product items in a database in a data management system, which is done by a first party, and then defining the plurality of product items as a plurality of authorized items; generating an authorization code corresponding to the authorized items, and generating a notification message corresponding to the authorization code; a second party responds to the notification message through the electronic device; obtaining the authorized items from the database according to the authorization code corresponding to the notification message responded by the second party, and then transferring the authorized items to the electronic device so as to revise the content of the authorized items. Thereby, the transmission of data is more convenient. | 2021-01-14 |
20210014229 | Protecting Enterprise Computing Resources by Implementing an Optical Air Gap System - Aspects of the disclosure relate to protecting enterprise computing resources by implementing an optical air gap system. A computing platform may receive, from an external communications server, a message. The computing platform then may generate an image representation of the message received from the external communications server. Subsequently, the computing platform may execute an optical character recognition (OCR) process on the image representation of the message, which may produce a recreated message. Then, the computing platform may validate contents of the recreated message. Based on validating the contents of the recreated message, the computing platform may send, to an enterprise communications server, the recreated message, and sending the recreated message to the enterprise communications server may cause the enterprise communications server to deliver the recreated message to at least one enterprise user computing device. | 2021-01-14 |
20210014230 | UNAUTHORIZED CONTROL SUPPRESSION METHOD, UNAUTHORIZED CONTROL SUPPRESSION DEVICE, AND ONBOARD NETWORK SYSTEM - A method for use in a network system is provided. The network system includes a plurality of electronic controllers that transmit and receive, via a network, a plurality of frames. The plurality of frames includes at least one control frame that instructs predetermined control to an object of control. The method receives, sequentially, the plurality of frames from the network, and determines whether the predetermined control, instructed by the control frame received in the receiving, is to be suppressed, based on a set of frames received in the receiving. The set of frames is received in the receiving within a predetermined period preceding a time of reception of the control frame. | 2021-01-14 |
20210014231 | DIGITAL DATA ACCESS CONTROL AND AUTOMATED SYNTHESIZATION OF CAPABILITIES - A computer system for controlling access to digital data and algorithms, including a multitude of local systems provided at a plurality of remote locations. At least a first subset of the multitude of local systems comprises at least one data acquisition device adapted to generate and provide raw digital data. At least a second subset of the multitude of local systems comprises at least one data processing unit having a memory with a memory capacity and a processor with a computing capacity to process raw digital data to generate processed digital data to be presented to one or more of a plurality of users of the system. The system also includes a filter system, wherein at least one filter is assigned at each local system, each filter having a filter setting for restricting and prohibiting data transfer between the assigned local system and other local systems. | 2021-01-14 |
20210014232 | DYNAMIC PASSCODES IN ASSOCIATION WITH A WIRELESS ACCESS POINT - A method includes receiving, at an access point, an access request from a first device after an expiration of a first passcode. The access request is encrypted based on the first passcode. The method includes making a determination by the access point before an expiration of a usage time of a first passcode usage list that an identifier of the first device is included in the first passcode usage list. The method also includes, in response to making the determination, generating, at the access point, data representing a second passcode by encrypting the second passcode using the first passcode; and sending the data representing the second passcode from the access point to the first device. | 2021-01-14 |
20210014233 | DYNAMICALLY ENFORCING CONTEXT SENSITIVE NETWORK ACCESS CONTROL POLICIES - The present disclosure envisages enforcing micro-segmentation policies on a user computer that intermittently migrates between a secured enterprise network and an unsecured network, for instance, a public network. The present disclosure envisages switching between appropriate micro-segmentation policies, in-line with the change in the current location of the user device, the change triggered by the user device migrating from the enterprise network to an unsecured network or vice-versa. The present disclosure envisages selectively enforcing micro-segmentation policies upon a user device based on the current location thereof, such that the micro-segmentation policies and the corresponding access permissions assigned to the user device differ in line with the current location of the user device, thereby exposing sensitive enterprise resources, forming a part of the enterprise network, in a selective and restricted manner, in line with the micro-segmentation policies enforced upon the user device based primarily on the current location of the user device. | 2021-01-14 |
20210014234 | PERSONAL-PUBLIC SERVICE SET IDENTIFIERS - Embodiments are directed to techniques for secure network connectivity. The techniques include a system having a credential server storing a Personal-Public (PP) Service Set Identifier (SSID) profile configured according to registration information provided from a personal computing device. The system further includes a Wireless Access Point (WAP) communicatively coupled to the credential server and configured to implement a PP SSID connection using the PP SSID profile to create a single-device, single-use, password-protected, unadvertised, and encrypted networking channel between the personal computing device and the Internet. | 2021-01-14 |
20210014235 | MANAGEMENT OF COLLABORATIVE CONTENT ITEM MODIFICATION - Systems and methods for concurrent modification of content are provided. In response to a verified request received from a user, content is copied to a first storage media as a first version of the content uniquely identified by a first identifier, the verified request being based on verification of the user's credentials. In response to the user editing the first version of the content, the edited copy of the content is stored in the content management system in association with a second identifier uniquely identifying the edited copy of the content as a second version of the content. In response to receiving a notification that a plurality of users no longer request access to the content stored in the content management system, the first version of the content is deleted from the first storage media. | 2021-01-14 |
20210014236 | System, Device, and Method for Detection of Proxy Server - Devices, systems, and methods of detecting whether an electronic device or computerized device or computer is communicating with a computerized service or a trusted server directly and without an intermediary web-proxy, or indirectly by utilizing a proxy server or web-proxy. The system searches for particular characteristics or attributes that characterize a proxy-based communication session or channel and that do not characterize a direct non-proxy-based communication session or channel; or conversely, the system searches for particular characteristics or attributes that characterize a direct non-proxy-based communication session or channel and that do not characterize a proxy-based communication session or channel; and based on these characteristics, determines whether or not a proxy server exists and operates. | 2021-01-14 |
20210014237 | Meeting Join for Meeting Device - Various embodiments enable an application on a first device to log into an online meeting in association with a trusted entity, such as a trusted user. Once trust is established between the trusted entity and the meeting domain, such as an enterprise domain, permissions can be assigned to a meeting device, by virtue of the trust relationship with the trusted entity, to enable the meeting device to join the meeting as a participant, thus allowing the meeting device to bypass an initial join process such as a meeting lobby and the like. By virtue of the assigned permissions, the meeting device may take control of the meeting and control the experience for others in the meeting as a fleeting organizer or some other permission-centric role. | 2021-01-14 |
20210014238 | GEO-FENCE AUTHORIZATION PROVISIONING - A system includes a communication module that receives a request to post content to an event gallery associated with an event. The request in turn includes geo-location data for a device sending the content, and identification data identifying the device or a user of the device. The system further has an event gallery module to perform a first authorization operation that includes determining that the geo-location data corresponds to a geo-location fence associated with an event. The event gallery module also performs a second authorization operation that includes using the identification data to verify an attribute of the user. Finally, based on the first and second authorization operations, the event gallery module may selectively authorize the device to post the content to the event gallery. | 2021-01-14 |
20210014239 | METHOD TO IMPROVE ANTI-MALWARE SCAN RESPONSIVENESS AND EFFECTIVENESS USING USER SYMPTOMS FEEDBACK - Methods, apparatus, systems and articles of manufacture for improving anti-malware scan responsiveness are disclosed. A storage device or storage disk comprising instructions which, when executed, cause processor circuitry to at least: in response to a performance issue on a user computing device, determine a symptom association with the performance issue based on a user input from the user computing device, the user input corresponding to highlighting an area of a window associated with the performance issue, the window having been displayed on the display by an operating system of the user computing device, identify a scan parameter for a targeted anti-malware scan based on positive results of malware scans from other user computing devices that experienced the symptom, and transmit the scan parameter to the user computing device to facilitate a targeted anti-malware scan of the user computing device based on the scan parameter. | 2021-01-14 |
20210014240 | MALWARE INFECTION PREDICTION - A computer implemented method of protecting a target subnet in a hierarchy of subnets of a computer network from malware attack, the subnet including a set of network connected devices, the method including generating a dynamical system for each subnet in the network, each dynamical system modelling a rate of change of a number of network connected devices in the subnet that are: susceptible to infection by the malware; infected by the malware; protected against infection by the malware; and remediated of infection by the malware, the dynamical systems being based on rates of transmission of the malware between pairs of subnets; evaluating a measure of risk of infection of the target subnet at a predetermined point in time based on the dynamical system for the target subnet; and responsive to the measure of risk meeting a predetermined threshold, deploying malware protection measures to devices in the target subnet. | 2021-01-14 |
20210014241 | MALWARE BARRIER - A computer implemented method of protecting a portion of a computer network from malware attack, the computer network including network connected devices organized into hierarchical subnets modelled by a tree data structure in which each subnet is represented as a node in the tree, each node having a connection to a parent node save for a root node, the method including performing protective actions on devices in subnets associated with a first subset of nodes to provide protection against the malware, prioritizing devices in the subnets associated with a second subset of nodes so as to provide a barrier of subnets protected against the malware to impede the propagation of the malware to devices in subnets associated with each of the first subset of nodes. | 2021-01-14 |
20210014242 | PROTECTION AGAINST MALICIOUS ATTACKS PROPAGATED VIA EMAILS - An aspect of the present disclosure protects users from malicious attacks propagated via emails. In one embodiment, a reputation server identifies a (first) set of recipients of an email who have opened the email, and then computes a reputation score for the email based on hygiene scores of the set of recipients. The hygiene score of a recipient is a measure of the infections caused due to the recipient's interactions with prior email communications, while the computed reputation score indicates a probability of malicious attacks being propagated via the email. The reputation server then provides the reputation score for the email to another (second) set of recipients of the email. When the email contains a link or an attachment, the reputation server identifies the (first) set of recipients who have opened the email and accessed the link or the attachment contained in the email. | 2021-01-14 |
20210014243 | METHOD AND SYSTEM FOR ANTIVIRUS SCANNING OF BACKUP DATA AT A CENTRALIZED STORAGE - Disclosed herein are systems and methods for anti-virus scanning of backup data at a centralized storage. In an exemplary aspect, a method may receive, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices. The method may mount the received backup slice as a virtual disk. The method may detect, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices and may evaluate the change against behavioral rules to identify malicious behavior. In response to determining that the change exhibits malicious behavior, the method may execute a remediation action to prevent an attack on the plurality of computing devices or the centralized storage. | 2021-01-14 |
20210014244 | MALWARE DETECTION AND PREVENTION SYSTEM - Aspects of the present disclosure involve systems and methods for computing devices to access a public network posing as a user to the network to detect one or more malware programs available for downloading through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system, with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes. | 2021-01-14 |
20210014245 | IN-STREAM MALWARE PROTECTION - A protector server located in the Web traffic between an end-user computer and a Web site intercepts requests for Web pages from the Web site. The server inserts protection code into a Web page returned to the user computer which executes within the user browser. The code disables malware executing within the user browser by establishing itself as an event handler, finding likely malware in the stack, and disabling it. The code thwarts host-based malware by establishing itself as an event handler, and encrypting data fields of forms before the form is submitted to the operating system of the user computer. The code detects a Web inject attack by calculating a fingerprint for a form on the Web page and sending that fingerprint to the server. The server compares that fingerprint with one previously calculated for the form and generates an alert if different. The code detects a phishing attack by sending a notification to the server indicating within which domain it is executing. The server generates an alert if the received domain is different from an expected domain. The server provides a Web application firewall. | 2021-01-14 |
20210014246 | IN-STREAM MALWARE PROTECTION - A protector server located in the Web traffic between an end-user computer and a Web site intercepts requests for Web pages from the Web site. The server inserts protection code into a Web page returned to the user computer which executes within the user browser. The code disables malware executing within the user browser by establishing itself as an event handler, finding likely malware in the stack, and disabling it. The code thwarts host-based malware by establishing itself as an event handler, and encrypting data fields of forms before the form is submitted to the operating system of the user computer. The code detects a Web inject attack by calculating a fingerprint for a form on the Web page and sending that fingerprint to the server. The server compares that fingerprint with one previously calculated for the form and generates an alert if different. The code detects a phishing attack by sending a notification to the server indicating within which domain it is executing. The server generates an alert if the received domain is different from an expected domain. The server provides a Web application firewall. | 2021-01-14 |
20210014247 | METHODS, SYSTEMS, ARTICLES OF MANUFACTURE AND APPARATUS FOR PRODUCING GENERIC IP REPUTATION THROUGH CROSS-PROTOCOL ANALYSIS - Methods, apparatus, systems and articles of manufacture for producing generic Internet Protocol (IP) reputation through cross-protocol analysis are disclosed. An example apparatus includes a data collector to gather a first data set representing IP telemetry data for a first protocol, the data collector to gather a second data set representing IP telemetry data for a second protocol different from the first protocol. A label generator is to generate a training data set based on records in the first data set and the second data set having matching IP addresses, the training data set to include a combined label indicating whether each of the respective matching IP addresses is malicious. A model trainer is to train a machine learning model using the training data set. A model executor is to, responsive to a request from a client device, execute the machine learning model to determine whether a requested IP address is malicious. | 2021-01-14 |
20210014248 | METHOD AND DEVICE FOR INTRUSION DETECTION IN A COMPUTER NETWORK - Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an actual value from a field of the data packet being compared in a comparison by a hardware filter with a setpoint value for values from the field, the field including data link layer data or network layer data, a value for a counter determined as a function of a result of the comparison being provided by the hardware switch unit, and a computing device determining a result of the intrusion detection as a function of the value of the counter in the hardware switch unit and independently of information from the data packet, in particular, without an evaluation of information from the data packet by the computing device. | 2021-01-14 |
20210014249 | Packet Transmission Method and Apparatus - A packet transmission method and an apparatus pertain to the field of network technologies. The method includes obtaining, by a terminal device, a source IP (Internet Protocol) address in a to-be-transmitted packet and N IP addresses of the terminal device, where N is an integer, and when the source IP address in the to-be-transmitted packet is different from any one of the N IP addresses of the terminal device, determining that the source IP address in the to-be-transmitted packet is forged, and prohibiting transmitting the to-be-transmitted packet. The application can solve the problem that a virus such as a Trojan in the terminal device may be prevented from forging a source IP address of another device to randomly transfer an attack packet in the network, to improve network security. | 2021-01-14 |
20210014250 | LEARNING MALICIOUSNESS IN CYBERSECURITY GRAPHS - Systems and methods for utilizing statistical relational learning techniques in order to predict factors for nodes of a node graph, such as a node graph that represents attacks and incidents to a computing system, are described. In some embodiments, the systems and methods identify certain nodes (of a node graph) as representing malicious attributes of an email or other threat artifact received by a computing system or network and utilize relational learning to predict the maliciousness of attributes represented by other nodes (of the node graph). | 2021-01-14 |
20210014251 | SYSTEMS AND METHODS FOR PROTECTING DEVICES FROM MALWARE - Disclosed herein are systems and methods for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample, terminating the process and notifying the user when the process is malware, performing light dynamic analysis when the process is not malware based on the light static analysis, when the process is clean based on the light dynamic analysis, enabling the process to execute, when the process is malware, terminating the process and notifying the user, and when the process is a suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is malware based on the received final verdict, and enabling the process to resume executing when the process is determined as being clean based on the final verdict. | 2021-01-14 |
20210014252 | DOMAIN CLUSTERING FOR MALICIOUS CAMPAIGN IDENTIFICATION - A method for identification of malicious domains is provided. The method extracts a set of domain information from one or more input streams. The set of domain information includes a set of domains and a set of domain characteristics describing each domain. The method clusters the set of domains to generate a set of campaign clusters of related domains. The clusters are based on the set of domain characteristics. The method modifies the set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters. A portion of the set of threat intelligence ratings correspond to one or more domains within the set of campaign clusters. The method determines a cluster designation for each campaign cluster of the set of enriched campaign clusters and distributes the cluster designations for each campaign cluster to one or more threat intelligence resources. | 2021-01-14 |
20210014253 | DEVICE AND METHOD FOR INTRUSION DETECTION IN A COMMUNICATIONS NETWORK - A method and a device for anomaly detection, the device including at least one port and a processing unit. The at least one port is designed to process, in particular to send or to receive, a data packet. The processing unit is designed to check, as a function of a first piece of information concerning the physical port at which the data packet is processed, and as a function of a second piece of information from at least one protocol header of the data packet, whether or not the data packet to be processed, including this second piece of information, is allowed to be processed at this physical port. An anomaly is detected when it is determined that the data packet is not allowed to be processed at the physical port. | 2021-01-14 |
20210014254 | DEVICE AND METHOD FOR ANOMALY DETECTION IN A COMMUNICATIONS NETWORK - A device and a method for anomaly detection in a communications network, at least two messages at a port of the communications network being observed, a property of a communication behavior of a network user being determined as a function of the at least two messages, a deviation of the property from an expected property being determined, and the presence of an anomaly being detected when the deviation differs from an allowable deviation. The expected property defines a communication behavior of the at least one network user as a function of an in particular static network architecture of the communications network. | 2021-01-14 |
20210014255 | METHOD AND DEVICE FOR INTRUSION DETECTION IN A COMPUTER NETWORK - A device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an output of the hardware switch unit is selected for sending the data packet or a copy as a function of security layer information from the data packet and of a hardware address, context information for the data packet being determined, an actual value from a field being compared in a comparison by a hardware filter with a setpoint value for values from this field, the field including security layer data or mediation layer data, and an interrupt for a computing device being triggered as a function of a result of the comparison, an analysis for detecting an intrusion pattern in a network traffic in the computer network, triggered by the interrupt, being carried out as a function of the context information for the data packet. | 2021-01-14 |
20210014256 | AUTOMATED INTELLIGENT DETECTION AND MITIGATION OF CYBER SECURITY THREATS - Methods and apparatuses are described for automated intelligent detection and mitigation of cyber security threats. A server receives application log data from application servers and analyzes the log data to identify indicia of potential cyber security threats. The server executes a trained threat modeler against the log data and the indicia of potential cyber security threats to identify indicia of actual cyber security threats. The server determines whether a remediation action exists for the identified actual cyber security threats. If a remediation action exists: the server executes the remediation action at the application servers to resolve the actual cyber security threat. If a remediation action does not exist: the server generates remediation parameters based upon the indicia of the actual cyber security threat, generates source code for a software package based upon the remediation parameters, and executes the software package at the application servers to resolve the cyber security threat. | 2021-01-14 |
20210014257 | METHOD AND DEVICE FOR INTRUSION DETECTION IN A COMPUTER NETWORK - Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an output of the hardware switch unit being selected for sending the data packet or a copy as a function of data link layer information from the data packet and of a hardware address from a memory of the hardware switch unit. An actual value from a field of the data packet is compared by a hardware filter with a setpoint value for values from this field, the field including data link layer data or network layer data, and the data packet or a copy of the data packet being provided to a computing device as a function of a result of the comparison. The analysis for detecting an intrusion pattern in a network traffic in the computer network is carried out by the computing device. | 2021-01-14 |
20210014258 | COGNITIVE INFORMATION SECURITY USING A BEHAVIORAL RECOGNITION SYSTEM - Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words. | 2021-01-14 |
20210014259 | CYBERSECURITY SYSTEM - A computing device determines a peer group identifier and supplements netflow records with the peer group identifier. An authentication event block object is received that was sent to a first source window. The authentication event block object includes a user identifier, an IP address, and a peer group identifier. Members of the peer group are identified based on an expected network activity behavior. The user identifier and the peer group identifier are stored in association with the IP address in a cache. A netflow event block object sent to the first source window is received that includes a netflow packet IP address. Netflow data is parsed from the netflow event block object into a netflow record. When the stored IP address matches the netflow packet IP address, the netflow record is supplemented with the user identifier and the peer group identifier. The supplemented netflow record is output to summary data. | 2021-01-14 |
20210014260 | MULTI-APPLICATION RECOMMENDATION ENGINE FOR A REMOTE NETWORK MANAGEMENT PLATFORM - A remote network management platform may include persistent storage containing: (i) data related to a managed network, and (ii) a persona of a user. The remote network management platform may also include a platform application associated with a web-based user interface and using a portion of the data. The remote network management platform may also include a recommendation engine with access to a set of rules or a machine learning (ML) model corresponding to the platform application. The recommendation engine may be configured to: (i) read, from the persistent storage, the portion of the data and the persona; (ii) apply, to the portion of the data and the persona, the set of rules or the ML model to generate one or more recommendations; and (iii) transmit, by way of the web-based user interface and to the user, representations of the one or more recommendations. | 2021-01-14 |
20210014261 | ONLINE STATIC SECURITY ASSESSMENT UNDER THE QSS MODEL - An online static security assessment (SSA) method based on a quasi steady-state (QSS) model is applied to a power system. An input to the method includes a post-contingency state of the power system for each of a set of contingencies. The following operations are performed for each contingency. Using the QSS model of the post-contingency state of the power system, a steady-state voltage magnitude is calculated for each bus in the power system by solving a system of equations. The system of equations is formulated according to a time-domain stability model of the power system and includes nonlinear differential algebraic equations (DAE) with continuous and discrete variables. The derivative terms of short-term state variables in the DAE are set to zero. The method compares the calculated voltage magnitude with a limit, classifies each contingency as secure, critical or insecure, and determines a control action in response to the classification. | 2021-01-14 |
20210014262 | ALERT FREQUENCY CONTROL DEVICE AND COMPUTER READABLE MEDIUM - If an attack activity that belongs to any of a plurality of phases of a cyber-attack is detected, a calculation unit calculates an occurrence interval of an attack scenario, using activity interval data. The activity interval data indicates each occurrence interval of one or more attack activities for each phase. The attack scenario is composed of one attack activity of a phase to which a detected attack activity belongs and one attack activity of each phase before the phase to which the detected attack activity belongs. A determination unit determines necessity or non-necessity of an alert, based on the occurrence interval of the attack scenario. | 2021-01-14 |
20210014263 | SYSTEM AND METHOD FOR EXTRACTING CONFIGURATION-RELATED INFORMATION FOR REASONING ABOUT THE SECURITY AND FUNCTIONALITY OF A COMPOSED INTERNET OF THINGS SYSTEM - Embodiments provide a system and method for extracting configuration-related information for reasoning about the security and functionality of a composed system. During operation, the system determines, by a computing device, information sources associated with hardware and software components of a system, wherein the information sources include at least specification sheets, standard operating procedures, user manuals, and vulnerability databases. The system selects a set of categories of vulnerabilities in a vulnerability database, and ingests the information sources to obtain data in a normalized format. The system extracts, from the ingested information sources, configuration information, vulnerability information, dependency information, and functionality requirements to create a model for the system. The system displays, on a screen of a user device, one or more interactive elements which allow the user to view or select the information sources and the categories of vulnerabilities, initiate ingesting the information sources, and view the extracted configuration information. | 2021-01-14 |
20210014264 | SYSTEM AND METHOD FOR REASONING ABOUT THE OPTIMALITY OF A CONFIGURATION PARAMETER OF A DISTRIBUTED SYSTEM - Embodiments provide a system and method for reasoning about the optimality of a configuration parameter of a distributed system. During operation, the system obtains a multi-layer graph for a system with a plurality of components, wherein the multi-layer graph comprises a configuration subgraph, a vulnerability subgraph, and a dependency subgraph. The system determines, based on the multi-layer graph, constraint relationships associated with configuration parameters for the components, wherein the constraint relationships include security constraints and functionality constraints. The system computes an unsatisfiable core which comprises a set of mutually incompatible constraints. The system resolves, based on a strategy and over multiple iterations, the unsatisfiable core by analyzing one pair of mutually incompatible constraints per a respective iteration, to obtain a new unsatisfiable core which comprises a smaller number of mutually incompatible constraints than the computed unsatisfiable core or a previously computed unsatisfiable core from a most recent iteration. | 2021-01-14 |
20210014265 | EVALUATING EFFECTIVENESS OF SECURITY CONTROLS IN ENTERPRISE NETWORKS USING GRAPH VALUES - Implementations are directed to an agile security platform for enterprise-wide cyber-security and performing actions of receiving, from an agile security platform, analytical attack graph (AAG) data representative of one or more AAGs, each AAG representing one or more lateral paths within an enterprise network for reaching a target asset from one or more assets within the enterprise network, determining, for each instance of a plurality of instances of the AAG, a graph value representing a measure of hackability of the enterprise network at respective times, providing a profile of the enterprise network based on a set of graph values determined for instances of the AAG, the profile representing changes in graph values over time, determining an effectiveness of one or more security controls based on the profile, and selectively executing one or more remedial actions in response to the effectiveness. | 2021-01-14 |
20210014266 | SYSTEM AND METHOD FOR GENERATING AND IMPLEMENTING A REAL-TIME MULTI-FACTOR AUTHENTICATION POLICY ACROSS MULTIPLE CHANNELS - Systems and methods for generating and implementing a real-time multi-factor authentication policy across multiple channels, are configured to: during a pre-authentication stage: receive, via a user interface, information defining one or more scenarios; receive, via the user interface, information defining one or more authentication flows; for each of the one or more scenarios, map one of the one or more authentication flows to a given scenario; and generate a multi-factor authentication policy associated with each of the one or more scenarios; and during a real-time authentication stage: upon receiving an interaction, identify, by a decision engine, a relevant scenario of the one or more scenarios; implement, by the decision engine, the multi-factor authentication policy associated with the relevant scenario; and determine, by the decision engine, an authentication result. | 2021-01-14 |
20210014267 | LOCAL PORT MANAGING METHOD AND DEVICE, PACKET-ORIENTED DATA NETWORK, DIGITAL STORAGE MEDIA, AND COMPUTER PROGRAM PRODUCT - A method for managing local ports in a packet-oriented data network is proposed, wherein packets are assigned to a selected local port, and assignment of a local port is controlled based on observation of transmission on the network. The invention also relates to a local port managing device, a packet-oriented data network, a digital storage media, and a computer program product. | 2021-01-14 |
20210014268 | ANTI-REPLAY DEVICE BASED ON MEMORY SPACE INTERCHANGE - Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting and disabling replay attacks. One of the methods includes receiving a transaction to be completed in a blockchain. A current working section of memory storing transaction information that is designated for use in identifying past transactions already processed is determined, where the memory also stores a backup section providing, when used in combination with the current working section, an alternating memory section storage scheme for the transaction information. From the current working section, whether the transaction has previously been processed is determined. When it is determined that the transaction has previously been processed, the transaction is bypassed. When it is determined that the transaction has not previously been processed, the transaction is processed and transaction information for the transaction is written into the current working section. | 2021-01-14 |
20210014269 | USER ACTIVITY-TRIGGERED URL SCAN - There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL. | 2021-01-14 |
20210014270 | IDENTIFYING SPAM USING NEAR-DUPLICATE DETECTION FOR TEXT AND IMAGES - Embodiments described herein provide systems, methods, and computer storage media for detecting spam by comparing hash values of content. In embodiments, hash values are generated based on the type of content and compared to other hash values in storage buckets. The similarity of content is determined by calculating the distance between two hash values and determining whether the distance exceeds a distance index. Counter values associated with hash values in storage are incremented when the distances between hash values exceed the distance index. Spam indications are communicated when the counter values associated with hash values exceed a count threshold. | 2021-01-14 |
20210014271 | SYSTEMS AND METHODS FOR AIDA BASED A/B TESTING - Systems and methods are described by which a serving module of a campaign controller identifies a first version of a model which the campaign controller uses to communicate a first simulated phishing communication to a plurality of users. The campaign controller receives a first response from a first user to the simulated phishing communication and a second response from a second user to the simulated phishing communication and determines that the first and second responses are corresponding, for example are the same or similar. The serving module assigns a first user to a first group of users and a second user to a second group of users and identifies a second version of the model to use for the first user and a third version of the model to use for the second user. | 2021-01-14 |
20210014272 | PRE-ROUTING INTRUSION PROTECTION FOR CLOUD BASED VIRTUAL COMPUTING ENVIRONMENTS - Embodiments of the present invention provide a novel and non-obvious method, system and computer program product for pre-routing network security for cloud computing. In an embodiment of the invention, a pre-routing network security method for cloud computing includes receiving in a routing component, such as a load balancer, of a cloud computing environment that includes at least two different virtualized containers, a stream of packets targeting a destination network address and, before processing the stream of packets in the routing component, diverting the stream of packets to a packet inspector executing in one of the virtualized containers. Then, only a fraction of the packets of the diverted stream of packets are received in the routing component from the packet inspector, and, the fraction of the packets are then processed in the router such that the fraction of the packets are routed to the destination network address. | 2021-01-14 |
20210014273 | METHOD AND APPARATUS OF AUTOMATIC GENERATION OF A CONTENT SECURITY POLICY FOR A NETWORK RESOURCE - Methods and apparatuses for automatic determination of a content security policy for a network resource are described. A proxy server receives from a first authenticated client device a first request for a first network resource, retrieves the first network resource and transmits a first response to the first client device that includes a content tracker that causes the client device to report information on additional network resources identified when the first client device interprets the first network resource. A content security policy is determined based on the reported information. The proxy server receives, from a second client device, a second request for the first network resource. The proxy server transmits, to the second client device, a second response that includes the content security policy that is determined based on the information on the additional network resources. | 2021-01-14 |
20210014274 | GROUP OPTIMIZATION FOR NETWORK COMMUNICATIONS - Disclosed embodiments are related to grouping sets of intercommunicating objects to minimize the number of rules/policies needed to be stored to enforce those rules/policies. Given a set of objects communicating with each other using different services, embodiments group these objects to minimize the total number of final rules that are implemented. This allows an original set of policies to be reduced into a smaller set of policies, which conserves computational resources. Other embodiments may be described and/or claimed. | 2021-01-14 |
20210014275 | SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES - In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone. | 2021-01-14 |
20210014276 | NETWORK MANAGEMENT APPARATUS, AND NETWORK MANAGEMENT METHOD - The network management apparatus includes a processor coupled to memory and configured to calculate a communication route of traffic that each of a plurality of edge routers transfers to an attack target device that is attacked from outside the network, select a first router where the communication routes of a plurality of flows of traffic that is transferred to the attack target device merge, instruct the first router to restrict transfer of the traffic of the attack, detect a change in traffic of the attack in response to a restriction on transfer of the traffic of the attack, and identify an edge router of an inflow source from a part of the plurality of edge routers or the edge router of the inflow source of the traffic of the attack from rest of the plurality of edge routers. | 2021-01-14 |
20210014277 | Methods and Systems for Protecting a Secured Network - Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. | 2021-01-14 |
20210014278 | MULTI-TENANT AUTHENTICATION FRAMEWORK - Disclosed are various embodiments for a multi-tenant authentication framework. In one embodiment, a particular user class to which a client device belongs is determined based at least in part on location-identifying information of the client device, and the client device is authenticated for access to a network resource using a particular authentication service corresponding to the particular user class. | 2021-01-14 |
20210014279 | NETWORK-ACCESSIBLE SERVICE FOR EXECUTING VIRTUAL MACHINES USING CLIENT-PROVIDED VIRTUAL MACHINE IMAGES - Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destination nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims. | 2021-01-14 |
20210014280 | DATA PROCESSING AND SCANNING SYSTEMS FOR GENERATING AND POPULATING A DATA INVENTORY - In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique. | 2021-01-14 |
20210014281 | MANAGING NETWORK CONNECTIONS BASED ON THEIR ENDPOINTS - The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A system for managing network connections includes a storage component, a decoding component, a rule manager component, and a notification component. The storage component is configured to store a list of expected connections for a plurality of networked machines, wherein each connection in the list of expected connections defines a start point and an end point for the connection. The decoding component is configured to decode messages from the plurality of networked machines indicating one or more connections for a corresponding machine. The rule manager component is configured to identify an unexpected presence or absence of a connection on at least one of the plurality of network machines based on the list of expected connections. The notification component is configured to provide a notification or indication of the unexpected presence or absence. | 2021-01-14 |
20210014282 | SYSTEMS AND METHODS FOR CLOUD-BASED FEDERATED RECORDS RETENTION COMPLIANCE ORCHESTRATION, VALIDATION AND ENFORCEMENT - Through a cloud-based centralized user interface, a federated compliance system presents a policy of interest and representations of disparate systems that match the policy of interest to a user. The disparate systems, which operate in a distributed network computing environment, can include cloud-based repositories and off-cloud repositories. The federated compliance system can pull the cloud-based repositories through a cloud orchestrator and the off-cloud repositories through an off-cloud orchestrator over a secure tunnel. The federated compliance system utilizes user-provided information on the policy of interest to determine various categories of attributes from different repository schemas employed by the disparate systems. A federated retention policy mapper, implemented as a compliance service, maps the attributes to a common schema, creates a federated retention policy, and stores it in a federated space in the distributed network computing environment. A policy change can be automatically propagated across the disparate systems using the federated retention policy. | 2021-01-14 |
20210014283 | SYSTEM AND METHOD FOR GENERATING EVIDENCE FOR THE SUPERIORITY OF A DISTRIBUTED SYSTEM CONFIGURATION - The system generates evidence of a recommended configuration for a distributed system based on a plurality of configuration parameters. The system displays, on a screen of a user device, the evidence, which includes a list of configuration parameters, including a name, a current value, and a recommended value for a respective configuration parameter. The recommended value is obtained based on a strategy for optimizing security, functionality, or both. The system further displays interactive elements which allow the user to: view a resolution of a pair of mutually incompatible constraints resulting in the recommended value for the respective configuration parameter, wherein the resolution includes a name of the configuration parameter removed from the list and a reason for the removal; and view information associated with each of the pair of mutually incompatible constraints, wherein the information includes a name, a goal, a security impact, and a description of the constraint. | 2021-01-14 |
20210014284 | Security Negotiation in Service Based Architectures (SBA) - The disclosure provides techniques for negotiating security mechanisms between security gateways ( | 2021-01-14 |
20210014285 | ON-DEMAND SECURITY ASSOCIATION MANAGEMENT - An ingress network element obtains data from a source endpoint associated with the ingress network element. The data identifies a destination endpoint remote from the ingress network element. The ingress network element provides a map request identifying the destination endpoint to a mapping server. The ingress network element obtains a map reply including a network address of an egress network element associated with the destination endpoint and a security association. The ingress network element encrypts the data for the destination endpoint with the security association according to a cryptographic policy based on the source endpoint, the destination endpoint, and the availability of cryptographic resources on the network. The ingress network element provides the encrypted data to the egress network element. | 2021-01-14 |
20210014286 | SELECTIVE SERVICE CONTROL TO MOBILE IP NETWORK - Systems and methods are described for managing services of a computing device over a mobile network where requests for managed or unmanaged services are translated to corresponding IP addresses sent to the computing device and corresponding requests sent to the translated IP addresses are either permitted, rated, quality controlled or secured if the computing device has a valid data plan or is otherwise permissioned for using the mobile network, are denied if filtered and if the computing device does not have a valid data plan or is not otherwise permissioned and the request corresponds to the first address, and are permitted, rated, quality controlled or not secured even if the computing device does not have a valid data plan or is not otherwise permissioned if the request corresponds to the second address. | 2021-01-14 |