H04L63/04

Throughput for a single VPN connection using multiple processing cores

The techniques described herein increase the throughput of a single VPN connection by creating multiple outbound and/or inbound Security Associations (SAs). For instance, two or more different SAs can encrypt outbound data packets to be sent over the VPN connection to a remote device. Moreover, two or more different SAs can decrypt inbound data packets received over the VPN connection from the remote device. Each of the SAs can be bound to a different processing core via the use of a Security Parameter Index (SPI) identifier. Consequently, inbound data packets communicated over a single VPN connection from a remote device to a physical host in a VPN gateway can be distributed amongst multiple processing cores for decryption purposes. Further, outbound data packets to be communicated over the single VPN connection from the physical host to the remote device can be distributed amongst multiple processing cores for encryption purposes.

METHODS AND SYSTEMS FOR DEEP LEARNING BASED API TRAFFIC SECURITY

The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for deep learning based API traffic analysis and network security. The invention provides an automated approach to threat and/or attack detection by machine learning based accumulation and/or interpretation of various API/application traffic patterns, identifying and mapping characteristics of normal traffic for each API, and thereafter identifying any deviations from the normal traffic parameter baselines, which deviations may be classified as anomalies or attacks.

METHODS AND APPARATUS TO FACILITATE END-USER DEFINED POLICY MANAGEMENT

Methods, apparatus, systems and articles of manufacture are disclosed to facilitate end-user defined policy management. An example apparatus includes an edge node interface to detect addition of a networked user device to a service gateway, and to extract publish information from the networked user device. The example apparatus also includes a device context manager to identify tag parameters based on the publish information from the networked user device, and a tag manager to prohibit unauthorized disclosure of the networked user device by setting values of the tag parameters based on a user profile associated with a type of the networked user device.

COMMUNICATIONS SECURITY ARCHITECTURE IMPLEMENTING A SERVICE NEGOTIATION PLANE CHANNEL
20230123456 · 2023-04-20

A cross-network communication system includes a plurality of client networks. The cross-network communication system includes a Service Negotiation Plane configured to forward messages between the plurality of client networks via a plurality of control interfaces, each of which corresponds to one of the plurality of client networks. Each of the plurality of control interfaces includes a first data guard that belongs to the corresponding client network. The first data guard is configured to prevent exfiltration of classified information or permit only particular types of messages to traverse the Service Negotiation Plane.

SECRET COMPUTATION SYSTEM, SECRET COMPUTATION SERVER, AUXILIARY SERVER, SECRET COMPUTATION METHOD, AND PROGRAM
20220329596 · 2022-10-13

In a secret computation system, each of the three or more secret computation servers is configured to transmit, to the auxiliary server, carry computation information for computing a carry indicating whether or not a digit carry occurs when a share of an arithmetic operation is added as a binary number. The auxiliary server is configured to compute the carry based on the received carry computation information and, using the computed carry, to compute an adjustment value used for computing the share of the arithmetic operation from a share of a logical operation. The auxiliary server distributes the computed adjustment value to the three or more secret computation servers. Each of the three or more secret computation servers is configured to convert the share of the logical operation to the share of the arithmetic operation by using a distributed value of the adjustment value.

Integration of a block chain, managing group authority and access in an enterprise environment
11630910 · 2023-04-18

A block chain defining authority and access to confidential data may not be encrypted, and access to the block chain can be regulated by the block chain itself and by an access control server operating in an enterprise information technology (IT) environment. To incorporate authority defined in multiple sources, such as the block chain and the access control server, a token can be created containing multiple layers of permissions, i.e., constraints, coming from multiple sources. Each additional permission attenuates the authority granted by the token. When a processor controlling access to the block chain receives the token, the processor can check the validity of the token and the authority granted by the token to determine whether the requester is authorized to access at least a portion of the block chain.

Two-server privacy-preserving clustering

Described herein are systems and techniques for privacy-preserving unsupervised learning. The disclosed systems and methods enable separate computers, operated by separate entities, to jointly perform unsupervised learning on the pool of their respective data while preserving privacy. The system improves efficiency and scalability while preserving privacy and avoiding leakage of cluster identities. The system can jointly compute a secure distance via privacy-preserving multiplication of respective data values x and y from the computers, based on a 1-out-of-N oblivious transfer (OT). In various embodiments, N may be 2, 4, or some other number of shares. A first computer can express its data value x in base N. A second computer can form an custom character×N matrix comprising custom character random numbers m_{i,0} and the remaining elements m_{i,j} = (y·j·N^i - m_{i,0}) mod custom character. The first computer can receive an output vector from the OT having components m_i = (y·x_i·N^i - m_{i,0}) mod custom character.

NETWORK DEVICE PROTECTION
20230164119 · 2023-05-25

A method, apparatus, and a computer-readable medium for network device protection. The method includes: intercepting present network data related to a present data connection of a user apparatus; analyzing the present network data; and in response to determining that the user apparatus utilizes a privacy feature in the present data connection implemented by a first internet relay and a second internet relay, blocking the present data connection.

AUTONOMIC DISTRIBUTION OF HYPERLINKED HYPERCONTENT IN A SECURE PEER-TO-PEER DATA NETWORK
20230164121 · 2023-05-25

A secure executable container executed by an endpoint device receives a request by an originating entity for initiating a secure peer-to-peer transfer of a data object to at least a second network entity via a second network device in a secure data network. The secure executable container establishes a two-way trusted relationship between the originating entity and the endpoint device, and between the endpoint device and the second network device. The secure executable container generates a root data object containing metadata identifying the data object and comprising a list identifying message objects containing respective data chunks of the data object, and causes the second network device to execute a secure autonomic synchronization of the root data object via the secure data network, enabling the second network entity to execute the secure peer-to-peer transfer of at least a selected portion of the data object as a hyperlinked hypercontent object.

Two-Way Secure Channels with Certification by One Party

Two-way secure channels are provided between two parties to a communication with certification being provided by one party. One method comprises providing, by a first entity that provides a certificate authority, a first signed certificate to a second entity, wherein the first signed certificate is signed by the certificate authority and wherein the second entity generates a first request to sign a second certificate generated by the second entity, wherein the first request is generated by the second entity using a first credential generated by the second entity; receiving, from the second entity, (i) the first request to sign the second certificate, and (ii) the first signed certificate; and providing, in response to the certificate authority verifying the first signed certificate, a second signed certificate, signed by the certificate authority, to the second entity; wherein one or more additional communications between the first entity and the second entity use the two-way channel.