Patent classifications
H04L63/306
Methods and Systems for Efficient Encrypted SNI filtering for Cybersecurity Applications
A packet-filtering system described herein may be configured to filter packets with encrypted hostnames in accordance with one or more packet-filtering rules. The packet-filtering system may resolve a plaintext hostname from ciphertext comprising an encrypted Server Name Indication (eSNI) value. The packet-filtering system may resolve the plaintext hostname using a plurality of techniques. Once the plaintext hostname is resolved, the packet-filtering system may then use the plaintext hostname to determine whether the packets are associated with one or more threat indicators. If the packet-filtering system determines that the packets are associated with one or more threat indicators, the packet-filtering system may apply a packet-filtering operation associated with the packet-filtering rules to the packets.
MAC MOBILITY FOR 802.1x ADDRESSES FOR PHYSICAL MACHINES
A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.
Data Retention Probes and Related Methods
A data retention probe for a packet-switched, mobile telecommunications network employs interfaces to connect to interfaces carrying traffic on a mobile network side of a gateway node and on a global internet side of the gateway node. An FPGA creates for each packet at least one fingerprint of one or more fields that are unchanged by the address translation performed by the gateway node and creates informative metadata for those packets. A processing unit: (1) receives from the FPGA the fingerprints and metadata and maintains flow records for each flow of packets seen on each side of the gateway node; and (2) compares the fingerprints and, where a match is found, determines those packets to be part of the same communication session and creates a record correlating an internal IP address or a subscriber identifier to an external IP address and port number.
CLEANING UP HANGING LAWFUL INTERCEPTION RESOURCES FROM A TRIGGERED POINT OF INTERCEPTION WHEN A TRIGGERING FUNCTION FAILS
A system that enables hanging lawful interception (LI) resources to be cleaned up includes a triggering function set comprising a plurality of triggering functions. The system also includes a data store comprising a plurality of auditing records corresponding to the plurality of triggering functions in the triggering function set. Each auditing record comprises a claimant attribute. Each triggering function sends an update request to the data store in response to being notified about a failed triggering function within the triggering function set. Each update request comprises a request to change ownership of the auditing record corresponding to the failed triggering function. A triggering function is selected as a new owner of the auditing record corresponding to the failed triggering function based at least in part on a match between the claimant attribute in the auditing record and a claimant field in the update request sent by the triggering function.
Method and arrangements for QoS-aware routing in a LI system
A method and arrangements providing QoS-aware routing of received session flows of separate communication sessions comprising Communication Content obtained and received from Lawful Interception of target sessions. The method comprises sorting each separate communication session into one of two groups, a first routing group and a second routing group, according to certain criteria, wherein QoS is at least one of the criteria. Further, the method comprises routing communication sessions sorted into the first routing group via a regular handover interface and routing communication sessions sorted into the second routing group via an additional handover interface to a Law Enforcement Agency.
Rank indicator inheritance for subframe restricted channel state information reporting
Generally, this disclosure provides devices, systems and methods for subframe restricted Channel State Information (CSI) reporting with Rank Indicator (RI) inheritance. A User Equipment (UE) device may include an RI generation module to generate RIs based on a received CSI configuration from an evolved Node B (eNB) of a serving cell of the UE. The UE may also include an RI Reference Process CSI generation module to generate a first Reference CSI including a first selected RI of the generated RIs, the first selection based on a first subframe set of the received CSI configuration, and to generate a second Reference CSI including a second selected RI of the generated RIs, the second selection based on a second subframe set of the received CSI configuration. The UE may further include a Linked Process CSI generation module to generate a linked CSI including an inherited RI from the first Reference CSI.
Interception aware access node selection
In some example embodiments, there may be provided an apparatus including at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to at least: obtain information to enable selection of an access node for a non-3GPP access; query a server to determine whether the country in which the access node is located requires lawful interception of communications; and select, based at least on the obtained information and/or a response to the query, the access node for the non-3GPP access. Related systems, methods, and articles of manufacture are also described.
SYSTEMS AND METHODS FOR REMOTE FORENSICS AND DATA SECURITY SERVICES OVER PUBLIC AND PRIVATE NETWORKS
Provided are systems and methods for employing remote forensics and data security services over public and private networks by obtaining full access to digital data from the non-transitory computer-readable media of geographically dispersed computing devices, such that the entire physical or logical media of each device is fully accessible to one or more user computers over the network. This is achieved via WebSocket technology implemented in point-to-point connection configurations, WebSocket technology implemented in network-based digital data software switch configurations, and combinations thereof. Applications of these systems and methods are generally employed for the purpose of conducting remote examinations and remediation efforts upon electronic data comprising non-transitory computer-readable media on a network-accessible computing device. As a few examples, these systems and methods may be applied for the purposes of data sharing, remote computer support, data recovery, data loss prevention, data backup, eDiscovery (electronic discovery), digital forensics, remote monitoring, audit compliance, incident response, security incident remediation, and mobile device data management. Examples of computing devices include, but are not limited to, workstations, laptops, tablets, smart phones, network routers, network switches, mobile computing devices, electronic sensors, and any device comprising the Internet of Things (IoT).
Selective policy-driven interception of encrypted network traffic utilizing a domain name service and a single-sign on service
Techniques for utilizing an enterprise traffic interception service (TIS) to enforce policies that mandate how clients access software as a service (SaaS) offered by service providers, and to selectively intercept enterprise network traffic utilizing a domain name service (DNS) and a single sign-on (SSO) service on a per-client, per-service basis. The TIS may include a DNS server, an identity provider service, a TLS-inspecting proxy, and/or a policy server. The DNS server may handle requests to resolve an address of a service, and identify a policy, stored in the policy server, to redirect the client based on the identity of the client and the service. The identity provider service may later query the policy server during client authorization for the service to verify that the client request is in line with the policy and allow or deny access to the service.