Abstract: This application relates to a graph data processing method performed by a distributed computer node cluster including a plurality of computer devices, each computer device distributed on a respective computing node of the distributed computer node cluster, the method including: obtaining subgraph data divided from to-be-processed graph data; performing a computation task on the subgraph data to obtain corresponding global data and local data; writing the global data to a blockchain network, the global data of the blockchain network being updated by the distributed computing node cluster; obtaining latest global data from the blockchain network; and iteratively performing, according to the obtained latest global data and the local data, the computation task on the subgraph data without obtaining a computation result until an iteration stopping condition is met.

Abstract: Security policies are made dependent on location of a device and the location of a device is determined and the appropriate security policy applied without providing the device's location to a server. A device determine its location and identifies a security policy identifier mapped to a zone including the location. The device requests the security policy corresponding to the identifier from a server and implements it. The device may also store a database of the security policies and implement them according to its location. Devices registered for a user evaluate whether locations detected for the devices correspond to impossible travel by the user. Objects encoding geolocation data of a device may be encrypted with a private key of the device and the public key of another to prevent access by an intermediary server.

Abstract: The technology disclosed relates to a DHCP relay-based steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a steering logic that is interposed between a plurality of special-purpose devices on a network segment of a network and a DHCP server on the network segment. The steering logic is configured to intercept DHCP requests broadcasted to the DHCP server by special-purpose devices in the plurality of special-purpose devices, forward the intercepted DHCP requests to the DHCP sever 522, receive, from the DHCP server, DHCP responses to the intercepted DHCP requests, receive, from a device classification logic, a positive determination that the special-purpose devices are special-purpose devices and not general-purpose devices, modify the received DHCP responses by replacing the default gateway with an inline secure forwarder on the network segment, and send the modified DHCP responses to the special-purpose devices.

Abstract: Based on the interaction data and response data, an interaction monitoring platform may determine a first known sentiment and a second known sentiment, identify a first pattern and a second pattern in the interaction data, and generate a first pattern-level sentiment and a second pattern-level sentiment based on the known sentiments and the identified patterns. A binary indicator may indicate which identified patterns are exhibited in a subset of the interaction data. The platform may train a gradient boosting model using known sentiment as a target variable and using binary indicators and pattern-level sentiments as input data. The platform may predict a sentiment corresponding to a subset of interaction data with unknown sentiment that exhibits one or more of the first pattern or the second pattern based on a binary indicator and the trained gradient boosting model.

Abstract: Methods, devices and systems are disclosed for inter-app communications between software applications on a mobile communications device. In one aspect, a computer-readable medium on a mobile computing device comprising an inter-application communication data structure to facilitate transitioning and distributing data between software applications in a shared app group for an operating system of the mobile computing device includes a scheme field of the data structure providing a scheme id associated with a target software app to transition to from a source software app, wherein the scheme id is listed on a scheme list stored with the source software app; and a payload field of the data structure providing data and/or an identification where to access data in a shared file system accessible to the software applications in the shared app group, wherein the payload field is encrypted.

Abstract: Access privileges of at least one identity to resources are adjusted within an authorization system of a computing environment. Over a detection period, accesses by the identity to the resources are detected and a usage score is computed as a usage function of a measure of use by the identity of access privilege(s) it has been granted to at least one of the resources relative to a measure of a set of possible grantable privileges. In accordance with a least privilege security policy, and according to the usage score, the set of access privileges granted to the identity may then be adjusted.

Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.

Abstract: Some embodiments provide a novel secure method for suppressing address discovery messaging. In some embodiments, the method receives an address discovery record that provides a network address associated with a machine connected to a network. The method then identifies a set of one or more rules for evaluating the received address discovery record to determine whether the address discovery record or its provided network address should be distributed to one or more hosts and/or devices associated with the network. The method then processes the set of rules to determine whether the received address discovery record violates a rule in the set of rules so as to prevent the distribution of its provided network address. When the address discovery record violates a rule, the method discards it in some embodiments.

Abstract: Systems and methods for dynamically mitigating a DDOS attack. In an aspect, the technology relates to a computer-implemented method for dynamically mitigating a distributed-denial-of-service (DDOS) attack. The computer-implemented method may include detecting a DDOS attack directing malicious traffic to a target, identifying one or more source locations of the malicious traffic, and in response to detecting the DDOS attack, activating one or more scrub clusters in the identified one or more source locations of the malicious traffic. The method may further include directing traffic intended for the target to the to the activated one or more scrub clusters, detecting an end of the DDOS attack, and in response to detecting the end of the DDOS attack, deactivating the one or more scrub clusters to release hardware resources.

Abstract: Provided is a verification level control method, the method comprises checking a history of verification or a history of re-authentication of a verification target, setting an abnormal suspicious area according to a change in frequency of access to a partial area within an access permission area of the verification target, based on the checked verification history or re-authentication history and verifying the verification target by reflecting whether the verification target is located in the set abnormal suspicious area, wherein the re-authentication is performed in an explicit authentication method in which the verification target needs to perform a separate action for the re-authentication.

Abstract: A policy-based browser system for managing browser extensions used to access functionalities on a web browser in a cloud-based multi-tenant system. The policy-based browser system includes a client device, a web server configured to provide the functionality of the browser extension on a web browser of the client device, and a mid-link server. The network traffic from the client device is monitored to identify traffic patterns, risk is determined associated with the browser extension based on the traffic patterns, and a correlation of the browser extension with a plurality of browser extensions. A policy for the browser extension is identified based on the risk. The policies specify access to the browser extensions based on the risk associated with the browser extensions. The browser extensions are categorized based on the policies and the risk. An authorization corresponding to the browser extension is determined based on the policy.

Abstract: A method for controlling access to a set of data is provided. The method includes receiving, via an interface, a request from an agent to access the set of data in a database; extracting an access criterion relating to a predefined data access constraint and a predetermined data access policy from the request; and determining whether the agent is granted access to the set of data using the criterion, where the access criterion is based on an attribute that is associated with an element within the set of data.

Abstract: Secure selective token-based access control includes receiving a data access request from over a computer communications network, extracting a token from the request, selecting a decryption key for use in decrypting the token and attempting decryption of the token using the decryption key. Thereafter, on condition that the decryption key successfully decrypts the token into decrypted data, a creation date of the token in the decrypted data may be read and a rule applied to the creation date, the rule determining whether or not to expire the token. Finally, in response to a determination by the application of the rule to expire the token based upon the creation date of the token, the token is expired from subsequent use in authorizing servicing of the data access request, but otherwise the data access request is authorized for servicing.

Abstract: The present disclosure relates to methods and systems for protecting cloud resources. The methods and systems may use a virtual gatekeeper resource to enforce secure access controls to cloud resources for a list of privileged operations. The cloud resources and the virtual gatekeeper resource may be in different security domains within a cloud computing system and the cloud resources may be linked to the virtual gatekeeper resource. A request may be sent to perform a privileged operation on the cloud resource. Access may be provided to the virtual gatekeeper resource in response to approval of the request and the access to the virtual gatekeeper resource may be used to perform the privileged operation on the cloud resource.

Abstract: In general, this disclosure describes an IoT access control exchange for IoT devices. Verifiable credentials can be generated and used to grant access to IoT devices definitively identified using a Decentralized Identifier (DID). DIDs for IoT devices are registered by the IoT exchange hub acting as an Identity Hub. An organization interested in obtaining data from a collection of devices, the IoT Access Customer, contacts the IoT device owner agent via their mutual agents and obtains a verifiable credential with a request for access. The access request is submitted to the IoT exchange hub. The IoT exchange hub either enforces the access request itself if the devices do not have enough resources or submits the verifiable credential with the access request to the devices for them to enforce access. The IoT access customer agent, IoT device owner agent, and IoT exchange hub similarly identify themselves and prove authentication using DIDs.

Abstract: A method, system, and computer program product for prioritizing endpoints to be checked during a change window based on certain criteria. The method may include receiving a request for processing from a plurality of servers. The method may also include determining a priority for each server of the plurality of servers based on specified criteria, where the specified criteria includes at least compliance-check history. The method may also include determining whether each server belongs to one or more groups. The method may also include determining a notification order for the plurality of servers based on the priority and whether each server belongs to the one or more groups. The method may also include sending a notification to each server in the notification order.

Abstract: Systems and methods are disclosed for prioritizing a list of applications. The systems and methods include identifying, with a messaging application, a list of applications that are configured to share authentication information with the messaging application; determining a priority value of each application on the list of applications; generating for display, with the messaging application, a graphical user interface that represents a selection of applications from the list of applications based on the priority value of each application on the list; and for each application represented in the graphical user interface, generating for display a user-selectable option to authorize the messaging application to share authentication information with the respective application.

Abstract: A dynamic privileged access governance system and associated processes are disclosed. The dynamic privileged access governance system and processes are cloud-native and adapt to the dynamic nature of the cloud systems.

Abstract: Methods for speaker role determination and scrubbing identifying information are performed by systems and devices. In speaker role determination, data from an audio or text file is divided into respective portions related to speaking parties. Characteristics classifying the portions of the data for speaking party roles are identified in the portions to generate data sets from the portions corresponding to the speaking party roles and to assign speaking party roles for the data sets. For scrubbing identifying information in data, audio data for speaking parties is processed using speech recognition to generate a text-based representation. Text associated with identifying information is determined based on a set of key words/phrases, and a portion of the text-based representation that includes a part of the text is identified. A segment of audio data that corresponds to the identified portion is replaced with different audio data, and the portion is replaced with different text.

Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.