Abstract: In a computer-implemented method for improving a static analyzer output, a processor receives a labeled data set with labeled true vulnerabilities and labeled false vulnerabilities. A processor receives pretrained contextual embeddings from a contextual embeddings model. A processor maps the true vulnerabilities and the false vulnerabilities to the pretrained contextual embeddings model. A processor generates a fine-tuned model with classifications for true vulnerabilities.

Abstract: A system may include a traffic interception module configured to intercept network traffic of a host device. A traffic virtualization module may be configured to generate a virtual file on the host device containing the intercepted network traffic. A security system interface module may be configured to provide the virtual file to a secure digital security system over a virtualized file interface coupling the host device to the secure digital security system, and to receive instructions to allow or to deny the network traffic from the secure digital security system over the virtualized file interface. A traffic access management module may be configured to allow or to deny the network traffic based on the instructions.

Abstract: A system and method for determining a point in time compliance status of a computing system with a security guideline standard (SGS) wherein the computing system has a command line shell available through a native operating system, the method comprising inputting into a host computer of the computing system a SGS package that represents a scripted SGS that is a non-text file and is encrypted that provides instructions for an evaluation of a computing system's compliance with the SGS under consideration wherein the SGS package performs at least a portion of an automated evaluation of a compliance status at the point in time of the computing system under consideration when the SGS package is decrypted by the computing system; sending a command query from the decrypted SGS package to the selected device of the computer system; compiling in a locally hosted database of the host computer compliance results sent from the selected device of the computing system in response to the command query from the decrypted SGS

Abstract: An end-user computing device can include a theft detector that maintains a registered host device list containing identifiers of at least one registered host device. The theft detector can have root access to operations of the end-user device and the theft detector can provides a secure reboot request in response to detecting a possible theft condition. The end-user computing device can also include a boot loader that executes a secure reboot of the end-user device in response to a secure reboot request from the theft detector. The secure reboot of the end-user device resets the end-user device to prevent access to the end-user device.

Abstract: A method for an access network of a telecommunications network includes: in a first step, a first authentication, authorization and accounting (AAA)-related message is sent by an authentication server entity and received by an access orchestrator entity, the first AAA-related message comprising: at least one standardized message attribute according to an access protocol; and at least one vendor-specific message attribute; in a second step, subsequent to the first step, the access orchestrator entity sends a second AAA-related message to a service edge entity, the second AAA-related message solely comprising the at least one standardized message attribute according to the access protocol; and in a third step, subsequent to the first step and prior to, during or after the second step, the access orchestrator entity sends at least one third AAA-related message to the service edge entity, the at least one third AAA-related message corresponding to a message according to an application programming interface (API)

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, a computing device is detected on a network. A network hyper context is assigned to the computing device based on network properties and computing device properties associated with the computing device. A policy defining a segment identifier identifying a network segment and corresponding to the network hyper context is accessed. The segment identifier is assigned to the computing device. The computing device is segmented onto the network responsive to detecting the computing device.

Abstract: Integrated controls frameworks are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for using an integrated control framework for an application comprising a plurality of application modules may include: (1) defining an application profile, an application model, and a target cloud environment for an application; (2) identifying a plurality of security, resiliency, and controls requirements for the target cloud environment; (3) configuring a plurality of security controls for the application based on the plurality of security, resiliency, and controls requirements; and (4) deploying the security controls to the target cloud environment.

Abstract: A method includes storing first authentication information and second authentication information, the first authentication information being information for a user to access a first information processing device, the second authentication information including third authentication information and forth authentication information, the third authentication information being information for the user to access a second information processing device, and the fourth authentication information being information for the user to access a third information processing device; acquiring first index information from the second information processing device based on the third authentication information; acquiring second index information from the third information processing device based on the fourth authentication information; and generating a list including the first index information with a first indication, and the second index information with a second indication different from the first indication.

Abstract: A service provider provides flexible access to services using an identity provider. The service provider is associated with a custom access policy used by the identity provider to authenticate access requests associated with client devices for services of the client system. The custom access policy describes a set of access levels corresponding to variable levels of access to services of the service provider. The identity provider authenticates access requests by client devices using one or more device signals from the client devices. In some embodiments, the identity provider determines a device trust score for the client device using the one or more device signals. The identity provider provides an authentication response to the client system based on the custom access policy. The client system uses the authentication response to determine an access level for the client device from the set of access levels described by the custom access policy.

Abstract: Various embodiments of the present technology can include systems, methods, and non-transitory computer readable media configured to receive information about a plurality of regions contained within a hierarchy of a computer network environment, wherein the plurality of regions are assigned respective prime numbers. A first prime number assigned to a first region of the plurality of regions is determined. A second prime number assigned to a second region of the plurality of regions, wherein the second prime number is different from the first prime number is determined. A nearest common region in the hierarchy that includes the first region and the second region based on the respective prime numbers is identified. A security policy associated with the nearest common region is determined.

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

Abstract: Provided herein are identification of a distributed denial of service attack and automatic implementation of preventive measures to halt the distributed denial of service attack. At substantially the same time as the attack, valid users/customers (e.g., devices) are provided quality of service and continued access to a website experiencing the distributed denial of service attack. Further, service to temporary or unknown users (e.g., devices) with public access to the website is suspended during the duration of the distributed denial of service attack.

Abstract: A method of providing a secure development operations system that can accommodate multiple projects, multiple tenants, and multiple security classifications includes creating a first sub-program with the first sub-program being part of a first project and designating the first sub-program with a first security classification label. The method also includes transferring the first sub-program to a first repository of the development operations system with the first repository being configured to contain sub-programs associated with the first project and transferring a copy of the first sub-program to a second repository of the development operations system. The second repository is configured to contain sub-programs from multiple projects and sub-programs that have different security classification labels.

Abstract: Systems and methods of performing identity verification across different geographical or jurisdictional regions are provided. In one exemplary embodiment, a method by a first network node comprises sending, by the first network node located in a first geographical or jurisdictional region, to a second network node located in a second geographical or jurisdictional region, an indication of an identity verification associated with a certain identity based on personally identifiable information of that identity received by the first network node from the second network node. Further, the identity verification is determined based on whether the PII data of the certain identity corresponds to PII data of at least one of a plurality of identities associated with the first region and stored in one or more databases located in the first region and on identity verification rule(s) associated with the first region.

Abstract: Provided is a process for mobile-initiated authentications to web services. Credential values of the user are established within a trusted execution environment of the mobile device and representations are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may convey access to a web-based service from a relying device. The server may pass credentials corresponding to the web-service received from the mobile device and verified to permit user access to the web-service to the relying device. The relying device presents credentials to the web-service to login, authenticate, or otherwise obtain user-level permission for the user on the relying device. The user of the mobile device may authenticate with the mobile device to the server, and may initiate the authentication process from the mobile device, without inputting credentials corresponding to the web-service on the relying device.

Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.

Abstract: Disclosed herein are embodiments of systems, methods, and products that execute tools to identify non-malicious faults in source codes introduced by engineers and programmers. The tools may execute a machine learning model on the source codes to perform sentiment analysis and pattern analysis on information associated with the source codes to generate annotated source code files identifying anomalies based on the sentiment analysis and the pattern analysis. One or more threat levels are then identified and ranked based on the one or more anomalies and a ranked list of the one or more threat levels is displayed on a graphical user interface of a computer.

Abstract: Systems, computer program products, and methods are described herein for mapping information security configurations across technology platforms. The present invention is configured to electronically receive, from a computing device associated with a technology infrastructure, one or more responses to one or more queries; extract one or more security information and event management (SIEM) fields from the one or more responses; map the one or more SIEM fields to a generic content schema of a common information security model; generate a unique SIEM map for the technology infrastructure based on at least mapping the one or more SIEM fields to the generic content schema of the common information security model; generate a use case for the technology infrastructure using the common information security model; and transform the use case generated using the common information security model using the unique SIEM map.

Abstract: Attestation support in cloud computing environments is described. An example of an apparatus includes one or more processors to process data, including data related to hosting of workloads for one or more tenants; an orchestration element to receive a request for support of a workload of a tenant according to a selected membership policy, the orchestration element to select a set of one or more compute nodes to provide computation for the workload; and a security manager to receive the membership policy and to receive attestations from the selected compute nodes and, upon determining that the attestations meet the requirements of the membership policy, to add the one or more compute nodes to a group of compute nodes to provide computation for the workload.

Abstract: A method for verifying a material data chain (MDC) that is maintained by a creator is disclosed. The method includes receiving an unverified portion of the MDC from the creator including a set of consecutive material data blocks (MDBs). Each respective MDB includes respective material data, respective metadata, and a creator verification value. The method includes modifying a genomic differentiation object assigned to the verification cohort based on first genomic regulation instructions (GRI) that were used by the creator to generate the creator verification value. For each MDB in the unverified portion, the method includes determining a verifier verification value based on the MDB, a preceding MDB in the MDC, and a genomic engagement factor (GEF) determined with respect to the MDB. The GEF corresponding to an MDB is determined by extracting a sequence from the metadata of a MDB and mapping the sequence into the modified genomic differentiation object.