Patents Examined by Beemnet W Dada
  • Patent number: 11979377
    Abstract: A system for managing connection from a smartphone 1 provided to a child to specific connection destinations via the Internet, comprising: a filter server 9 for restricting packet transmission to the Internet based on a destination of the packet and a source IP of the smartphone 1; a VPN server 6 for establishing a tunnel connection 27 between the VPN server 6 and the smartphone 1, wherein the tunnel connection 27 passes all communication traffic from the smartphone 1, and also transmitting to the filter server the packet which passed through the tunnel connection 27; and an API server 8 connected to the VPN server 6 for confirming existence of the tunnel connection 27 at predetermined timing and, when lack of the existence is determined, blocking the Internet connection itself of the information communication device.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: May 7, 2024
    Assignee: Freebit Co., Ltd.
    Inventors: Hiroshi Oizumi, Akihiro Takehi, Yutaka Ishizaki, Atsuki Ishida
  • Patent number: 11979417
    Abstract: Responsive to a user instruction or a security breach occurring in an enterprise computing environment, an emergency shutdown and restore module is adapted to obtain and evaluate an identity population definition to determine a population of identities (e.g., a forensic team) associated with accounts distributed across applications in the enterprise computing environment. The emergency shutdown and restore module is further adapted to determine source systems of such accounts and communicate with those source systems via source-specific connectors. The emergency shutdown and restore module can respectively request the source systems to shut down access to the applications by the accounts associated with the population of identities, or to exclude the accounts associated with the population of identities in shutting down access to the applications. After performing a security breach analysis, the emergency shutdown and restore module can request the source systems to restore access respectively.
    Type: Grant
    Filed: August 9, 2022
    Date of Patent: May 7, 2024
    Assignee: SAILPOINT TECHNOLOGIES, INC.
    Inventors: Neal Kaye, Rohit Gupta
  • Patent number: 11973797
    Abstract: A computer-implemented method, computer program product and computing system for: establishing connectivity with a plurality of security-relevant subsystems within a computing platform; and mapping one or more data fields of a unified platform to one or more data fields of each of the plurality of security-relevant subsystems.
    Type: Grant
    Filed: April 26, 2022
    Date of Patent: April 30, 2024
    Assignee: RELIAQUEST HOLDINGS, LLC
    Inventors: Brian P. Murphy, Joe Partlow, Colin O'Connor, Jason Pfeiffer, Brian Philip Murphy
  • Patent number: 11973759
    Abstract: Transaction authorization systems may include a transaction processor and an authorization server system. The transaction processor obtains transaction requests and authorizations for those requests from the authorization server system. The transaction processor may require an authorization be provided within a threshold time; otherwise, the transaction may be processed without authorization. The authorization server system may be hosted using one or more nodes in a distributed system. Degradation of the performance of the distributed system may cause the performance of the authorization server system to fall below the required performance threshold and transactions may not be authorized before automatic processing. Transaction authorization systems may monitor the health of the individual nodes and/or the distributed system and automatically adjust the routing of authorizations based on current and/or future performance degradation.
    Type: Grant
    Filed: December 22, 2022
    Date of Patent: April 30, 2024
    Assignee: Capital One Services, LLC
    Inventors: Lavangana Govil, David J. Hicks, Harinath R. Nallabolu, Ranvirsinh Raol, Srinivas Alladi
  • Patent number: 11966474
    Abstract: Trusted execution of a workload payload is brokered among multiple trusted execution platforms. The workload payload is received from a source computing system and includes input data, trusted execution code, and one or more trusted execution policies. At least one of the multiple trusted execution platforms is selected based on the one or more trusted execution policies. A brokered payload is generated to include executable trusted execution code and the input data. The brokered payload is communicated to the selected at least one trusted execution platform. A brokered result generated from the brokered payload by the selected at least one trusted execution platform is received. A workload result based on the brokered result is returned to the source computing platform.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: April 23, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Brian Telfer, Deepu C. Thomas
  • Patent number: 11968259
    Abstract: A multitenant infrastructure server (MTIS) is configured to provide an environment to execute a computer routine of an arbitrary application. The MTIS receives a request from a webtask server to execute the computer routine in a webtask container. The computer routine is executed in the webtask container at the MTIS. Upon successful execution of the computer routine, a result set is returned to the webtask server. If the execution of the computer routine is unsuccessful, an error notification is returned to the webtask server. The resources consumed during the execution of the computer routine are determined. The webtask container is destroyed to prevent persistent storage of the computer routine on the MTIS.
    Type: Grant
    Filed: July 30, 2022
    Date of Patent: April 23, 2024
    Inventors: Tomasz Janczuk, Matías Woloski
  • Patent number: 11960368
    Abstract: The invention relates to a computer-implemented system for recovering data in case of a computer network failure. The invention also relates to a computer-implemented method for recovering data in case of a computer network failure, preferably by making use of the computer-implemented system according to the invention. The invention further relates to a non-transitory computer-readable program storage device, comprising computer readable instructions executable by one or more processors to perform the computer-implemented method according to the invention.
    Type: Grant
    Filed: December 28, 2022
    Date of Patent: April 16, 2024
    Assignee: PANIK BUTTON HOLDING B.V.
    Inventor: Albertus Andreas Verhoeven
  • Patent number: 11960607
    Abstract: This disclosure describes techniques for selectively placing and maintaining sensitive workloads in subsystems that achieve a minimum level of trustworthiness. An example method includes identifying at least one trustworthiness requirement associated with an application and transmitting, to a first subsystem, a request for at least one trustworthiness characteristic of the first subsystem and at least one second subsystem connected to the first subsystem. A response indicating the at least one trustworthiness characteristic is received from the first subsystem. The example method further includes determining that the at least one trustworthiness characteristic satisfies the at least one trustworthiness requirement; and causing the application to operate on a mesh comprising the first subsystem and the at least one second subsystem.
    Type: Grant
    Filed: December 9, 2021
    Date of Patent: April 16, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Eric Voit, Einar Nilsen-Nygaard, Frank Brockners, Pradeep Kumar Kathail
  • Patent number: 11962593
    Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: April 16, 2024
    Inventors: Ricardo Fernando Feijoo, Thomas Michael Kludy
  • Patent number: 11954205
    Abstract: A method for securing an electronic control unit (ECU). The method may include generating a granular security control adjustment authorization ticket (G-SCAAT) for securing the ECU according to a plurality of security parameters determined based on a role selected for a corresponding user. The G-SCAAT may include security values to be used in controlling the ECU to operate according to the security parameters.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: April 9, 2024
    Assignee: GM Global Technology Operations LLC
    Inventors: Brian Farrell, Joseph E. Ploucha
  • Patent number: 11956210
    Abstract: A method for transmitting an application programming interface (API) request includes receiving, by a first API gateway, a first API request; obtaining, by the first API gateway, a first forwarding label corresponding to the first API request, where the first forwarding label includes a first target security domain identifier, and a security domain identifier of the first API gateway is different from the first target security domain identifier. The method also includes determining an address of a second API gateway according to a mapping relationship between the first target security domain identifier and the address of the second API gateway. The method additionally includes sending the first API request to the second API gateway based on the address which is a next-hop API gateway of the first API gateway that sends the first API request to an API gateway corresponding to the first target security domain identifier.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: April 9, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Xin Lu, Jin Chen, Yugeng Hui
  • Patent number: 11949692
    Abstract: A comprehensive cybersecurity platform includes a cybersecurity intelligence hub, a cybersecurity sensor and one or more endpoints communicatively coupled to the cybersecurity sensor, where the platform allows for efficient scaling, analysis, and detection of malware and/or malicious activity. An endpoint includes a local data store and an agent that monitors for one or more types of events being performed on the endpoint, and performs deduplication within the local data store to identify “distinct” events. The agent provides the collected metadata of distinct events to the cybersecurity sensor which also performs deduplication within a local data store. The cybersecurity sensor sends all distinct events and/or file objects to a cybersecurity intelligence hub for analysis. The cybersecurity intelligence hub is coupled to a data management and analytics engine (DMAE) that analyzes the event and/or object using multiple services to render a verdict (e.g., benign or malicious) and issues an alert.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: April 2, 2024
    Assignee: GOOGLE LLC
    Inventors: Christopher Glyer, Seth Jesse Summersett
  • Patent number: 11928204
    Abstract: A TEE system that includes a first platform that runs a first TEE, a second platform that runs a second TEE, and a merging unit that is adapted to merge a first output from the first TEE of the first platform, with a second output from the second TEE of the second platform, so as to form an output of the TEE system. The first TEE and the second TEE are based on different implementations. In this way, the security of the system is improved, as a malicious actor, even if able to access “t” machines, still would not be able to retrieve the secret unless there are multiple exploitable TEE vulnerabilities on all executing TEE platforms at the same time.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: March 12, 2024
    Assignee: Foris Technology Pte Ltd
    Inventors: Kian Chuan Yap, Ming Sum Sam Ng, Jason Wai King Lau, Chun Ting Yip, Tung Ling Terry Young, Durgesh Pandey
  • Patent number: 11928245
    Abstract: A compromised data exchange system extracts data from websites using a crawler, detects portions within the extracted data that resemble personally identifying information (PII) data based on PII data patterns using a risk assessment module, and compares a detected portion to data within a database of disassociated compromised PII data to determine a match using the risk assessment module. A risk score may be assigned to a data item within the database in response to determining the match. In some embodiments, URL data may also be detected in the extracted data. The detected URL data represents further websites that can be automatically crawled by the system to detect further PII data.
    Type: Grant
    Filed: January 13, 2023
    Date of Patent: March 12, 2024
    Assignee: Early Warning Services, LLC
    Inventors: Lester Leland Lockhart, III, David Hugh Munson, Gregor R. Bonin, Michael Cook
  • Patent number: 11924637
    Abstract: A wireless communications system comprises a subscriber user equipment and a mobile expert user equipment. The subscriber user equipment is configured to log in to a subscription account application installed on the subscriber user equipment using subscriber credentials, wherein the subscriber credentials are pre-registered with a telecommunications service provider associated with a retail store, determine that the subscriber user equipment is located within a coverage area associated with the retail store after logging in to the subscription account application, and transmit an authentication message indicating an identity of a subscriber using the subscriber user equipment and indicating that the subscriber is pre-registered with the telecommunications service provider. The mobile expert user equipment is configured to obtain subscriber data describing a subscriber associated with the subscriber user equipment after the subscriber user equipment transmits the authentication message.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: March 5, 2024
    Assignee: T-Mobile Innovations LLC
    Inventors: Jacob Holman, Ravikiran Sindogi
  • Patent number: 11921897
    Abstract: An information processing apparatus which anonymizes data composed of records including one or more items through statistical processing, includes a memory and a processor to execute classifying respective records constituting the data into one or more sets based on masking target items indicating items to be masked among the items, a dictionary which expresses categories of item values in a tree structure for each of the masking target items, a selected hierarchy level indicating a hierarchy level selected in the tree structure for each of the masking target items, and the number of records included in the data, and calculating the number of records N of each set and a ratio of records belonging to a set including N records, and dividing the data into one or more pieces of data in a case where the ratio of the records belonging to the set including N records satisfies a predetermined condition.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: March 5, 2024
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Yoshiyuki Mihara
  • Patent number: 11902319
    Abstract: A computer-implemented process, computer program product, and system for dynamic change of a password under a brute force attack. A computer processor determines a quantity of consecutive unsuccessful attempts to access the targeted item protected by a password. Responsive to the quantity of consecutive unsuccessful attempts to access the targeted item exceeding a predefined threshold, the computer processor acquires a new password for access to the targeted item, wherein the new password is based on a more complex set of password generation rules than a current password. The computer processor changes the current password of the targeted item to the new password, and in response to changing the current password of the targeted item to the new password, the computer processor sends an encrypted message regarding the new password to a user associated with the targeted item.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: February 13, 2024
    Assignee: International Business Machines Corporation
    Inventors: Susann M. Keohane, Gerald McBrearty, Jessica Murillo, Johnny Shieh
  • Patent number: 11893106
    Abstract: An apparatus and method for generating a system call whitelist for an application container. The method may include determining whether a container is based on machine code or non-machine code by analyzing the internal configuration of the running container, identifying system calls included in an application through binary static analysis or static analysis of source code selected depending on the determination of whether the container is based on machine code or non-machine code, and generating a whitelist based on the numbers of all of the identified system calls.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: February 6, 2024
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Sung-Jin Kim, Hyunyi Yi, Chulwoo Lee, Woomin Hwang, Byungjoon Kim
  • Patent number: 11895118
    Abstract: Systems and methods for concurrent modification of content are provided. In response to a verified request received from a user, content is copied to a first storage media as a first version of the content uniquely identified by a first identifier, the verified request being based on verification of the user's credentials. In response to the user editing the first version of the content, the edited copy of the content is stored in the content management system in association with a second identifier uniquely identifying the edited copy of the content as a second version of the content. In response to receiving a notification that a plurality of users no longer request access to the content stored in the content management system, the first version of the content is deleted from the first storage media.
    Type: Grant
    Filed: February 17, 2023
    Date of Patent: February 6, 2024
    Assignee: Hyland UK Operations Limited
    Inventors: Stefan Kopf, Jared Ottley, Brian Remmington, Gregory Melahn
  • Patent number: 11886906
    Abstract: Implementations disclosed describe a system and a method to execute a virtual machine on a processing device, receive a request to access a memory page identified by a guest virtual memory address (GVA) in an address space of the virtual machine, translate the GVA to a guest physical memory address (GPA) using a guest page table (GPT) comprising a GPT entry mapping the GVA to the GPA, translate the GPA to a host physical address (HPA) of the memory page, store, in a translation lookaside buffer (TLB), a TLB entry mapping the GVA to the HPA, modify the GPT entry to designate the memory page as accessed, detect an attempt by an application to modify the GPT entry; generate, in response to the attempt to modify the GPT entry, a page fault; and flush, in response to the page fault, the TLB entry.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: January 30, 2024
    Assignee: Intel Corporation
    Inventors: Chuanxiao Dong, Yaozu Dong, Zhiyuan Lv, Zhi Wang