Patents Examined by Catherine Thiaw
  • Patent number: 11394735
    Abstract: Aspects of the disclosure relate to deploying and utilizing a dynamic record identification and analysis computer system with event monitoring components. A computing device may receive account reconnaissance data identifying a first plurality of user accounts that have experienced at least one event associated with account security concern characteristics. The computing platform may analyze event history data associated with the first plurality of user accounts to identify one or more common interactions associated with a subset of the first plurality of user accounts. The computing platform may identify a point of compromise among the subset of the first plurality of user accounts. Subsequently, the computing platform may search enterprise user account records to identify a second plurality of user accounts that have at least one event associated with the point of compromise. The computing platform may add the second plurality of user accounts to an alert table.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: July 19, 2022
    Assignee: Bank of America Corporation
    Inventors: Amijo Bearley, Robert D. Jones, Kolt Bell, Craig Widmann
  • Patent number: 11387981
    Abstract: Implementations include actions of providing a first transaction hash including a digital representation of a digital record between a first peer and a second peer within a digital records platform, the platform provided by the first peer as a host peer, and the transaction hash being generated based on one or more documents underlying the digital record, receiving one or more edits to at least one document from the second peer, updating the first transaction hash to provide: a second transaction hash, and a transaction hash history including the first transaction hash and the second transaction hash, receiving approval of the digital record from each of the first peer and the second peer, and executing a consensus protocol by a notary service of a third node to update transaction objects across the first node and the second node, the updating indicating that the transaction objects are consistent.
    Type: Grant
    Filed: February 13, 2019
    Date of Patent: July 12, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: David Treat, Shane R. Marshall
  • Patent number: 11386230
    Abstract: Systems and methods are described for modifying input and output (I/O) to an object storage service by implementing one or more owner-specified functions to I/O requests. A function can implement a data manipulation, such as filtering out sensitive data before reading or writing the data. The functions can be applied prior to implementing a request method (e.g., GET or PUT) specified within the I/O request, such that the data to which the method is applied may not match the object specified within the request. For example, a user may request to obtain (e.g., GET) a data set. The data set may be passed to a function that filters sensitive data to the data set, and the GET request method may then be applied to the output of the function. In this manner, owners of objects on an object storage service are provided with greater control of objects stored or retrieved from the service.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: July 12, 2022
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Ramyanshu Datta, Timothy Lawrence Harris, Kevin C. Miller
  • Patent number: 11374957
    Abstract: Introduced here are security management platforms configured to estimate the risk posed by a public communication activity that involves an internal Internet Protocol (IP) address that resides on an internal network. Initially, a security management platform can examine network data to detect a public communication activity involving an internal IP address and an external IP address. Thereafter, the security management platform can probe the external IP address by transmitting a query designed to elicit a response, and then evaluate a risk posed by the public communication activity by analyzing response(s) received from the external IP address, if any, responsive to the query. For example, the security management platform may be able to determine whether a service determined to be vulnerable to unauthorized access is running on the external IP address.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: June 28, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Matthew Kraning, Gregory Heon, Pamela Toman
  • Patent number: 11374764
    Abstract: A request for a transaction between a client system and a server system may be processed. The transaction may be associated with transmission of data between the client system and the server system. The data may be encrypted using a transient encryption key to form encrypted data. The transient encryption key may be a synced-clock random number configured to automatically change when a designated time interval elapses. The encrypted data may be transmitted between the client system and the server system.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: June 28, 2022
    Assignee: salesforce.com, Inc.
    Inventors: Prashanth Kannan, Prabhjot Singh
  • Patent number: 11368487
    Abstract: A computer system applies security policies to web traffic while maintaining privacy. A network security agent is authenticated by a client application to dynamically obtain one or more security policies, wherein the client application and the network security agent are configured to execute on a device and the network security agent is capable of communicating with a source of security policies. Connection information is obtained that includes a request to initiate an encrypted connection with a destination entity. The client application determines whether the encrypted connection between the client application and the destination entity is permitted according to the security policy and based on the connection information. The encrypted connection between the client and the destination entity is established in response to determining that the encrypted connection is permitted. Embodiments may further include a method and computer program product for applying security policies to web traffic.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: June 21, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Panagiotis Theodorou Kampanakis, David Arthur McGrew, Richard Lee Barnes, II
  • Patent number: 11361099
    Abstract: A computer implemented method of applying a unified search for a match of one or more features in a plurality of encrypted records, comprising using one or more processors of a server associated with a database comprising a plurality of encrypted records. The processor(s) is adapted for receiving a query for searching one or more plaintext features in the plurality of encrypted, searching for a match of the one or more plaintext features using a first search methodology and a second search methodology and outputting an indication of matching encrypted records according to the match. Wherein the second search methodology is asymptotically faster than the first search methodology and wherein the first search methodology is used for searching a subset of the plurality of encrypted records selected based on status indication associated with each encrypted record.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: June 14, 2022
    Assignee: RingCentral, Inc.
    Inventors: Aviad Lahav, Lev Rosenblit
  • Patent number: 11356449
    Abstract: Systems and methods are disclosed for managing access to vulnerability data in large scale operations, such as by synchronizing access to vulnerability data for active developers who have recently modified source code. For example, source vulnerability scanner (SVS) access may be granted to source code developers identified in a source control management system (SCM) as having made modifications within some recent timeframe, and may further revoke access for stale user accounts. This efficiently implements the information security principle of least privilege, and may easily scale to operations involving hundreds or thousands of active developers and asset owners, and tens of thousands of network assets, and even larger operations.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: June 7, 2022
    Assignee: Walmart Apollo, LLC
    Inventors: Oscar Blass, Randal Parsons, Austin Lucas, Serena Curtin
  • Patent number: 11349660
    Abstract: A system, method, and computer program product for self-identification of a device. The disclosure utilizes generation of a public/private key pair, within the device itself, and completes at least a portion of an authentication process within the device itself using a securely stored private key that never leaves the device. By not transferring the private key away from the device, potential vulnerabilities of known systems due to transfer of identification information during or after manufacturing is effectively eliminated.
    Type: Grant
    Filed: September 19, 2019
    Date of Patent: May 31, 2022
    Assignee: Bose Corporation
    Inventors: David Joshua Asher, Matthew J. Coles, James Lambert, C. Scott Lamb, Christopher Daly Vincent
  • Patent number: 11323429
    Abstract: An administration server may receive a first signal from a communication device, the first signal including device identification information, first-type information and second-type information, in a case where the first signal is received, execute a provision process for providing a service, receive a second signal from the communication device after the first signal has been received, wherein the second signal includes the device identification information and the second-type information but does not include the first-type information, in a case where the second signal is received, execute a first notification process, receive a third signal from the communication device after the first signal has been received, wherein the third signal includes the device identification information and includes neither the first-type information nor the second-type information and in a case where the third signal is received, execute a second notification process.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: May 3, 2022
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Satoshi Watanabe
  • Patent number: 11323484
    Abstract: A system and method for the prevention, mitigation, and detection of cyberattack attacks on computer networks by identifying weaknesses in directory access object allowances and providing professionals with centralized graph-centric tools to maintain and observe key security and performance insights into their security posture. The system uses an interrogation agent to collect Active Directory configuration parameters and activity information about a forest and the devices operating within. Cyber-physical graphs and histograms using persisted time-series data provides critical information, patterns, and alerts about configurations, attack vectors, and vulnerabilities which enable information technology and cybersecurity professionals greater leverage and control over their infrastructure.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: May 3, 2022
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11303456
    Abstract: A single architected instruction to produce a signature for a message is obtained. The instruction is executed, and the executing includes determining a sign function of a plurality of sign functions supported by the instruction to be performed. Input for the instruction is obtained, and the input includes a message and a cryptographic key. A signature is produced based on the sign function to be performed and the input. The signature is to be used to verify the message.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: April 12, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Eric M. Schwarz, Jonathan D. Bradbury, Edward T. Malley, Christian Jacobi
  • Patent number: 11297495
    Abstract: A transfer module, such as a single board computer having wireless communication capabilities, may be attached to an image guided surgery (“IGS”) navigation system. Images, video, and data stored on the IGS navigation system may be moved to and stored on the transfer module in an encrypted format. The transfer module may connect to a secure network or other secure wireless communication and transfer encrypted IGS medical procedure data to a physician device, a hospital system device, or other device. After validation, the physician device or other device may decrypt and display the data. The transfer module may be useful for IGS navigation systems having no preexisting wireless capabilities; and for those having wireless capabilities that are less secure than those provided by the modified IGS navigation system. The transfer module may also wirelessly transmit IGS medical procedure data to a cloud storage system for subsequent access by end users.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: April 5, 2022
    Assignee: Biosense Webster (Israel) Ltd.
    Inventors: Daniel Maia, Chris Aucone, Jun Chen, Yevgeniy Shkolnikov
  • Patent number: 11290436
    Abstract: Techniques for key distribution are provided. A first symmetric key is generated for a first downstream site, and a second symmetric key is generated for a second downstream site. The first symmetric key is transmitted to the first downstream site, and the second symmetric key is transmitted to the second downstream site. Upon receiving an indication that the first symmetric key was successfully deployed at the first downstream site, the first symmetric key is deployed on a first network node of an upstream site. Finally, upon determining that the second symmetric key was not successfully deployed at the second downstream site, techniques include refraining from deploying the second symmetric key to a second network node of the upstream site, where the second network node continues to communicate with the second downstream site using an original symmetric key.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: March 29, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Dave Persaud, Xueqiang Ma, Kalyan K. Ghosh, Kondal R. Boreddy
  • Patent number: 11290876
    Abstract: Provided are a key derivation method and device. The method includes: acquiring a slice identifier corresponding to a network slice to which a user equipment is currently attached, where the slice identifier uniquely identifies the network slice; and transmitting the slice identifier to a designated communication device. The slice identifier is configured to instruct the designated communication device to derive, according to the slice identifier, an intermediate key required by the network slice. By means of the technical solution described above, the problem in the related art that a slice function cannot be implemented normally due to the fact that different network slices probably use the same intermediate key may be solved, and different network slices may correspond to different intermediate keys, thereby avoiding a case that the slicing function cannot be implemented normally caused by allocating the same intermediate key to different network slices.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: March 29, 2022
    Assignee: XI'AN ZHONGXING NEW SOFTWARE CO., LTD.
    Inventors: Shilin You, Zhaoji Lin, Jin Peng, Hongjun Liu, Xiaowu Zhao
  • Patent number: 11277444
    Abstract: Provided is a system-on-chip that may perform a message encryption operation based on a transport layer security (TLS) scheme. The system-on-chip may include an authentication unit configured for exchanging a key used for the message encryption operation and performing authentication for a subject to perform communication, an advanced encryption standard (AES) engine core configured for performing a function of encrypting a message using a key or decrypting the encrypted message and a function of encrypting the key or decrypting the encrypted key, and a controller configured for controlling the AES engine core and the authentication unit based on a real time operating system (RTOS) and firmware for performing the message encryption operation.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: March 15, 2022
    Assignee: SECURITY PLATFORM INC.
    Inventors: Kyung-mo Kim, Ho Gwan Kang
  • Patent number: 11263305
    Abstract: The disclosed computer-implemented method may include mapping an internal network to identify various nodes of the internal network. The method may further include determining where at least some of the internal network nodes identified in the mapping are located. The method may also include receiving a request for metadata service information from an application hosted on a cloud server instance. The method may then include providing a response to the received request for metadata service information if the determined location of the requesting node is approved or preventing a response to the received request for metadata service information if the determined location of the requesting node is not approved. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: March 1, 2022
    Assignee: Netflix, Inc.
    Inventor: William Bengtson
  • Patent number: 11265324
    Abstract: A user permission system manages and regulates access to secure data at one or more third-party data sites. The system may provide access to one or more databases or other data structures based on user authentication and access rules that have been established, such as by a user associated with the data being accessed at the third party data store. Access may be provided via an API to the third-party data site, along with access credentials of a user with data stored with the third-party data site, allowing the system to access data on behalf of the user.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: March 1, 2022
    Assignee: CONSUMERINFO.COM, INC.
    Inventors: Michelle Felice-Steele, Michele Raneri, Paul DeSaulniers, Joe Manna, Jeff Softley, Srikumar Puthupadi Kanthadai, Aga Dzhafar Hady Ogiu Dzhafarov, Pat Finneran, Donna Meryl Smith, Gregory Lennox Wright, Marizette Galvez, Ujjayan Banerjee, Ravi Devesetti, Shivakumar Ramanathan, Mukeshkumar G. Patel
  • Patent number: 11256795
    Abstract: Embodiments of the invention are directed to a system, method, or computer program product structured for generation and validation of secure authentication codes. In some embodiments, the system is structured for fetching screen coordinates for a user device, generating a keypad layout, and numbering the keypad layout to produce an authentication keypad. The system is also structured for generating an authentication string, generating a final authentication code hash from the authentication string and a pattern of the authentication string as input into the authentication keypad, and transmitting the authentication keypad and authentication string to a user device.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: February 22, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Vijay Kumar Yarabolu
  • Patent number: 11252144
    Abstract: An authentication-target apparatus stores a first authentication-target key, a second authentication-target key, a first password, a second password, identification information of the authentication-target apparatus, the first key identification information, and the second key identification information. An authentication apparatus performs a first authentication session using a password corresponding to key identification information common to the authentication-target apparatus and the authentication apparatus. When the first authentication session is successful, the authentication apparatus performs a second authentication session using an authentication-target key corresponding to a common key identification information.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: February 15, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hisashi Enomoto