Patents Examined by Catherine Thiaw
  • Patent number: 10637888
    Abstract: Techniques are described for automatically performing lifecycle operations to mitigate identified threats via an intrusion detection (IDS) system and a lifecycle operations manager (LOM). In one example, a notification from an IDS is received at a LOM, the notification indicating a malicious activity associated with a particular application included in an enterprise software environment monitored by the IDS. The application can be associated with a first endpoint accessible via a navigation target, where the navigation target sends requests received at the navigation target to the first endpoint. In response to receiving the notification, automatically and without user input, the LOM executes at least one countermeasure operation including creating a new copy of the application, associating the new copy of the application with a different second endpoint, and updating the navigation target to cause the navigation target to send requests to the new copy of the application at the second endpoint.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: April 28, 2020
    Assignee: SAP SE
    Inventor: Rouven Krebs
  • Patent number: 10630660
    Abstract: In one embodiment, a method includes receiving a first identifier and a private key after a network device has been included in a data center switch fabric control plane, authenticating the network device based on the private key, sending a second identifier to the network device, and sending a control signal to the network device based on the second identifier. The first identifier is associated with the network device and unique within a segment of the data center switch fabric control plane. The second identifier is unique within the segment of the data center switch fabric control plane.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: April 21, 2020
    Assignee: Juniper Networks, Inc.
    Inventors: Jainendra Kumar, Vineet Dixit, Prabhu Seshachellum
  • Patent number: 10630718
    Abstract: Unauthorized access to a device is detected in embodiments of the disclosed technology. After downloading a webpage, code is executed in a browser to scan network ports and determine which ports are open. Further webpage content sent from a web server is determined and/or modified in embodiments of the disclosed technology based on which ports are open. In some embodiments, when a particular port or ports are already in use it is determined that a malfeasant actor has access to the end user device and as such, sensitive data or secure data which is intended for a specific user is no longer sent to the end user device.
    Type: Grant
    Filed: November 27, 2018
    Date of Patent: April 21, 2020
    Assignee: BEHAVIOSEC INC
    Inventors: Ingo Deutschmann, Per Burstrom, Philip Lindblad, David Julitz
  • Patent number: 10623406
    Abstract: Systems for managing content in a cloud-based service platform. Embodiments operate using a server in a cloud-based environment. The server is configured to interface with one or more storage devices that store content objects. The server is further configured to carry out a protocol between the server and a user interface that supports access to the storage devices. In example configurations, the server is capable of processing at least three different access request types that are raised from a user interface. A first access type corresponds to an access request type by a registered user. A second access type corresponds to an access request type to permit an application that is invoked by operation of the user interface to be run on the server and to produce further content objects. A third access type corresponds to an access request type that uses an inherited user profile to run a microservice.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: April 14, 2020
    Assignee: Box, Inc.
    Inventors: Varun Maker, Aniket Shivajirao Patil, Reshma Ananthakrishnan, Drew Branden
  • Patent number: 10616196
    Abstract: User authentication techniques are provided for multiple authentication sources and for non-binary authentication decisions. An authentication request is received from an application server to authenticate a user for access to a protected resource. Pre-flow rules and the authentication request are evaluated to dynamically determine a plurality of authentication servers to invoke for the authentication request and an order for the invocation. A first authentication server is contacted to obtain a first authentication result for the user. In-flow rules and the first authentication result are evaluated to determine if additional authentication of the user should be performed. A second authentication server is contacted based on the determined invocation order and/or a result of the in-flow rules to obtain a second authentication result for the user. Decision rules and the first and second authentication results are evaluated to determine an authentication decision.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: April 7, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Anton Khitrenovich, Oleg Freylafert
  • Patent number: 10587600
    Abstract: The systems, methods and apparatuses described herein provide a computing device configured for ensuring its proximity to a communication partner. In one aspect, the computing device may comprise a communication port and a processor. The processor may be configured to receive a request from the communication partner via the communication port, send a response to the request to the communication partner, generate a secondary value that includes a selected portion of the request and a selected portion of the response, generate authenticating data to authenticate the secondary value and send the generated secondary value and authenticating data to the communication partner via the communication port. In another aspect, the communication partner is configured to ensure proximity of the computing device.
    Type: Grant
    Filed: May 25, 2018
    Date of Patent: March 10, 2020
    Assignee: OLogN Technologies AG
    Inventors: Sergey Ignatchenko, Dmytro Ivanchykhin
  • Patent number: 10587621
    Abstract: Systems, methods, and computer-readable media for migrating to and maintaining a white-list network security model. Network traffic identified from permit-all access logs can be analyzed to determine whether it should be white-listed, and if so, a specific permit-access, without logging, policy is generated for the identified network traffic. The addition of specific permit-access policies is repeated on permit-all access logs, at which point, permit-all access policy is converted into deny-all access. In some examples, a system or method can obtain hit counts, from both hardware (e.g., TCAM) and software tables, for the specific permit-access policy to determine existence of identified network traffic over a period of time. After analyzing hit counts, the specific permit-access policy can either continue to exist or be removed to maintain a white-list network security model.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: March 10, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kannan Ponnuswamy, Navneet Yadav, Arvind Chari
  • Patent number: 10586055
    Abstract: Steganography is leveraged to store additional data in the existing data on any given electronic storage. For example, a first request to store a first electronic file is received. Based on the first request, a determination is made as to whether one or more second electronic files meet one or more predefined criteria for being a carrier file for steganography. If the one or more second electronic files meet the one or more predefined criteria for being a carrier file, the first electronic file is electronically stored into the one or more second electronic files using steganography.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: March 10, 2020
    Assignee: PAYPAL, INC.
    Inventor: Shlomi Boutnaru
  • Patent number: 10579788
    Abstract: Aspects of the disclosure provide systems and methods for recognizing an assigned passenger. For instance, dispatching instructions to pick up a passenger at a pickup location are received. The instructions include authentication information for authenticating a client computing device associated with the passenger. A vehicle is maneuvered in an autonomous driving mode towards the pickup location. The client device is then authenticated. After authentication, a set of pedestrians within a predetermined distance of the vehicle are identified from sensor information generated by a sensor of the vehicle and location information is received over a period of time from the client device. The received location information is used to estimate a velocity of the passenger. This estimated velocity is used to identify a subset of the set of pedestrians that is likely to be the passenger. The vehicle is stopped to allow the passenger to enter the vehicle based on the subset.
    Type: Grant
    Filed: August 17, 2017
    Date of Patent: March 3, 2020
    Assignee: Waymo LLC
    Inventors: John Wesley Dyer, Luis Torres, Michael Epstein, Yu-Hsin Chen
  • Patent number: 10581598
    Abstract: According to one embodiment, a management device includes a management tree storage and one or more processors. The management tree storage stores therein a binary tree including a plurality of nodes that are assigned with respective node keys. The processors update at least one of the node keys. The processors select at least one of a first subtree and a second subtree, the first subtree and the second subtree being subtrees including leaf nodes of the binary tree, the leaf nodes corresponding to respective communication devices included in a group, the first subtree including only leaf nodes with the respective node keys assigned thereto not having been updated, the second subtree including only leaf nodes with the respective node keys assigned thereto having been updated. The processors transmit a group key encrypted using a node key assigned to a root node of the selected subtree.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: March 3, 2020
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshikazu Hanatani, Naoki Ogura, Masanobu Koike, Hiroyoshi Haruki
  • Patent number: 10567551
    Abstract: Systems and methods are provided for improving communications between infrastructures using RPCs. An authoritative endpoint in a first infrastructure receives a registration request from a non-authoritative server in a second infrastructure through a transport layer on which a remote procedure call (RPC) layer depends. This request establishes a connection with the authoritative endpoint. The authoritative entity authenticates and registers the non-authoritative entity, and receives RPCs from client devices through the non-authoritative entity. The authoritative entity provides responses to the RPCs through the non-authoritative entity over the established connection. The authoritative entity also performs load-shedding operations, such as notifying the non-authoritative entity of a time to live of the connection. The RPC requests and responses sent over the connection may be chunked into frames, each frame identifying a stream to which it belongs.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: February 18, 2020
    Assignee: Google LLC
    Inventors: Gautam Suresh Nirodi, Michael Collins, Stephen Anthony Meyers
  • Patent number: 10565399
    Abstract: Disclosed herein are system, method, and computer program product embodiments for data anonymization in an in-memory database. An embodiment operates by receiving an indication to perform data anonymization based on one or more quasi attributes of a data set. The data set is sorted based on the one or more quasi attributes. The sorted data set is grouped into a first plurality of groups. A particular group that does not include enough records to satisfy an anonymization threshold is identified from amongst the first plurality of groups. The particular group is combined with another group of the first plurality of groups.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: February 18, 2020
    Assignee: SAP SE
    Inventor: Xinrong Huang
  • Patent number: 10503883
    Abstract: This document describes techniques and devices for radar-based authentication. The techniques describe a radar-based authentication component that is configured to recognize biometric characteristics associated with a person or gestures performed by the person. Then, by comparing the biometric characteristics or gestures with an authentication library, an authentication state may be determined which allows or restricts access to a device or application.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: December 10, 2019
    Assignee: Google LLC
    Inventors: Nicholas Edward Gillian, Ivan Poupyrev, Carsten C. Schwesig
  • Patent number: 10484407
    Abstract: A data analysis system receives potentially undesirable electronic communications and automatically groups them in computationally-efficient data clusters, automatically analyzes those data clusters, automatically tags and groups those data clusters, and provides results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the data clusters may include an automated application of various criteria or rules so as to generate an ordered display of the groups of related data clusters such that the analyst may quickly and efficiently evaluate the groups of data clusters. In particular, the groups of data clusters may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various groups of data clusters and efficiently evaluate those data clusters.
    Type: Grant
    Filed: March 15, 2017
    Date of Patent: November 19, 2019
    Assignee: Palantir Technologies Inc.
    Inventors: Ezra Spiro, Joseph Staehle, Andrew Levine, Juan Ricafort, Alvaro Morales
  • Patent number: 10484398
    Abstract: In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: November 19, 2019
    Assignee: McAfee, LLC
    Inventors: Christopher Smith, Edward T. McDonald, Don R. Hanson, II
  • Patent number: 10469456
    Abstract: A security system comprises a personal digital key (PDK), a reader and a computing device. The PDK is a portable, personal transceiver that includes a controller and one or more passwords or codes. The computing device includes a detection engine, vault storage and a set up module. The detection engine detects events relating to the access of any files and third-party systems by the computing device and receives information from the reader as to whether the PDK is present/linked. The detection engine controls whether a user is able to access any of the functionality provided by the computing device based upon whether the PDK is in communication with the reader or not. The present invention also includes a number of methods such as a method for initializing the security system, a method for setting up a computing device, and a method for controlling access to computing resources.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: November 5, 2019
    Assignee: Proxense, LLC
    Inventor: John J. Giobbi
  • Patent number: 10440572
    Abstract: A method and system for authenticating a user includes providing an invocation element capable of being activated by a single user action, receiving an indication that the invocation element has been activated, obtaining a location of a wireless device associated with the user, determining whether the wireless device is associated with an authorized user, approving the user to use the application based on a predetermined location criterion, and producing an indication that the user has been authenticated.
    Type: Grant
    Filed: September 21, 2017
    Date of Patent: October 8, 2019
    Assignee: Visa International Service Association
    Inventors: Charles L. Dennis, Randall A. Snyder, Patrick J. Boyle
  • Patent number: 10432633
    Abstract: A request to send, to a third-party platform that is separate from a content sharing platform, a notice pertaining to an unauthorized media item may be provided, the unauthorized media item being an unauthorized copy of an authorized media item of a user associated with a user device, the user being a rights holder of the unauthorized media item and the authorized media item may be provided to a content sharing platform by a user device. A user interface identifying a set of versions of the authorized media item may be received from the content sharing platform. A selection of one or more of the set of versions of the authorized media item via the user interface to the content sharing platform may be provided, causing the content sharing platform to generate a notice identifying the unauthorized media item to the third party platform.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: October 1, 2019
    Assignee: Google LLC
    Inventors: Justin Lewis, Ruxandra Georgiana Davies
  • Patent number: 10423767
    Abstract: The present disclosure is directed to a content protection system using biometric authentication. In general, a user may be authenticated using sensed biometric data prior to receiving content from a content provider. An example device may comprise a biometric identification (BI) module and a content delivery (CD) module. The CD module may cause the BI module to sense biometric data from a user of the device. Authentication data may be generated based on the biometric data. In one embodiment, the authentication data may comprise a key generated from the biometric data. The authentication data may then be sent to the content provider, and upon authentication, the content provider may deliver the content to the device. The CD module may also be able to register new users with the content provider and/or allow users to purchase content not already licensed to the user.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: September 24, 2019
    Assignee: INTEL CORPORATION
    Inventors: Sailaja Parthasarathy, Akshay Vashishtha, Vignesh T Prabhu, Rasik Krishna
  • Patent number: 10419491
    Abstract: A system is provided that includes one or more computing servers and a processing circuit for analyzing data transactions of the computing servers. Each of the computing servers is configured to provide respective services to remote users. The processing circuit is configured to analyze data transactions of at least one of the computing servers, which is associated with a user account. A security policy of the user account includes conditions that are indicative of unauthorized access when the conditions are satisfied by various characteristics of the analyzed data transactions. The processing circuit is configured to determine a threat level as a function of the characteristics of the data transactions and the conditions of the security policy. In response to the threat level exceeding a first threshold level indicated in the security policy of the user account, the processing circuit performs an action for the user account that is associated with the first threshold level.
    Type: Grant
    Filed: October 17, 2017
    Date of Patent: September 17, 2019
    Assignee: 8x8, Inc.
    Inventors: Bryan Martin, Zhishen Liu, Qing Zhao