Abstract: A method for obtaining a cluster feature code includes: determining a plurality of key nodes from respective nodes in a cluster; obtaining plaintexts of feature codes of the respective key nodes; according to the plaintexts of the feature codes of the respective key nodes, obtaining ciphertexts of the feature codes of the respective key nodes, by utilizing a first-level public key; calculating a check code according to the ciphertexts of the feature codes of the respective key nodes; and according to the check code, obtaining the cluster feature code, by utilizing a second-level public key. By means of the present application, the scope of influence on the entire system when system nodes change is reduced.

Abstract: Systems, computer program products, and methods are described herein for dynamic exposure monitoring. The present invention is configured to determine a resource associated with a network environment, wherein the resource is associated with an exposure portfolio; determine one or more monitoring requirements associated with the resource, wherein the one or more monitoring requirements are determined based on the exposure portfolio; implement a first subset of one or more resource monitoring tools based on at least the one or more monitoring requirements of the resource; determine a change in the exposure portfolio of the resource; determine a change in the one or more monitoring requirements based on at least the change in the exposure portfolio of the resource; trigger a dynamic modification to the one or more resource monitoring tools; and implement the second subset of the one or more resource monitoring tools on the resource.

Abstract: Disclosed herein is a system for enabling a default label to be configured for a network location created to store files. The default label can be assigned at a time when the files are uploaded to the network location. An owner of the network location can define the default label to be assigned to the files. Whenever an unlabeled file is uploaded to the network location, the unlabeled file automatically inherits the default label. Furthermore, the system is configured to consider an order of label priority when determining whether to assign a default label to a previously labeled file to be uploaded to the network location. The system is configured to upgrade a file with a preassigned label of lower priority to the default label, while permitting another file to be stored without a label change if the preassigned label is of higher priority compared to the default label.

Abstract: A method for verifying an execution environment provided by a configurable hardware module, where the execution environment is used for execution of at least one hardware-application, includes receiving a hardware-application 16. The hardware-application includes configuration data describing an instantiation as a hardware-application component on the configurable hardware module. A received hardware-application is instantiated as the hardware-application component in the execution environment. The execution environment of the configurable hardware module that executes the hardware-application component in the respective execution environment is analyzed by an instantiated hardware-application component. The hardware application component communicates with a characterizing unit providing characterizing parameters for the execution environment of the configurable hardware module.

Abstract: A method for authorizing a field value of a form field by means of a third-party field is provided. The method includes selecting one or more grantees; selecting a form to be authorized, and displaying fields which need control authorization of the permission to view field values by means of third-party fields; selecting one or more third-party fields for each field respectively, where the third-party field includes one or more options; and authorizing a viewing permission of a field value of an authorized field of form data corresponding to each option of each third-party field respectively.

Abstract: A device, system and method for linking encrypted data sets using common encrypted identifiers in encrypted space. A first and second parties' encrypted data sets may include first and second respective encrypted data and associated first and second respective encrypted identifiers. The first and second encrypted identifiers may be converted into a first and second respective sets of a plurality of elemental identifier components. Each of the plurality of elemental identifier components in each component set characterizes a distinct numeric property of the corresponding converted encrypted identifier. The first and second sets of the plurality of elemental identifier components may be composed, component-by-component, to generate a plurality of component-specific results.

Abstract: Embodiments of the present disclosure relate to generating a high level security policy for a data repository without knowledge of the access control, entitlement, and other models of the data repository. A set of abstractions that define a security policy language may be generated based on data in a data repository collection. The set of abstractions may define a security policy language, which may be provided to a security administrator who can define a security policy with the security policy language. The security policy may be translated into a common physical language to generate a common physical policy. The processing device may then translate the common physical policy into a set of commands for each of one or more data repositories that the data repository collection is comprised of.

Abstract: An illustrative method includes a data protection system determining that data stored by a storage system is under a possible attack, detecting a modify request with respect to the storage system while the data stored by the storage system is under the possible attack, determining that the modify request may be related to the possible attack, and performing, in response to determining that the modify request may be related to the possible attack, a remedial action with respect to the modify request.

Abstract: Method, device, and system of detecting a mule bank account, or a bank account used for terror funding or money laundering. A method includes: monitoring interactions of a user with a computing device during online access with a bank account; and based on the monitoring, determining that the bank account is utilized as a mule bank account to illegally receive and transfer money, or is used for money laundering or terror funding. The method takes into account one or more indicators, such as, utilization of a remote access channel, utilization of a virtual machine or a proxy server, unique behavior across multiple different accounts, temporal correlation among operations, detection of a set of operations that follow a pre-defined mule account playbook, detection of multiple incoming fund transfers from multiple countries that are followed by a single outgoing fund transfer to a different country, and other indicators.

Abstract: Technologies for token-based access authorization to an application program interface (API) include an access management server to receive a service request message from an application executed by a remote computing device. The service request message includes a digitally signed license token previously generated by the access management server and distributed to the remote computing device. The service request message also includes a request from the executed application to access data or a service of the resource server via an exposed API. The access management server verifies the digital signature of the digitally signed license token and generates a digitally signed Security Assertion Markup Language (SAML) token. The digitally signed SAML token is transmitted to the resource server for verification and local caching. The resource server receives the service request message and determines whether access to the requested data or service is authorized based on the locally-cached SAML token.

Abstract: In accordance with some embodiments, a method and system for establishing the trustworthiness of software and running systems by analyzing software and its provenance using automated means. In some embodiments, a risk score is produced. In some embodiments, software is analyzed for insecure behavior or structure. In some embodiments, parts of the software are hardened by producing possibly multiple different versions of the software with different hardening techniques applied, and a choice can be made based on user or environmental needs. In some embodiments, the software is verified and constraints are enforced on the endpoint using techniques such as verification injection and secure enclaves. In some embodiments, endpoint injection is managed through container orchestration.

Abstract: Authentication techniques are described to allow a person to be authenticated to interact with an organization, where a type of authentication can be determined based on an environment in which the person is located. For example, an authentication server can collect a status information related to a safety setting of a mobile device. The safety setting can be enabled, e.g., if a person is driving a vehicle. When enabled, the safety setting can prevent the person from performing one or more operations on the mobile device. Based on the collected status information, the authentication server can request the person to provide user information via the mobile device so that the authentication server can determine whether the person is authenticated to interact with an organization.

Abstract: An illustrative method includes a data protection system identifying one or more input operations and one or more output operations performed between a source and a storage system, identifying an anomaly in a relationship between the one or more input operations and the one or more output operations, and determining, based on the identifying of the anomaly, that the storage system is possibly being targeted by a security threat.

Abstract: An illustrative method includes determining an encryption indicator for a first recovery dataset by determining a difference in an amount or percentage of incompressible data associated with the first recovery dataset compared to an amount or percentage of incompressible data associated with a second recovery dataset that temporally precedes the first recovery dataset, the encryption indicator representative of data within or represented by the first recovery dataset that cannot be compressed more than a threshold amount; and performing, based on the encryption indicator for the first recovery dataset, an action with respect to the second recovery dataset, wherein the second recovery dataset is usable to restore data maintained by a storage system to a second state corresponding to a second point in time that temporally precedes a first point in time corresponding to the first recovery dataset.

Abstract: An illustrative method includes a data protection system detecting a request to perform a restricted operation with respect to a recovery dataset configured to be used by a storage system to recover from a data corruption event within the storage system, monitoring, in response to the request, for an occurrence of a predetermined set of one or more authorization events performed with one or more hardware tokens, and preventing the restricted operation from being executed until the each of the one or more authorization events included in the predetermined set occurs.

Abstract: Disclosed are various approaches for authenticating a user through a voice assistant device and creating an association between the device and a user account. The request is associated with a network or federated service. The user can use a client device, such as a smartphone, to initiate an authentication flow. A passphrase is provided to the client device can captured by the client device and a voice assistant device. Audio captured by the client device and voice assistant device can be sent to an assistant connection service. The passphrase and an audio signature calculated from the audio can be validated. An association between the user account and the voice assistant device can then be created.

Abstract: A method at a computing device within an Intelligent Transportation System, the method comprising: determining, at the computing device, whether a short-term certificate is available to sign a message; if the short-term certificate is available, signing the message with a private key associated with the short-term certificate; if the short-term certificate is not available, signing the message with a private key associated with a long-term certificate; and sending the message to a recipient.

Abstract: A system and method for generating a cryptographic key using a sequence of data segments selected by a user from one or more data resources. Raw data from the one or more data resources corresponding to each of the selected data segments, and the sequence in which such data segments are selected, is extracted and processed to generate a key. The key can be used for any cryptographic and authentication purpose. By enabling a user to select the sequence of data segments from the one or more data resources in any manner the user desires, the user can create a strong key, but also easily remember the underlying data resource and chosen sequence. This technique provides enhanced security while maintaining ease of creation and use of such security.

Abstract: Systems and methods for controlling access to data in applications using client-side encryption. In that regard, in some examples, a first application (e.g., an email application, calendar application, messaging application, word processing application, file storage application, etc.) hosted from a particular web domain may be configured to invoke a second application hosted from a different origin (e.g., a different web domain or subdomain) to handle receiving and encrypting any sensitive information from a client entered through a client application (e.g., a web browser), and to handle decrypting information to be provided to the client through the client application. This second application may be loaded in an inline frame or similar subwindow or subroutine configured to prevent or limit the first application from having access to sensitive information in the second application.

Abstract: A public key infrastructure (PKI) ecosystem includes a first organization computer system having a first processor, a first memory, and a first organization process including instructions that are (i) encoded in the first memory, and (ii) executable by the first processor. The ecosystem further includes a second organization computer system having a second processor and a second memory, a digital ledger, and domain name system security extensions (DNSSEC). When executed, the first instructions cause the first processor to create at least one public/private PKI keypair for a first domain name, in the DNSSEC, register the first domain name and create a certificate authority (CA), register the CA in the blockchain, using the CA, create a certificate for a first entity, register the certificate in the blockchain and/or the DNSSEC, and assert, to the second organization computer system, trust in the first entity based on the registered certificate.