Patents Examined by Jung W Kim
  • Patent number: 11818100
    Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: November 14, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
  • Patent number: 11792162
    Abstract: A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers that are input into an ML model that includes a first stage that operates on the first vector of integers to identify candidate signature tokens that are commonly associated with different classes of attack, and a second stage that operates on the candidate signature tokens and the second vector of integers and conditions attention on the second vector of integers on the candidate signature tokens. The ML model outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold.
    Type: Grant
    Filed: January 30, 2023
    Date of Patent: October 17, 2023
    Assignee: CLOUDFLARE, INC.
    Inventors: Vikram Grover, Petre Gabriel Gabor, Nicholas Mikhail Robert
  • Patent number: 11785007
    Abstract: Methods, systems, and apparatuses are described herein for improving the accuracy of authentication questions using e-mail processing. A request for access to an account may be received from a user device. A plurality of organizations may be identified. One or more e-mails associated with the account may be identified. The e-mails may be processed to identify one or more organizations that correspond to transactions conducted by a user. A modified plurality of organizations may be generated by removing, from the plurality of organizations, the one or more organizations. An authentication question may be generated and provided to the user device. A response to the authentication question may be received, and the user device may be provided access based on the response.
    Type: Grant
    Filed: May 7, 2021
    Date of Patent: October 10, 2023
    Assignee: Capital One Services, LLC
    Inventors: Viraj Chaudhary, Vyjayanthi Vadrevu, Tyler Maiman, David Septimus, Samuel Rapowitz, Jenny Melendez, Joshua Edwards
  • Patent number: 11775632
    Abstract: Techniques are disclosed relating to credential managers. In some embodiments, a computing device maintains a credential manager that stores, in a protected manner, a set of credentials for authenticating a user and metadata about the credentials. The computing device stores an instance of the metadata externally to the credential manager. The computing device uses the externally stored metadata to determine whether the set of credentials includes a particular credential associated with a service and, in response to determining that the set of credentials includes the particular credential, displays an indication of the particular credential. In some embodiments, the computing device receives a selection of the displayed indication by the user and, in response to the selection, sends a request for the particular credential to the credential manager.
    Type: Grant
    Filed: January 30, 2023
    Date of Patent: October 3, 2023
    Assignee: Apple Inc.
    Inventors: Reza Abbasian, Richard J. Mondello, David P. Quesada, Kyle C. Brogle, Patrick L. Coffman
  • Patent number: 11755736
    Abstract: A method, computing device, and non-transitory machine-readable medium for detecting malware attacks and mitigating data loss. In various embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: September 12, 2023
    Assignee: NETAPP, INC.
    Inventors: Jagadish Vasudeva, Prateeksha Varshney, Priya Sehgal, Mrinal K. Bhattacharjee, Amit Valjibhai Panara, Siddhartha Nandi
  • Patent number: 11734440
    Abstract: A memory system component comprises transaction handling circuitry to receive memory access transactions. Each memory access transaction specifies at least: an issuing domain identifier which indicates an issuing security domain specified by an issuing master device for the memory access transaction, where the issuing security domain is one of a plurality of security domains; a target address; and a security check indication which indicates whether it is already known that the memory access transaction would pass a security checking procedure. The security checking procedure determines whether the memory access transaction indicating said issuing security domain is authorised to access the target address, based on control data indicative of which of the plurality of security domains are allowed to access the target address. The memory system component comprises control circuitry to determine, on the basis of the security check indication, whether the security checking procedure still needs to be performed.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: August 22, 2023
    Assignee: Arm Limited
    Inventor: Andrew Brookfield Swaine
  • Patent number: 11729176
    Abstract: A runtime application self protection (RASP) plug-in logic monitors for, and prevents, outbound network connections that are initiated by server application logic and that are not intended by the application logic. The RASP plug-in has access to information generally available only to the application logic and identifies specific vulnerabilities within the application logic that can be patched. The vulnerabilities are identified by (i) data identifying the portion(s) of the application logic that is the source of the vulnerability and (ii) data identifying the authenticated user, if any, that is the source of the attack. The RASP plug-in catches and identifies specific attacks on the application logic in real-world, production operation.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: August 15, 2023
    Assignee: Imperva Inc.
    Inventors: Kunal Anand, Richard Meester, Joseph Rozner, Martin Ryan
  • Patent number: 11729200
    Abstract: Aspects of the disclosure relate to dynamic message analysis using machine learning. Using one or more automated methods, a computing platform may identify relationships between message sender domains and message recipient domains. After identifying the relationships, the computing platform may apply a security scoring process to a message sender domain to compute a weighted security score for the message sender domain. The computing platform may determine a weighted grade for the message sender domain based on the weighted security score for the message sender domain. Based on the weighted grade for the message sender domain, the computing platform may execute one or more enhanced protection actions associated with the message sender domain.
    Type: Grant
    Filed: September 10, 2020
    Date of Patent: August 15, 2023
    Assignee: Proofpoint, Inc.
    Inventor: J. Trent Adams
  • Patent number: 11729182
    Abstract: Predictive rendering (also referred to herein as speculative rendering) is disclosed. The predictive rendering is performed by an endpoint browser in response to a user input made by a user. The predictive rendering is verified using a surrogate browser that is executed on a remote server. The verification can be performed asynchronously.
    Type: Grant
    Filed: August 24, 2022
    Date of Patent: August 15, 2023
    Assignee: Menlo Security, Inc.
    Inventors: Ji Feng, Gautam Altekar, Yang Yu
  • Patent number: 11722463
    Abstract: In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.
    Type: Grant
    Filed: June 6, 2022
    Date of Patent: August 8, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Jianxin Wang, Hari Shankar
  • Patent number: 11720291
    Abstract: A method includes retrieving, by a workspace client on a computing device, a first set of resource associations from a workspace server. The first set of resource associations identify one or more data file-types executable by each application on a virtualization server. The method also includes generating, by the workspace client, from the first set of resource associations, a second set of resource associations. The second set of resource associations identify a subset of applications on the virtualization server operable to perform operations on each of the one or more data file-types. The method further includes obtaining, by a storage provider client on the computing device, the second set of resource associations. The storage provider client is configured to enable one or more applications on the virtualization server to execute at least one data file accessible from a storage provider.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: August 8, 2023
    Inventors: Georgy Momchilov, Mukund Ingale
  • Patent number: 11716613
    Abstract: An encryption mechanism used on cooperative multi-band wireless STA architecture that enables full duplex operations. In encrypting a frame, an AAD can be constructed by using a selected MAC address, which may not be associated with a band to be used for transmitting the frame in an upcoming TXOP. An STA that supports simultaneous transmission in a multi-band operation uses the same MAC address to encrypt the frames to be transmitted on different bands. An AAD is constructed by using a same MAC address corresponding to one of the transceivers. A transmit STA may specify band information used for encryption in the MAC header, which serves to signal the receive STA to decrypt the frame by using the proper information.
    Type: Grant
    Filed: July 24, 2019
    Date of Patent: August 1, 2023
    Assignee: MEDIATEK SINGAPORE PTE. LTD.
    Inventors: Yongho Seok, Jianhan Liu, James Chih-Shi Yee, Gabor Bajko
  • Patent number: 11711219
    Abstract: Methods, systems, storage media for authentication are described. One of the methods includes receiving, at a smart contract on a distributed ledger, a signed authentication challenge. The method includes verifying the identity of the user who signed the authentication challenge. The method includes raising an event that indicates that the user has been authenticated; wherein a server listens for events from the smart contract, and associates a session between the browser and the server with the user based on the event.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: July 25, 2023
    Assignee: UNITED SERVICES AUTOMOBILE ASSOCIATION (USAA)
    Inventor: Minya Liang
  • Patent number: 11706230
    Abstract: A method for detecting a potential information fabrication attempt on a webpage, the method comprising: providing the webpage to a user device, by processing circuitry, the webpage comprising instructions executable by a webpage accessing software of the user device for detecting the potential information fabrication attempt; wherein execution of the instructions by the webpage accessing software results in: detecting the potential information fabrication attempt upon detecting that a first size of a viewport divided by a second size of a window of the webpage accessing software on a display screen of the user device has been reduced, resulting in a scaled-down viewport on the display screen.
    Type: Grant
    Filed: October 18, 2020
    Date of Patent: July 18, 2023
    Assignee: GLASSBOX LTD.
    Inventors: Yaron Gueta, Roman Goldstain, Roi Schragenheim
  • Patent number: 11706226
    Abstract: In an embodiment, a list of domains is received that includes one or more categories for each domain. The categories are assigned to each domain using a classifier that is trained using features extracted from webpages known to be associated with particular categories. An administrator creates access rules for users, or groups of users, that control the categories of domains that each user is permitted to access or not access. When a user makes a request for a webpage, access rules associated with the user are retrieved, and one or more categories associated with the domain of the requested webpage are determined using the list of domains. If any of the one or more categories of the domain violate an access rule associated with the user, the request for the webpage is denied. Otherwise the user is allowed to access the webpage.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: July 18, 2023
    Assignee: UAB 360 IT
    Inventors: Juta Gurinavičiūtė, Carlos Eliseo Salas Lumbreras
  • Patent number: 11689365
    Abstract: The present disclosure relates to centralized volume encryption key management for edge devices with trusted platform modules (TPMs). In some aspects a volume encryption key is generated for a gateway device. A sealing authorization policy is also generated for the gateway device. The sealing authorization policy is generated based on a predetermined platform configuration register (PCR) mask and expected PCR values. The volume encryption key and the sealing authorization policy are transmitted from the management service to the gateway device to provision the gateway device with the volume encryption key.
    Type: Grant
    Filed: October 23, 2019
    Date of Patent: June 27, 2023
    Assignee: VMWARE, INC.
    Inventors: Alexey Makhalov, Maria Potapova, Ravishankar Chamarajnagar, Bo Gan, Raghunath Krishnamurthy, Sharath George, Sriram Nambakam
  • Patent number: 11681791
    Abstract: A human challenge can be presented in an augmented reality user interface. A user can use a camera of a smart device to capture a video stream of the user's surroundings, and the smart device can superimpose a representation of an object on the image or video stream being captured by the smart device. The smart device can display in the user interface the image or video stream and the object superimposed thereon. The user will be prompted to perform a task with respect to one or more of these augmented reality objects displayed in the user interface. If the user properly performs the task, e.g., selects the correct augmented reality objects, the application will validate the user as a person.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: June 20, 2023
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventor: Jayaraman Ganeshmani
  • Patent number: 11671413
    Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: June 6, 2023
    Assignee: Akamai Technologies, Inc.
    Inventor: Tong Chen
  • Patent number: 11659033
    Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: May 23, 2023
    Assignee: Akamai Technologies, Inc.
    Inventor: Tong Chen
  • Patent number: 11652811
    Abstract: The present disclosure pertains to provisioning of credentials, and in particular to provisioning of authentication credentials to a computer device for accessing a cloud platform computer system. The computer device obtains sensor data and sends a request including a device identifier to a provisioning server using a provisioning server network address. The computer device receives a response, from the provisioning server, including a platform credential and a platform server network address of a platform server. The computer device stores the platform credential. The computer device sends the sensor data and the platform credential to the platform server using the platform server network address.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: May 16, 2023
    Assignee: SAP SE
    Inventor: Sivakumar M