Patents Examined by Kambiz Zand
  • Patent number: 11799904
    Abstract: Inverse imbalance subspace searching techniques are used to detect potential malware among samples of network communication data. A large number of samples of network communication data, such as proxy log data and/or network flows, are received and analyzed by a malware detection system. A number of the samples are associated with known malware, while other unlabeled samples are either benign or may be associated with unknown malware. An inverse imbalance subspace search may be performed, in which the sample sets are divided into subsets based on random feature thresholds, and each subset is evaluated based on the ratio of known malware samples to unlabeled samples. Unlabeled samples within subsets having high malware sample ratios may be identified, aggregated, and processed as potential malware.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: October 24, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Tomas Komarek, Jan Brabec, Cenek Skarda
  • Patent number: 11792006
    Abstract: A method for electing a representative node device is performed at a blockchain system, including: obtaining voting transaction data from the node devices, the voting transaction data being used for voting for one or more node devices of the blockchain system as representative node devices; generating and storing the voting transaction data into a target blockchain of the blockchain system when a plurality of node devices of the blockchain system verify the voting transaction data by consensus; and when a quantity of blocks in the target blockchain generated using the voting transaction data reaches a preset quantity, determining an election result according to quantities of votes of the node devices determined from the voting transaction data, the election result identifying a plurality of representative node devices in the blockchain system being configured to generate new blocks for the target blockchain and perform verification on the new blocks by consensus.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: October 17, 2023
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Rui Guo, Maocai Li, Zongyou Wang, Haitao Tu, Li Kong, Kaiban Zhou, Changqing Yang, Nan Wang, Yong Ding, Yifang Shi
  • Patent number: 11792234
    Abstract: A policy-based browser system for managing browser extensions used to access functionalities on a web browser in a cloud-based multi-tenant system. The policy-based browser system includes a client device, a web server configured to provide the functionality of the browser extension on a web browser of the client device, and a mid-link server. The network traffic from the client device is monitored to identify traffic patterns, risk is determined associated with the browser extension based on the traffic patterns, and a correlation of the browser extension with a plurality of browser extensions. A policy for the browser extension is identified based on the risk. The policies specify access to the browser extensions based on the risk associated with the browser extensions. The browser extensions are categorized based on the policies and the risk. An authorization corresponding to the browser extension is determined based on the policy.
    Type: Grant
    Filed: November 11, 2022
    Date of Patent: October 17, 2023
    Assignee: Netskope, Inc.
    Inventor: James S. Robinson
  • Patent number: 11792228
    Abstract: Methods, systems, and computer readable media for network security are described. In some implementations, security tasks and roles can be allocated between an endpoint device and a firewall device based on tag information sent from the endpoint, the tag information including one or more characteristics of a traffic flow, information of resource availability, and/or reputation of a process associated with a traffic flow.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: October 17, 2023
    Assignee: Sophos Limited
    Inventors: Andy Thomas, Nishit Shah, Daniel Stutz
  • Patent number: 11785024
    Abstract: In some implementations, a system for identifying malicious attacks on a convolutional neural network (CNN) model includes a target computing system that performs classification of objects using a CNN model, and an attack identification computing system that identifies an injected neural attack. The attack identification computing system can be configured to generate, based on the CNN model and associated parameters, an ecosystem of CNN models by modifying original weights of the parameters associated with the CNN model; update the original weights of the parameters with the modified weights; store, in a secure data store, the updated weights of the parameters; generate, based on the updated weights, an update file for the CNN model; update, using the update file, the CNN model; and transmit the updated CNN model to a targeting computing system configured to detect neural attacks by an attacker computing system based on the updated CNN model.
    Type: Grant
    Filed: March 22, 2021
    Date of Patent: October 10, 2023
    Assignee: University of South Florida
    Inventors: Robert Anthony Karam, Brooks Allen Olney
  • Patent number: 11785453
    Abstract: The present disclosure relates to a wireless token capable of representing a user network, the token being used to automatically provision an IoT enabled device to connect to the user network. Functions required to achieve this include: authenticate the token with the user network, and responsive to said authentication, obtain and store configuration information for enabling the token to communicatively couple one or more devices at or within a defined proximity to the token, with the user network; responsive to a wireless signal received from a given device among the one or more devices, establish a temporary secure communication channel between the given device and the token; and provide the configuration information from the token to the given device using the temporary secure communication channel, wherein the configuration information enables the given device to establish a connection with and operate in the user network based on the obtained configuration information.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: October 10, 2023
    Assignee: NAGRAVISION S.A.
    Inventor: Jean-Bernard Fischer
  • Patent number: 11784810
    Abstract: Provided are a computer program product, system, and method for determining key server type and key server redundancy information to enable encryption. A first key server type for a first protocol is indicated in a key server type field in response to determining a current protocol used to communicate with the key server comprises the first protocol. A query information request is submitted to the key server to determine a key server type in response to determining that the current protocol comprises the second protocol. The second key server type indicated in the response to the query information request is indicated in the key server type field in response to the response indicating the second key server type. The first or second type of key server indicated in the key server type field is used to determine information to include in a key retrieval request.
    Type: Grant
    Filed: May 25, 2022
    Date of Patent: October 10, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jacob Lee Sheppard, Roger G. Hathorn, Igor Popov
  • Patent number: 11784792
    Abstract: A system may include a first processing component arranged in a secure domain of the system. The system may include a second processing component arranged outside of the secure domain of the system. The system may include one or more hardware accelerators to perform operations in association with providing communication security for the system. The one or more hardware accelerators may be accessible by the first processing component via a channel in the secure domain. The one or more hardware accelerators may be accessible by at least the second processing component via a channel outside of the secure domain.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: October 10, 2023
    Assignee: Infineon Technologies AG
    Inventors: Manuela Meier, Andreas Graefe
  • Patent number: 11783081
    Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 16, 2020
    Date of Patent: October 10, 2023
    Assignee: Intel Corporation
    Inventors: David M. Durham, Ravi L. Sahita, Barry E. Huntley, Nikhil M. Deshpande
  • Patent number: 11785031
    Abstract: Disclosed are techniques for performing forensic analysis of computer systems in a cloud network. The techniques can include using a scalable, cloud-based, specialized computer architecture for performing the forensic analysis of computer systems.
    Type: Grant
    Filed: February 10, 2021
    Date of Patent: October 10, 2023
    Assignee: Cado Security Ltd
    Inventors: James Campbell, Christopher Doman
  • Patent number: 11777725
    Abstract: Secure selective token-based access control includes receiving a data access request from over a computer communications network, extracting a token from the request, selecting a decryption key for use in decrypting the token and attempting decryption of the token using the decryption key. Thereafter, on condition that the decryption key successfully decrypts the token into decrypted data, a creation date of the token in the decrypted data may be read and a rule applied to the creation date, the rule determining whether or not to expire the token. Finally, in response to a determination by the application of the rule to expire the token based upon the creation date of the token, the token is expired from subsequent use in authorizing servicing of the data access request, but otherwise the data access request is authorized for servicing.
    Type: Grant
    Filed: May 10, 2022
    Date of Patent: October 3, 2023
    Assignee: Google LLC
    Inventor: Danny Thorpe
  • Patent number: 11775663
    Abstract: A method for controlling access to a set of data is provided. The method includes receiving, via an interface, a request from an agent to access the set of data in a database; extracting an access criterion relating to a predefined data access constraint and a predetermined data access policy from the request; and determining whether the agent is granted access to the set of data using the criterion, where the access criterion is based on an attribute that is associated with an element within the set of data.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: October 3, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: David Laurance, Michael George Norman
  • Patent number: 11777938
    Abstract: The present disclosure relates to methods and systems for protecting cloud resources. The methods and systems may use a virtual gatekeeper resource to enforce secure access controls to cloud resources for a list of privileged operations. The cloud resources and the virtual gatekeeper resource may be in different security domains within a cloud computing system and the cloud resources may be linked to the virtual gatekeeper resource. A request may be sent to perform a privileged operation on the cloud resource. Access may be provided to the virtual gatekeeper resource in response to approval of the request and the access to the virtual gatekeeper resource may be used to perform the privileged operation on the cloud resource.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: October 3, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Neeraj Jain, Vijayendra Gopalrao Vasu, Vijay Krishna Tandra Sistla, Kirushna Kumaar Ganesan, Sumit Malhotra
  • Patent number: 11777932
    Abstract: In general, this disclosure describes an IoT access control exchange for IoT devices. Verifiable credentials can be generated and used to grant access to IoT devices definitively identified using a Decentralized Identifier (DID). DIDs for IoT devices are registered by the IoT exchange hub acting as an Identity Hub. An organization interested in obtaining data from a collection of devices, the IoT Access Customer, contacts the IoT device owner agent via their mutual agents and obtains a verifiable credential with a request for access. The access request is submitted to the IoT exchange hub. The IoT exchange hub either enforces the access request itself if the devices do not have enough resources or submits the verifiable credential with the access request to the devices for them to enforce access. The IoT access customer agent, IoT device owner agent, and IoT exchange hub similarly identify themselves and prove authentication using DIDs.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: October 3, 2023
    Assignee: EQUINIX, INC.
    Inventors: James Kempf, Rafael Lean de Vera Ansay, Oleg Berzin
  • Patent number: 11777988
    Abstract: Disclosed herein are methods, systems, and processes for probabilistically identifying anomalous levels of honeypot activity. A honeypot dataset associated with a honeypot network is received and a representative usage value is determined from the honeypot dataset. The representative usage value is identified as being associated with anomalous behavior if the representative usage value deviates from an expected probability distribution. A remediation operation is initiated in the honeypot network in response to the identification of the representative usage value as being associated with the anomalous behavior by virtue of the representative usage value deviating from the expected probability distribution.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: October 3, 2023
    Assignee: Rapid7, Inc.
    Inventors: Wah-Kwan Lin, Curtis Barnard
  • Patent number: 11770411
    Abstract: A method, system, and computer program product for prioritizing endpoints to be checked during a change window based on certain criteria. The method may include receiving a request for processing from a plurality of servers. The method may also include determining a priority for each server of the plurality of servers based on specified criteria, where the specified criteria includes at least compliance-check history. The method may also include determining whether each server belongs to one or more groups. The method may also include determining a notification order for the plurality of servers based on the priority and whether each server belongs to the one or more groups. The method may also include sending a notification to each server in the notification order.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: September 26, 2023
    Assignee: KYNDRYL, INC.
    Inventors: Lohitashwa Thyagaraj, Debasisha Padhi, Richard Jay Cohen
  • Patent number: 11770382
    Abstract: A dynamic privileged access governance system and associated processes are disclosed. The dynamic privileged access governance system and processes are cloud-native and adapt to the dynamic nature of the cloud systems.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: September 26, 2023
    Inventors: Artyom Poghosyan, Alexander Gudanis, Sameer Hiremath
  • Patent number: 11770351
    Abstract: Systems and methods are disclosed for prioritizing a list of applications. The systems and methods include identifying, with a messaging application, a list of applications that are configured to share authentication information with the messaging application; determining a priority value of each application on the list of applications; generating for display, with the messaging application, a graphical user interface that represents a selection of applications from the list of applications based on the priority value of each application on the list; and for each application represented in the graphical user interface, generating for display a user-selectable option to authorize the messaging application to share authentication information with the respective application.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: September 26, 2023
    Assignee: Snap Inc.
    Inventors: Charles Burson DePue, Patrick Mandia, David Whyte
  • Patent number: 11768961
    Abstract: Methods for speaker role determination and scrubbing identifying information are performed by systems and devices. In speaker role determination, data from an audio or text file is divided into respective portions related to speaking parties. Characteristics classifying the portions of the data for speaking party roles are identified in the portions to generate data sets from the portions corresponding to the speaking party roles and to assign speaking party roles for the data sets. For scrubbing identifying information in data, audio data for speaking parties is processed using speech recognition to generate a text-based representation. Text associated with identifying information is determined based on a set of key words/phrases, and a portion of the text-based representation that includes a part of the text is identified. A segment of audio data that corresponds to the identified portion is replaced with different audio data, and the portion is replaced with different text.
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: September 26, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yun-Cheng Ju, Ashwarya Poddar, Royi Ronen, Oron Nir, Ami Turgman, Andreas Stolcke, Edan Hauon
  • Patent number: 11765188
    Abstract: An apparatus includes multiple ports, packet communication processing circuitry coupled to the ports, and a processor that is configured to receive, from the packet communication processing circuitry, metadata that is indicative of a temporal pattern of control messages communicated via one or more of the ports, and to identify a network attack by applying anomaly detection to the temporal pattern of the control messages.
    Type: Grant
    Filed: January 10, 2021
    Date of Patent: September 19, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Dimitrios Syrivelis, Dimitrios Kalavrouziotis, Paraskevas Bakopoulos, Elad Mentovich