Abstract: The present disclosure provides a system and method of providing a security service by means of a network operator management system in a security management system, the method including receiving a high-level first security policy from an I2NSF (interface to Network Security Functions) user; receiving an available security service from a developer's management system; creating a low-level second security policy corresponding to the first security policy on the basis of the security service; and transmitting a packet including the second security policy for setting the created second security policy to each of a plurality of NSFs (Network Security Function) to an NSF instance, wherein the network operator management system and the NSFs are respectively connect to an I2NSF NSF-laving interface, and the second security policy includes at least one or more of 1) blocking SNS access during business hours, 2) blocking a malicious VoIP (Voice over Internet Protocol) or a malicious VoCN (Voice over Cellular Network)

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: A digital credential issuing system and method use public storage and encryption to provide a more secure digital credential issuing process because there is no direct interaction between the credential issuer and an entity requesting a new credential. The new credential may be secured, such as by using encryption, so that the newly issued credential may be uploaded to the public storage and then decrypted and used by only the particular entity for which the new credential is intended.

Abstract: A data platform for managing an application as a first-class database object. The data platform includes at least one processor and a memory storing instructions that cause the at least one processor to perform operations including detecting a data request from a browser for a data object located on the data platform, executing a stored procedure, the stored procedure containing instructions that cause the at least one processor to perform additional operations including instantiating a User Defined Function (UDF) server, an application engine, and the application within a security context of the data platform based on a security policy determined by an owner of the data object. The data platform then communicates with the browser using the application engine as a proxy server.

Abstract: Aspects of the disclosure relate to a dynamic event securitization and neural network analysis system. A dynamic event inspection and securitization computing platform comprising at least one processor, a communication interface, and memory storing computer-readable instructions may securitize event data prior to authorizing execution of the event. A neural network event analysis computing platform comprising at least one processor, a communication interface, and memory storing computer-readable instructions may utilize a plurality of event analysis modules, a neural network, and a decision engine to analyze the risk level values of data sharing events. The dynamic event inspection and securitization computing platform may interface with the neural network event analysis computing platform by generating data securitization flags that may be utilized by the neural network event analysis computing platform to modify event analysis results generated by the event analysis modules.

Abstract: The present invention discloses a method and a device for performing authenticated ranging measurement by a first radio node. The method comprises receiving a first ranging signal from the second radio node; determining a first ranging parameter based on the first ranging signal; determining a range based on the first ranging parameter; and authenticating the second radio node based on the first ranging signal and authentication setup information comprising a condition on the first ranging signal.

Abstract: This disclosure describes methods to distribute intrusion detection in a network across multiple devices in the network, such as across routing/switching or other infrastructure devices. For example, as a packet is routed through a network infrastructure, an overlay mechanism may be utilized to indicate which of a total set of intrusion detection rules have been applied to the packet. Each infrastructure device may evaluate which rules have already been applied to the packet, using a result of the evaluation to determine where to route the packet in the network infrastructure for application of additional intrusion detection rules. Additionally, each infrastructure device may record a result of its application of the portion of intrusion detection rules directly into the packet.

Abstract: A method for enrolling a node in a network including steps of: providing a hub having a network communications element, established ownership, an owner, a private key and a public key; providing a first node having a network communications element, established ownership status, a network location status, a private key and a public key; scanning an environment to identify active hub devices; selecting a most likely hub device from among identified hub devices; receiving a hub public key from the selected hub; encrypting a string using the received public key; sending the encrypted string; receiving a decrypted copy of the string; validating the hub; sending an authentication request through the hub, the request including the public key of the first node; receiving an encrypted string; decrypting the string using the node's private key; sending the decrypted string through the hub; and updating the network location status of the node.

Abstract: Techniques for management of sensitive data using static code analysis are described. A method of management of sensitive data using static code analysis includes obtaining a representation at least a portion of code, statically analyzing at least the portion of code to generate one or more candidate vectors based at least on one or more patterns, sending the one or more candidate vectors to a sensitive data model, and receiving an inference response indicating, for each of the one or more candidate vectors, whether at least a portion of the candidate vector includes sensitive data and a corresponding confidence score.

Abstract: Data privacy in screen sharing during Web conferencing includes selecting a third-party application executing in contemporaneously with a conferencing application. Screen sharing is activated during a Web conference in the conferencing application so as to share a display screen of the third-party application with different attendee computers over a computer communications network. An interface to the application is then queried with the attendees in order to receive access control data for the attendees. Then, a protected data field is identified in the display screen and determined whether one of the attendee computers is associated with one of several access control rules based upon the access control data that prohibits display of content in the protected data field. The data field is masked in the shared display screen for the one of the attendee computers while displaying remaining portions of the shared display screen in the one of the attendee computers.

Abstract: A method for integrating third-party encryption managers with cloud services includes receiving, at data processing hardware, an operation request requesting a cryptographic operation on data comprising an encryption operation or a decryption operation. When the operation is an encryption operation, the method includes transmitting a data encryption key associated with the data to a remote entity. The remote entity encrypts the data encryption key with a key encryption key and transmits the encrypted data encryption key to the data processing hardware. When the operation is a decryption operation, the method includes transmitting the encrypted data encryption key to the remote entity which causes the remote entity to decrypt the encrypted data encryption key with the key encryption key and transmit the decrypted data encryption key and transmit to the data processing hardware.

Abstract: In one aspect, a computerized method for implementing dual-layer computer-system security in a private enterprise computer network includes the step of generating a user profile, wherein the user has access to the private enterprise computer network, wherein the user profile comprises an information comprises a specified user usage of the private enterprise computer network. The computerized method includes the step of setting a specified trigger value with respect to the specified user usage of the private enterprise computer network. The computerized method includes the step of detecting that the user usage exceeds the trigger value. The computerized method includes the step of modifying an access privilege of the user to the private enterprise computer network.

Abstract: An apparatus, related devices and methods, having a memory element operable to store instructions; and a processor operable to execute the instructions, such that the apparatus is configured to determine, based on operating system workload demands, whether a high-demand application is running and, based on a determination that a high-demand application is running, apply an optimization policy that modifies a security application, wherein the optimization policy modification includes reducing a protection applied by the security application.

Abstract: Provided is a user authentication management device including a login request receiver that receives a login request from a user from a plurality of inputters via a path corresponding to each of the plurality of inputters, an authentication scheme selector that selects any one of a plurality of authentication schemes and provides identification information of a user related to the received login request to the selected authentication scheme to perform user authentication, and a user information storage that stores a user authentication result received from the selected authentication scheme as user information related to the user, in which the authentication scheme selector selects an authentication scheme predetermined corresponding to a path through which the login request is received.

Abstract: An embodiment of a blockchain-based cryptographic key generation method and system that leverages existing values locally available within a distributed ledger to generate cryptographic keys independent of a third-party server is disclosed herein.

Abstract: Aspects include receiving an outbound payload for output to a requestor as part of a response to a call by the requestor to an application programming interface (API). Clear data in the outbound payload is selected for encryption based on policy information. The clear data is encrypted to generate encrypted data, and the encrypted data is inserted into the outbound payload in place of the clear data to generate an updated outbound payload. The response, including the updated outbound payload, is sent to the requestor.

Abstract: A security system for a vehicle network of a vehicle is provided. The vehicle network includes a gateway and domain controllers for specific areas of the vehicle. The security system may validate messages sent from the gateway. The security system may also utilize split decryption keys in order to decrypt messages in the vehicle network. The security system may also utilize asymmetrical encryption keys in order to secure data within the vehicle network.

Abstract: A data storage device providing secure data storage for a software application executed by an operating system in a computer system including a file system operation interceptor that detects requests for file system operations in respect of data for the application; a file system operation analyzer that is responsive to the interceptor and that analyses an intercepted file system operation request to identify attributes associated with the file system operation; a comparator that compares the attributes with a predefined security policy definition; a cryptographic unit that encrypts and/or decrypts data using one or more cryptographic functions; wherein the cryptographic unit is operable in response to the comparator to perform an encryption or decryption operation on the data and effect the performance of the requested file system operation by the operating system.

Abstract: A method, comprising: obtaining a data item that is associated with an IoT device, the IoT device including one or more of a sensor, an actuator, or an energy source; obtaining, from a blockchain-based attestation system, a trust score that is associated with the data item, the trust score being generated by using a consensus-building mechanism that is provided by the blockchain-based attestation system; when the trust score satisfies a predetermined condition, using the data item; and when the trust score fails to satisfy the predetermined condition, discarding the data item, wherein the IoT device is configured to operate as a node in the blockchain-based attestation system, and the blockchain-based attestation system includes one or more other IoT devices that are part of the same IoT device network as the IoT device.

Abstract: A method for protecting documents includes assigning electronic marks to a document. The electronic marks include a symmetric encryption key and a symmetric encryption algorithm. Access activity with respect to the document is monitored continuously and in real-time. In response to receiving a request from a user to access the document, validity of a digital certificate of the user is checked. Access to the document is denied and a notification is sent to a server indicating an attempted unauthorized access to the document, in response to determining that the digital certificate of the user is not valid. Attributes of the electronic marks are analyzed, in response to that the digital certificate of the user is valid. The document is automatically decrypted, if an attribute of encryption is indicated in the electronic marks, based on the symmetric encryption key and the symmetric encryption algorithm is included in the electronic marks.