Abstract: Systems and methods for initiating an action based on electronic activities of a user. Generally, a computing device receives a policy for enabling cryptographically secure tracking of electronic activities of a user and a particular electronic computing device. The policy can include definitions for a multiple actions to be taken with respect to certain electronic activities resulting from interaction by the user with the at least one computing device. The computing device can identify a particular electronic activity resulting from user interaction with the at least one computing device. The computing device can determine a particular action to take by applying the policy to the particular electronic activity. The computing device can initiate the particular action with respect to the particular electronic activity.

Abstract: Described systems and techniques store, at a first time, first system service verification data that includes a first capture of a system services table having at least one system service entry, and a first portion of a system service identified in the at least one system service entry. At a second time, second system service verification data may be stored that includes a second capture of the system services table and a second portion of the system service identified in the at least one system service entry. At least one mismatch between the first system service verification data and the second system service verification data may be determined. At least one security notification message identifying the at least one mismatch with respect to at least one of the second capture of the system services table and the second portion may thus be generated.

Abstract: Access to a shared library API is restricted for a customer application by a security system. A profile for each of a plurality of trusted applications is generated and stored in a security database. When a customer application attempts to access the shared library API, the customer application is verified by extracting a customer application profile for the customer application, comparing the customer application profile with each stored trusted application profile, and verifying that the customer application can access the shared library API based on the comparison. Based on the verification, the customer application may be allowed to or access to the shared library API or may be prevented from accessing the shared library API.

Abstract: A quantum communications system may include a transmitter node, a receiver node, and a quantum communications channel coupling the transmitter node and receiver node. The transmitter node may include a pulse transmitter, a pulse divider downstream from the pulse transmitter, and at least one first waveplate upstream from the pulse divider and configured to alter a polarization state of pulses travelling therethrough. The receiver node may include at least one second waveplate being a conjugate of the at least one first waveplate, a pulse recombiner upstream from the at least one second waveplate, and a pulse receiver downstream from the at least one second waveplate.

Abstract: Disclosed is an improved approach to implement a mechanism to provide customer control over access to cloud infrastructure by the cloud provider's operator employees. This mechanism allow customer controlled access to any cloud infrastructure that belongs to or is otherwise allocated to the customer.

Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Troupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.

Abstract: A transient blockchain proxy server consolidates many individual requests to add data to a blockchain by aggregating hashed data from these requests and sending the aggregated hashed data to the blockchain network as a single request. The blockchain network adds a new block to the blockchain with the aggregated hashed data and returns a transaction identifier for the new block to the transient blockchain proxy server, which passes the transaction identifier back to all the requestors who then can directly use the blockchain network to verify the hashed data using the transaction identifier. The transient blockchain proxy server buffers all incoming requests until one of the pending requests reaches a send timepoint that is the blockchain network delay plus a buffer time before a guaranteed time of verification. All incoming requests are then consolidated and sent as a single transaction to the blockchain network. Tiered verification-time services are enabled.

Abstract: Disclosed herein is a system for minimizing the amount of time it takes to process and understand an unstructured, text-heavy document that includes important security-related information. The system uses a model that implements natural language processing techniques to semantically analyze an unstructured, text-heavy document, in order to identify notable security features useable to resolve the security issues in a more effective and efficient manner (e.g., without the need for a technical security professional). More specifically, the system receives an unstructured document that includes text which may be provided by multiple different security providers. The system is configured to apply the model to various text segments (e.g., a phrase, a sentence, a paragraph, etc.) included in the unstructured document to identify notable security features. The model can then associate the notable security features with a prescribed set of mitigation actions that can be implemented to resolve a security issue.

Abstract: A multi-API security policy that covers multiple API calls of a transaction is dynamically enforced at runtime, without access to the specification or code of the APIs. Calls made to APIs of the transaction are logged, and the logs are read. Data objects used by the APIs are identified. Specific data labels are assigned to specific fields of the data objects, consistently identifying data fields of specific types. Linkages are identified between specific ones of the multiple APIs, based on the consistent identification of specific types of data fields. An API call graph is constructed, identifying a sequence of API calls made during the transaction. The call graph is used to enforce the security policy, by tracking the flow of execution of the multi-API transaction at runtime, and detecting actions that violate the security policy. Security actions are taken responsive to the detected actions that violate the policy.

Abstract: Methods and apparatus for protecting a physical unclonable function (PUF) generator are disclosed. In one example, a PUF generator is disclosed. The PUF generator includes a PUF cell array, a PUF control circuit and a reset circuit. The PUF cell array comprises a plurality of bit cells. Each of the plurality of bit cells is configurable into at least two different stable states. The PUF control circuit is coupled to the PUF cell array and is configured to access each of the plurality of bit cells to determine one of the at least two different stable states upon a power-up of the plurality of bit cells, and generate a PUF signature based on the determined stable states of the plurality of bit cells. The reset circuit is coupled to the PUF cell array and is configured to set the plurality of bit cells to represent their initialization data based on an indication of a voltage tempering event of a supply voltage of the PUF cell array.

Abstract: Disclosed herein are system, method, and computer program product embodiments for displaying roles of an identity and access management (IAM) together with their corresponding compliance status of the assigned security policies with respect to a set of security rules. The method includes selecting a first role and a second role administered by an entity of the IAM system. Afterwards, the method includes determining, based on a set of security rules, a first compliance status of the first role associated with a first set of security policies; and a second compliance status of the second role associated with a second set of security policies. In addition, the method includes displaying on a GUI, the first role and the second role together with a first compliance status and a second compliance status.

Abstract: A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize the data identifying malicious behavior, the user identity data, and the endpoint device data to generate, based on an identity of the user, a security policy to isolate the malicious behavior. The device may cause the security policy to be provided to the network devices and the other endpoint devices based on the network device data and the endpoint device data.

Abstract: Aspects described herein may allow for authenticating a user by generating a customized set of authentication questions based on patterns that are automatically detected and extracted from user data. The user data may include transaction data collected over a period of time. By automatically detecting user patterns that correspond to user behavior over a period of time, an authentication system may be able to generate information that is recognizable to an authentic user but difficult to guess or circumvent for any other user.

Abstract: A network node selectively encrypts messages between a user plane node and a control plane node in a network system. The user plane node and the control plane node negotiate a connection and indicate an encryption level for the connection. The encryption level is selected from an Information Element (IE) level, a message level, or a feature level. The user plane node and the control plane node selectively encrypt at least a portion of the messages between the user plane node and the control plane node based on the encryption level for the connection.

Abstract: The present embodiments relate to identifying and mitigating memory bit flips in a cloud infrastructure service. The cloud infrastructure service can provide a monitoring system to monitor low level memory space to detect bit flips by the DRAM instances in the cloud infrastructure service. The bit flips detected in various DRAM computing instances can be processed to verify that the bit flips are sustained (e.g., and possibly relating to a Rowhammer attack) rather than transitory bit flips occurring in DRAM computing devices. Responsive to validating a set of bit flips at one or more computing instances, workloads associated with the affected computing instances can be migrated to other computing instances in the cloud infrastructure service.

Abstract: Disclosed are implementations, including a method that includes monitoring dataflow streams in a network comprising multiple computing nodes, and determining network security characteristics for a dataflow stream, from the monitored dataflow streams, relating to security, authentication, and access events for accessing, via the dataflow stream, one or more of the multiple nodes. The method further includes determining potential violations by the dataflow stream of security policies defined for operation of the network, access functionality for the network, or identity attributes used by the network, based, at least in part, on the determined network security characteristics for the dataflow stream, and based on network-operation data comprising one or more of network security data, network identity data, and network access data. The network-operation data is stored in one or more data storage units in the network, and is configured to manage network access and operation for the multiple computing nodes.

Abstract: A method, controller, and non-transitory computer-readable medium of a distributed crypto-ledger network, including receiving an instruction to perform an operation between a first user and a second user, the first user corresponding to a first entity that is a member of the distributed crypto-ledger network, the instruction comprising a destination address corresponding to the second user, querying a top-level name registry with the destination address to determine a second entity associated with the destination address, the second entity being a different member of the crypto-ledger network, and executing the operation between the first user and the second user by transmitting execution instructions to the first entity and the second entity, the execution instructions causing a first entity controller to modify data stored on a first distributed crypto-ledger of the first entity, and causing a second entity controller to modify data stored on the second distributed crypto-ledger of the second entity.

Abstract: Systems, related methods and other means for providing the securing of web site source code are provided herein. The system and methods may be configured to poll a client device and/or to otherwise determine whether a debugging console is active on a client device and deny access to the JavaScript and source code if the debugging console is active. Additionally or alternatively, the system and methods may receive a request to access the source code form a client device, and may determine whether the request is from a trusted referrer and whether the debugging console is active. When the request is from an untrusted referrer, and/or when the debugging console is active the system and method can deny access to the source code. When the request is from a trusted referrer and the debugging console in inactive, the system and method can grant access to the source code.

Abstract: A computer-implemented method of monitoring security of a set of computing devices in a distributed system, the distributed system having a plurality of computing devices, in communication with one another over a network, by a security software running in a computer node. The method includes comparing an app signature of the application running in a selected one of the set of computing devices to a reference app signatures generated from a respective functional replica of the application.

Abstract: Systems and/or methods of the present disclosure enable ledger interoperability using a controller to perform an operation between a first user and a second user on separate entity-specific distributed ledgers, where the separate entity-specific distributed ledgers are both operatively linked to a membered common distributed ledger. The controller burns a first quantity of first entity-specific tokens from the first entity-specific distributed ledger and mints a second quantity of the common tokens on the membered common distributed ledger, where the first quantity of first entity-specific tokens and the second quantity of the common tokens represent an equivalency. The controller moves the second quantity of common tokens from a first encrypted storage to a second encrypted storage of the membered common distributed ledger, burns the second quantity of the common tokens and mints a third quantity of the second entity-specific tokens on the second entity-specific distributed ledger to complete the operation.