Abstract: A computational instance of a remote network management platform may execute a remote access call for a license consolidation server. The remote access call may contain instructions for obtaining concurrent license usage statistics from the license consolidation server. In response to obtaining the concurrent license usage statistics, the computational instance may update a software configuration with the concurrent license usage statistics, where the software configuration contains a license rights allocation for the concurrent software application. Based on the concurrent license usage statistics and the license rights allocations, the computational instance may generate a representation of a graphical user interface that contains an overview pane indicating a utilization of the concurrent software application. Then the computational instance may transmit, to a client device, the representation of the graphical user interface.

Abstract: Some embodiments provide a method for applying a security policy defined for a logical network to an MHFE that integrates physical workloads (e.g., physical machines connected to the MHFE) with the logical network. The method applies the security policy to the MHFE by generating a set of ACL rules based on the security policy's definition and configuring the MHFE to apply the ACL rules on the network traffic that is forwarded to and/or from the physical machines. In order to configure an MHFE to implement the different LFEs of a logical network, some embodiments propagate an open source database stored on the MHFE, using an open source protocol. Some embodiments propagate a particular table of the database such that each record of the table creates an association between a port of an LFE stored in a logical forwarding table and one or more ACL rules stored in an ACL table.

Abstract: Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.

Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.

Abstract: Controlling access to nodes in a relational graph at query time by using an approximate membership query (AMQ) filter and ordered queries based on historic grants or denials of access according to security context enables a more efficient querying of the relational graph while preserving access controls. Security contexts that grant or deny access to a node are stored in an associated AMQ filter and are queried according to the subject's security context in an order based on the frequency at which the security contexts have previously granted or denied access to nodes in the relational graph.

Abstract: Systems and methods for integrative legacy context management are disclosed herein. An example computer hardware system may include at least one processing unit coupled to a memory, and the memory may be encoded with computer executable instructions that when executed cause the at least one processing unit to receive a set of credentials associated with a user from a user device, cross-reference the set of credentials with a first set of credentials of an agent associated with the user to determine whether the set of credentials is valid; and if the set of credentials is valid, provide a second set of credentials of the agent to the user device in response to a request for the second set of credentials from the user device.

Abstract: Systems and methods for a multitenant computing platform. Original data is generated through operation of a computing platform system on behalf of an account of the computing platform system, and the original data is moderated according to a data retention policy set for the account. The moderated data is stored at the computing platform system. The computing platform system moderates the generated data by securing sensitive information of the generated data from access by the computing platform system, and providing operational information from the generated data. The operational information is accessible by the computing platform system during performance of system operations.

Abstract: Presented herein are methodologies for implementing multi-domain cloud security and ways to partition end-points in data center/cloud network topologies into hierarchical domains to increase security and key negotiation efficiency. The methodology includes receiving, from a first endpoint, at a cloud security protocol stack, a packet encrypted in accordance with a cloud security key negotiated between the first endpoint and a second endpoint; extracting a cloud security globally unique domain-id from the packet; querying a cloud security domain repository using the cloud security globally unique domain-id as an index to identify a first cloud security domain, among a plurality of cloud security domains, to which the first endpoint and the second endpoint belong; and selecting the first cloud security domain to process the packet.

Abstract: Provided is an apparatus (TFDC) for operating a software-configured processing unit (SDS) for a device, in particular a field device (TFD), wherein the apparatus, according to a prescribed and/or prescribable architecture, includes at least one processor (CPU) and a number of hardware units, having: a security unit (IOS; MS) configured to cause a change in the arrangement of the data bit sequence of at least one data stream provided and/or routed to the processing unit (SDS) to protect the hardware units from manipulation. The processing unit is trustworthy, i.e., is protected from manipulation and attack from the outside. The data stream arrives at the device. A “number” here and above denotes a number of one or more.

Abstract: A method, a device, and a non-transitory storage medium are described in which a privacy management service is provided. The privacy management service may be included in an in-home device. The privacy management service may multiple levels of privacy relating to traffic received from end devices that are connected to an external network via the in-home device. The privacy management service may include a smart speaker service. The privacy management service may allow a user to configure a privacy level of an end device. The privacy management service may include machine learning logic that may filter sensitive information included in received traffic.

Abstract: Disclosed are embodiments directed to security methods applied to connections between components in a distributed (networked) system including medical and non-medical devices, providing secure authentication, authorization, patient and device data transfer, and patient data association and privacy for components of the system.

Abstract: Various examples described herein are directed to systems and methods for securing data. A security system may receive a first record comprising a plurality of record fields, where the plurality of record fields includes a first record field and the first record field includes a first record field data. The security system may access a source setup record corresponding to the first record from a source setup table and determine that the source setup record comprises data referencing the first record field. The security system may access first token data corresponding to the first record field data and replace the first record field data at the first record field with the first token data. The security system may store the first token data at a token table and writing the first token data to the first record field to replace the first record field data.

Abstract: A security system for a programmable electronic device of a vehicle, the electronic device including an interface that can be used for accessing and/or programming the electronic device by means of an external access. The security system includes a sensor configured to detect a position and/or orientation of the electronic device with respect to the vehicle, and a security module. The security module is configured to determine coincidence based on of the position and/or orientation of the electronic device with respect to the vehicle detected by the sensor and an expected position and/or orientation of the electronic device with respect to the vehicle, and in the event of a detected coincidence prevent access and/or programming of the electronic device.

Abstract: A method, apparatus and computer program product are disclosed to provide for the selective establishment and use of secure communication channels to facilitate the exchange of data objects containing potentially sensitive information in a network environment. In some example implementations, upon detection that the processing of a network entity request implicates the exchange of non-public information amongst one or more other network entities, one or more secure communication channels are established between a secure transfer system and the relevant network entities such that non-public information neither passes to nor resides on system components associated with non-secure network entities.

Abstract: The present disclosure relates to a realtime urban traffic status monitoring method based on privacy-preserving compressive sensing, including the following steps: step S1: dividing vehicle data under privacy preserving into two parts, and sending the two parts to two different road side units (RSU) for preprocessing; step S2: outsourcing, by the two different RSUs, preprocessed vehicle data to two cloud platforms (CP) respectively, and designing a data encryption execution protocol based on a finally expected operation result and interactive operation between the two CPs, to encrypt the data; and step S3: receiving, by a navigation service provider (NSP), encrypted data from the CPs, decrypting the received encrypted data, and estimating an urban traffic status by using a compressive sensing technology.

Abstract: An electronic device includes one or more sensors, a user interface having one or more user interface output devices, and one or more processors operable with the one or more sensors and the user interface. The one or more processors receive, from the user interface, a command to power OFF the electronic device. Upon failing to detect, with the one or more sensors, an authorized user of the electronic device as a source of the command to power OFF the electronic device, the one or more processors disable the one or more user interface output devices while leaving the one or more sensors operational.

Abstract: A system and method for cross-domain parallel inspection of data packets in transit between domains of differing security classification incorporating sequential cryptographic control is disclosed. In embodiments, the system includes first and second random number generators, each generating a one-time pad for transmission to both a corresponding front-end cryptographic engine and a parallel guard engine. The cryptographic engines double encrypt the data packet in sequence according to the one-time pads, storing the encrypted packet in a holding register. Each guard engine inspects the data packet in parallel, indicating approval by transmitting a release to the holding register and sending its one-time pad to a back-end cryptographic engine. When the holding register receives both releases, the double encrypted packet is sequentially decrypted by the back-end cryptographic engines in reverse order according to the one-time pads received from the guard engines.

Abstract: A processing system includes a first processing circuit including a first PLC configured to receive a red signal, a plurality of first processors operated by the first PLC to process the red signal, and a first hypervisor configured to control operation of the first processors. The processing system includes a second processing circuit physically separated from the first processing circuit that includes a second PLC configured to receive a black signal, a plurality of second processors operated by the second PLC to process the black signal, and a second hypervisor configured to control operation of the second processors. The processing system includes a configuration controller configured to identify an operation to be performed by at least one of the first or second processing circuit and cause at least one of the corresponding first hypervisor or second hypervisor to allocate respective first processors or second processors to perform the operation.

Abstract: Systems and methods for software license management using a distributed ledger are disclosed. A method for software license management may include: receiving, from an agent executed by an electronic device in a computer network, a request for a new software license for the electronic device or for a user; determining that there are no available tokens for associated with the software license in a license inventory; obtaining a license for the software; generating a token for the license, wherein the token comprises an identification of a license type and a software identifier; writing the token to a license distributed ledger with an indication that the token is available; reserving the token for the electronic device or the user and writing the reservation to the license distributed ledger; and adding a second token for the license to an electronic wallet associated with the electronic device or the user.

Abstract: Embodiments decrypt a list of ciphertexts by determining one or more constraints for plaintext messages that were converted to the list of ciphertexts using a block cipher when generating the ciphertexts. Embodiments model the constraints as an optimization problem and solve the optimization problem using one or more Satisfiability Modulo Theories (“SMT”) solvers to generate an SMT solution, where the solution includes the plaintext messages.