Patents Examined by Shu Chun Gao
  • Patent number: 11777978
    Abstract: Systems and methods for assessing an application access risk are provided. An example method commences with collecting data concerning relationships between an application, one or more client devices, and one or more users in a computing environment. The method includes updating a graph database including nodes and edges. The nodes represent the application, the one or more client devices, and the one or more users and the edges represent relationships between the application, the one or more client devices, and the one or more users. The method continues with enriching the graph database by associating the nodes with metadata including information concerning the one or more users accessing the application from the one or more client devices. The method further includes analyzing the graph database to identify a subset of nodes used to access the application and displaying a graphical representation of the subset of nodes.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: October 3, 2023
    Assignee: vArmour Networks, Inc.
    Inventors: Paul Bigbee, Marc Woolward, Hsisheng Wang, Keith Stewart, Jason Parry
  • Patent number: 11777991
    Abstract: A first permission allocated to a first identity may be identified. Permission usage information may be analyzed. The permission usage information may include permission usage history information and permission usage pattern data. An estimated probability of a future usage of the first permission by the first identity may be forecasted based, at least in part, on the permission usage information. A first recommendation relating to allocation of the first permission to the first identity may be determined based, at least in part, on the estimated probability. The first recommendation may be a recommendation for the first identity to retain the first permission or a recommendation to deallocate the first permission from the first identity. An indication of the first recommendation may be provided to a user.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: October 3, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Homer Strong, Brigid Ann Johnson, Mathangi Ramesh
  • Patent number: 11750607
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for identifying accounts having shared credentials. In some implementations, a content management system can collect user login context data when a user logs in to or accesses a user account of the content management system. For example, the content management system can collect client device data, client application data, internet protocol (IP) address data, and/or other data from the user's device when the user logs in to the user account. The content management system can analyze the login context data to determine patterns that indicate that the user account login credentials are being shared among multiple users.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: September 5, 2023
    Assignee: Dropbox, Inc.
    Inventors: Kapil Yedidi, Anton Mityagin, Sean Byrne, Andrew Scheff
  • Patent number: 11734097
    Abstract: An illustrative method includes identifying, based on an output of a machine learning model that receives data associated with an operation of a hardware component as an input, an anomaly in the data, determining that the anomaly is representative of an issue associated with the hardware component, and performing, based on the determining that the anomaly is representative of the issue associated with the hardware component, a remedial action that affects a performance of the operation of the hardware component.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: August 22, 2023
    Assignee: Pure Storage, Inc.
    Inventors: Christopher Golden, Emily Watkins
  • Patent number: 11734426
    Abstract: A microprocessor for mitigating side channel attacks includes a memory subsystem having at least a data cache memory and configured to receive a load operation that specifies a load address. The processor performs speculative execution of instructions and executes instructions out of program order. The memory subsystem, in response to detecting that the load address misses in the data cache memory: detects a condition in which the load address specifies a location for which a valid address translation does not currently exist or permission to read from the location is not allowed, and prevents cache line data implicated by the missing load address from being filled into the data cache memory in response to detection of the condition.
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: August 22, 2023
    Assignee: Ventana Micro Systems Inc.
    Inventors: John G. Favor, Srivatsan Srinivasan
  • Patent number: 11720701
    Abstract: Systems and methods to control data access and usage by storing a permitted use of a set of data items. The permitted use identifies: a set of computer resources to be used to operate on the set of data items; rules for operating on the data items; and a data product to be generated from the set of computer resources operating on the set of data items. A project space provides the set of computer resources to operate on the set of data items according to the permitted use, wherein the data product is to be transferred from the project space to a user device separate from the system; and a usage monitor records operations of the set of computer resources on the set of data items in the project space for compliance with the permitted use. A data air-lock mechanism implements dynamic permissions rules based on actual usages.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: August 8, 2023
    Assignee: IXUP IP PTY LTD
    Inventor: Ryan Matthew Peterson
  • Patent number: 11722492
    Abstract: Systems and methods are provided for protecting a plurality of electronic devices via a control server. The control server, for example, can receive one or more indications that a first electronic device is considered malicious and add it to a security threat list. Then the control server can communicate the security threat list to others of the electronic devices, networked for communication with each other, such that the other electronic devices reject all communication from any device listed on the security threat list. Next, upon receiving indication from an approved security patch-providing source that a security patch has been applied to the first electronic device, the control server can remove the first electronic device from the security threat list and communicate the updated security threat list to the other electronic devices indicating that it is safe for these electronic devices to again receive communication from the first electronic device.
    Type: Grant
    Filed: April 8, 2021
    Date of Patent: August 8, 2023
    Assignee: T-Mobile Innovations LLC
    Inventor: Ahmad Arash Obaidi
  • Patent number: 11716315
    Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: August 1, 2023
    Assignee: AUTHENTIC8, INC.
    Inventors: Ramesh Rajagopal, James K. Tosh, Fredric L. Cox, Perry F. Nguyen, Jason T. Champion
  • Patent number: 11716322
    Abstract: A method, computing device and computer program product generate a temporary password to control access to a record created in response to an electronic message. An electronic message is parsed to separately identify a plurality of fields that provide different types of information. Record(s) are accessed from a database that are associated with the information provided by at least one field. An action to be initiated by the electronic message is determined to either be taken or to be rejected based upon information provided by the field(s) of the electronic message and also based upon information from the record(s) accessed from the database. If the action is rejected, a record of the electronic message is created for transmission along with information regarding the rejection. A temporary password is also generated to control access to the record created regarding the electronic message and its rejection. The response includes the temporary password.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: August 1, 2023
    Assignee: MCKESSON CORPORATION
    Inventor: Patrick Harris
  • Patent number: 11700260
    Abstract: A technique is provided that enables native authentication to cloud services by employing identity management of on-premise applications from the cloud. More specifically, a Web-service interface built on an innovative orchestration of platform-independent container technology is created. An identity management application is made available inside a container and can therefore execute in any cloud-service provider. Specifically, this application can communicate back into a business' on-premise applications, using the Representational State Transfer (REST) application programming interface architecture. The container is published to the cloud for users to download. Thus, for example, by way of this technique, a user can log onto any cloud application using the same logon information the user uses on-premise.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: July 11, 2023
    Inventor: Nelson A. Cicchitto
  • Patent number: 11665189
    Abstract: A method of operating an Internet of Things device is described. In the method, an electrical power is supplied to electrical circuitry in the Internet of Things device. The Internet of Things device is communicatively coupled to a computer network using circuitry of a transceiver and a communications module of the Internet of Things device. A detecting circuit is operated to indirectly monitor a level of activity of the communications module. If the level of activity of the communications module is determined to exceed a threshold value, a volume of communications between the Internet of Things device and the computer network is curtailed.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: May 30, 2023
    Assignee: IOXT, LLC
    Inventors: Brad Ree, Craig Trivelpiece
  • Patent number: 11658977
    Abstract: In one embodiment, a device including a processor, and a memory to store data used by the processor, wherein the processor is operative to run a manufacturer usage description (MUD) controller operative to obtain a MUD profile of an Internet of Things (IoT) device from a MUD server, the MUD profile of the IoT device including: access rights of the IoT device, and any one or more of the following: a default device username and/or a default device password of the IoT device, a recommended/required device password complexity of the IoT device, at least one service that should be enabled/disabled on the IoT device, and/or allowed security protocols and/or ciphers for communication to and/or from the IoT device, and enforce security of the IoT device according to the MUD profile of the IoT device. Related apparatus and methods are also described.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: May 23, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Nikhil Sainath Kale, M. David Hanes, Ana Peric, Gonzalo Salgueiro
  • Patent number: 11658945
    Abstract: A network device includes a transmitter and a receiver to establish a secure connection with one or more network nodes as part of an Autonomic Control Plane (ACP) network. The network device also includes a processor coupled to the transmitter and receiver. The processor receives a request from an application to initiate a connection with a destination network node. The processor also receives packets from the application for transmission toward the destination network node. When the packets from the application are unencrypted, the processor end-to-end encrypts the unencrypted packets without notifying the application. The transmitter then transmits the encrypted packets towards the destination network node across the ACP network.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: May 23, 2023
    Assignee: Futurewei Technologies, Inc.
    Inventors: Toerless Eckert, Sheng Jiang, Bing Liu
  • Patent number: 11647047
    Abstract: A data security system, including a security manager computer making network application programming interface (API) calls to a cloud-based service that (i) performs data exchange transactions for end users, and (ii) includes a mechanism for an end user to invoke in order to report a transaction received by the end user to a central authority as being a potentially harmful or deceptive transaction, the API calls remotely controlling the cloud-based service so that the security manager computer accesses transactions that have entered the cloud-based service, and a data inspector operative to analyze a transaction as being harmful or deceptive, by applying machine learning, wherein the security manager computer controls the cloud-based service so as to transmit transactions reported by the mechanism to the security manager, instead of or in addition to the central authority, for analysis by the data inspector.
    Type: Grant
    Filed: January 6, 2021
    Date of Patent: May 9, 2023
    Assignee: AVANAN INC.
    Inventors: Roy Rotem, Gil Friedrich
  • Patent number: 11636204
    Abstract: Disclosed herein are systems and methods for preventing anti-forensics actions. In one exemplary aspect, a method may identify a suspicious object from a plurality of objects on a computing device and monitor actions performed by the suspicious object. The method may intercept a first command by the suspicious object to create and/or modify a digital artifact on the computing device and subsequent to intercepting the first command, intercept a second command by the suspicious object to delete at least one of the suspicious object and the digital artifact. In response to intercepting both the first command to create and/or modify the digital artifact and the second command to delete at least one of the suspicious object and the digital artifact, the method may block the second command, and may store the suspicious object and the digital artifact in a digital repository.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: April 25, 2023
    Assignee: Acronis International GmbH
    Inventors: Vladimir Strogov, Oleg Ishanov, Alexey Dod, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11632348
    Abstract: A method for a user/an employee in a system to acquire an email account is disclosed in the present invention, including: relating a role-nature email account to a role according to work content of the role in the system, wherein during the same period, one role can only be related to one role-nature email account, and one role-nature email account can only be related to one role; said role is an independent individual not a group/a class, and during the same period, one role can only be related to a unique user, while one user is related to one or more roles; and creating a relation between a user and a role, wherein for any user, the role-nature email accounts related to all roles related to said user are used as role-nature email accounts of the user and/or an employee corresponding to the user.
    Type: Grant
    Filed: July 27, 2018
    Date of Patent: April 18, 2023
    Assignee: CHENGDU QIANNIUCAO INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Dazhi Chen
  • Patent number: 11611589
    Abstract: A data storage system can consist of a network controller connected to a data storage device and a remote host. An attack mitigation strategy may be generated with an attack module connected to the network controller in response to detected data storage conditions in the data storage device. The attack mitigation strategy can be executed with the attack module by sending separate first and second security queries to the data storage device over time. At least a powered move attack can then be identified based on the second security query.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: March 21, 2023
    Assignee: Seagate Technology LLC
    Inventors: Christopher N. Allo, Saheb Biswas, Kevin G. Sternberg
  • Patent number: 11592997
    Abstract: A system is provided with a software controller; a storage platform capable of storing stored blocks of data and having a central processing unit; a controller monitoring and isolation tool embedded in the software controller; and a storage monitoring and isolation tool embedded in the storage platform that is capable of locking down a memory partition on the storage platform. The system also includes a memory for storing computer instructions and a host computer coupled with the memory, wherein the host computer, responsive to executing the computer instructions, performs certain operations. The operations include extracting orchestration configurations through the controller monitoring and isolation tool and relaying the orchestration configurations to the storage monitoring and isolation tool.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: February 28, 2023
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Joseph Soryal, Naila Jaoude
  • Patent number: 11595431
    Abstract: Efficient virus detection and removal are realized by changing a mode of collecting logs in accordance with a network usage status. A configuration includes a processing monitoring unit that executes processing of monitoring a data communication network, and the processing monitoring unit includes a system load monitoring unit that monitors an available bandwidth of a network and a virus monitoring unit that collects log information corresponding to a communication message and performs virus detection. The virus monitoring unit changes a mode of collecting log information in accordance with information regarding the available bandwidth of the network acquired by the system load monitoring unit. In a case where a virus is detected and the available bandwidth is neither equal to nor larger than a predetermined threshold, only limited log information corresponding to a high-priority communication message is collected.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: February 28, 2023
    Assignee: SONY CORPORATION
    Inventor: Kenta Tada
  • Patent number: 11580223
    Abstract: A vehicular control apparatus is used in an onboard system provided with a plurality of information processors mutually connected via a communication bus, and includes a storage section for storing information, and an arithmetic section for executing a process based on the information stored in the storage section. The information contains first management information relating to a security abnormality as a communication data abnormality owing to security attack from outside the onboard system, and second management information relating to a safety abnormality as a communication data abnormality owing to an abnormality in the onboard system. The first management information contains first limit condition information indicating a first limit condition for executing a security coping with the security abnormality. The second management information contains second limit condition information indicating a second limit condition for executing a safety coping with the safety abnormality.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: February 14, 2023
    Assignee: Hitachi Astemo, Ltd.
    Inventors: Nobuyoshi Morita, Kota Ideguchi