Patents Examined by Syed M Ahsan
  • Patent number: 11855987
    Abstract: A method of utilizing a distributed ledger for a cloud service access control. The method may include receiving, by an identity and access management (IAM) service, an identifier of a client of a cryptographically protected distributed ledger; transmitting, to a proxy service, a subscription request for distributed ledger transactions initiated by the client; receiving, from the proxy service, a transaction notification comprising an identifier of the client, an identifier of an autonomous agent, and an identifier of a cloud service; receiving, from the cloud service, a validation request with respect to an action request submitted by the autonomous agent; validating, using the transaction notification, the action request; and notifying the cloud service of validity of the action request.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: December 26, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Jasmeet Chhabra
  • Patent number: 11853853
    Abstract: An anomaly detection system is disclosed capable of reporting anomalous processes or hosts in a computer network using machine learning models trained using unsupervised training techniques. In embodiments, the system assigns observed processes to a set of process categories based on the file system path of the program executed by the process. The system extracts a feature vector for each process or host from the observation records and applies the machine learning models to the feature vectors to determine an outlier metric for each process or host. The processes or hosts with the highest outlier metrics are reported as detected anomalies to be further examined by security analysts. In embodiments, the machine learning models may be periodically retrained based on new observation records using unsupervised machine learning techniques. Accordingly, the system allows the models to learn from newly observed data without requiring the new data to be manually labeled by humans.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: December 26, 2023
    Assignee: Rapid7, Inc.
    Inventors: Jocelyn Beauchesne, John Lim Oh, Vasudha Shivamoggi, Roy Donald Hodgman
  • Patent number: 11855967
    Abstract: A first correspondence table in a terminal device stores a first correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process. A second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier of a first data stream from a network security device, finds, in the first correspondence table, a first record where the identifier of the first data stream is stored to obtain an identifier of a process in the first record, finds, in the second correspondence table, a second record where the identifier of the process in the first record is stored to obtain an identifier of an application from the second record, and sends the identifier of the application to the network security device.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: December 26, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Youyong Li, Ying Xiong
  • Patent number: 11855805
    Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: December 26, 2023
    Assignee: VMWARE, INC.
    Inventors: Israel Cidon, Chen Dar, Prashanth Venugopal, Eyal Zohar, Alex Markuze
  • Patent number: 11848926
    Abstract: A method for determining an access right of a user terminal to a first network, wherein the user terminal (110) includes a subscription of a second network (150). The method includes: receiving (310) an access request message (240) including a data record for a user name and a data record for a password; determining (320) that the records are in a pre-determined format and that at least one of them includes data from which a subscriber identity for the second network is derivable; generating (330) an authentication request message from the access server (140) to a server (160) configured to perform authentication related tasks in the second network; receiving (340) information on the outcome of the authentication of the subscriber in the second network, generating (350) an acknowledgement to the user terminal (110) indicating right to access to the first network.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: December 19, 2023
    Assignee: TELIA COMPANY AB
    Inventors: Ilkka Keisala, Joni Rapanen, Jari Kotomaki, Tommi Saranpaa, Niko Suominen, Timo Tunturi, Patrik Maltusch
  • Patent number: 11848940
    Abstract: This disclosure is directed to detecting cybersecurity attacks in data processing systems. Methods, systems, and computer program products perform operations including determining baseline event clusters using baseline event data obtained from deterministic target systems. The operations also include determining a baseline cumulative trajectory of an event over time based on the baseline event clusters. The operations further include determining operational event clusters using operational event data from the deterministic target systems. Additionally, the operations include determining an operational cumulative trajectory of the event over time based on the operational event clusters. Further, the operations include detecting a cyber-attack by comparing the baseline cumulative trajectory of the event with the operational cumulative trajectory of the event.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: December 19, 2023
    Assignee: THE BOEING COMPANY
    Inventors: Jadranka Mead, James E. Vasatka
  • Patent number: 11838313
    Abstract: Implementations include receiving flow data representative of communication traffic of the network, determining that at least one blacklisted Internet protocol (IP) address is present in the flow data, and in response: providing a set of high-dimensional flow representations of network traffic by processing historical flow data through a deep learning (DL) model, providing a set of low-dimensional flow representations of the network traffic based on the set of high-dimensional flow representations, and labeling at least a portion of the set of low-dimensional flow representations to provide a sub-set of labeled low-dimensional flow representations and a sub-set of unlabeled low-dimensional flow representations, and identifying a host associated with an unlabeled low-dimensional flow representation as a potentially malicious host, and in response, automatically executing a remedial action with respect to the potentially malicious host.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: December 5, 2023
    Assignee: Accenture Global Solutions Limited
    Inventors: Vicknesh Manoselvam, Boon Siew Seah, Kamal Mannar
  • Patent number: 11831786
    Abstract: A system for establishing and maintaining a chain of trust can include a root of trust (RoT) executing a root trusted server that pushes authenticated code and data into memory of a given node in a plurality of nodes. The RoT can also record a memory address range of a static portion of the authenticated code and a corresponding static data in the given node and cause the given node to execute the authenticated code in response to the pushing to establish a trusted relationship between the trusted server of the RoT and the given node. The root trusted server also monitors the given node to ensure that the given node executes trusted operations. The authenticated code in the memory of the given node can include a trusted server that pushes authenticated code into memory of another node in the plurality of nodes.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: November 28, 2023
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Steven D. Ratts, Brian J. Noe, Francis B. Afinidad
  • Patent number: 11823658
    Abstract: The disclosed technologies include methods for generating a calibration model using data that is selected to match the conditions of a particular trial that involves an automated comparison of data samples, such as a comparison-based trial performed by an audio-based recognition, identification, or detection system. The disclosed technologies also include improved methods for selecting candidate data used to build the calibration model. The disclosed technologies further include methods for evaluating the performance of the calibration model and for rejecting a trial when not enough matched candidate data is available to build the calibration model. The disclosed technologies additionally include the use of regularization and automated data generation techniques to further improve the robustness of the calibration model.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: November 21, 2023
    Assignee: SRI INTERNATIONAL
    Inventors: Mitchell Leigh McLaren, Aaron Lawson
  • Patent number: 11824895
    Abstract: Embodiments of the present invention provide for a method, system, and apparatus for processing content during scan and/or remediation processing. The method includes receiving a scan request or a remediation request. Content from a datastore referencing one or more controls as well as one or more of a compliance value, remediation value, and an ignore switch corresponding to each control is then loaded. If a scan request is received, the computing environment is scanned to determine all controls in the computing environment and the current setting of each. Thereafter, a subset of controls is determined, where the current setting of each control in the subset is out of compliance, the out of compliance state for each control is not to be ignored, and a remediation value for the corresponding control is listed in the loaded content. Thereafter, information regarding each control is determined, captured, and then stored.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: November 21, 2023
    Assignee: Steelcloud, LLC.
    Inventor: Brian H. Hajost
  • Patent number: 11785052
    Abstract: A system and method for responding to incidents in an enterprise network is disclosed. The system tracks incidents by creating, in an incident Manager, incident objects for each incident. Each incident object includes details for the incidents, also known as incident characteristics. The system also creates one or more indicators of compromise (IOCs) associated with the incident characteristics for each incident. When processing a new incident or an update to an incident, the system compares IOCs associated with the incident object for the incident being processed to stored IOCs for other incidents to determine if other incidents are related to the incident being processed. In embodiments, the system can then generate tasks for responding to new incidents based on incident characteristics of and IOCs associated with the new incidents, and can regenerate tasks for responding to incidents based on updates to incident characteristics of and IOCs associated with the incidents.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: October 10, 2023
    Assignee: International Business Machines Corporation
    Inventors: Aditya Vinayak Kothekar, Kenneth Allen Rogers
  • Patent number: 11775403
    Abstract: The present invention discloses a computer implemented method for developing an anomaly detector which is adapted to detect/predict anomaly in one or more network terminals and optimize the behavior of the network terminals. The said method is adapted to collect and monitor the behavior of the network terminals and compare it with the behavior profile of the network terminals in order to detect the anomaly parameter. The behavior profile is the normal interaction of the software and hardware components of the network terminals. A system for implementation and execution of such anomaly detector is also disclosed.
    Type: Grant
    Filed: January 13, 2019
    Date of Patent: October 3, 2023
    Inventors: Yandy Perez Ramos, Aldo Ferrante
  • Patent number: 11762989
    Abstract: A method for securing data by embedding the data in a data structure and utilizing a sensor device to detect transfer of the data structure. The data is embedded such that the data is only accessible by first executing an executable program. If the executable program determines that the device attempting to access the data (the accessing device) does not have permission to access the data, then the executable program destroys all or a portion of the data. If the data structure is transferred to another device, a sensor device positioned to detect the data structure when transferred will identify the data. If the sensor device determines that the data structure is not permitted to be transferred, then the sensor device destroys all or a portion of the data.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: September 19, 2023
    Assignee: Bottomline Technologies Inc.
    Inventors: Trevor Ramberg, Fred Ramberg
  • Patent number: 11755753
    Abstract: Secure memory sharing between enclaves (virtual machines) and virtual input/output adapters includes, in response to a request for an enclave to create a virtual input/output adapter, creating a virtual input/output adapter associated with the enclave, creating a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter, generating a key by a memory encryption engine of an ultravisor for the virtual input/output adapter for use by only the virtual input/output adapter, in response to a request to obtain data from the enclave by the virtual input/output adapter, exchanging the key with the non-sharable micro-enclave, in response to receiving the key, decrypting memory of only the non-sharable micro-enclave associated with the virtual input/output adapter to obtain the data, and sending the data from the non-sharable micro-enclave nested within the enclave to the virtual input/output adapter.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: September 12, 2023
    Assignee: Kyndryl, Inc.
    Inventors: Breno H. Leitao, Mauro Sergio Martins Rodrigues, Daniel Battaiola Kreling, Rafael Camarda Silva Folco
  • Patent number: 11706051
    Abstract: In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of the network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: July 18, 2023
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Cosmin C. Stan, Andrei Rusu, Bogdan C. Cebere, Alexandru I. Achim
  • Patent number: 11677564
    Abstract: A content distribution system includes content receivers that provide a plurality of blockchain databases that store transaction records associated with subscriber requests for content, and a computer system that processes those transaction records and enables authorized content receivers to output requested content.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: June 13, 2023
    Assignee: DISH NETWORK L.L.C.
    Inventors: Christofer Hardy, David Abraham
  • Patent number: 11632397
    Abstract: A method, computer program product, and system includes a processor(s) obtaining an authorization failure from a target application because an access request was denied based on insufficient permissions of a user. The processor(s) institutes a mock interface with a visual appearance of the target application. The mock interface displays predefined data and the target application displays dynamic data, from the server(s) executing the target application. The processor(s) obtains, via the mock interface, a request to change the permissions of the user to the target application, which includes a selection, by the user, through the mock interface, of one or more individual permissions displayed in the mock interface. The processor(s) automatically generates a customized security policy comprising the selection, where based on applying the customized security policy, repeating the access request results in authorized access to the target application.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: April 18, 2023
    Assignee: International Business Machines Corporation
    Inventors: Dong Chen, Wu Mi Zhong, Ting Yin, Zhi Li Guan, Yang Liang, Shao Jun Ding
  • Patent number: 11621978
    Abstract: A method, computer program product, and system includes a processor(s) obtaining an authorization failure from a target application because an access request was denied based on insufficient permissions of a user. The processor(s) institutes a mock interface with a visual appearance of the target application. The mock interface displays predefined data and the target application displays dynamic data, from the server(s) executing the target application. The processor(s) obtains, via the mock interface, a request to change the permissions of the user to the target application, which includes a selection, by the user, through the mock interface, of one or more individual permissions displayed in the mock interface. The processor(s) automatically generates a customized security policy comprising the selection, where based on applying the customized security policy, repeating the access request results in authorized access to the target application.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Dong Chen, Wu Mi Zhong, Ting Yin, Zhi Li Guan, Yang Liang, Shao Jun Ding
  • Patent number: 11582188
    Abstract: A first correspondence table in a terminal device stores a correspondence between an identifier of a process running on the terminal device and an identifier of a data stream created by the process, and a second correspondence table stores a second correspondence between an identifier of an application and an identifier of a process created by the application. The terminal device receives an identifier, sent by a network security device, of a first data stream. The terminal device can find, in the first correspondence table, a first record storing the identifier of the first data stream to obtain an identifier of a process. The terminal device can find, in the second correspondence table, a second record storing the identifier of the process in the first record to obtain an identifier of an application from the second record. The identifier of the application is then sent to the network security device.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: February 14, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Youyong Li, Ying Xiong
  • Patent number: 11539505
    Abstract: A method and system. An instruction to encrypt plaintext to generate encrypted data from the plaintext is received. The encrypted data is to be stored in a database device in response to a first request received from a client terminal to store the plaintext in the database device. The first request includes the plaintext. Ciphertext is generated by applying both an initialization vector and an encryption key directly to the plaintext. An embedding rule used to generate the encrypted data is selected from a sequence of embedding rules. The encrypted data is stored in the database device. A second request to receive the plaintext data is received from the client terminal. The plaintext is obtained from the encrypted data by separating the encrypted data into the ciphertext and the initialization vector, and generating the plaintext by decrypting the ciphertext that was separated from the encrypted data.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: December 27, 2022
    Assignee: KYNDRYL, INC.
    Inventor: Yasuhiro Onoda