Patents Examined by Victor Lesniewski
  • Patent number: 11165767
    Abstract: An identity authentication method is described. The method includes, when receiving a group joining request that is sent by a first terminal and that is used for joining a trusted group, generating, by a server, a first certificate for the first terminal based on a first version number, and sending them to the first terminal. The method further includes, when determining that a second terminal is removed from the trusted group, updating the first version number to a second version number; and separately generating, by the server based on the second version number, a corresponding second certificate for a terminal not removed from the trusted group; and separately sending the corresponding second certificate and the second version number to the terminal not removed from the trusted group. In this way, during authentication, a terminal may compare a version number of the other party to perform identity authentication, thereby improving authentication efficiency.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: November 2, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: ChengKang Chu, Jie Shi, Chengfang Fang, Xiwen Fang
  • Patent number: 11165812
    Abstract: Systems, methods, and software described herein provide for identifying and implementing security actions within a computing environment. In one example, a method of operating an advisement system to provide security actions in a computing environment includes identifying communication interactions between a plurality of computing assets and, after identifying the communication interactions, identifying a security incident in a first computing asset. The method further provides identifying at least one related computing asset to the first asset based on the communication interactions, and determining the security actions to be taken in the first computing asset and the related computing asset.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: November 2, 2021
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11122028
    Abstract: An authorization server to issue an access token for accessing a resource provided by a resource server performs operations. A client receives an issuance request having a predetermined parameter identifying a type of access token to be issued. Based on the predetermined parameter, one of a first type or second type of access token to be verified by the resource server is issued. The first type of access token or the second type of access token is transmitted to the client from which the issuance request was received. The second type of access token is verified at the authorization server by receipt of a verification request received together with the second type of access token from the resource server. The received verification request is transmitted from the resource server based on the resource server determining that a request for service from the client includes the second type of access token.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: September 14, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kenta Yabe
  • Patent number: 11115417
    Abstract: A method and proxy device for securing an access to a cloud-based application are presented. In an embodiment, the method includes receiving an authentication token that includes an identity of a user of a client device requesting an access to the cloud-based application. The method further includes receiving, from an agent executed in the client device, a client certificate; retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate; identifying an access policy for the client device to access the cloud-based application, and determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy. In an embodiment, the access policy is identified based at least on the retrieved device posture.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: September 7, 2021
    Assignee: Microsoft Technology Licensing, LLC.
    Inventors: Vitaly Khait, Ami Luttwak, Liran Moysi, Ariel Stolovich, Greg Vishnepolsky
  • Patent number: 11102189
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: August 24, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Gregory B. Roth, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 11095461
    Abstract: The Distribution Effect is proposed for the HELP PUF that is based on purposely introducing biases in the mean and range parameters of path delay distributions to enhance entropy. The biased distributions are then used in the bitstring construction process to introduce differences in the bit values associated with path delays that would normally remain fixed. Offsets are computed to fine tune a token's digitized path delays as a means of maximizing entropy and reproducibility in the generated bitstrings: a first population-based offset method computes median values using data from multiple tokens (i.e., the population) and a second chip-specific technique is proposed which fine tunes path delays using enrollment data from the authenticating token.
    Type: Grant
    Filed: November 3, 2017
    Date of Patent: August 17, 2021
    Inventors: James Plusquellic, Wenjie Che
  • Patent number: 11087023
    Abstract: Techniques are described herein for assembling/evaluating automated assistant responses for privacy concerns. In various implementations, a free-form natural language input may be received from a first user and may include a request for information pertaining to a second user. Multiple data sources may be identified that are accessible by an automated assistant to retrieve data associated with the second user. The multiple data sources may collectively include sufficient data to formulate a natural language response to the request. Respective privacy scores associated with the multiple data sources may be used to determine an aggregate privacy score associated with responding to the request. The natural language response may then be output at a client device operated by the first user in response to a determination that the aggregate privacy score associated with the natural language response satisfies a privacy criterion established for the second user with respect to the first user.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: August 10, 2021
    Assignee: GOOGLE LLC
    Inventors: Sandro Feuz, Sammy El Ghazzal
  • Patent number: 11075936
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: July 27, 2021
    Assignee: Illumio, Inc.
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Patent number: 11075937
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: July 27, 2021
    Assignee: Illumio, Inc.
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Patent number: 11048819
    Abstract: Systems and methods are provided for generating noise in user data to generate privatized data. The systems and methods generate the privatized data by performing operations comprising: storing a set of input data; generating a noise distribution based on a two-step function, wherein a height of the two-step function is determined by a privacy parameter, a width of the two-step function is determined by minimizing a variance of the noise distribution, and wherein a mean of the two-step function is determined by a value of the set of input data to be privatized; applying the noise distribution to the set of input data to generate privatized noisy output data; and transmitting the resulting privatized noisy output data in response to a request for a portion of, or a complete set of, the input data.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: June 29, 2021
    Assignee: Snap Inc.
    Inventor: Vasyl Pihur
  • Patent number: 11036884
    Abstract: A computer system de-identifies data by selecting one or more attributes of a dataset and determining a set of data de-identification techniques associated with each attribute. Each de-identification technique is evaluated with respect to an impact on data privacy and an impact on data utility based on a series of metrics, and a data de-identification technique is recommended for each attribute based on the evaluation. The dataset is de-identified by applying the de-identification technique that is recommended for each attribute. Embodiments of the present invention further include a method and program product for de-identifying data in substantially the same manner described above.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: June 15, 2021
    Assignee: International Business Machines Corporation
    Inventor: Aris Gkoulalas-Divanis
  • Patent number: 11036858
    Abstract: Methods and systems are described in the present disclosure for training a model for detecting malicious objects on a computer system. In an exemplary aspect, a method includes: selecting files from a database used for training a detection model, the selection is performed based on learning rules, performing an analysis on the files by classifying them in a hierarchy of maliciousness, forming behavior patterns based on execution of the files and parameters of the execution, training the detection model according to the analysis of the files and the behavior patterns, verifying the trained detection model using a test selection of files to test determinations of harmfulness of the test selection of files, and when the verification fails, retraining the detection model using a different set of files from the database, otherwise applying the detection model to a new set of files to determine maliciousness.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: June 15, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Alexander S. Chistyakov, Alexey M. Romanenko, Alexander S. Shevelev
  • Patent number: 11036886
    Abstract: A computer system de-identifies data by selecting one or more attributes of a dataset and determining a set of data de-identification techniques associated with each attribute. Each de-identification technique is evaluated with respect to an impact on data privacy and an impact on data utility based on a series of metrics, and a data de-identification technique is recommended for each attribute based on the evaluation. The dataset is de-identified by applying the de-identification technique that is recommended for each attribute. Embodiments of the present invention further include a method and program product for de-identifying data in substantially the same manner described above.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: June 15, 2021
    Assignee: International Business Machines Corporation
    Inventor: Aris Gkoulalas-Divanis
  • Patent number: 11019089
    Abstract: A security assessment service for implementing security assessments based on security credentials utilized to access network-based services. The system implements security assessments associated with various actions attributed to different types of techniques that can be utilized for compromised security information. The processing result of the security assessment can be utilized to determine the result of the techniques associated with the security assessment, the performance of security monitoring services, and an anticipated result on a virtual network.
    Type: Grant
    Filed: February 27, 2018
    Date of Patent: May 25, 2021
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11019092
    Abstract: Systems, methods, and software described herein provide action recommendations to administrators of a computing environment based on effectiveness of previously implemented actions. In one example, an advisement system identifies a security incident for an asset in the computing environment, and obtains enrichment information for the incident. Based on the enrichment information a rule set and associated recommended security actions are identified for the incident. Once the recommended security actions are identified, a subset of the action recommendations are organized based on previous action implementations in the computing environment, and the subset is provided to an administrator for selection.
    Type: Grant
    Filed: April 2, 2015
    Date of Patent: May 25, 2021
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
  • Patent number: 11005863
    Abstract: In some embodiments, a plurality of real-time monitoring node signal inputs receive streams of monitoring node signal values over time that represent a current operation of the industrial asset control system. A threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs, may receive the streams of monitoring node signal values and, for each stream of monitoring node signal values, generate a current monitoring node feature vector. The threat detection computer platform may then compare each generated current monitoring node feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node, and localize an origin of a threat to a particular monitoring node. The threat detection computer platform may then automatically transmit a threat alert signal based on results of said comparisons along with an indication of the particular monitoring node.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: May 11, 2021
    Assignee: General Electric Company
    Inventors: Cody Joe Bushey, Lalit Keshav Mestha, Daniel Francis Holzhauer, Justin Varkey John
  • Patent number: 10986122
    Abstract: A threat management facility generates a simulated phishing threat based on one or more characteristics of a network user. Based on whether the user fails to respond appropriately to the simulated phishing threat, the threat management facility may implement one or more prophylactic measures to remediate the security weakness exposed by the user's failure to respond appropriately to the simulated phishing threat. For example, a security policy for an endpoint associated with the user may be adjusted to address the security weakness. Additionally, or alternatively, the user may be enrolled in training directed at reducing the likelihood that the user will be the victim of an actual phishing attack in the future.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: April 20, 2021
    Assignee: Sophos Limited
    Inventors: Brady Bloxham, Scott McVicker Epple, Jeffrey Philip Albert
  • Patent number: 10985914
    Abstract: A key generation device includes a generation circuit, a concealment processing unit, and a cryptography processing unit. The generation circuit generates a value dependent on hardware. When acquiring a concealed cryptographic key, the concealment processing unit generates first data by performing a mask process to the concealed cryptographic key by using the value generated by the generation circuit, generates second data by decoding the first data by a first error correction decoding method, and generates a cryptographic key by decoding the second data by a second error correction decoding method. When acquiring the concealed cryptographic key and a plain text or an encrypted text, the cryptography processing unit acquires the cryptographic key corresponding to the concealed cryptographic key from the concealment processing unit, and encrypts the plain text or decrypts the encrypted text by using the cryptographic key.
    Type: Grant
    Filed: March 5, 2018
    Date of Patent: April 20, 2021
    Assignee: FUJITSU LIMITED
    Inventors: Yasuo Noguchi, Takeshi Shimoyama
  • Patent number: 10965457
    Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution across scope boundaries. A cross-scope secrets management service (“SMS”) can be utilized to store, renew and distribute secrets across boundaries in a distributed computing environment such as regional boundaries. In some embodiments, locally scoped secrets management services subscribe to receive updates from the cross-scope secrets management service. As secrets are renewed, they are automatically propagated to a subscribing local scope and distributed by the local secrets management service. In various embodiments, SMS can autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: March 30, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Brian S. Lounsberry, Ashok Chandrasekaran, Chandan R. Reddy, Chuang Wang, Kahren Tevosyan, Mark Eugene Russinovich, Srinivas S. Nidadavolu, Vyom P. Munshi
  • Patent number: 10965708
    Abstract: Disclosed are systems, methods and computer readable mediums for automated verifications of potential vulnerabilities of one or more sites or code utilizing one or more neural networks. The systems, methods and computer readable mediums can transmit one or more scan operations to one or more sites, receive one or more responses to the one or more scan operations, tokenize the one or more responses, transmit to one or more neural networks the one or more tokenized responses, receive from the one or more neural networks verification of the one or more tokenized responses, and determine one or more confidences of the one or more verified responses.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: March 30, 2021
    Assignee: WHITEHAT SECURITY, INC.
    Inventors: Sergey Kolychev, Robert Stone, James Richardson