Abstract: In an embodiment, a method comprises detecting, by a network control entity associated with a software-defined network, a network event in the software-defined network. The network control entity determines, based on the network event, an application for installation at the network control entity or in the software-defined network. The application is automatically installed at the network control entity or in the software-defined network.

Abstract: A method for execution by one or more processing modules of one or more computing devices begins by encoding data using a dispersed storage error encoding function to produce a plurality of sets of encoded data slices arranged into a plurality of chunksets of encoded data slices. The method continues by selecting a set of storage units for storing the plurality of chunksets and assigning a distributed computing task to each storage unit of the set of storage units. The method then continues by generating a unique key set for each storage unit of the storage units, encrypting each chunkset of encoded data slices with a corresponding one of the unique key sets to produce a plurality of encrypted chunksets and sending an encrypted chunkset of the plurality of encrypted chunksets and an indication of a corresponding distributed computing task to each storage unit of the set of storage units for storage of the encrypted chunksets and execution of the distributed computing task.

Abstract: A network system is provided between at least a first client site and a second client site, the first and the second client site are at a distance from one another. A client site network component is implemented at least at the first client site, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput. At least one network server component may be configured to connect to the client site network component using the bonded/aggregated connection. A cloud network controller may be configured to manage the data traffic and a virtual edge providing transparent lower-link encryption for the bonded/aggregated connection between the client site network component and the network server component.

Abstract: An electronic device includes a network communications interface, a processor, and a memory configured to store instructions that, when executed by the processor, cause the processor to instantiate a set of processes; receive, over a network and via the network communications interface, a policy for network socket creation; receive, from the set of processes, a set of requests to create a first set of network sockets used to communicate over the network via the network communications interface; collect telemetry pertaining to a second set of network sockets used to communicate over the network via the network communications interface; allow or block creation of network sockets in the first set of network sockets, in accordance with the collected telemetry and the policy for network socket creation; and transmit at least part of the collected telemetry to a controller, over the network and via the network communications interface.

Abstract: An Authorization Verification Service (AVS) is disclosed that may be provided by an IoT/M2M service layer to registrants of the service layer for Dynamic Context Aware Authorization. The AVS may allow the IoT/M2M service layer entities to define dynamic limits for authorizing access to services or data. The limits may be set, for example, in terms of the number of allowed accesses. When an IoT/M2M registrant makes a request for data or services for which it has dynamic context aware authorization, the AVS may maintain records of the remaining accesses available.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: A method and system for processing an email having redacted content, and/or where the message content has been encrypted and recorded as encrypted, is provided.

Abstract: Methods, computer readable media, and devices for escrow of master keys and recovery of previously escrowed master keys may be disclosed. A method for escrow of master keys may include registering a root certificate authority (CA) within each of two first-party hardware security modules (HSMs), initializing each of three third-party HSMs as master escrow recovery devices, performing a bootstrap operation on an authoritative blockchain to generate three master keys, generating a first set of master key shard ciphertexts using a first one of the three master escrow recovery devices, a second set using a second one of the three master escrow recovery devices, and a third set using a third one of the three master escrow recovery devices, and storing the first, the second, and the third set of master key shard ciphertexts as opaque objects in each of the two first-party HSMs.

Abstract: A system and method for generating a column-oriented data structure repository for columns of single data types. The method includes: receiving instructions to generate a new column of a single data type for a first data structure, wherein the first data structure is a column oriented data structure; and storing, based on the instructions, the new column within the column-oriented data structure repository, wherein the column-oriented data structure repository is accessible to at least a second user account.

Abstract: Techniques for providing hybrid access control in a cloud-services computing environment are provided. In one embodiment, a method for providing hybrid access control is provided at a host computing device. The method includes obtaining access control settings including at least a first user's role-based access settings with respect to a first sub-system of a hierarchical computing-resource system. The method further includes propagating the access control settings from the first sub-system to a second sub-system; obtaining user group domains assigned to a plurality of sub-systems; and obtaining a group membership associated with the first user. The method further includes determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user's role-based access settings propagated to the second sub-system are to be adjusted; and making adjustments accordingly.

Abstract: A mobile device can receive input to execute a target application in a private session. The target application is a native application for a mobile platform of the mobile device. The private session is a native function of the mobile device configured to isolate data of the target application. In response to the input, the mobile device can configure a local resource of the mobile device to support the target application in the private session, instantiate a procedure that utilizes the local resource to isolate the data of the target application while in the private session, and execute the target application in the private session on the mobile device. The operation of the private session is transparent and undetectable to the target application.

Abstract: An illustrative embodiment provides a computer-implemented process for navigation through historical stored interactions associated with a multi-user view that receives a previously saved multi-user view, wherein the multi-user view comprises a set of artifact attributes, receives an identified filter from a user, and presents a filtered view to the user. The process further determines whether to amend the filtered view, and responsive to a determination to amend the filtered view, generates an amended view from the filtered view, and responsive to a determination to save the amended view, saves the amended view as one of a new view or an updated view.

Abstract: Distributed firewalls in a network are disclosed. Example firewall controllers disclosed herein are to instruct a first network node of a software-defined network to implement a first firewall instance of a distributed firewall, the first network node to implement the first firewall instance with a first virtual machine. Disclosed example firewall controllers are also to configure a second network node of the software-defined network to route network traffic through the first firewall instance and, after at least some of the network traffic is dropped by the first firewall instance, instruct the second network node to implement a second firewall instance of the distributed firewall, the second network node to implement the second firewall instance with a second virtual machine.

Abstract: Systems and methods for self-protecting and self-refreshing workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a workspace based upon a workspace definition; determine that a context of the client IHS has been modified; in response to the determination, terminate the workspace; and receive, from the workspace orchestration service, one or more files or policies configured to enable the client IHS to re-instantiate the workspace based upon the workspace definition.

Abstract: An information providing system is an information providing system for selecting reference information that is appropriate when a user to perform a task related to a device works on the task, and has an acquiring unit for acquiring acquired data including first image data, in which a specific device and a specific identification label for identifying the specific device are photographed. The system also includes a first database that is built on machine learning, using a data structure for machine learning, which includes a plurality of items of training data that each include evaluation target information including image data, and a meta-ID linked with the evaluation target information. The image data includes an image showing the device and the identification label for identifying the device.

Abstract: Provided herein are systems and methods for sanitizing logged data packets in a distributed system prior to storing them in a remote or third-party data server. Interactions with an application are monitored and values in a data packet are extracted from the interaction. The values are classified based on a classification configuration and respective labels of the values. The values are then sanitized based on the classification to prevent exposure of secure or private data. The sanitized data packets are then logged into the remote data server. The logged data can be used to help resolve events occurring in the application. The classification configuration can be iteratively updated and the interactions repeated to capture data that was previously sanitized to aid in resolution of events. The logged data can also be used in research or analysis, such as for identifying potential improvements to the application.

Abstract: A computing system provides clock readings from an untrusted code to trusted code, where the trusted code is executed in a secure enclave and the untrusted code is executed outside the secure enclave. The computing system allocates a pointer to shared memory that is shared between the untrusted code and the trusted code. Under control of the untrusted code, the computing system periodically writes a clock reading to the shared memory. Under control of the trusted code, the computing system reads the clock reading stored in shared memory. The untrusted code cannot determine when the trusted code reads a clock reading.

Abstract: In certain embodiments, an electronic device may include: a touch-sensitive display; a processor operatively connected to the display; and a memory operatively connected to the processor, wherein the memory stores instructions which, when executed, cause the processor to: provide, through the display, a registration screen for registering an automation in the electronic device, the automation being defined as at least one action automatically executed when a designated trigger occurs; register an action in the electronic device as a feature of the automation through the registration screen, the action being selected by a user; and when the action registered as the feature of the automation corresponds to a data reference action configured to refer to data, display guidance information for a data processing action, the data processing action being configured to output a result value by using, as a first input value, an output value output as a result of executing the data reference action.

Abstract: A computer-implemented method, computer program product and computing system for: obtaining system-defined consolidated platform information for a computing platform from an independent information source; obtaining client-defined consolidated platform information for the computing platform from a client information source; and comparing the system-defined consolidated platform information to the client-defined consolidated platform information to define differential consolidated platform information for the computing platform.

Abstract: A method in a peer-to-peer network for recording maintenance data is provided. The method comprises receiving troubleshooting summary secured data (TSSD) from a plurality of sources; entering the TSSD from the plurality of sources using a Blockchain framework, wherein TSSD from a source is entered as a unique transaction in the Blockchain framework when a set of smart maintenance keys possessed by the source authorizes the entry of the TSSD; providing a first level of controlled access to a first subset of entered TSSD to an entity possessing a first level controlled access set of keys; providing a second level of controlled access to a second subset of the entered TSSD to an entity possessing a second level controlled access set of keys; and providing a third level of controlled access to all of the entered TSSD to an entity possessing a third level controlled access set of keys.

Abstract: An information providing system is an information providing system for selecting reference information that is appropriate when a user to perform a task related to a device works on the task, and has an acquiring unit for acquiring acquired data including first image data, in which a specific device and a specific identification label for identifying the specific device are photographed. The system also includes a first database that is built on machine learning, using a data structure for machine learning, which includes a plurality of items of training data that each include evaluation target information including image data, and a meta-ID linked with the evaluation target information. The image data includes an image showing the device and the identification label for identifying the device.

Abstract: Provided is a user authentication management device including a login request receiver that receives a login request from a user from a plurality of inputters via a path corresponding to each of the plurality of inputters, an authentication scheme selector that selects any one of a plurality of authentication schemes and provides identification information of a user related to the received login request to the selected authentication scheme to perform user authentication, and a user information storage that stores a user authentication result received from the selected authentication scheme as user information related to the user, in which the authentication scheme selector selects an authentication scheme predetermined corresponding to a path through which the login request is received.

Abstract: In some examples, in response to a request from a client device for information relating to a transaction stored by a blockchain, a system identifies, using information stored in a distributed storage system that stores data for the blockchain, multiple data owner entities from which permissions are to be obtained for access of the information, and determines an authorization requirement for the information based on a smart contract. The system sends authorization information based on the authorization requirement to trigger a retrieval of authorization tokens from the identified data owner entities for access of the information, and sends the information to the client device in response to receiving the authorization tokens.

Abstract: The present invention relates to methods, processes, and systems for monitoring security policy violations in a computer network. Details of such monitoring include creating a rule according to a security policy, determining if the rule is violated by a value of a variable, and recording security events and comparing the number of events to a threshold.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

Abstract: A computing system may include a server, and a client computing device in communication with the server and operating a local mobile OS. One of the client computing device and the server may be configured to compare a notification message with a database of flagged terms to determine whether the notification message includes a flagged term. If the notification message includes the flagged term and the local mobile OS is in a locked state, the notification message is revised by replacing the flagged term with a placeholder term, and the revised notification message is displayed on a display.

Abstract: A content model data base stores past target information, which includes past first video information acquired in advance, reference IDs, which are linked with the past target information, and which correspond to contents, and three or more levels of degrees of content association between the past target information and the reference IDs. A first acquiring unit acquires the target information from a user terminal, a first evaluation unit looks up the content model database and acquires ID information, which includes the degrees of content association between the target information and the reference IDs, and an output unit outputs the contents corresponding to the ID information. After the output from the output unit, the ID information, acquired by the first evaluation unit, is stored in an ID history unit.

Abstract: A content model data base stores past target information, which includes past first video information acquired in advance, reference IDs, which are linked with the past target information, and which correspond to contents, and three or more levels of degrees of content association between the past target information and the reference IDs. A first acquiring unit acquires the target information from a user terminal, a first evaluation unit looks up the content model database and acquires ID information, which includes the degrees of content association between the target information and the reference IDs, and a judging unit judges the ID information. Contents that correspond to the ID information are output to the user terminal based on the result of judgment by the judging unit.

Abstract: A method for wrapped keys with access control predicates includes obtaining a cryptographic key for content. The method also includes encrypting the content using the cryptographic key and generating an encryption request. The encryption request requests that a third party cryptography service encrypts an encapsulation of the cryptographic key and an access control condition governing access to the content. The method also includes communicating the encryption request to the third party cryptography service. The encryption request includes the cryptographic key.

Abstract: A system, a method, and a computer program for protecting data traffic from a communication device against fingerprinting or privacy leakage. The method can include receiving data traffic from a communication device connected to a network, analyzing the received data traffic to determine network activity or operational characteristics of the communication device, generating forged data traffic for the network based on the determined network activity or operational characteristic of the communication device, and transmitting the forged data traffic to an external communication device that is located outside the network. The forged data traffic can add an entropy factor to the data traffic from said communication device connected to the network.

Abstract: A method for execution by one or more storage units of a dispersed storage network (DSN). The method begins by receiving, at a first storage unit, a request for a partial task. The method continues by generating a slice request, to one or more additional storage units, when the first storage unit does not contain all encoded data slices required to execute the partial task. The method continues by receiving the at least one additional encoded data slice from the one or more additional storage units and performing the partial task on the first encoded data slice and the at least one additional encoded data slice to produce at least partial results.

Abstract: A system and method for real-time attestation which attests to the untouchability of processors from external influences. The system and method comprise a security mechanism that extracts information about a program's full-control execution path and then validates that information with a highly isolated guard process during runtime, which is running in a trusted environment. This trusted guard application also acts as a remote attester client and sends the currently running control flow graph to a remote attestator server on demand.

Abstract: Systems and methods for a machine-learning driven fine-grained file access control approach are provided. According to one embodiment, a server associated with an enterprise network can obtain and store information regarding historical user behavior of users of the enterprise network by observing file access requests initiated by the users. The server receives a file access request initiated by a user, which relates to a file stored within the enterprise network in encrypted form. In response to receipt of the file access request, the server determines a risk score for the user based on multiple factors, including information regarding historical user behavior, the file access request and observed data determined based on the file access request so that based on the risk score, access to the file is permitted by returning a decryption key for the file or denied by withholding the decryption key.

Abstract: To commission an industrial automation control system, IACS, a computing device generates commands to automatically set or verify a security configuration of the IACS. The commands are generated by the computing device based on a machine-readable security baseline, and, optionally, based on a machine-readable configuration file of the IACS.

Abstract: A method performed by a computer system including: accessing a specification that specifies a plurality of modules to be implemented by the computer program for processing the one or more values of the one or more fields in the structured data item; transforming the specification into the computer program that implements the plurality of modules, wherein the transforming includes: for each of one or more first modules of the plurality of modules: identifying one or more second modules of the plurality of modules that each receive input that is at least partly based on an output of the first module; and formatting an output data format of the first module such that the first module outputs only one or more values of one or more fields of the structured data item.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving the cryptographic key from the wrapped key.

Abstract: A system and method of providing security for an application. A request to use an application to perform an operation using information is received from an operator by a computer system. In response to receiving the request, an operator identity assurance level of the operator and characteristics of the operation using the information are determined. An operation assurance level for the operation is determined based on the characteristics of the operation using the information. It is determined whether the operator identity assurance level of the operator satisfies the operation assurance level for the operation. The operator is allowed to use the application to perform the operation using the information in response to a determination that the operator identity assurance level of the operator satisfies the operation assurance level for the operation.

Abstract: The present disclosure is directed to systems and methods of detecting a side-channel attack detecting a translation lookaside buffer (TLB) miss on a virtual address lookup caused by the speculative execution of an instruction and determining that the physical memory address associated with the virtual address lookup contains a privileged object or a secret object. Range register circuitry determines whether the physical memory address is located in an address range containing privileged objects or secret objects. Performance monitoring counter (PMC) circuitry generates an interrupt in response to receipt of information indicative of the TLB miss and information indicative that the physical memory address contains a privileged object or a secret object. The PMC circuitry causes the storage of information associated with the speculatively executed instruction causing the virtual address lookup.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

Abstract: Described embodiments provide systems and methods for learning across multiple application delivery controllers and updating settings across the application delivery controllers. A profile can be generated based on selection of a set of intermediary devices managed by a device. The set of intermediary devices configured to load balance data of an application hosted in different computing environments. Activity can be identified at the intermediary devices with use of a firewall. The activity having an appearance of a malicious attack on at least one intermediary device of the set. The device can determine if the activity is permissible or a violation based on a comparison of an aggregation of data records for the identified activity and a threshold. The device can provide a notification to at least one intermediary device of the set to configure the at least one intermediary device to allow the activity or prevent the activity.

Abstract: Techniques are disclosed relating to authenticating communications. A computer system may generate a master private key usable to derive user-specific private keys for a plurality of users hosted by a particular application. The computer system may generate master public configuration information usable to derive user-specific public keys for the plurality of users. The computer system may send that configuration information to a directory service accessible to applications that communicate with the particular application. The computer system may receive, from the particular application, a request for a user-specific private key for one of the plurality of users. The request may include an identifier of the user. The computer system may perform a key derivation function to generate a particular user-specific private key based on the master private key and the identifier of the user. The computer system may send the particular user-specific private key to the particular application.

Abstract: A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.

Abstract: Methods and systems are provided for preventing unauthorized communication with an end device on a network, the system comprising an external device and a communication device.

Abstract: Embodiments for providing automated selection of optimal disk types for virtualized storage by defining a minimum number of backup samples, selecting, if the minimum number of backup samples is not met for a backup operation, a solid state drive (SSD) for a virtual machine (VM) storage for a disaster recovery operation, otherwise selecting a hard disk drive (HDD) for the VM storage. The method further defines a cold HDD threshold (CHT) value and a minimal percentage of backups (PPT) value, and obtains a cold backup count based on the CHT value. It compares a ratio of the cold backup count to an amount of backups (AB) for the disaster recovery operation to the defined PPT value, and if the ratio is greater than the PPT value, it selects the SSD rather than HDD for the VM storage.

Abstract: The present disclosure relates to systems, methods, and computer-readable media for implementing an efficient and flexible policy-driven approach to securing a computing device. For example, systems disclosed herein can identify any number of security policies including configuration states associated with configuration settings of a client device. The systems disclosed herein can further enforce the security policies by performing an enforcement operation including an idempotent operation that enables a computing device to both diagnose as well as remedy security issues identified by an agent on a computing device. The systems disclosed herein further include features and functionality that enable a computing device to be compliant with multiple security standards without performing redundant enforcement operations.

Abstract: An embodiment of the present invention is directed to a Channel Dynamic Multifactor Authentication. This solution provides the capability to select a multifactor authentication channel (e.g., email, SMS, etc.) dynamically based on multiple sources of risk scoring input data. The risk decision engine may determine an optimal lowest risk delivery channel for delivery of a one-time passcode and/or implement an additional or alternative mechanism for user authentication or verification.

Abstract: A tool uses a graph-based approach to analyze scripts to determine whether the scripts pose security threats when executed. The tool breaks down scripts into component steps and generates a graph based on those steps. The tool then converts the graph into a vector and compares that vector with clusters of other vectors. Based on that comparison, the tool determines whether the script will cause a security vulnerability. If the script causes a security threat when executed, the script may be prevented from executing.

Abstract: A computing device is configured to retrieve network security configuration information from a computer network and generate a security configuration map which readily enables a user to detect defects in the security configuration with respect to a security policy. The computing device retrieves firewall configurations from security appliances in the network which operate firewalls, and processes the firewall configurations to generate a set of corresponding standardized firewall configurations. These are processed to identify enclaves containing network nodes which are associated with respective security sensitivity values based on the security policy. The computing device monitors and detects inter-node network traffic.

Abstract: Embodiments of the present disclosure relate to managing admin-controlled access of external resources to group-based communication interfaces associated with an organization, via a group-based communication system including APIs for improved external resource permissioning, provisioning, and access handling. Embodiments include methods, computer program products, apparatuses, and systems configured to receive an external resource access request, determine an organization identifier, obtain an admin response indication, set an external resource permission status for the external resource based on the admin response indication, and cause rendering of the requested group-based communication interface based on the admin response indication. Embodiments further relate to provisioning and handling requests for services associated with an external resource by managing one or more single-interface access tokens linked to a multi-interface access token.