Policy Patents (Class 726/1)
  • Patent number: 11977648
    Abstract: An information protection device includes a reception unit that receives an image of a screen displayed on a terminal connected to a certain network; an extraction unit that extracts input information for the screen from the image; a determination unit that determines whether or not the input information matches predetermined information; and a control unit that performs, when the input information is determined to be matched with the predetermined information, a control for preventing the input information from being transmitted from the network.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: May 7, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventor: Masaru Sanada
  • Patent number: 11977659
    Abstract: An IoT/M2M service layer may be provided with the capability to protect user privacy. This functionality may allow the IoT/M2M service layer to anonymize user data, particularly when user data is shared with third party consumers. A privacy policy service may enable the IoT service layer system to generate anonymization (e.g., privacy) policies based on inputs such as legal obligations, subscriber privacy preferences, and an authorization level of the data consumer. Data anonymization policies may be output from the privacy policy service and may be sent to a data anonymization service, where raw data may be anonymized based on the one or more data anonymization policies. The output from the data anonymization service function may be a privatized (e.g., anonymized) version of data that may prevent the data consumer from discovering one or more identifying characteristics of a user.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: May 7, 2024
    Assignee: Convida Wireless, LLC
    Inventors: Jiwan L Ninglekhu, Michael F. Starsinic, Dale N. Seed, Catalina Mihaela Mladin, William Robert Flynn, IV, Zhuo Chen, Quang Ly, Lu Liu
  • Patent number: 11979383
    Abstract: Transparent web browsing recording is disclosed. A request is received, at a browser isolation system, from a client browser executing on a client device, to connect with a remote resource. A surrogate browser is provided to facilitate communications between the client browser and the remote resource. A set of browsing activities associated with use of the surrogate browser by the client browser is recorded.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: May 7, 2024
    Assignee: Menlo Security, Inc.
    Inventors: Lionel Litty, Todd Ignasiak, Rodrigo Graf
  • Patent number: 11977476
    Abstract: In an example, an apparatus may include a validation module configured to identify a security policy update from a security as code repository, wherein the identified security policy update is a candidate for deployment to a production environment having a plurality of attributes defined by an infrastructure as code repository; identify, from the plurality of attributes and using the infrastructure as code repository, individual attributes that correspond to the identified security policy update, wherein the identified individual attributes are identical to a subset of the plurality of attributes; generate a test environment based on the identified individual attributes; following deployment of the identified security policy update to the test environment, check for security exceptions or availability exceptions using the test environment; and output validation results based on a result of the checking.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: May 7, 2024
    Assignee: salesforce.com, inc.
    Inventors: Kaushal Bansal, Prabhat Singh, Selim Ciraci
  • Patent number: 11979375
    Abstract: Techniques for a context-aware secure access service edge (SASE) engine for generating security profile(s) associated with endpoint device(s) accessing the network and using the security profile(s) to evaluate a traffic flow from the endpoint device(s). The SASE engine may execute on an edge device of a computing resource network and may be configured to maintain a security profile database including an endpoint security profile mapping. Endpoint device(s) accessing the network may share endpoint, application, and/or user specific information with the SASE engine so that the SASE engine may generate a security profile specific to the endpoint, application, and/or user. Additionally, an enterprise network, associated with endpoint device(s) accessing the network, may provide default SASE security profile templates to the SASE engine.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: May 7, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Sebastian Jeuk, David Hanes, Gonzalo Salgueiro
  • Patent number: 11972028
    Abstract: Techniques described herein relate to a method for managing data protection feature compatibility. The method may include identifying a host data protection feature update event associated with a host; in response to identifying the host data protection feature update event, obtaining host data protection feature information from the host; updating a host data protection feature information repository using the host data protection feature information; updating data protection feature compatibility information using the host data protection feature information and data protection manager data protection feature information; and sending data protection feature compatibility information associated with the host to the host.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: April 30, 2024
    Assignee: EMC IP Holding Company LLC
    Inventors: Pravin Kumar Ashokkumar, Preeti Varma, Jayashree B. Radha
  • Patent number: 11972030
    Abstract: In described examples, a method of routing messages in a system on a chip (SoC) includes a secure message router receiving a message including a content, an identifier of the message's sending (origin) functional block and/or of a receiving (destination) functional block, a message secure value, a promote value, and a demote value. A context corresponding to the identifier is retrieved from a memory. The context includes an allow promote value and an allow demote value. The message secure value is increased if the promote value requests the increase and matches the allow promote value. The message secure value is decreased if the demote value requests the decrease and matches the allow demote value. Cleartext corresponding to the content is made accessible by the destination if the context secure value matches the message secure value. The message is then outputted from the secure message router to the destination.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: April 30, 2024
    Assignee: Texas Instruments Incorporated
    Inventors: Amritpal Singh Mundra, Eric Lasmana
  • Patent number: 11968103
    Abstract: An example method according to some embodiments includes receiving flow data for a packet traversing a network. The method continues by determining a source endpoint group and a destination endpoint group for the packet. The method continues by determining that a policy was utilized, the policy being applicable to the endpoint group. Finally, the method includes updating utilization data for the policy based on the flow data.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: April 23, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Kumar Gupta, Navindra Yadav, Michael Standish Watts, Ali Parandehgheibi, Shashidhar Gandham, Ashutosh Kulshreshtha, Khawar Deen
  • Patent number: 11968188
    Abstract: Apparatus and methods disclosed herein provide technical solutions improving the security of email messages. An email message may be encrypted so that a predetermined passcode is not required to access the email message. Apparatus and methods may route email messages through a remote portal. The email message may only be transmitted to the recipient via the portal. In some instances, the contents of an email message may not be transmitted from the portal to the recipient. Rather, the recipient may only access the email message from within the portal. Such restricted access may be preferably less complex because the recipient's computer terminal may automatically connect to the portal.
    Type: Grant
    Filed: December 16, 2021
    Date of Patent: April 23, 2024
    Assignee: Bank of America Corporation
    Inventors: Linda Haddad, Katherine Jameson, Alex Y. Yang, Neha Joshi
  • Patent number: 11966498
    Abstract: This disclosure relates to a system and method for at source data masking and discovery of unique identifier for at-source masking. The method reads a table of production database comprising sensitive column from a source database for at source data masking. A unique identifier column is identified, and a temporary table is created which has three or more columns. Columns of temporary table comprises a sensitive column from the table of production database, a column for masked data of sensitive column and a unique identifier column. Sensitive column of the temporary table is masked using a known masking technique and the original data of the sensitive column and the masked data of the sensitive column is inserted into the temporary table. Finally, the production database is updated with the masked data of the sensitive column.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: April 23, 2024
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Nandita Babu, Ashim Roy, Shirish Damle, Rupali Kulkarni
  • Patent number: 11966957
    Abstract: The present disclosure provides a system for providing personalization for a target website. The system comprises: an artificial intelligence (AI) engine including one or more machine learning algorithm trained models for providing one or more personalization features; and a personalization module configured for integrating the one or more personalization features into the target website, wherein the one or more personalization features are rendered within a popup widget displayed over the target website.
    Type: Grant
    Filed: November 3, 2021
    Date of Patent: April 23, 2024
    Assignee: XGenesis Inc.
    Inventors: Francis Faricy, Jason Robert Clements
  • Patent number: 11966478
    Abstract: The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
    Type: Grant
    Filed: November 23, 2022
    Date of Patent: April 23, 2024
    Assignee: Open Text Inc.
    Inventors: John R. Shaw, II, Andrew L. Sandoval
  • Patent number: 11966379
    Abstract: A method for performing data transfer includes: obtaining source data; populating a staging table with the source data; making a first determination that the source data was successfully populated to the staging table; making a second determination that a target table is available, in which an application is directed to use data in the target table; and initiating, based on the first determination and the second determination, a data source switch of the application, in which the data source switch directs the application to use the source data in the staging table and not use the data in the target table, in which the application uses the source data in the staging table when the data source switch is successful.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: April 23, 2024
    Assignee: Dell Products L.P.
    Inventors: Grace Hongyan Zhang, Syed Mohammad Shams Kazmi
  • Patent number: 11968211
    Abstract: Techniques are provided for controlling access entitlement for networking device data. In one example, a geographic location of a networking device is determined. A request to access data associated with the networking device is obtained from a user device. A user parameter of a user associated with the user device is determined. An access policy that controls access to the data based on the geographic location of the networking device and the user parameter is identified. The request to access the data is permitted or denied based on the geographic location of the networking device, the user parameter, and the access policy.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: April 23, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Vinay Saini, Robert E. Barton, Jerome Henry
  • Patent number: 11966464
    Abstract: Security techniques for device assisted services are provided. In some embodiments, secure service measurement and/or control execution partition is provided. In some embodiments, implementing a service profile executed at least in part in a secure execution environment of a processor of a communications device for assisting control of the communications device use of a service on a wireless network, in which the service profile includes a plurality of service policy settings, and wherein the service profile is associated with a service plan that provides for access to the service on the wireless network; monitoring use of the service based on the service profile; and verifying the use of the service based on the monitored use of the service.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: April 23, 2024
    Assignee: Headwater Research LLC
    Inventor: Gregory G. Raleigh
  • Patent number: 11966474
    Abstract: Trusted execution of a workload payload is brokered among multiple trusted execution platforms. The workload payload is received from a source computing system and includes input data, trusted execution code, and one or more trusted execution policies. At least one of the multiple trusted execution platforms is selected based on the one or more trusted execution policies. A brokered payload is generated to include executable trusted execution code and the input data. The brokered payload is communicated to the selected at least one trusted execution platform. A brokered result generated from the brokered payload by the selected at least one trusted execution platform is received. A workload result based on the brokered result is returned to the source computing platform.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: April 23, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Brian Telfer, Deepu C. Thomas
  • Patent number: 11962609
    Abstract: Examples disclosed herein relate to source entities of security indicators. Some examples disclosed herein enable identifying, in a security information sharing platform, a security indicator that is originated from a source entity where the security indicator comprises an observable. Some examples further enable determining a reliability level of the source entity based on at least one of: security events, sightings of the observable, a first set of user feedback information that is submitted for the security indicator by users of the security information sharing platform, or a second set of user feedback information that is collected from external resources that are external to the security information sharing platform.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: April 16, 2024
    Assignee: Micro Focus LLC
    Inventors: Tomas Sander, Brian Frederik Hosea Che Hein, Nadav Cohen, Ted Ross
  • Patent number: 11962599
    Abstract: A computer system may receive one or more requests for access to one or more cloud services and may store the one or more requests in a request log. The computer system may receive one or more access rules applicable to cloud service access rights. The computer system may aggregate the one or more requests of the request log to determine access requirements for a container, the container being configured to store one or more applications. The computer system may generate and store container access policies that define access of a container and the one or more cloud services, the container access policies based at least in part on the aggregated one or more requests and the one or more access rules. The computer system may send the container access policies to a request forwarder of a compute instance in a production environment.
    Type: Grant
    Filed: May 9, 2023
    Date of Patent: April 16, 2024
    Assignee: Oracle International Corporation
    Inventors: Olgierd Stanislaw Pieczul, Hubert Alexander Foskett, Robert Graham Clark
  • Patent number: 11956279
    Abstract: A method and a computer program product and an apparatus for securing communication in heterogeneous networks that include devices with different protection levels. The method comprises monitoring, by a security agent installed on a device, communication between the device and external devices. The method comprises determining a level of in-device protection for each device based on available protection thereof. The method further comprises employing, by the security agent, an associated security policy for communications originating from the device, based on the level of in-device protection; such that resources utilized for employing security policies for communications originating from devices are correlated with the protection levels thereof. The method may further comprise enabling sharing security workload between devices having trusted security agents to improve performance efficiency thereof.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: April 9, 2024
    Assignee: JFROG LTD
    Inventors: Omer Schory, Or Peles, Shmuel Ur
  • Patent number: 11956635
    Abstract: Examples described herein relate to techniques for authenticating a client device by obtaining device-type information during an initial phase of authentication process. According to some examples, identifying a client device intending to connect to a network and sending an identity-request thereto. Receiving an identity-response from the client device along with device-type information. Identifying a device category from a set of device categories corresponding to identified device-type information. Selecting a device policy applicable to the identified device-type information. Authenticating the client device to enable access to the network and applying the selected device policy to the client device.
    Type: Grant
    Filed: January 20, 2022
    Date of Patent: April 9, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Nimal Mahesh Varampetran
  • Patent number: 11956095
    Abstract: The present invention relates to a method for configuring a second home automation device (D2) by means of replacing a first home automation device (D1), the method comprising the following steps: recording (ERU1) at least one set of configuration data or instructions (cfg1) associated with a unique identifier of a first home automation device (D1); receiving (ERU9) a configuration request from a second home automation device (D2); determining (ERU10) an association between the second home automation device (D2) on the one hand and the first home automation device (D1) on the other hand; determining (ERU11) at least one set of configuration data or instructions (cfg2) associated with the second home automation device (D2); sending (ERU12) at least one configuration message (MCfg) comprising the at least one set of configuration data or instructions (cfg2) to the second home automation device (D2).
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: April 9, 2024
    Assignee: OVERKIZ
    Inventor: Sylvain Pognant
  • Patent number: 11949671
    Abstract: Systems and methods are disclosed for managing online advertising data secure sharing. One method includes receiving, at a server, a request for proprietary data from a data consumer, the request including a data consumer identifier; retrieving, from a database of proprietary data, proprietary data based on the request; determining, by the server, whether the retrieved proprietary data is at least one of: designated to be processed and designated to have privileges set; processing, by the server, the proprietary data when the server determines the proprietary data is designated to be processed; setting one or more privileges to the proprietary data using the certificate associated with the data consumer identifier when the server determines the proprietary data is designated to have privileges set; encrypting the proprietary data using the certificate associated with the data consumer identifier; and transmitting the encrypted proprietary data to the data consumer.
    Type: Grant
    Filed: October 6, 2022
    Date of Patent: April 2, 2024
    Assignee: Yahoo Ad Tech LLC
    Inventors: Matthew M. Patton, Seth Mitchell Demsey
  • Patent number: 11949719
    Abstract: An information security monitoring system can import indicators of compromise (IOC) definitions in disparate formats from third-party source systems, convert them into editable security definitions in an internal system format, and provide a user interface for composing or editing these security definitions with enhancements, including complex security definitions such as those having a nested Boolean structure and/or those that reference one or more security definitions, a behavioral rule, and/or a vulnerability description. One or more whitelists can be added to handle exceptions. Each composed or modified security definition is then compiled into an executable rule. The executable rule, when evaluated, produces a result indicative of an endpoint security action needed in view of an endpoint event that meets the composed or modified security definition.
    Type: Grant
    Filed: January 26, 2022
    Date of Patent: April 2, 2024
    Assignee: OPEN TEXT HOLDINGS, INC.
    Inventor: Michael James Bailey
  • Patent number: 11949786
    Abstract: Embodiments decrypt or partially decrypt an encoded message or a private key, the encoded message or private key encoded by a public-key cryptography algorithm. Embodiments encode the public-key cryptography algorithm using a language of a program synthesizer and construct a grammar for the program synthesizer. Embodiments train the program synthesizer with training data comprising input-output pairs and execute the trained program synthesizer to generate a mathematical formula. Embodiments validate the generated mathematical formula and then perform the decrypting using the trained and validated program synthesizer.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: April 2, 2024
    Assignee: Oracle International Corporation
    Inventors: Dharmalingam Ganesan, David M. Clifton
  • Patent number: 11949717
    Abstract: In one embodiment, a method comprises: tracking, by a first security agent executed within a user network device, a plurality of wireless data networks that are available for connection by the user network device for secure communications with a second network device in a secure peer-to-peer data network, and maintaining a history of each of the wireless data networks; determining for each of the wireless data networks, by the first security agent, a corresponding risk assessment that identifies a corresponding risk in encountering a cyber threat on the corresponding wireless data network; and supplying, to a second security agent executed within the user network device, a recommendation for connecting to a wireless data link identified as avoiding the cyber threat during the secure communications, wherein the user network device has a two-way trusted relationship with the second network device in the secure peer-to-peer data network.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: April 2, 2024
    Assignee: WhiteStar Communications, Inc.
    Inventor: Billy Gayle Moon
  • Patent number: 11943223
    Abstract: A computerized method for restricting communications between virtual private cloud networks comprises creating a plurality of security domains. Each of the plurality of security domains identifies gateways associated with one or more virtual private cloud networks. Also, the method features generating transit routing data stores in accordance with each of the plurality of security domains; determining whether a connection policy exists between at least a first security domain and a second security domain of the plurality of security domains; and precluding communications between gateways associated with the first security domain and gateways associated with the second security domain in response to determining that no connection policy exists between the first security domain and the second security domain.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: March 26, 2024
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Shanshan Xu
  • Patent number: 11941673
    Abstract: An example operation may include one or more of monitoring, by a blockchain node, a delivery of a service to a first node from a second node based on a service contract and an order retrieved from a blockchain, determining, by the blockchain node, an incremental charge for a partial delivery of the service based on the monitoring, and executing, by the blockchain node, a smart contract to issue the incremental charge for the partial delivery of the service, and responsive to a resolution of a dispute raised for the incremental charge, add the incremental charge to an incremental invoice.
    Type: Grant
    Filed: September 2, 2022
    Date of Patent: March 26, 2024
    Assignee: International Business Machines Corporation
    Inventors: Yedendra Shrinivasan, Krishnasuri Narayanam, Seep Goel, Abhishek Singh, Vishnu Choudhary
  • Patent number: 11937127
    Abstract: A device may include a processor configured to establish a data traffic flow for a user equipment (UE) device and determine per flow descriptor attributes associated with the data traffic flow, wherein the per flow descriptor attributes identify at least a source, a destination, and a protocol associated with the data traffic flow. The processor may be further configured to determine at least one additional per flow descriptor attribute for the data traffic flow and send the per flow descriptor attributes and the at least one additional per flow descriptor attribute to a network exposure device of a core network, wherein the network exposure device is configured to communicate with servers outside the core network.
    Type: Grant
    Filed: September 6, 2022
    Date of Patent: March 19, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: David Taft, Nicklous D. Morris, Parry Cornell Booker, Ye Huang, Jerry Steben, Maqbool Chauhan, Kalyani Bogineni
  • Patent number: 11936648
    Abstract: Methods and apparatus for allowing an individual to preserve his/her privacy and control the use of the individual's images and/or personal information by others, without disclosing the identity of the individual to others, are described. In various embodiments the individual seeking privacy provides his/her identifying information, images, and sharing preferences indicating desired level of privacy to a control device which is then stored in a customer record. The control device can be queried to determine if an image or other information corresponds to a user who has restricted use of his/her image or other information in a public manner. Upon receiving a query the control device determines using the stored customer record whether an individual has authorized use of his or her image. Based upon the determination a response is sent to the querying device indicating whether the use of the image and/or individual's information is authorized.
    Type: Grant
    Filed: August 8, 2021
    Date of Patent: March 19, 2024
    Assignee: Cecelumen, LLC
    Inventor: James S Buscemi
  • Patent number: 11935633
    Abstract: The present invention relates to a system and method of provisioning mobile device security settings to provide authorized users with secure access. The system and method uses a generated, computer-readable authentication code that is read by a mobile device. The authentication code enables an unprovisional mobile device to request security credentials to enable a user of the mobile device to connect to a secured system.
    Type: Grant
    Filed: October 24, 2014
    Date of Patent: March 19, 2024
    Assignee: Epic Systems Corporation
    Inventors: Janet L. Campbell, Michael R. Epley, Dustin Gage, Brian Weisberger
  • Patent number: 11936653
    Abstract: A solution is proposed for reviewing a control of access in an information technology system. A corresponding method comprises retrieving an indication of granted accesses to objects, being granted to subjects according to policies based on attributes. Virtual roles (each defined by one or more of the attributes) are determined according to a correlation among access types of the granted accesses and the attributes of the subjects being granted them. A computer program and a computer program product for performing the method are also proposed. Moreover, a system for implementing the method is proposed.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: March 19, 2024
    Assignee: International Business Machines Corporation
    Inventors: Leonardo Rosati, Alberto Novello, Fabrizio Petriconi, Anna Filomena Bufi
  • Patent number: 11929984
    Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: March 12, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Hanes, Gonzalo Salgueiro, Sebastian Jeuk, Robert Edgar Barton
  • Patent number: 11928231
    Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
    Type: Grant
    Filed: March 7, 2023
    Date of Patent: March 12, 2024
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11928241
    Abstract: A system, method, and computer program product are provided for consent management. A method may include receiving a first data request for user data associated with a user, the user data stored in a user data database; communicating a consent request to the requester system; receiving a consent response from the requester system; storing consent data associated with the consent response for the user data requested in the first data request in an immutable ledger; receiving a consent verification request from the user data database, the consent verification request based on a second data request for the user data from the requester system to the user data database; verifying the consent verification request based on the consent data; and communicating a consent verification response to the user data database, the consent verification response indicating consent from the user to share the user data with the requester system.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: March 12, 2024
    Assignee: Visa International Service Association
    Inventors: Kimberly E. Bella, Nirmal Kumar Baid, Robert B. Hedges, Jr., David Alan Henstock, Shashi Kumar Velur, Sonia Gupta, Cindy Hong, Jonathan Twichell
  • Patent number: 11930025
    Abstract: A device that is configured to receive user activity information that includes information about user interactions with a network device for a plurality of users. The device is further configured to input the user activity information into a first machine learning model that is configured to receive user activity information and to output a set of bad actor candidates based on the user activity information. The device is further configured to filter the user activity information based on the set of bad actor candidates. The device is further configured to input the filtered user activity information into a second machine learning model that is configured to receive the filtered user activity information and to output system exposure information that identifies network security threats. The device is further configured to identify network security actions based on the network security threats and to execute the network security actions.
    Type: Grant
    Filed: April 15, 2021
    Date of Patent: March 12, 2024
    Assignee: Bank of America Corporation
    Inventors: Daniel Joseph Serna, Marcus Raphael Matos, Patrick N. Lawrence, Christopher Lee Danielson
  • Patent number: 11929999
    Abstract: A node provides a service to a client node in a network. The node is configured to execute a code for providing the service to the client node in an enclave of a trusted execution environment (TEE) and to execute a code library in the enclave to attest to the client node the identity of the service provided. The service provided to the client node may be a distributed service including a result of a cooperation of a plurality of neighbor nodes, which are connected to the node either directly or through other intermediate nodes. The code library is configured to attest to the client node the identity of the distributed service.
    Type: Grant
    Filed: March 12, 2021
    Date of Patent: March 12, 2024
    Assignee: HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.
    Inventors: Dan Touitou, Avigail Oron
  • Patent number: 11921853
    Abstract: A vehicle computer system includes one or more sensors configured to receive input regarding a vehicle's environment, and a controller in communication with the one or more sensors of the vehicle. The controller is configured to identify a cyber-attack on one or more vehicle controllers in the vehicle, and respond to the cyber-attack based upon at least the vehicle environment.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: March 5, 2024
    Assignee: Denso Corporation
    Inventors: Stefan Filipek, Remma Takeuchi
  • Patent number: 11914674
    Abstract: Specification covers new algorithms, methods, and systems for: Artificial Intelligence; the first application of General-AI (versus Specific, Vertical, or Narrow-AI) (as humans can do) (which also includes Explainable-AI or XAI); addition of reasoning, inference, and cognitive layers/engines to learning module/engine/layer; soft computing; Information Principle; Stratification; Incremental Enlargement Principle; deep-level/detailed recognition, e.g., image recognition (e.g., for action, gesture, emotion, expression, biometrics, fingerprint, tilted or partial-face, OCR, relationship, position, pattern, and object); Big Data analytics; machine learning; crowd-sourcing; classification; clustering; SVM; similarity measures; Enhanced Boltzmann Machines; Enhanced Convolutional Neural Networks; optimization; search engine; ranking; semantic web; context analysis; question-answering system; soft, fuzzy, or un-sharp boundaries/impreciseness/ambiguities/fuzziness in class or set, e.g.
    Type: Grant
    Filed: December 6, 2021
    Date of Patent: February 27, 2024
    Assignee: Z ADVANCED COMPUTING, INC.
    Inventors: Lotfi A. Zadeh, Saied Tadayon, Bijan Tadayon
  • Patent number: 11916942
    Abstract: Techniques for automated identification of false positives in DNS tunneling detectors are disclosed. In some embodiments, a system, process, and/or computer program product for automated identification of false positives in DNS tunneling detectors includes receiving a set of passive DNS data, wherein the set of passive DNS data includes a DNS query and a DNS response for resolution of the DNS query for each of a plurality of DNS queries; extracting a plurality of features associated with each domain in the set of passive DNS data; and classifying DNS tunneling activities and performing false positive reduction using the plurality of features associated with each domain in the set of passive DNS data to reduce false positive detections.
    Type: Grant
    Filed: July 2, 2021
    Date of Patent: February 27, 2024
    Assignee: Infoblox Inc.
    Inventor: Peter Boord
  • Patent number: 11916874
    Abstract: Provided in some embodiments are systems and methods for determining a data flow path including a plurality of network devices for routing data from a first network device to a second network device; determining for the network devices one or more flow rules that specify an input for receiving data, an output for outputting data, and a role tag indicative of a role of a network device, where the role tag for one or more flow rules for a first network device of the network devices indicates a source role; distributing, to the network devices, the one or more flow rules; determining malicious activity on the data flow path; determining that the first network device is a source based at least in part on the role tag for the first network device; and sending, to the first network device, a blocking flow rule to inhibit routing of malicious data.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 27, 2024
    Assignee: McAfee, LLC
    Inventors: Shivakrishna Anandam Mulka, Shankar Subramanian, Jayakrishnan Karunakaran Nair, Gopal Agrawal, Shankar Ganesh Pillaiyar Nattamai Jeyaprakash
  • Patent number: 11917080
    Abstract: There is disclosed in one example a network gateway device, including: a hardware platform including a processor and a memory; a network interface, including network interface hardware; and instructions encoded within the memory to instruct the processor to: receive from an endpoint device, via the network interface, a signed security posture data structure, the signed security posture data structure including information about a security posture of the endpoint device; cryptographically verify the signed security posture data structure; and according to the signed security posture data structure, assign a network security policy to the endpoint device.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 27, 2024
    Assignee: McAfee, LLC
    Inventors: Tirumaleswar Reddy Konda, Shashank Jain, Piyush Pramod Joshi, Himanshu Srivastava
  • Patent number: 11914398
    Abstract: A method for controlling a robot is provided. The method includes the steps of: acquiring information on status of communication connections between a plurality of robots located in a serving place, wherein the status of communication connections between the plurality of robots is specified with respect to at least one relay robot among the plurality of robots; and determining a communication scheme to be used between the plurality of robots, with reference to the information on the status of communication connections between the plurality of robots.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: February 27, 2024
    Assignee: Bear Robotics, Inc.
    Inventor: John Jungwoo Ha
  • Patent number: 11916962
    Abstract: Disclosed are examples related to data driven interfaces for decoupling management system components from a manufacturer or a platform of client devices managed by the management system. In some examples, among others, a system can generate a data driven interface template that can be used to cause rendering of a data driven user interface for configuring a profile payload of a device profile for the client device. The system can generate, based on values associated with the data driven user interface, a profile document in an instance in which values are obtained from the data driven user interface. In some aspects, the profile document is a generic representation of the profile payloads for the platform, the manufacturer or the type of the client device.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: February 27, 2024
    Assignee: VMware, Inc.
    Inventors: Adarsh Subhash Chandra Jain, Bhavesh Krishna Kumar, Sachin Ramachandran, Naveen Pitchandi, Allan Howard, Kai Chen
  • Patent number: 11916949
    Abstract: A computer-implemented method of monitoring activity of devices in a network is provided. The method comprises passively collecting data regarding how the devices access the network, and for each device on the network, identifying all other devices on the network with which the device communicates. All communication traffic from the devices to outside the network is identified. A determination is made if there are any required updates and if patches for the devices execute in a fashion defined as safe. A number of risk indicators for privacy risks are determined according to device communication within the network, device communication to outside the network, and update and patch execution. A visualization of any identified risk factors is displayed to a user through a user interface.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: February 27, 2024
    Assignee: National Technology & Engineering Solutions of Sandia, LLC
    Inventors: Vincent Urias, Brian P. Van Leeuwen, Douglas M. Kayatt, Jr.
  • Patent number: 11916775
    Abstract: A control plane system for providing data exchange between a plurality of gateway endpoints using a secure tunnel between the gateway endpoints. The system includes an end-user device, a cloud control plane, and a cloud provider. The end-user device includes a client endpoint providing a request for accessing data using a gateway device by sending data packets. The cloud control plane uses a data plane and a control plane for provisioning the request. The control plane is isolated from the data plane. Routing information of network traffic is received, a tenant associated with the request is identified and isolated. A network policy associated with the access to the data is identified based on the network patterns. The network policy specifies routing for access to the data and the secure tunnel. The access to the data is provided from the cloud provider to the client endpoint on the gateway device.
    Type: Grant
    Filed: March 17, 2023
    Date of Patent: February 27, 2024
    Assignee: Netskope, Inc.
    Inventors: Parag Pritam Thakore, Sunil Mukundan, Anupam Rai
  • Patent number: 11916968
    Abstract: Embodiments are directed to managing and monitoring endpoint activity in secured networks. In response to a client request being provided to an agent associated with the resource server. A driver associated with the resource server may be determined based on the client request. The client request may be provided to the resource server via a second network connection. Responses from the resource server may be provided to a server-tee module such that the server-tee module provides a copy of the responses to the server-handler module; employing the server-handler module to generate log information based on the copied responses; employing the server-tee module to modify the responses from the resource server such that the responses are forwarded to the client via the first network connection over the overlay network; or the like.
    Type: Grant
    Filed: August 21, 2023
    Date of Patent: February 27, 2024
    Assignee: strongDM, Inc.
    Inventors: Carlos Ulderico Cirello Filho, Philip D. Hassey
  • Patent number: 11907402
    Abstract: Computer-implemented methods, apparatuses, and computer program products are provided for frequency based operations. An example computer-implemented method includes receiving a request for data transfer of a plurality of data elements of a production data environment to a non-production data environment. The method includes determining an access frequency associated with each data element and grouping each data element into a first set of data elements or a second set of data elements based upon the determined access frequency. The method further includes refreshing the first set of data elements according to a first refresh protocol defining a first refresh rate and refreshing the second set of data elements according to a second refresh protocol defining a second refresh rate less than the first refresh rate. The method also includes outputting the plurality of data elements to the non-production data environment.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: February 20, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ananya Bandyopadhyay, Shalini Jha
  • Patent number: 11907407
    Abstract: Implementations of the present disclosure include providing a graph representative of a network, a set of nodes representing respective assets, each edge representing one or more lateral paths between assets, the graph data including configurations affecting at least one impact that has an effect on an asset, determining multiple sets of fixes for configurations, each fix having a cost associated therewith, incorporating fix data of the sets of fixes into the graph, defining a set of fixes including one or more fixes from the multiple sets of fixes by defining an optimization problem that identifies one or more impacts that are to be nullified and executing resolving the optimization problem to define the set of fixes, each fix in the set of fixes being associated with a respective configuration in the graph, and scheduling performance of each fix in the set of fixes based on one or more operational constraints.
    Type: Grant
    Filed: December 15, 2021
    Date of Patent: February 20, 2024
    Assignee: Accenture Global Solutions Limited
    Inventors: Eitan Hadar, Amin Hassanzadeh, Anup Nayak
  • Patent number: 11907212
    Abstract: Provided herein are systems and methods for configuring trace events. A system includes at least one hardware processor coupled to a memory and configured to instantiate a user code runtime to execute user-defined function (UDF) code. The user code runtime is instantiated within a sandbox process of an execution node. An application programming interface (API) call is detected during execution of the UDF code. The API call includes one or more configurations of a trace event. Telemetry information is collected based on the one or more configurations. The telemetry information is associated with the trace event using a telemetry API. The telemetry API corresponds to the API call. The telemetry information is formatted using the telemetry API, to generate structured telemetry information. The at least one hardware processor causes ingestion of the structured telemetry information into an event table.
    Type: Grant
    Filed: March 31, 2023
    Date of Patent: February 20, 2024
    Assignee: Snowflake Inc.
    Inventors: Tyson J. Hamilton, Qinye Li, Steven Parkes, Xie Xu
  • Patent number: RE49870
    Abstract: A system for controlling an electricity supply to a load comprises at least one battery for storing energy. The system also comprises a controller for determining when to switch between a first mode wherein electricity is supplied to the load from a mains electricity circuit; and a discharging mode wherein electricity is supplied from the battery to the load via the mains electricity circuit. The determining is based on information associated with the electricity supply.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: March 12, 2024
    Assignee: The Technology Partnership PLC
    Inventors: Mathew R. Palmer, Antony W. Rix, David R. Anderson, David S. Smith, Matthew C. B. Lumb