Policy Patents (Class 726/1)
  • Patent number: 11811828
    Abstract: A computer may receive editing instructions that specify one or more changes to filters in an existing access control list or a template for an access control list. Then, the computer may dynamically generate the clone access control list by applying the editing instructions to the existing access control list or the template for the access control list. For example, the computer may provide the editing instructions to a computer network device (such as a switch or a router) that are applied to the existing access control list or the template for the access control list while the computer network device is processing data packets. Alternatively, the computer may apply the editing instructions to the existing access control list or the template for the access control list that is not currently installed on the computer network device, and may provide the access control list to the computer network device.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: November 7, 2023
    Assignee: ARRIS Enterprises LLC
    Inventor: Rakesh G. Hansalia
  • Patent number: 11811736
    Abstract: Systems, methods, and storage media useful in a computing platform to automatically generate and deploy access control list (ACL) rules for one or more firewalls in a data center are provided. The computing platform is vendor-agnostic and generates ACL rules in multiple syntaxes depending on the firewall needing updating. The platform traverses a data center mapping structure to identify one or more firewalls to be updated for a destination IP address and source IP address and automatically generates the ACL rule in the syntax for the one or more firewalls identified.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: November 7, 2023
    Assignee: Cerner Innovation, Inc.
    Inventors: Chandrika Allam, Jose Pulickal, Priyanka Bandaru, Neha Bhandari, Ravindra Gadad, Dhananjay Gawali, Pravat Santra, John Moratelli, Kevin Hurst, John Ulmer
  • Patent number: 11811855
    Abstract: Systems and methods for policy based agentless file transfer in zero trust private networks. Various systems and methods include receiving a request for a file transfer; determining a file transfer protocol; evaluating one or more criteria associated with the request, the criteria being associated with any of an end user and the contents of the file; and allowing or denying the file transfer based on the evaluating. Responsive to an end user's policy including a requirement for file inspection, the steps can further include sending the file to a sandbox for inspection, and receiving a result of the inspection from the sandbox.
    Type: Grant
    Filed: May 1, 2023
    Date of Patent: November 7, 2023
    Assignee: Zscaler, Inc.
    Inventors: Dejan Mihajlovic, Monica Bhaskaran, Mithun A S, Sunita Darbarwar, Rakesh Adepu, Sandip Davara, Abhijeet Malik, Mahesh Krishna Kumar, Kanti Varanasi, William Fehring, John A. Chanak, Sunil Menon
  • Patent number: 11811770
    Abstract: There are provided systems and methods for a data access notification alert mechanism that monitors for any data access request at a user database of the service provider and sends an electronic notification message to the user when such data access request is detected. Specifically, the data access notification alert mechanism may be implemented with a server, which in turn provides an application programming interface (API) to be integrated with the service provider server, and the API may be called by the service provider database to send a message to the user when a database query to the user information is received at the database.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: November 7, 2023
    Assignee: PayPal, Inc.
    Inventor: Riaz Ebrahim Mohamed
  • Patent number: 11811829
    Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to modify at least one header in a request for content based on a requirement for a network source.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: November 7, 2023
    Assignee: DOPE.SECURITY INC.
    Inventor: Kunal Agarwal
  • Patent number: 11811518
    Abstract: A method including monitoring, by a processor associated with a first device having an established VPN connection with a VPN server and an established meshnet connection with a second device, communication of transmission packets to be transmitted by the first device; receiving, by the processor, a transmission packet to be transmitted by the first device; determining, by the processor, a destination associated with the transmission packet based at least in part on metadata included in the transmission packet; and routing, by the processor, the transmission packet for transmission via the VPN connection or for transmission via the meshnet connection based at least in part on determining whether the second device is the destination associated with the transmission packet. Various other aspects are contemplated.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11811917
    Abstract: Embodiments for a system and method for secure authentication of backup clients in a way that eliminates the need to create users for backup client authentication anywhere in the backup ecosystem, and which eliminates the need for credentials, such as passwords that need protection, updating and synchronization. Such embodiments use a short-term token, such as a JSON web token, for both client and server authentication within the system, and verifies that the tokens grant access using the public key corresponding to the private key assigned to the directory objects by the creator of the directory objects.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: November 7, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Senthil Ponnuswamy, Donna Barry Lewis, Andrew R. Huber, Naveen Rastogi, George Mathew
  • Patent number: 11811517
    Abstract: A method including determining, by a first device having an established virtual private network (VPN) connection with a VPN server and an established meshnet connection with a second device in a mesh network, a transmission packet to be transmitted by the first device; and transmitting, by the first device, the transmission packet to the second device utilizing the meshnet connection based at least in part on determining that a destination associated with the transmission packet is the second device or to the VPN server utilizing the VPN connection based at least in part on determining that the destination associated with the transmission packet is a device other than the second device. Various other aspects are contemplated.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11811732
    Abstract: A method including configuring a security device to receive, from a user device, a transmission packet; configuring the security device to determine, based on a destination IP address, whether the user device is permitted to transmit the transmission packet; configuring the security device to determine, based on determining that the user device is permitted to transmit the transmission packet, whether the user device is permitted to transmit to a port associated with the destination IP address; configuring the security device to determine, based on determining that the user device is permitted to transmit to the port, whether the user device is permitted to utilize a protocol utilized by the user device; and configuring the security device to determine, based on determining that the user device is permitted to utilize the protocol, whether the user device is permitted to utilize a web application utilized by the user device is disclosed.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: November 7, 2023
    Assignee: UAB 360 IT
    Inventors: Juta Gurinaviciute, Carlos Eliseo Salas Lumbreras
  • Patent number: 11803432
    Abstract: In an embodiment, a data platform creates an application in a data-provider account. The application includes one or more APIs corresponding to one or more underlying code blocks. The data platform shares provider data with the application in the data-provider account, and also installs, in a data-consumer account, an application instance of the application. The application instance includes one or more APIs corresponding to the one or more APIs in the application in the data-provider account. The data platform shares consumer data with the application instance in the data-consumer account, and invokes one or more of the APIs of the application instance to execute respective associated underlying code blocks, which are not visible to the data-consumer account. The data platform also saves output of the one or more respective associated underlying code blocks locally within the data-consumer account.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: October 31, 2023
    Assignee: Snowflake Inc.
    Inventors: Artin Avanes, Thierry Cruanes, Monica J. Holboke, Allison Waingold Lee, Subramanian Muralidhar, David Schultz
  • Patent number: 11805127
    Abstract: Presented herein are systems and methods for processing tokens in identity assertions for access control to resources. A server may receive, via an interface from a gateway, a request to permit a customer device to access a resource associated with the server. The request may include an identifier for the customer device and a first token used to authenticate the customer device at the gateway. The server may generate, responsive to validating the first token, a second token to be used to authorize the customer device at the server for access to the resource. The server may store, on a database, an association identifying the identifier, the first token, and the second token. The server may perform the server, an action to permit the customer device access to the resource associated with the server based on the association maintained on the database.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: October 31, 2023
    Assignee: CITICORP CREDIT SERVICES, INC. (USA)
    Inventors: Gayathri Sundar, Mayank Shah
  • Patent number: 11804986
    Abstract: A method is provided for the remote management of a device connected to a residential gateway, including, when performed by the gateway: intercepting a request coming from the device including an address of a first server for which the request is intended, the purpose of the request being to obtain an address of a second server with which the device must be connected; determining a processing operation to be applied to the request, an identifier of the device contained in the request and configuration information obtained from an operator, the configuration information including information representing a set of devices, the plurality of processing operations including a processing operation applied when the device belongs to the set, including responding to the request without contributing the first server. When the processing to be applied is a redirection, a response is provided to the request containing the address of the second server.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: October 31, 2023
    Assignee: SAGEMCOM BROADBAND SAS
    Inventors: Isabelle Campagnac, Fabrice Cluzeau
  • Patent number: 11805136
    Abstract: A technique includes accessing, by a computer, a container image that is built at least in part inside a virtual machine instance; and accessing, by the computer, an image of the virtual machine instance. Pursuant to the technique, the container image and the image of the virtual machine instance are scanned for security issues; and a result of the scanning is displayed by the computer.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: October 31, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Rijil Abraham, Prabhu Murthy, Chandrasekaran Natarajan
  • Patent number: 11799918
    Abstract: A method for identifying an active administration function (ADMF) in a lawful interception deployment that utilizes an ADMF set comprising a plurality of ADMFs can be implemented by a network element. The method can include exchanging lawful interception signaling with a first ADMF when the first ADMF is the active ADMF. The method can also include receiving an auditing request message from one of the plurality of ADMFs in the ADMF set and sending a ping request message to each ADMF in the ADMF set. The method can also include receiving a ping response message from a second ADMF among the plurality of ADMFs in the ADMF set and identifying the second ADMF as the active ADMF in response to receiving the ping response message. The method can also include exchanging second lawful interception signaling with the second ADMF when the second ADMF is the active ADMF.
    Type: Grant
    Filed: June 16, 2021
    Date of Patent: October 24, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Neeraj Surana, Kantha Rao Dammalapati
  • Patent number: 11797313
    Abstract: Systems, method, and non-transitory computer readable storage medium are provided for configuring an information computing machine during execution of a kernel image. The system can create a file system from a base file system image in system memory of the computing system, apply configuration files from a bundle image to the file system in memory, copy files from a persistent file system stored in the storage resource to memory, validate the files from the persistent file system, and apply validated files to the file system in memory. The base file system image and bundle image can be verified by comparing a signed hash of the image with a hash generated by the initial file system and checking the hash signature against a public certificate included in the initial filesystem. The system can further execute /sbin/init and start application services.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: October 24, 2023
    Assignee: FORCEPOINT FEDERAL HOLDINGS LLC
    Inventors: Mickey J. Malone, II, Jacob Minnis
  • Patent number: 11799829
    Abstract: A method including configuring a security device to receive registration information indicating groups of user devices; configuring the security device to receive policy information indicating respective filtering policies for each group of user devices; configuring the security device to receive a transmission packet for transmission to a destination device over an open internet; configuring the security device to determine, based on the registration information, the group of user devices to which the user device belongs; configuring the security device to determine, based on the policy information and on determining the group to which the user device belongs, whether the user device is permitted to transmit the transmission packet; and configuring the security device to selectively block transmission of the transmission packet based on determining whether the user device is permitted to transmit the transmission packet is disclosed.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: October 24, 2023
    Assignee: UAB 360 IT
    Inventors: Juta Gurinaviciute, Carlos Eliseo Salas Lumbreras
  • Patent number: 11797695
    Abstract: A processing control system includes: at least one terminal device that is used by at least one user; a monitoring unit that monitors a security status of the at least one terminal device; and a control unit that controls, in a case where the security status which relates to executing processing instructed from the at least one user does not meet a condition, the processing including plural sub-processing operations on the at least one terminal device, execution of each of the sub-processing operations on the at least one terminal device based on the security status of the at least one terminal device.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: October 24, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Kentaro Takano
  • Patent number: 11797703
    Abstract: A technique and system protects documents at rest and in motion using declarative policies, access rights, and encryption. Methods, techniques, and systems control access to documents and use of content in documents to support information management policies.
    Type: Grant
    Filed: September 28, 2021
    Date of Patent: October 24, 2023
    Assignee: Next Labs, Inc.
    Inventors: Keng Lim, Poon Fung
  • Patent number: 11797685
    Abstract: An automated method executed by circuitry is provided for monitoring a software platform including multiple pods that manage, deploy, and execute micro services. The method uses monitoring pods at locations of interest in the software platform to label transactions that pass through the monitoring pods. The labels applied to the transactions are sent to a security program for review.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: October 24, 2023
    Assignee: Check Point Software Technologies LTD.
    Inventor: Ilan Uriel
  • Patent number: 11799828
    Abstract: A method including receiving, by a security device, registration information indicating groups to which user devices belong; receiving, by the security device, policy information indicating respective filtering policies for each group of user devices; receiving, from a user device, a transmission packet for transmission to a destination device over an open Internet; determining, by the security device based on the registration information, the group of user devices to which the user device belongs; determining, by the security device based on the policy information and on determining the group of user devices to which the user device belongs, whether the user device is permitted to transmit the transmission packet to the destination device; and selectively blocking, by the security device, transmission of the transmission packet on determining whether the user device is permitted to transmit the transmission packet to the destination device is disclosed. Various other aspects are contemplated.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: October 24, 2023
    Assignee: UAB 360 IT
    Inventors: Juta Gurinaviciute, Carlos Eliseo Salas Lumbreras
  • Patent number: 11797677
    Abstract: Methods and apparatus consistent with the present disclosure may be performed by a Cloud computing device may use instrumentation code that remains transparent to an application program that the instrumentation code has been injected into, may perform deep packet inspection (DPI) on computer data, or identify a content rating associated with computer data. In certain instances, data sets that include executable code may be received via packetized communications or be received via other means, such as, receiving a file from a data store. The present technique allows one or more processors executing instrumentation code to monitor actions performed by the program code included in a received data set. Malware can be detected using exception handling to track memory allocations of the program code included in the received data set. Furthermore, access to content associated with malware, potential malware, or with inappropriate content ratings may be blocked.
    Type: Grant
    Filed: January 25, 2022
    Date of Patent: October 24, 2023
    Assignee: SonicWALL Inc.
    Inventors: Aleksandr Dubrovsky, Soumyadipta Das, Senthilkumar Gopinathan Cheetancheri
  • Patent number: 11799768
    Abstract: An event routing service may be used to implement lightweight reactive workflows through internal event generation and matching. The service may receive, from a client, specification of event routing rules as well as internal event rules. The internal event rules specified by the client are for matching internal events generated by the service and performing actions in response to the matching of the internal events. For example, when the event routing service determines that one of the incoming events has been successfully delivered to a target service, then the event routing service generates an internal event indicating the successful delivery. The event routing service determines that the internal event matches one of the internal event rules specified by the client. In response, the service performs an action specified by the internal event rule (e.g., send the incoming event to another target or generate a message).
    Type: Grant
    Filed: September 9, 2021
    Date of Patent: October 24, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Rishi Baldawa
  • Patent number: 11799915
    Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to segment network traffic associated with a request for content from a network source, based on a comparison of the network source against a policy, between at least one of directly accessing the content from the network source and indirectly accessing the content via a remote cloud device by rerouting the network traffic from an end user device to the remote cloud device.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: October 24, 2023
    Assignee: DOPE.SECURITY INC.
    Inventor: Kunal Agarwal
  • Patent number: 11789783
    Abstract: An apparatus includes a processor and a memory that stores a deep Q reinforcement learning (DQN) algorithm configured to generate an action, based on a state. Each action includes a recommendation associated with a computational resource. Each state identifies at least a role within an enterprise. The processor receives information associated with a first user, including an identification of a first role assigned to the user and computational resource information associated with the user. The processor applies the DQN algorithm to a first state, which includes an identification of the first role, to generate a first action, which includes a recommendation associated with a first computational resource. In response to applying the DQN algorithm, the processor generates a reward value based on the alignment between the first recommendation and the computational resource information associated with the first user. The processor uses the reward value to update the DQN algorithm.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: October 17, 2023
    Assignee: Bank of America Corporation
    Inventors: Bhaswati Mitra, Sheirly Stephen Soans, Oliver Sampson, Prasanna Soppimath, MadhuSudhanan Krishnamoorthy, Dimple Kapadia
  • Patent number: 11792235
    Abstract: Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.
    Type: Grant
    Filed: January 12, 2023
    Date of Patent: October 17, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11792212
    Abstract: The IOC Infrastructure management system (100) and method is disclosed for building an IOC infrastructure and its management thereof. The system mainly includes an IOC processing unit and an endpoint engine. The IOC processing unit is configured to i) source raw IOCs from a plurality of external sources, ii) convert format of the raw IOCs into a predetermined format of an IOC database using a parser unit, where each parser of the parser unit corresponds to at least one IOC format, iii) build and apply syntax tree to the parsed IOCs, where the syntax tree supports complex expression-based toolsets, such as YARA, and sort the IOCs lexicographically to avoid duplication of IOC entry and render the malware detection scanning process faster and efficient.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: October 17, 2023
    Assignee: Acronis International GmbH
    Inventors: Andrey Kulaga, Danil Cherepanov, Nikolay Grebennikov, Serguei Beloussov, Stanislav Protasov
  • Patent number: 11792234
    Abstract: A policy-based browser system for managing browser extensions used to access functionalities on a web browser in a cloud-based multi-tenant system. The policy-based browser system includes a client device, a web server configured to provide the functionality of the browser extension on a web browser of the client device, and a mid-link server. The network traffic from the client device is monitored to identify traffic patterns, risk is determined associated with the browser extension based on the traffic patterns, and a correlation of the browser extension with a plurality of browser extensions. A policy for the browser extension is identified based on the risk. The policies specify access to the browser extensions based on the risk associated with the browser extensions. The browser extensions are categorized based on the policies and the risk. An authorization corresponding to the browser extension is determined based on the policy.
    Type: Grant
    Filed: November 11, 2022
    Date of Patent: October 17, 2023
    Assignee: Netskope, Inc.
    Inventor: James S. Robinson
  • Patent number: 11792151
    Abstract: Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: October 17, 2023
    Assignee: VMWARE, INC.
    Inventors: Tejas Sanjeev Panse, Aditi Vutukuri, Arnold Koon-Chee Poon, Rajiv Mordani, Margaret Petrus
  • Patent number: 11782903
    Abstract: Database writeback using an intermediary statement generator including receiving, by a statement generator, a table update request to update a table within a database on a cloud-based data warehouse, wherein the table update request comprises an update value and a selection of a row and a column from the table; verifying, by the statement generator, that the selection is updatable; generating, by the statement generator based on the selection and in response to the verification, an update database statement comprising a table identifier, a column identifier, a row identifier, and the update value; and sending, by the statement generator, the update database statement to the database on the cloud-based data warehouse, wherein the table of the database is updated in response to receiving the update database statement.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: October 10, 2023
    Assignee: SIGMA COMPUTING, INC.
    Inventors: Robert C. Woollen, Jason D. Frantz, Max H. Seiden
  • Patent number: 11785041
    Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
    Type: Grant
    Filed: March 16, 2022
    Date of Patent: October 10, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Blake Harrell Anderson, Daniel G. Wing, Flemming Andreasen
  • Patent number: 11784978
    Abstract: Disclosed herein are a method for establishing a remote work environment for ensuring the security of a user terminal for remote work and an apparatus using the method. The method, performed by the apparatus, includes acquiring media image creation information from a user; creating a certificate for VPN access based on the media image creation information and creating a media image using the media image creation information and the certificate for VPN access; and providing the media image to the user such that the user is able to create a medium for remote work. The user terminal for remote work is booted through the medium for remote work, thereby configuring a runtime environment for remote work in which security is ensured.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: October 10, 2023
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Seung-Hun Han, Ju-Hyung Son, Tae-Ho Nam, Ara Jo, Gak-Soo Lim, Byung-Joon Kim
  • Patent number: 11783054
    Abstract: A method and system for security flow analysis of application code comprising: detecting data flows in a code base; and extracting an information flow, comprising determining a primary data flow by identifying a data flow that contains exposed data, and extending the primary data flow through descriptor data flows, wherein the descriptor data flows are associated with the set of data tracked by the primary data flow; wherein the information flow is a high level flow description that exposes the application code vulnerabilities based on the primary data flow and all associated descriptor data flows.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: October 10, 2023
    Assignee: ShiftLeft Inc
    Inventors: Fabian Yamaguchi, Markus Lottmann, Niko Schmidt, Vlad A Ionescu, Chetan Conikee
  • Patent number: 11783072
    Abstract: A method includes providing a data set to an artificial intelligence filter trained to detect sensitive data based on sensitive data rules and detect one or more sensitive data values in the data set. The one or more sensitive data values are replaced with one or more substitute values in the data set, and the data set is associated with a key value. The data set is sent with the one or more substitute values to a third-party service to obtain a result. The key value associated with the result is identified. The one or more sensitive data values associated with the one or more substitute values are determined based on the key value. The one or more substitute values are replaced with the one or more sensitive data values in combination with a portion of the result to create a modified result.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: October 10, 2023
    Assignee: THE TRAVELERS INDEMNITY COMPANY
    Inventor: Hoa Ton-That
  • Patent number: 11783069
    Abstract: A collection of documents or other files and the like within an enterprise network are labelled according to an enterprise document classification scheme, and then a recognition model such as a neural network or other machine learning model can be used to automatically label other files throughout the enterprise network. In this manner, documents and the like throughout an enterprise can be automatically identified and managed according to features such as confidentiality, sensitivity, security risk, business value, and so forth.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: October 10, 2023
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 11784994
    Abstract: A management device includes a receiving unit that receives a link request to link a user ID of a user from a link origin, and a control unit that, in response to the link request, requests the user to input unique information of the link origin, and does not execute a linking of the user ID in a case in which the unique information input from the user is incorrect.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: October 10, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Junya Kato
  • Patent number: 11785050
    Abstract: A security management system for a remote working environment, a computer program therefor, and a method therefor are provided. The security management system monitors and tracks a behavior of an endpoint in real time after execution of a process or a network access time point. Furthermore, the security management system monitors a behavior of an operating system level on the endpoint to which the security policy is not applied in real time to detect a behavior which threatens the security management system and controls the endpoint. Furthermore, the security management system corrects and manages the security policy in response to a request about exception application of a predetermined security policy in real time to flexibly perform security management of the endpoint.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: October 10, 2023
    Assignee: Somma, Inc.
    Inventor: Yonghwan Roh
  • Patent number: 11775184
    Abstract: According to one embodiment, a memory system includes a first nonvolatile memory, a second nonvolatile memory and a controller. The first nonvolatile memory includes a first memory element. The second nonvolatile memory includes a second memory element in which data is able to be written only once. The second memory element stores first key information. The controller receives second key information stored in an information processing apparatus, generates a first key using the first key information and the second key information, and generates a second key using at least the first key. The controller encrypts data, which is to be written into the first nonvolatile memory, with the second key, and decrypts data, which is read from the first nonvolatile memory, with the second key.
    Type: Grant
    Filed: September 10, 2020
    Date of Patent: October 3, 2023
    Assignee: Kioxia Corporation
    Inventors: Kentaro Umesawa, Teruji Yamakawa
  • Patent number: 11775356
    Abstract: During operation, the system receives a request, via a REST API, for data stored in a database which uses a schema associated with a current version, wherein the request indicates a version of the REST API. Responsive to determining that the indicated version is a prior version of the REST API which does not correspond to the current version of the database schema, the system: dispatches the request to a translation proxy; applies rules which convert the request to indicate an updated REST API version corresponding to the current version of the schema; obtains results from the database based on the converted request and the applied rules; and returns the results, wherein the prior version of the REST API comprises an old version and wherein the current version of the schema comprises a new version, which enables functionality from the new version to work with the old version.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: October 3, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Francisco José Rojas Fonseca, David Corrales Lopez, Javier A. Albornoz
  • Patent number: 11777931
    Abstract: A system includes an intelligent electronic device (IED) and a proxy device communicatively coupled to the IED via a Media Access Control (MACsec) communication link. The proxy device is configured to perform operations that include receiving permissions data, receiving a request to perform an action associated with the IED, determining whether the action is authorized based on the permissions data, and transmitting data to the IED via the MACsec communication link in response to determining that the action is authorized.
    Type: Grant
    Filed: October 8, 2020
    Date of Patent: October 3, 2023
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: Colin Gordon, Dennis Gammel
  • Patent number: 11775176
    Abstract: A terminal device uploads data to a storage device. The terminal device includes a processor and a memory storing instructions that cause the device to determine whether data to be uploaded is a file or a partial dataset being used by an application, determine whether one or more data objects created in a given format is included in the data to be uploaded determined to be the partial dataset, generate image data and a shared byte string from the data to be uploaded if the data objects created in the given format are included in the data to be uploaded, send the data to be uploaded to the storage device as shared data if the data to be uploaded is the file, and send the image data and the shared byte string to the storage device as the shared data if the data to be uploaded is the partial dataset.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: October 3, 2023
    Assignee: Wacom Co., Ltd.
    Inventors: Yoshitaka Nakayama, Ryoichi Kikuchi, Isao Maruoka
  • Patent number: 11769485
    Abstract: A user inputs a speech including a keyword via a speech input device; a first processor searches a job history by the keyword, the job history being stored on a storage, the job history including a job record, the job record including a set of values having ever been used for a job executed by an image processing apparatus. A job record specifying device includes a second processor that conducts an analysis on different values in multiple job records; selects a speech with reference to the different values; transfers the speech to a speech generator; and finds a specific job record from the multiple job records using a keyword extracted from a speech inputted via the speech input device in response to the speech outputted by the speech generator. The image processing apparatus reflects a target set of values in the specific job record, to the setting of a job.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: September 26, 2023
    Assignee: KONICA MINOLTA, INC.
    Inventor: Tatsuya Kitaguchi
  • Patent number: 11770418
    Abstract: In an embodiment, a method includes receiving, by a processor and from a user device associated with a user, a request to access a service associated with a first protocol. The method further includes receiving, by the processor, a virtual credential of the user authorized by an authorizing entity. The virtual credential is compliant with a second protocol different than the first protocol. The method further includes verifying, by the processor, that the virtual credential is authorized by the authorizing entity. The method further includes transforming, by the processor, the virtual credential to generate a transformed virtual credential compliant with the first protocol. The method further includes sending, by the processor, a representation of the transformed virtual credential to the service. The method further includes verifying, by the processor and after the sending, that the transformed virtual credential is valid.
    Type: Grant
    Filed: January 31, 2023
    Date of Patent: September 26, 2023
    Assignee: Ping Identity Corporation
    Inventors: Darrell Geusz, Bjorn Aannestad, Gaurav Khot, Alden Shiverick
  • Patent number: 11770378
    Abstract: Systems and methods for controlling access to a blockchain are disclosed. The systems and methods are comprised of a security agent, a controller, an authenticator, a rules engine, and a policy engine. In certain embodiments, the security agent receives a message from an application, parses the message, and transmits the message to the controller if the message comprises one or more predetermined applicable rules or policies. The controller receives the message with its rules and policies, queries the rules engine and the policy engine to apply the rules and policies, and transmits an authentication request to the authenticator. The authenticator then requests an authentication signal from a user and transmits the results to the controller. The controller applies the results and forwards them to the security agent, which may or may not release the message to the blockchain depending on the results.
    Type: Grant
    Filed: September 3, 2021
    Date of Patent: September 26, 2023
    Assignee: BlockSafe Technologies, Inc.
    Inventor: Ram Pemmaraju
  • Patent number: 11770403
    Abstract: Systems and methods for a security rating framework that translates compliance requirements to corresponding desired technical configurations to facilitate generation of security ratings for network elements is provided. According to one embodiment, a host network element executes a collection of security checks on at least a first network element. The execution is performed by receiving configuration data of the first network element pertaining to each security check of the collection of security checks in response to a request by the host network element and validating each security check by comparing the received configuration data pertaining to each security check with a pre-defined or configurable network security configuration recommendation to generate a compliance result. Further, the host network element generates a compliance report by aggregating the compliance results obtained by executing each security check of the collection of security checks.
    Type: Grant
    Filed: August 1, 2022
    Date of Patent: September 26, 2023
    Assignee: Fortinet, Inc.
    Inventors: Robert A. May, Tarlok Birdi
  • Patent number: 11770702
    Abstract: A method, device, and system for configuring a session for communication between electronic devices includes sending, by a session management entity of a wireless network, a first request message to a policy control entity of the wireless network, the first request message comprising a key identifier, receiving, by the session management entity, a first response message from the policy control entity, wherein the first response message corresponds to a response to the first request message, and the first response message comprises a session policy for a communication session corresponding to the key identifier, and configuring, by the session management entity, the communication session based at least in part on the session policy.
    Type: Grant
    Filed: May 6, 2022
    Date of Patent: September 26, 2023
    Inventor: Xiaobo Yu
  • Patent number: 11770474
    Abstract: Methods and systems described in this disclosure receive a call from a caller, generate a first session through a first channel associated with the caller when the call is received and then send a request for authentication credentials to a device associated with the caller. In some embodiments, sending the request for authentication credentials generates a second session through a second channel associated with the caller. The caller can be authenticated to the first session using communication received during the second session through the second channel.
    Type: Grant
    Filed: December 7, 2021
    Date of Patent: September 26, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Michael Justin Cairns, David Alexander Lilley, Robert Bruno Pace, Jr., John Raymond Harris, Joshua Samuel Leonard, Yuibi Fujimoto, Kevin Kenneth Fiedler, Michael W. Lester
  • Patent number: 11768949
    Abstract: A system and method configures permission settings for applications (“apps”) running on a computing device of a user. A data center generates at least one model of collective privacy preferences. The computing device is in communication with the data center via a communications network. The computing device comprises a processor that executes at least a first app that requests access to at least one permission of the computing device and a personal privacy assistant app. The personal privacy assistant app receives the at least one model from the one or more servers of the data center; collects information about the user; identifies at least one recommended permission setting for the first app based on the at least one model and such that the recommended permission setting is user-specific; and configures the computing device to implement the received at least one user-specific recommended permission setting.
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: September 26, 2023
    Assignee: Carnegie Mellon University
    Inventors: Norman Sadeh, Bin Liu, Anupam Das, Martin Degeling, Florian Schaub
  • Patent number: 11764988
    Abstract: The present invention relates to a method for configuring a second home automation device (D2) by means of replacing a first home automation device (D1), the method comprising the following steps: recording (ERU1) at least one set of configuration data or instructions (cfg1) associated with a unique identifier of a first home automation device (D1); receiving (ERU9) a configuration request from a second home automation device (D2); determining (ERU10) an association between the second home automation device (D2) on the one hand and the first home automation device (D1) on the other hand; determining (ERU11) at least one set of configuration data or instructions (cfg2) associated with the second home automation device (D2); sending (ERU12) at least one configuration message (MCfg) comprising the at least one set of configuration data or instructions (cfg2) to the second home automation device (D2).
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: September 19, 2023
    Assignee: OVERKIZ
    Inventor: Sylvain Pognant
  • Patent number: 11765129
    Abstract: A system generates a network perimeter for an organization based on the connection data. The system builds a model, for example, a machine learning based model configured to receive a network zone as input and output a score indicating security of the network zone. The system receives information describing connection requests received from client devices associated with the organization. The system adjusts parameters of the machine learning based model based on information describing the connection requests. The adjusting of the machine learning based model improves the accuracy of prediction based on the information describing the connection requests. The system determines a network perimeter for the organization using the machine learning based model. The network perimeter may be used for implementing a network policy for the organization based on the determined network perimeter.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: September 19, 2023
    Inventors: Jinlong Fu, RaghuRam Pamidimarri
  • Patent number: 11765198
    Abstract: Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: September 19, 2023
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas