Policy Patents (Class 726/1)
  • Patent number: 11762636
    Abstract: The invention relates to a system that implements application lineage metadata and registration. An embodiment of the present invention is directed to auto-generating Application Lineage data. This may be accomplished by implementing code markers, such as @Annotations, within the code. An embodiment of the present invention may scan the code each time a build is kicked off by a continuous integration and continuous delivery (CI/CD) pipeline. At the end of the build, the documentation may be automatically generated with application lineage information.
    Type: Grant
    Filed: August 10, 2021
    Date of Patent: September 19, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Satish Raj Katakam, Trevor Newell, Joe Vieira, Olutayo Ibikunle, Tracy M. Pletz, Shawn Reynolds
  • Patent number: 11765151
    Abstract: Methods and systems for verifying a user's identity on a computing device using two-factor authentication are described. More particularly, the system utilizes a personal identification number input by a user, together with one or more of a secure browsing feature, a device fingerprint, and a token generator to authenticate the user on the computer.
    Type: Grant
    Filed: January 25, 2022
    Date of Patent: September 19, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Debra Casillas, Richard Andrew Davey, Michael Frank Morris, Maland Keith Mortensen, John David Row, Thomas Buckingham
  • Patent number: 11758338
    Abstract: Disclosed herein, among other things, are systems and methods for authentication and encryption key exchange with an ALD for hearing device applications. A method includes receiving an acoustic input at a microphone of a hearing device, and receiving a wireless signal over a wireless link from an assistive listening device (ALD) at an antenna of the hearing device, the wireless signal including digital audio information. The acoustic input is compared to the digital audio information using a processor of the hearing device. Upon determining that the acoustic input and the digital audio information are correlated at a threshold level, the processor is used to create and distribute an encryption key to the ALD to secure the wireless link. The ALD may include a processor for correlating the input and the information, and for creating and distributing the encryption key, in some embodiments.
    Type: Grant
    Filed: June 4, 2021
    Date of Patent: September 12, 2023
    Assignee: Starkey Laboratories, Inc.
    Inventors: Jeffrey Paul Solum, Gregory John Haubrich
  • Patent number: 11756360
    Abstract: Disclosed herein is a system and a method to remotely control operation of an electronic lock securing access to a real estate property. The invention disclosed allows a buyer agent to remotely control operation of an electronic device associated with the prospective buyer and uses the electronic device of the buyer to unlock an electronic lock that secures access to the real estate property. This alleviates the need to share the password with the buyer and thereby maintaining confidentiality of the electronic lock password and security of the real estate property and at the same time enabling access of the property to the buyer without the buyer agent being physically present on the real estate property.
    Type: Grant
    Filed: February 5, 2022
    Date of Patent: September 12, 2023
    Inventor: Samuel Truman Lynch
  • Patent number: 11757782
    Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least one SDN appliance is configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The servers are communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines. The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance.
    Type: Grant
    Filed: May 31, 2021
    Date of Patent: September 12, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Gerald Roy Degrace, Deepak Bansal, Rishabh Tewari, Michal Czeslaw Zygmunt, Deven Jagasia
  • Patent number: 11756679
    Abstract: Apparatuses, methods, systems, and program products are disclosed for task management. An apparatus includes a processor and a memory that stores code executable by the processor. The executable code includes code to receive information for defining one or more form fields of a compliance template associated with a compliance task. The information is derived from a compliance policy. The executable code includes code to include one or more interactive multimedia elements in the compliance template. The one or more interactive multimedia elements are associated with at least one of the one or more form fields. The executable code includes code to electronically present the compliance template during the compliance task to gather compliance information related to the compliance task.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: September 12, 2023
    Assignee: Dilogr, LLC
    Inventor: Gary Spirer
  • Patent number: 11755752
    Abstract: A system includes a privacy vault storing user-associated contents. The vault also stores access permissions defined for third-parties with whom the user has a sharing relationship. An access permission defines, for at least one third party, procurement and utilization policies for vault contents accessed by the third-party. The system may access a user account to recover user-associated contents stored by the accessed account and stores the recovered contents in the privacy vault. The system receives a request from a third-party to access identified contents stored in the privacy vault and determines if the contents are procurable by the third party based on an access permission defined, in the privacy vault, for the third-party. The system provides procurable contents to the third party along with indication of any constraints on the contents defined by utilization policies of the access permission defined for the third party.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: September 12, 2023
    Assignee: Allstate Insurance Company
    Inventors: Marvin Lu, Timothy Gibson, Thomas J. Wilson, Aleksandr Likhterman, Raja Thiruvathuru
  • Patent number: 11757886
    Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: September 12, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
  • Patent number: 11758399
    Abstract: This application provides a wireless local area network configuration method and a device, and relates to the field of communications technologies, so as to increase a success rate of configuring authentication information of a home wireless local area network for a home device, and improve efficiency in connecting the home device to the home wireless local area network. A specific solution is as follows: A terminal obtains authentication information of a first wireless local area network, configures an SSID of the first wireless local area network as a hidden SSID, and sends at least one first probe request frame, where the first probe request frame carries at least a part of the authentication information of the first wireless local area network.
    Type: Grant
    Filed: May 25, 2017
    Date of Patent: September 12, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Jianfeng Xu
  • Patent number: 11757923
    Abstract: An apparatus and method for intelligent processing of cyber security risk assessment data are provided. The apparatus includes a processor and a memory communicatively coupled to the at least a processor. The memory contains instructions configuring the at least a processor to receive a cyber profile associated with a digital environment. The processor is also configured to generate a cyber profile summary of the cyber profile data and generate a user interface data structure including the cyber profile summary and the cyber profile. A graphical user interface (GUI) is communicatively connected to the processor and the GUI is configured to receive the user interface data structure including the cyber profile summary and the cyber profile and display the cyber profile summary on a first portion of the GUI.
    Type: Grant
    Filed: October 11, 2022
    Date of Patent: September 12, 2023
    Assignee: Second Sight Data Discovery, Inc.
    Inventors: Reuben Vandeventer, David Imrem
  • Patent number: 11755339
    Abstract: A cloud based network includes a plurality of nodes, each of which include at least one containerized microservice that enables intent-driven operation of the cloud based network. One or more resource controllers, each designated to manage a custom resource, communicate with a master controller of the node to manage operational and configuration states of the node and any microservices containerized within the node. The master enables a user to monitor and automate the management of microservices and the cloud based network as a whole. The containerized microservice architecture allows user customizable rendering of microservices, reconciliation of old and new versions of microservices, and facilitated management of a plurality of nodes.
    Type: Grant
    Filed: August 29, 2022
    Date of Patent: September 12, 2023
    Assignee: Infoblox Inc.
    Inventors: Phillip Ferrell, Prasanna Kumar Krishnamurthy, Vidyasagara Reddy Guntaka, Venkat Dabbara, Suresh Vobbilisetty, Himanshu Varshney
  • Patent number: 11755770
    Abstract: Techniques for using contextual information to manage data that is subject to one or more data-handling requirements are described herein. In many instances, the techniques capture or depend upon the contextual information surrounding the creation and/or subsequent actions associated with the data. The contextual information may be updated as the data is handled in various manners. The contextual information may be used to identify data-handling requirements that are applicable to the data, such as regulations, standards, internal policies, business decisions, privacy obligations, security requirements, and so on. The techniques may analyze the contextual information at any time to provide responses regarding handling of the data to requests from requestors, such as administrators, applications, and others.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: September 12, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Colette Van Dyne, Jeffrey Friedberg
  • Patent number: 11757836
    Abstract: The present invention relates to a method for managing IoT devices by a security fabric. A method provided for managing IoT devices comprises collecting, by analyzing tier, data of Internet of Things (IoT) devices from a plurality of data sources, abstracting, by analyzing tier, profiled element baselines (PEBs) of IoT devices from the data, wherein each PEB includes characteristics of IoT devices; retrieving, by executing tier, the PEBs from the analyzing tier, wherein the executing tier is configured to control network traffic of IoT devices of a private network; generating, by the executing tier, security policies for IoT devices from PEBs of the IoT devices; and controlling, by the executing tier, network traffic of the IoT devices of the private network to comply with the security policies.
    Type: Grant
    Filed: March 12, 2021
    Date of Patent: September 12, 2023
    Assignee: Fortinet, Inc.
    Inventors: John Lunsford Gregory Whittle, Jonathan Q. Nguyen-Duy, Michael Craig Woolfe
  • Patent number: 11757839
    Abstract: Systems and methods for overcoming technical problems associated with virtual private networks and application provisioning systems to provide ways for end-users and/or providers to control access, use, and communications associated with websites, online applications, and online services. Such systems and methods leverage techniques analogous to technologies known for implementing man-in-the-middle (MITM) attacks.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: September 12, 2023
    Inventor: Jonathan Cobb
  • Patent number: 11750623
    Abstract: A system and method for conducting a computerized surveillance in a computerized environment, including: initiating an installation of an agent on an endpoint device (EPD) in response to an indication of a potential malicious activity executed on the EPD; activating the agent to collect data on the EPD; based on the analysis of the collected data, selecting at least one mitigation action to be executed by the agent; and initiating an uninstallation of the agent from the EPD.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: September 5, 2023
    Assignee: ITSMINE LTD.
    Inventors: Kfir Kimhi, Ran Norman, Guy Ben Mayor
  • Patent number: 11750470
    Abstract: Disclosed are systems, methods, and computer-readable media for ensuring that one or more compliance information bundles associated with one or more end-point identifiers maintain compliance with one or more regulations. It is detected that a rules engine has been updated with a new regulation. Based on an identification that one or more compliance information bundles associated with the one or more end-point identifiers will not be compliant with the new regulation after an expiration of a grace period associated with the new regulation, a status associated with each one or more compliance information bundles is changed to a provisionally-approved status. The changing of the status associated with each of the one or more compliance information bundles to the provisionally-approved status causes each of the one or more compliance information bundles to be treated, temporarily, like the status of each of the one or more compliance information bundles is an approved status.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: September 5, 2023
    Assignee: Twilio Inc.
    Inventors: Patrick Loomis, Camilo Alvarez, Samuel Salazar, John Jairo Martinez, Luz Alba Gallo Herrán, David Villamizar, Daniela Beltrán
  • Patent number: 11748496
    Abstract: A method for managing data in view of data controls includes determining that a jurisdictional restriction associated with a jurisdiction applies to utilization of a portion of data, determining that a compliant service to utilize the portion of data is unavailable, deploying an instance of the compliant service, and utilizing the portion of data using the instance of the compliant service.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: September 5, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Ashley Philbrick, Justin Jackson, Sean C. Mitchem, Yevgeniy Khmelev, Ruthie Lyle, Ravi Durairaj
  • Patent number: 11748770
    Abstract: As described herein, a system, method, and computer program are provided for using shared customer data and artificial intelligence to predict customer classifications. A first system of a first business entity receives an artificial intelligence model generated using output of a secure multi-party computation applied to: a first schema of first customer data stored by the first system, and a second schema of second customer data stored by a second system of a second business entity. Additionally, the first system executes the artificial intelligence model on the first customer data stored by the first system to generate a predictor, the predictor configured to receive input and process the input to predict a classification for the input. Further, the first system distributes the predictor for use by the second system of the second business entity to predict at least one classification for the second customer data.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: September 5, 2023
    Assignee: AMDOCS DEVELOPMENT LIMITED
    Inventors: Sarit Chehanowitz, Liat Taub Bahar, Shmuel Ur
  • Patent number: 11750626
    Abstract: A cybersecurity engine can guide a forensic investigation of a security incident by estimating the utility of investigating events associated with the security incident, selecting a subset of such events based on the estimated utilities, and presenting data associated with the selected events to the investigator. A method for guiding a response to a security incident may include estimating, for each of a plurality of security events associated with the security incident, a utility of investigating the security event. The method may further include selecting a subset of the security events based, at least in part, on the estimated utilities of investigating the security events. The method may further include guiding the response to the security incident by presenting, to a user, data corresponding to the selected security events.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: September 5, 2023
    Assignee: Carbon Black, Inc.
    Inventors: Christopher Lord, Benjamin Johnson, Doran Smestad, Joshua Hartley
  • Patent number: 11750661
    Abstract: A data platform for managing an application as a first-class database object. The data platform includes at least one processor and a memory storing instructions that cause the at least one processor to perform operations including detecting a data request from a browser for a data object located on the data platform, executing a stored procedure, the stored procedure containing instructions that cause the at least one processor to perform additional operations including instantiating a User Defined Function (UDF) server, an application engine, and the application within a security context of the data platform based on a security policy determined by an owner of the data object. The data platform then communicates with the browser using the application engine as a proxy server.
    Type: Grant
    Filed: September 23, 2022
    Date of Patent: September 5, 2023
    Assignee: Snowflake Inc.
    Inventors: Damien Carru, Jeremy Yujui Chen, Timothy S. Conkling, Thierry Cruanes, Benoit Dageville, Unmesh Jagtap, William A. Pugh, Shrikant Ravindra Shanbhag, Xu Xu
  • Patent number: 11747891
    Abstract: A system and method of selectively outputting content on a head mounted wearable computing device is provided. The system may determine a context associated with the operation of the head mounted wearable computing device, and selectively output content on the head mounted wearable computing device, or delay the output of content, based on the context. The content may be displayed in one or more designated portions of the display of the head mounted wearable computing device so as to reduce distraction to the user, and enhance situational awareness and situational safety during use of the head mounted wearable computing device.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: September 5, 2023
    Assignee: Google LLC
    Inventors: Walter Johan Silvester Hermsen, Gregory Malcolm John Fitch
  • Patent number: 11748518
    Abstract: Various systems, methods, and apparatuses relate to managing data transmissions from one or more Internet of Things (IoT) devices. A method includes discovering one or more IoT devices; tracking data transmission between the one or more IoT devices and an IoT server; restricting audiovisual data transmission by at least one of the one or more IoT devices based on a user profile associated with a user by providing an instruction to the at least one of the one or more IoT devices; determining that the at least one of the one or more IoT devices is continuing to transmit audiovisual data to the IoT server subsequent to the restriction; based on the determination, denying network access; and presenting, via a user device, a user interface including an indication whether communications to the IoT server have been prevented for each of the one or more IoT devices.
    Type: Grant
    Filed: February 21, 2022
    Date of Patent: September 5, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Caroline Machado, Nishant Usapkar, Dominik Vltavsky
  • Patent number: 11743264
    Abstract: Embodiments of the present invention disclose systems and methods for controlled access to a website from a mobile device when the mobile device is connected with an external public or private network away from home. Certain embodiments provide for such protection and security through the use of smart and secure home router which is connected to the mobile device through a virtual private network, whether in a module form or as a standalone server.
    Type: Grant
    Filed: June 21, 2022
    Date of Patent: August 29, 2023
    Inventors: Arup Bhattacharya, John Jun Wu
  • Patent number: 11740885
    Abstract: Methods and systems for monitoring use, determining risk, and pricing insurance policies for a vehicle having autonomous or semi-autonomous operation features are provided. In certain aspects, with the customer's permission, a computer-implemented method for updating an autonomous operation feature may be provided. An indication of a software update associated with the autonomous operation feature may be received, and several autonomous or semi-autonomous vehicles having the feature may be identified. The update may be installed within the several vehicles, such as via wireless communication. Also, a change in a risk level associated with the update to the autonomous operation feature may be determined, and an insurance discount may be determined or adjusted.
    Type: Grant
    Filed: June 27, 2020
    Date of Patent: August 29, 2023
    Assignee: State Farm Mutual Automobile Insurance Company
    Inventors: Brian Mark Fields, Chien Che Huang, Mohamed A. Wazeer, Shawn C. Bennett, Steven C. Cielocha, Ronny S. Bryant, Stephen A. Kohaus, Terry Quakenbush, Richard A. Novak, Aaron Scott Chan, Craig M. Main, Weixin Wu, Torri Wollenschlager, Carol Marie Csanda, Stacey Gorsuch, Todd Binion
  • Patent number: 11741185
    Abstract: Providing policy check functionality to file uploads is disclosed. An attempted file upload is detected at a browser isolation system. A user of a client is prompted to provide a credential associated with the file and usable to access contents of the file. A policy is applied to the file upload.
    Type: Grant
    Filed: August 25, 2022
    Date of Patent: August 29, 2023
    Assignee: Menlo Security, Inc.
    Inventors: Stephen John Stanley Thornhill, Andrew Peter Edward Prince, Joshua Frank Wharton
  • Patent number: 11743260
    Abstract: A computer implemented method for resolving a Domain Name System, DNS, query received at a third party cloud computing environment comprises: receiving a DNS query at the third party cloud computing environment. The DNS query is forwarded to a sinkhole DNS server if the DNS query comprises an unauthorised domain name. The DNS query is forwarded to a default DNS server of the third party cloud computing environment if the DNS query does not comprise an unauthorised domain name.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: August 29, 2023
    Assignee: Barclays Execution Services Limited
    Inventor: Garry Meaburn
  • Patent number: 11743124
    Abstract: Examples described herein include systems and methods for deploying Data Loss Prevention (DLP) policies to user devices. An example method can include receiving a configuration specifying at least one DLP policy applicable to an application, along with an indication of an assignment group specifying users, or user devices, to which the DLP policy should apply. Information regarding the DLP policy and assignment group can be provided to an identity service and then synchronized with a second server that manages the application. The method can further include provisioning the application to a user device and instructing the user device to retrieve the DLP policy from the second server and implement it when executing the provisioned application.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: August 29, 2023
    Assignee: VMware, Inc.
    Inventors: Aditya Shrotri, Sagar Date
  • Patent number: 11743298
    Abstract: A policy-controlled access system comprising a client device running a local application. A mid-link server monitors network traffic from the client device. The network traffic includes third-party content accessed by a user on the client device. A request for data from the end-user is received using the local application, a category associated with the request for the data is determined, and a policy associated with access to the data is determined based on the category. A risk score associated with the data is determined based on the policy using machine learning models. The machine learning models analyze user activities from the network traffic for the determination of the risk score. The risk score is compared with a threshold value and based on the comparison the request is authorized. Machine learning-based recommendations associated with the data are generated. The recommendations include modifications in the policy for access to the data.
    Type: Grant
    Filed: January 26, 2023
    Date of Patent: August 29, 2023
    Assignee: Netskope, Inc.
    Inventors: Siva Prasad Badana, Naiming Chu
  • Patent number: 11743358
    Abstract: A computerized broker system for enabling coordination of computerized federation resources in a networked computer environment to support discovery, connection and correspondence with the computerized federation resources, the computerized broker system disclosed. The computerized broker system enables the coordination of unique meaningful multipart identifiers and resolver outcomes that satisfy the mutual interest of federation members and ensure agreement, interoperability, usability, reusability, flexibility, stability, expected behaviors, scalability, avoidance of conflict, and other such mutual benefits that are difficult to achieve at scale through member to member cooperation and with no brokerage. A method for distributing and discovering networked resources in a computerized broker system is disclosed and a further method for managing federated networks and federation resources in a computerized broker system is also disclosed.
    Type: Grant
    Filed: October 21, 2022
    Date of Patent: August 29, 2023
    Inventor: Thomas Layne Bascom
  • Patent number: 11736526
    Abstract: The present disclosure, in a method for providing a security service by a security controller in a security management system, is receiving a high-level first security policy from an interface to network security functions (I2NSF) user via a consumer-facing interface.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: August 22, 2023
    Assignee: Research & Business Foundation Sungkyunkwan University
    Inventor: Jaehoon Jeong
  • Patent number: 11736531
    Abstract: Embodiments are directed to managing and monitoring endpoint activity in secured networks. In response to a client request being provided to an agent associated with the resource server, a driver associated with the resource server may be determined based on the client request. The client request may be provided to the resource server via a second network connection. Responses from the resource server may be provided to a server-tee module such that the server-tee module provides a copy of the responses to the server-handler module; employing the server-handler module to generate log information based on the copied responses; employing the server-tee module to modify the responses from the resource server such that the responses are forwarded to the client via the first network connection over the overlay network; or the like.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: August 22, 2023
    Assignee: strongDM, Inc.
    Inventors: Carlos Ulderico Cirello Filho, Philip D. Hassey
  • Patent number: 11736452
    Abstract: In various embodiments, a computer-implemented method comprises determining that a first property associated with a dashboard is modified at a first device, determining that the dashboard is accessible at a second device, where the first device and the second device are coupled via a trusted tunnel bridge, and in a real-time response to determining that the first property was modified, transmitting, to the second device via the trusted tunnel bridge, an update that causes the second device to modify the dashboard based on the modified first property.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: August 22, 2023
    Assignee: SPLUNK INC.
    Inventors: Christopher Chan, Ryan O'Connor, Philippe Tang, Simon Tam, Sterling Trafford
  • Patent number: 11736941
    Abstract: An illustrative embodiment disclosed herein is a non-transitory computer readable medium. In some aspects, the non-transitory computer readable medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a transaction transmitted over an N12 interface, extract, from the transaction, one of an expected response (XRES) or an authentication token (AUTN), a user identifier (ID), and a cipher key, capture a first message transmitted over an N1 interface, and determine that the first message is associated with the user ID and the cipher key extracted from the transaction.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: August 22, 2023
    Assignee: NetScout Systems, Inc.
    Inventors: Tauras Liubinskas, Subappriya Muthuchamy, Sandeep Prasad, Abhishek Saraswati, Alessandro Pinelli, Pritish Vijay Aherrao, Loreto Di Resta, Brandon Bass
  • Patent number: 11736440
    Abstract: A packet-filtering network appliance such as a threat intelligence gateway (TIG) protects TCP/IP networks from Internet threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies are composed of packet filtering rules derived from cyber threat intelligence (CTI). Logs of rule-matching packets and their associated flows are sent to cyberanalysis applications located at security operations centers (SOCs) and operated by cyberanalysts. Some cyber threats/attacks, or incidents, are composed of many different flows occurring at a very high rate, which generates a flood of logs that may overwhelm computer, storage, network, and cyberanalysis resources, thereby compromising cyber defenses.
    Type: Grant
    Filed: December 5, 2022
    Date of Patent: August 22, 2023
    Assignee: Centripetal Networks, LLC
    Inventors: John Fenton, Peter Geremia, Richard Goodwin, Sean Moore, Vincent Mutolo, Jess P. Parnell, Jonathan R. Rogers
  • Patent number: 11734635
    Abstract: Methods, systems, and computer-readable media for deploying and implementing enterprise policies that control augmented reality computing functions are presented. A computing device may receive policy information defining policies that, when implemented, control capture of augmented renderings. After receiving the policy information, the computing device may intercept a request to capture at least one view having at least one augmented reality element. In response to intercepting the request, the computing device may determine whether the policies allow capture of views comprising augmented reality elements. Based on determining that the policies allow capture, the computing device may store view information associated with the at least one view having the at least one augmented reality element. Based on determining that the policies do not allow capture, the computing device may prevent the at least one view having the at least one augmented reality element from being captured.
    Type: Grant
    Filed: June 15, 2022
    Date of Patent: August 22, 2023
    Assignee: Citrix Systems, Inc.
    Inventor: Thierry Duchastel
  • Patent number: 11736528
    Abstract: Latency in a cloud security service provided via a network security device is reduced by receiving in the network security device a new network connection request for a connection between a local network device and a remote server. If a locally cached rule is applicable to the new network connection request, the applicable locally cached rule is applied to selectively allow the new network connection based on the rule. If no locally cached rule is applicable to the new network connection request, the new network connection request is forwarded to the remote server and to a cloud security service, and a response from the remote server is selectively forwarded to the local network device only upon receiving a determination by the cloud security device as to whether the new network connection is a security risk.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: August 22, 2023
    Assignee: Avast Software s.r.o.
    Inventors: Michal Vaner, Jiří Horký
  • Patent number: 11736439
    Abstract: Disclosed herein are systems and methods for blocking information from being received on a computing device. In one aspect, an exemplary method comprises, by a hardware processor, intercepting a Domain Name System (DNS) request, the intercepted DNS request being initiated by an advertising module of the computing device; obtaining a set of rules for a transmission of the intercepted DNS request; estimating a probability of the intercepted DNS request being a DNS request that was initiated by one or more actions of a user based on the obtained set of rules; and blocking displaying the advertisement information on the computing device based on the estimated probability, wherein the blocking displaying the advertisement information comprises blocking the advertisement information from being received on the computing device.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: August 22, 2023
    Assignee: AO Kaspersky Lab
    Inventor: Alexey P. Komissarov
  • Patent number: 11734090
    Abstract: This application discloses an authorization revocation method and an apparatus, and relates to the communications field. An example method includes: receiving, by a first entity, an authorization revocation request message from a second entity, wherein the authorization revocation request message carries an identifier of an application programming interface (API) invocation entity; and sending, by the first entity, an authorization revocation response message to the second entity based on the authorization revocation request message, wherein the authorization revocation response message indicates that authorization revocation succeeds or fails.
    Type: Grant
    Filed: February 22, 2022
    Date of Patent: August 22, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Cuili Ge, Yanmei Yang
  • Patent number: 11726632
    Abstract: A building management system includes a remote rules server and a local rules server. The local rules server is located at a customer site, and includes a standard rules database and a custom rules database. The standard rules database stores standard rules and the custom rules database stores user-created rules. The local rules server is configured to allow a customer to create a new user-created rule and send the new user-created rule to the remote rules server. The remote rules server is configured to receive the new user-created rule and provide the new user-created rule to one or more other local rules servers located at one or more other customer sites.
    Type: Grant
    Filed: November 22, 2017
    Date of Patent: August 15, 2023
    Assignee: JOHNSON CONTROLS TECHNOLOGY COMPANY
    Inventors: Rajesh C. Nayak, Subrata Bhattacharya, Abhigyan Chatterjee, Samit Sen, Tulshiram Vitthalrao Waghmare, Braja Behari Mitra Majumdar
  • Patent number: 11727038
    Abstract: There may be provided a method for managing column extents of a tabular database, the method may include (a) generating a multi-snapshot row score to each row of a group of rows of the tabular database multiple rows; wherein the multi-snapshot score is indicative of fullness of the row in the multiple snapshots; wherein the group of rows comprises column extents associated with column extents metadata; and (b) improving a column extent metadata parameter by reordering the rows of the group of rows according to the multi-snapshot row scores to provide a re-ordered group of rows that comprises re-ordered group extents associated with re-ordered column extents associated with re-ordered column extents metadata.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: August 15, 2023
    Assignee: VAST DATA LTD.
    Inventors: Eyal Gordon, Asaf Levy
  • Patent number: 11729059
    Abstract: Various embodiments are described herein to enable physical topology independent dynamic insertion of a service device into a network. One embodiment provides for a network system comprising a set of network elements to interconnect a set of host devices, the set of network elements having a physical topology defined by the physical links between network elements in the set of network elements and a logical topology defined by a flow of network data between a network service device and a client of the network service device, wherein the physical topology differs from the logical topology, and a network management device including a service policy module to monitor a service policy of the network service device and automatically configure the logical topology of the network elements based on a change in the service policy.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: August 15, 2023
    Assignee: ARISTA NETWORKS, INC.
    Inventors: Ben C. DeBolle, Anshul Sadana, Lincoln T. Dale
  • Patent number: 11727211
    Abstract: Systems and methods for generating best next communication policies, for a time step of an exchange of electronic documents, fit over historical exchanges, optimizing to maximize a probability of achieving a quantified objective leveraging weighted sampling. In a preferred embodiment an electronic document is segmented whereby each constituent segment is deconstructed as a composition of custom expression varieties, pre-defined to enable fulfilment of an objective within a theme of correspondence, associating each expression with a semantic vector. A set of expression extraction models is trained independently and then a second set with knowledge of parallel label predictions, iterating to convergence. The expression compositions and associated semantic vectors are combined into a single vector for each segment. The segment vectors are appended onto profile vectors for the exchange parties, yielding a time series of profile-content vectors.
    Type: Grant
    Filed: March 20, 2021
    Date of Patent: August 15, 2023
    Assignee: Cognism Limited
    Inventors: Eliot S Frazier, James A. Hodson, Johannes Julien Frederik Erett
  • Patent number: 11729220
    Abstract: A method includes receiving, at an access node of a local network, a connection request from a device and in response to the connection request, establishing a connection with an identity provider. The device, the access node, the local network, and the identity provider are members of an identity federation. The method further includes receiving an indication that the device previously violated a network policy of a network different from the local network and after the device is authenticated with the identity provider, determining, by the access node and based on the indication, whether to allow the device to communicate over the access node.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: August 15, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Robert E. Barton, Bart A. Brinckman, Jerome Henry, Carlos M. Pignataro, Nagendra Kumar Nainar, Matthew MacPherson
  • Patent number: 11727151
    Abstract: A method for protecting content of online conversational content. The method provides for scanning content of an online conversational exchange between a first device and a second device. A sensitive object included in the content of the online conversation exchange is identified, based on object type information accessible from a protection policy included in respective user profiles. A pseudonymized-object-holder is assigned to the identified sensitive object according to the protection policy of the respective user profiles, and the identified sensitive object identified in the content of the online conversation exchange and stored on both the first device and the second device is replaced with a pseudonymized-object-holder, based on the sensitive-object protection policy of the respective user profiles.
    Type: Grant
    Filed: March 3, 2020
    Date of Patent: August 15, 2023
    Assignee: International Business Machines Corporation
    Inventors: Sushain Pandit, Qin Qiong Zhang, Su Liu
  • Patent number: 11729198
    Abstract: In an embodiment, a semantic model and a semantic model training method that obtains a textual description of one or more features associated with a first vulnerability that has been used in one or more attacks. Text is parsed from the first textual description in accordance with one or more rules. The system determines a first label for the first vulnerability that is associated with one or more of a plurality of stages of an attack chain taxonomy. The model is generated or refined to map the parsed text to the first label associated with the one or more stages of the attack chain taxonomy.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: August 15, 2023
    Assignee: Tenable, Inc.
    Inventors: Aditya Kuppa, Lamine Aouad, Thomas Parsons
  • Patent number: 11722522
    Abstract: Cloud Security Posture Management (CSPM) systems and methods include, in a node in a cloud-based system, obtaining a plurality of security policies and one or more compliance frameworks for a tenant of a cloud provider where the tenant has a cloud application deployed with the cloud provider, wherein each security policy defines a configuration and an expected value, and wherein each compliance framework includes one or more of the security policies; obtaining configurations of the cloud application; identifying misconfigurations of the cloud application based on a comparison of the obtained configurations with the plurality of security policies; analyzing the misconfigurations to determine risks including prioritization of the risks based on their likelihood of exposure to security breaches; and causing remediation of the identified misconfigurations and the determined risks, wherein the cloud-based system performs the CSPM service in addition to one or more additional cloud services.
    Type: Grant
    Filed: September 22, 2020
    Date of Patent: August 8, 2023
    Assignee: Zscaler, Inc.
    Inventors: Gururaj Pandurangi, Pravin Kulkarni, Rahul Khengare, Unmesh Meshram, Santosh Kumar Abhayraj Yadav, Shraddha Agrawal, Ankit Rao, Himalay Kondekar, Girish Murlidhar Jaju
  • Patent number: 11722530
    Abstract: Resources can be secured by a resource security system. The resource security system can determine whether to grant or deny access to resources using authorization information in an access request. The resource security system can also determine whether the access request is legitimate or fraudulent using risk scoring models. A score transformation table can be used to provide consistency in the risk level for a particular score over time. The score transformation table can be based on a target score profile and a precision format (e.g., integer or floating point). The score transformation table can dynamically adapt based on the trending top percent of risk and can account for changes in the distribution of scores over time or by weekday. The scores can be used to determine an access request outcome. Access to the resource can be accepted or rejected based on the outcome.
    Type: Grant
    Filed: August 9, 2022
    Date of Patent: August 8, 2023
    Assignee: Visa International Service Association
    Inventors: Hung-Tzaw Hu, Haochuan Zhou, Ge Wen, Benjamin Scott Boding
  • Patent number: 11722521
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: February 8, 2022
    Date of Patent: August 8, 2023
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 11720836
    Abstract: Systems, methods, and apparatuses for securely completing a dual custody activity are described herein. A security activity management system comprises a network, an employee device, a supervising employee device, and a provider computing system. The provider computing system is associated with a provider. The provider computing system comprises a processing circuit structured to identify a plurality of employees eligible for performing a task based employee rankings of the plurality of employees and transmit an indication of the plurality of employees eligible for performing the task to a supervising employee via an augmented reality to be displayed on the supervising employee device. The processing circuit is further structured to receive a selection indicating an employee that is associated with the employee device to perform the dual custody activity, authorize the employee to perform the task, and monitor the employee while the employee performs the task.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: August 8, 2023
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Nathan Coles, Darren M. Goetz, Uma Meyyappan, Dennis Montenegro, Steve Perez, Debarchana Roy
  • Patent number: 11722514
    Abstract: Apparatus and methods are disclosed for performing dynamic vulnerability correlation suitable for use in enterprise information technology (IT) environments, including vulnerability filtering, patch correlation, and vulnerability paring. According to one disclosed embodiment, a method of vulnerability filtering includes attempting to execute vulnerability scanning rules according to a specified order in a rule hierarchy, and depending on the type of the rule hierarchy and on whether the attempt was successful, not executing additional rules in the rule hierarchy. In another disclosed embodiment, a method of patch correlation includes executing vulnerability scanning rules based on a correlation associations including, if a particular vulnerability is detected, then not executing other correlated scanning rules for a particular software patch.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: August 8, 2023
    Assignee: TRIPWIRE, INC.
    Inventors: Tyler Reguly, Chris Pawlukowsky, Matthew Jonathan Condren