Patents Examined by A. Sherkat
  • Patent number: 11973805
    Abstract: Specifications of digital certificate validation security policies for a server within an intranet environment are received. A first one of the policies is specified to be applied for an intranet network connection and a second for a network connection outside the intranet. Each of the first and second policies includes a plurality of different configurable individual settings to enable or disable corresponding individual components of a plurality of different component digital certificate validation checks. A determination is made to establish a connection with a network destination and a digital certificate from the destination is received. One of the policies to apply for the connection is identified. For each of the plurality of the different component checks, a determination is made based on the identified policy whether to perform the component check for the received certificate. Any of the plurality of the different component checks determined to be performed are performed.
    Type: Grant
    Filed: August 27, 2021
    Date of Patent: April 30, 2024
    Assignee: ServiceNow, Inc.
    Inventors: Thanh Trac Phan, Bhargav Ramamohan, Gary Stentiford, Michael Fong, Matthew M. Marquardt, Jennifer Luna Sandoval
  • Patent number: 11968201
    Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: April 23, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Ahmed Bakry Helmy Ahmed, Sape Jurrien Mullender, Hendrikus G. P. Bosch, Alessandro Duminuco, Jeffrey Michael Napper
  • Patent number: 11947686
    Abstract: A computer-implemented method can include encrypting a data file as a multiplicity of independent segments that are each a multiple of a block encryption's block size, encrypting the application data on a segment-by-segment basis using the multiplicity of selected encryption methods and associated information, and creating a programming shared object “shim” Interposer module.
    Type: Grant
    Filed: July 14, 2023
    Date of Patent: April 2, 2024
    Inventor: William D. Schwaderer
  • Patent number: 11902442
    Abstract: Systems, methods, apparatuses, and computer-readable media for secure management of accounts on display devices using a contactless card. An application executing on a display device may receive a request specifying a service provider. The display device may receive a cryptogram generated by a contactless card, and transmit the cryptogram to an authentication server. The authentication server may decrypt the cryptogram and generate a virtual account number associated with the contactless card. The authentication server may transmit the virtual account number to the service provider, which may create an account based at least in part on the virtual account number and the decryption of the cryptogram by the authentication server. The display may receive an authentication token generated by the service provider for the account, and access the account created by the service provider based at least in part on the authentication token.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: February 13, 2024
    Assignee: Capital One Services, LLC
    Inventors: Jeffrey Rule, Kevin Osborn
  • Patent number: 11888879
    Abstract: Methods and systems to identify the domain names that can potentially be used for delivering instructions to a bot, before bots on a computer network succeed in obtaining the instructions. The system maintains a device rating for each device that reflects a likelihood that the device is infected by malware. The system also maintains a domain-name rating for each device that reflects a likelihood that the domain name is malicious. When a device attempts to access a particular domain name, the domain-name rating of the domain name is updated in light of the device rating of the device, and/or the device rating of the device is updated in light of the domain-name rating.
    Type: Grant
    Filed: November 20, 2021
    Date of Patent: January 30, 2024
    Assignee: COGNYTE TECHNOLOGIES ISRAEL LTD.
    Inventors: Yitshak Yishay, Vadim Pogulievsky
  • Patent number: 11848918
    Abstract: For end-to-end encryption of a virtual cloud network, a VPN tunnel from a customer device is terminated at a host network headend device using encryption keys secured in hardware and managed by the customer. The network headend device can be a card in a bare-metal server with one or more network virtualization devices. The network headend device is configured to receive a first key provisioned by a customer; receive a first data packet sent from a device of the customer; and decrypt the first data packet using the first key to obtain information. A network virtualization device is configured to receive the information from the network headend device; ascertain that the information is to be sent to a virtual machine in a virtual cloud network; ascertain that data in the virtual cloud network is configured to be encrypted; and encrypt the information with a second key to generate a second data packet before routing the second data packet to the virtual machine.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 19, 2023
    Assignee: Oracle International Corporation
    Inventors: Nachiketh Rao Potlapally, Pradeep Vincent, Jagwinder Singh Brar
  • Patent number: 11841952
    Abstract: A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a manufacturing device based on at least one first device attribute of the manufacturing device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: December 12, 2023
    Assignee: ARMIS SECURITY LTD.
    Inventors: Shaked Gitelman, Tal Ravid
  • Patent number: 11838329
    Abstract: New intrusion detection system (IDS) rules to be deployed on an IDS that generates alerts based on an applied ruleset are accessed. A trial window that includes incorporating the new IDS rules into a candidate list to enable summarization and filtering of the alerts is started and the applied ruleset that includes existing IDS rules is supplemented with the candidate list that includes the new IDS rules. The applied ruleset is transmitted to a network sensor associated with the IDS upon the supplementation and alerts generated based on network events implicated by both the existing IDS rules and the new IDS rules in the applied ruleset are received from the IDS. Upon completion of the trial window, a set of alerts generated only by the new IDS rules in the applied ruleset are designated as suppressed alerts and a set of new IDS rules is eliminated from the applied ruleset upon determining that the set of new IDS rules generate a subset of alerts that exceed an alert threshold.
    Type: Grant
    Filed: August 11, 2021
    Date of Patent: December 5, 2023
    Assignee: Rapid7, Inc.
    Inventors: Luis Lopes, Sarah Addis, Martin Hutchings, Ralph McTeggart, Niall Cochrane
  • Patent number: 11831419
    Abstract: Methods, apparatus, systems and articles of manufacture to detect phishing websites are disclosed. An example apparatus includes a plurality of website analyzers to analyze a requested website for evidence of a phishing attack, the plurality of website analyzers including a first website analyzer and a second website analyzer. An analysis selector is to select the first website analyzer for execution, the analysis selector to, in response to determining that an additional analyzer is to be executed, select the second website analyzer to analyze the requested website. A website classifier is to, in response to a website analyzer indicating a classification that exceeds a confidence threshold, classify the requested website as a benign site or presenting a phishing attack.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: November 28, 2023
    Assignee: MCAFEE, LLC
    Inventors: German Lancioni, Bhargav Shah, James Duldulao
  • Patent number: 11824901
    Abstract: Embodiments are directed to managing communication. Credentials of a user may be provided to an authorization service such that the authorization service authenticates the user as a member of authorization groups and such that the user may be associated with a gateway on an overlay network. The authorization groups may be compared with user groups to associate the user with one or more user groups. The gateway may be associated with one or more resource groups based on the user groups. Policy information may be generated for the gateway based on each resource group. The policy information may be provided to the gateway to define policies associated with resources in the overlay network. The policy information may be enforced against source nodes providing overlay traffic directed to target nodes in the overlay network.
    Type: Grant
    Filed: July 16, 2021
    Date of Patent: November 21, 2023
    Assignee: Tempered Networks, Inc.
    Inventors: Nicholas Anthony Marrone, Bryan David Skene
  • Patent number: 11822670
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include accessing a plurality of code segments developed for execution in a network environment, automatically identifying a first code segment from the plurality of code segments for analysis, automatically performing a first code-level security risk assessment for the first code segment, and determining a first security risk level for the first code segment based on the application programming interface risk level. The first code-level security risk assessment may be performed based on at least one of an application programming interface risk level, an embedded credentials risk level, and a target resource risk level. Further techniques may include determining a second security risk level for a modified version of the first code segment; and enabling a comparison between the first security risk level and the second security risk level.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: November 21, 2023
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Hadas Elkabir
  • Patent number: 11816237
    Abstract: A system and method is provided for encrypting data for secure storage or transport. The method includes generating object-based wave screen(s) and optionally stumbling block(s) and/or XOR block(s) associated with a block map layout. For each data segment to be encrypted, the method includes positioning the bits of the data segment within the block map layout to generate a data map, and encrypting the data map by applying the object-based wave screen(s) and optionally the stumbling block(s) and/or XOR block(s) to remap the positions of the bits within the block map layout. The encrypted data map is then stored or transported as a representation of the data segment.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: November 14, 2023
    Assignee: CERULEANT SYSTEMS, LLC
    Inventor: Jason McNutt
  • Patent number: 11818139
    Abstract: A data integrity protection method and apparatus in a network environment are described. A terminal device obtains an integrity protection algorithm and a key corresponding to a session or a flow, and a DRB corresponding to the session. The terminal device performs, by using the integrity protection algorithm and the key corresponding to the session, integrity protection on data of the DRB corresponding to the session or the flow, where one session includes a plurality of flows. Different integrity protection algorithms and keys can be used for different sessions, and different integrity protection algorithms and keys can also be used for different flows. In this way, integrity protection is more flexible and meets security requirements of a same user for different services.
    Type: Grant
    Filed: May 26, 2021
    Date of Patent: November 14, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Chong Lou, Qufang Huang, Xing Liu
  • Patent number: 11797313
    Abstract: Systems, method, and non-transitory computer readable storage medium are provided for configuring an information computing machine during execution of a kernel image. The system can create a file system from a base file system image in system memory of the computing system, apply configuration files from a bundle image to the file system in memory, copy files from a persistent file system stored in the storage resource to memory, validate the files from the persistent file system, and apply validated files to the file system in memory. The base file system image and bundle image can be verified by comparing a signed hash of the image with a hash generated by the initial file system and checking the hash signature against a public certificate included in the initial filesystem. The system can further execute /sbin/init and start application services.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: October 24, 2023
    Assignee: FORCEPOINT FEDERAL HOLDINGS LLC
    Inventors: Mickey J. Malone, II, Jacob Minnis
  • Patent number: 11704419
    Abstract: Protecting a fragment of a document includes automatically detecting the fragment without user intervention based on the content of the fragment and/or the context of the fragment within a set of documents, selectively encrypting the fragment to prevent unauthorized access, and providing an alternative view of the fragment that prevents viewing and access of content corresponding to the fragment unless a decryption password is provided. Automatically detecting the fragment may include detecting numbers and alphanumeric sequences of sufficient length that do not represent commonly known abbreviations, detecting generic terms, detecting proper names, detecting terms signifying a type of content, detecting mutual location of terms and sensitive content, and/or detecting user defined terms. The generic terms may correspond to password, passcode, credentials, user name, account, ID, login, confidential, and/or sensitive. The proper names may be names of financial organizations and security organizations.
    Type: Grant
    Filed: May 11, 2020
    Date of Patent: July 18, 2023
    Assignee: Evernote Corporation
    Inventor: Phil Libin
  • Patent number: 11695561
    Abstract: Methods and apparatuses are described for decentralized authorization of user access requests in a distributed service architecture. A gateway node receives a user access request from a remote computing device. The gateway generates a signed and encrypted access token based upon the user access request using an authorization service node and a key management service node. The gateway transmits the access token, the user access request, and a security certificate received from the authorization service to a security proxy node of a microservice container. The security proxy validates the certificate and the access token. The security proxy decrypts the access token using a public key from the certificate, and determines user authorization to access a service endpoint node based upon the decrypted token. The security proxy transmits the user access request to the service endpoint, which provides the remote device with access to services based upon the user access request.
    Type: Grant
    Filed: August 23, 2022
    Date of Patent: July 4, 2023
    Assignee: FMR LLC
    Inventors: Robert Charles Cannata, Jr., Arun Nadger, Kelsey Sattler, John Peter Chinnappan, Rohith Reddy Beravelli
  • Patent number: 11665161
    Abstract: An identity server authenticates a first user identity for a user device through a first authentication exchange as part of a passwordless authentication system. The identity server registers with a relying party as an authenticator for a second user identity. The identity server initiates a second authentication exchange by obtaining from the relying party, a credential request associated with the second user identity. Responsive to a determination that the first user identity authenticated in the first authentication exchange is authorized to act as the second user identity, the identity server obtains a credential request response authenticated by the authenticator in the identity server. The identity server completes the second authentication exchange by providing the credential response to the relying party. The second authentication exchange authenticates the user device to the relying party without involving the user device.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: May 30, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Eldridge Lee Alexander, James Leslie Barclay, Nicholas James Mooney, Mujtaba Hussain
  • Patent number: 11664989
    Abstract: A method for commissioning an access control device according to one embodiment includes writing, by an enrollment reader, a site key and an access control device identifier to a credential device, reading, by the access control device, the site key and the access control device identifier from the credential device, writing, by the access control device, a device unique identifier (DUID) associated with the access control device and a modified access control device identifier to the credential device, and reading, by the enrollment reader, the DUID from the credential device.
    Type: Grant
    Filed: April 9, 2020
    Date of Patent: May 30, 2023
    Assignee: Schlage Lock Company LLC
    Inventors: Drew Locketz, Joseph W. Baumgarte
  • Patent number: 11664992
    Abstract: An apparatus and method for generating an NFT associated with an assignment. An assignment is completed and an indication of the completion of the assignment is submitted to a processor. The processor verifies the completion of the assignment by processing the submitted evidence of the completion of the assignment. An NFT is generated that is associated with the completion of the assignment. The NFT may be associated with the user that completed the assignment.
    Type: Grant
    Filed: July 25, 2022
    Date of Patent: May 30, 2023
    Assignee: Gravystack, Inc.
    Inventors: Travis Adams, Chad Willardson, Scott Donnell
  • Patent number: 11652813
    Abstract: An identity authority computing device having a processor in communication with a database is described herein. The database stores a plurality of persistent user identifiers associated with a plurality of users. The processor is programmed to receive a service request over a public network, the service request including a service provider identifier and a single-use token value associated with one of the users. The processor is also programmed to determine at least one persistent user identifier associated in the database with the token value, and generate an updated service request including the at least one persistent user identifier. The processor further is programmed to generate an encrypted service request using a public encryption key associated with the service provider identifier, and transmit the encrypted service request to a service provider computing device associated with the service provider identifier.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: May 16, 2023
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Keyur Patel, Sachin Ahuja