Patents Examined by Amare F Tabor
  • Patent number: 10848397
    Abstract: A system featuring a cloud-based malware detection system for analyzing an object to determine whether the object is associated with a cyber-attack. Herein, a subscription review service comprises a data store storing subscription information. The subscription information includes an identifier for the customer and one or more identifiers each associated with a corresponding customer submitter operable to submit an object to the cloud-based malware detection system for analysis. The first customer submitter receives credentials provided by the subscription review service to establish communications with the cloud-based malware detection system.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: November 24, 2020
    Assignee: FireEye, Inc.
    Inventors: Mumtaz Siddiqui, Manju Radhakrishnan
  • Patent number: 10839102
    Abstract: In particular embodiments, in response to a data subject submitting a request to delete their personal data from an organization's systems, the system may: (1) automatically determine where the data subject's personal data is stored; (2) in response to determining the location of the data (which may be on multiple computing systems), automatically facilitate the deletion of the data subject's personal data from the various systems; and (3) determine a cause of the request to identify one or more processing activities or other sources that result in a high number of such requests.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: November 17, 2020
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jason L. Sabourin, Jonathan Blake Brannon, Mihir S. Karanjkar, Kevin Jones
  • Patent number: 10838710
    Abstract: Approaches presented herein enable dynamically updating, based on a status of one or more Internet of Things (IoT) devices in an IoT network, a security setting of an IoT device controller and/or at least one of the one or more IoT devices. A status of each of a plurality of IoT devices in the IoT network is monitored. In response to the monitoring of at least one status among the plurality of IoT devices, an event requiring a security setting update is identified. The security setting update is then dynamically applied.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: November 17, 2020
    Assignee: International Business Machines Corporation
    Inventors: Cesar Augusto Rodriguez Bravo, Gregory J. Boss, Romelia H. Flores
  • Patent number: 10841081
    Abstract: A computing device is configured to divide an Oblivious Pseudorandom Function (OPRF) key to generate a plurality of N partial keys, and distribute a respective one of the plurality of N partial keys to a corresponding plurality of N Key Management System (KMS) units. The computing device receives, from a threshold number T of KMS units, a plurality of T partial blinded keys, wherein the plurality of T partial blinded keys are based on processing of a value of a blinded key received by a respective KMS unit and a corresponding stored partial key of the N partial keys, combines the plurality of T partial blinded keys into the blinded key, processes the blinded key based on the blinding key in accordance with an OPRF unblinding operation to generate a key, and accesses secure information based on the key.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: November 17, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jason K. Resch, Hugo M. Krawczyk, Patricia Sagmeister, Martin Schmatz, Mark D. Seaborn
  • Patent number: 10834108
    Abstract: Approaches for providing data protection in a networked computing environment are provided. A method includes detecting, by at least one computer device, a breach of a first system in the networked computing environment. The method also includes generating, by the at least one computer device, a second system in the networked computing environment, wherein the second system includes a patch based on the breach. The method additionally includes converting, by the at least one computer device, the first system to a decoy system. The method further includes generating, by the at least one computer device, a third system in the networked computing environment, wherein the third system has reduced security relative to the first system.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: November 10, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gregory J. Boss, Rick A. Hamilton, II, Jeffrey R. Hoy, Agueda M. H. Magro
  • Patent number: 10805084
    Abstract: Disclosed are examples of decentralized systems and related apparatus, devices, computer program products, and methods for secure access of digital content. In some implementations, a first request from a client to access encrypted digital content includes a call on a digital contract. The call passes an ephemeral key set encrypted with a public key of a consumer. A transaction identifying the first request in association with the encrypted ephemeral key set is recorded in the digital contract. The transaction is identified by a transaction identifier (ID), which is sent to the client. A second request from the client includes: an authorization token including the transaction ID, and a signature of the consumer. Authorization of the consumer is verified based on the authorization token. A transaction identifying one or more keys is recorded in the digital contract. The digital content can be re-encrypted and sent to the client.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: October 13, 2020
    Assignee: Eluvio, Inc.
    Inventors: Michelle Munson, Serban Simu
  • Patent number: 10803204
    Abstract: Provided herein are systems and methods for defining and securely sharing objects for use in preventing data breach or exfiltration. Memory may be configured to store a plurality of objects for use in preventing data breach or exfiltration. A validation engine can validate the objects, incorporate into each object an object identifier and a signature, and generate a subset of the objects for use by a first user. The validation engine can store, in the memory, the plurality of objects as a superset of objects corresponding to the generated subset. An evaluation engine may, responsive to identifying that one or more object identifiers and signatures in a received set of objects belong to the subset corresponding to the stored superset, verify whether any object in the received set has been tampered with.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: October 13, 2020
    Assignee: Digital Guardian LLC
    Inventors: Shreemathi Atreya, Niranjan Koduri, Wai Tung Yim, Emanoel Daryoush
  • Patent number: 10778452
    Abstract: A computer-implemented method for performing authentication includes: determining, by a database server storing data in a blockchain ledger, a target ledger segment on which time service authentication is to be performed; generating a Merkle tree corresponding to the target ledger segment; determining a root hash of the Merkle tree, the root hash of the Merkle tree being based on a block hash of each data block in a set of one or more data blocks; executing a predetermined time capture process in a trusted execution environment to obtain a trusted time from an interface provided by a trusted time service organization; generating a digital signature for the trusted time and the root hash in the trusted execution environment; and generating a time service certificate including the trusted time, the root hash, and the digital signature.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: September 15, 2020
    Assignee: Alibaba Group Holding Limited
    Inventors: Xinying Yang, Yuan Zhang, Benquan Yu, Yize Li
  • Patent number: 10762238
    Abstract: Techniques for identifying certain types of network activity are disclosed, including parsing network traffic to automatically recognize anonymous identifiers. Such techniques may be used to identify and eliminate malicious and/or undesirable network traffic, and to identify topics relevant to a user of a particular network device so that communications to such a user are more likely to relate to a topic of interest to the user.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: September 1, 2020
    Assignee: T-Mobile USA, Inc.
    Inventors: Rami Al-Kabra, Prem Kumar Bodiga, Noah Dahlstrom, Ruchir Sinha, Jonathan Morrow, Aaron Drake, Chuong Phan
  • Patent number: 10742607
    Abstract: A Software-defined Networking (SDN) controller of a data center with application-aware firewall policy enforcement is disclosed. In one example, the SDN controller receives a request to initialize an instance of an application. In response to receiving the request, the SDN controller transmits, to a firewall component positioned between an SDN gateway device of the data center and a network external to the data center, a message. In some examples, the message includes an application signature corresponding to the instance of the application and an application firewall policy corresponding to the application signature. The message instructs the firewall component to install the application firewall policy for application to network traffic for the instance of the application.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: August 11, 2020
    Assignee: Juniper Networks, Inc.
    Inventor: Kumuthini Ratnasingham
  • Patent number: 10733322
    Abstract: Examples of multi-persona account management in client devices are described. In one example, a client device can host a personal workspace, such as for personal data and applications of a user of the client device, along with a separate alternate persona workspace for work-related data and applications of the user. The client device interfaces with a management computing environment to enroll in device management services and establish an alternate persona workspace on the client device. The client device receives a token for the alternate persona workspace from the management computing environment, creates the alternate persona workspace, and installs an interface service in the alternate persona workspace. The client device also associates an alternate persona account with the alternate persona workspace using the token and returns a service identifier to the management computing environment.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: August 4, 2020
    Assignee: VMware, Inc.
    Inventors: Matthew Donald Miller, Adarsh Subhash Chandra Jain
  • Patent number: 10726121
    Abstract: Methods and apparatus are disclosed to provide a sandboxed code execution in a virtualized environment. The example apparatus includes a closure service to receive an input related to code for execution and generate a closure to trigger execution of the code within the apparatus. The example apparatus includes an image service to monitor container hosts and associated container images. The example image service is to expedite code execution on a container host having a prepared container image and to generate an execution container image on a second container host not having a container image. The container host is to form a host environment for the prepared container image. The prepared container image is to spawn a container to execute the code. The container is to execute the code and keep code execution and result inside the container. The code execution and result inside the container do not affect operation of the apparatus.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: July 28, 2020
    Assignee: VMware, Inc.
    Inventor: Radostin Georgiev
  • Patent number: 10719603
    Abstract: Methods and apparatus are disclosed to provide a sandboxed code execution in a virtualized environment. An example apparatus includes a closure service to receive a request for execution of code. The example closure service is to generate a closure to trigger execution of the code within the apparatus. The example apparatus includes a container host to form a host environment for a container image. The example container image is to spawn, in response to the closure, a container to execute the code. The example container is to execute the code and keep code execution and result inside the container. Code execution and result inside the container do not affect operation of the apparatus.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: July 21, 2020
    Assignee: VMware, Inc.
    Inventors: Radostin Georgiev, Julian Vassev
  • Patent number: 10721072
    Abstract: A network interface device comprises an integrated circuit device comprising at least one processor. A network interface device comprises a memory. The integrated device is configured to execute a function with respect to at least a part of stored data in said memory.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: July 21, 2020
    Assignee: XILINX, INC.
    Inventors: Steven L. Pope, David J. Riddoch, Paul Fox
  • Patent number: 10721247
    Abstract: There are provided measures for machine learning based malware detection systems. Such measures exemplarily include analyzing a set of training data, said set of training data comprising a plurality of training data elements, wherein each of said plurality of training data elements is associated with a respective one of at least two maliciousness related properties, learning a malicious object detection model on the basis of first feature combinations of said plurality of training data elements, said first feature combinations characterizing each of said at least two maliciousness related properties, learning an anomalous data detection model on the basis of second feature combinations of said plurality of training data elements, said second feature combinations characterizing said set of training data, said anomalous data detection model being associated with said malicious object detection model, and providing said malicious object detection model and said anomalous data detection model.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: July 21, 2020
    Assignee: F-Secure Corporation
    Inventors: Dmitriy Komashinskiy, Paolo Palumbo
  • Patent number: 10713392
    Abstract: A network interface device comprises an integrated circuit device comprising at least one processor. A network interface device comprises a memory. The integrated device is configured to execute a function with respect to at least a part of stored data in said memory.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: July 14, 2020
    Assignee: XILINX, INC.
    Inventors: Steven L. Pope, David J. Riddoch, Paul Fox
  • Patent number: 10715332
    Abstract: In an example, memory address encryption is facilitated for transactions between electronic circuits in a memory fabric. An electronic circuit may obtain a transaction integrity key and a transaction encryption key. The electronic circuit may encrypt an address using the transaction encryption key and compute a truncated message authentication code (MAC) using the transaction integrity key.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: July 14, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Liqun Chen, Chris I. Dalton
  • Patent number: 10715512
    Abstract: Techniques are described for controlling data and resource access. For example, methods and systems can facilitate controlled token distribution across systems and token processing in a manner so as to limit access to and to protect data that includes access codes.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: July 14, 2020
    Assignee: Live Nation Entertainment, Inc.
    Inventors: Phillip Volini, John Raymond Werneke, Carl Schumaler, Michael Smith, Frank Giannantonio, Vito Iaia, Sean Moriarty
  • Patent number: 10708252
    Abstract: A system and method for facilitating sharing of credentials and other secret data in a networked computing environment. An example embodiment provides for access to data of an external data source by a software application, wherein the external data source requires use of credentials to allow access to the data, but where the credentials themselves are not to be supplied to the software application. An example method includes storing the credentials in a secure data store; providing a token to the application, the token associated with the credentials and with an indication of the external data source; transferring the token from the application to a secure connector; using the secure connector and the token to retrieve the credentials from the secure data store to the secure connector; using the secure connector and the credentials to request data from the external data source to the secure connector before transfer of the requested data to the application via the secure connector.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: July 7, 2020
    Assignee: Oracle International Corporation
    Inventor: Dhiraj D. Thakkar
  • Patent number: 10708247
    Abstract: Technologies for providing secure utilization of tenant keys include a compute device. The compute device includes circuitry configured to obtain a tenant key. The circuitry is also configured to receive encrypted data associated with a tenant. The encrypted data defines an encrypted image that is executable by the compute device to perform a workload on behalf of the tenant in a virtualized environment. Further, the circuitry is configured to utilize the tenant key to decrypt the encrypted data and execute the workload without exposing the tenant key to a memory that is accessible to another workload associated with another tenant.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: July 7, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Seosamh O'Riordain, Ned M. Smith, Tarun Viswanathan