Abstract: A tokenization system receives a request for data anonymization, the request referencing structured data containing values of interest. Responsively, the tokenization system performs a tokenization operation on the structured data, generates a corresponding token, and replaces a value of interest with the corresponding token to produce an anonymized version of the structured data. The tokenization system stores the value of interest with the corresponding token in a secure data vault. Subsequently, the tokenization system may receive a request for revealing the anonymized version of the structured data containing the corresponding token. In response, the tokenization system can perform a reveal operation on the anonymized version of the structured data by querying the secure data vault for the corresponding token and retrieving the value of interest from the secure data vault using the corresponding token.

Abstract: Methods and systems for a processing architecture that maintains a separate logic pathway corresponding to a first operation type and a second operation type, until a blockchain operation is submitted to the blockchain network using either the first operation type or a second operation type. Following submission of the blockchain operation to the blockchain network, the architecture collapses the parallel logic pathways to a single logical pathway for both types.

Abstract: Systems and methods for protecting and interacting with data in real time are described by the disclosed subject matter. A method includes monitoring a presentation of data by an application on a display and determining that a portion of the data is restricted. The method includes asking, in real time, the presentation of the portion of the data that is restricted.

Abstract: Methods, systems, and computer-readable storage media for receiving, by an identity network and from a verifying entity, a query including an identifier that uniquely identifies an entity that is active in the mobility network and an attestation that is to be authenticated, resolving, by the identity network, the query to provide a resolved query, the resolved query including the attestation, resolving at least partly including identifying a data source of a plurality of data sources that is to be queried to authenticate the attestation, transmitting, by the identity network, the resolved query to the data source, receiving, by the identity network, a response to the resolved query, and transmitting, by the identity network, the response to the verifying entity.

Abstract: Edge security is disclosed. Hosts included in a distributed infrastructure are equipped with data processing units that may be centrally managed using a control plane. Security policies can be selectively distributed to the hosts and localized at the hosts. Reactions to security violations can be initiated at the hosts in substantially real-time. The security policies may take various forms, including rule-based security policies and inference mode-based security policies.

Abstract: Methods, systems, and devices for communications are described. A device or a group of devices may generate data. The group of devices may receive a group profile from a node that identifies the devices to be included, and the group profile may include a function to be evaluated at each of the devices. The node may also provision evaluation parameters which may allow the device to provide authenticated aggregate data to a requesting third party, without sharing the data between the devices, thus concurrently maintaining individual data privacy and data provenance.

Abstract: An example method for monitoring volume dependencies for security threats comprises: detecting a request to perform an operation with respect to a volume included in a plurality of volumes included in a storage system; determining, based on a dependency mapping that specifies dependencies between the plurality of volumes, that performance of the operation would affect a dependency between the volume and one or more other volumes included in the plurality of volumes; and determining, based on the determining that the performance of the operation would affect the dependency between the volume and the one or more other volumes, that the request is possibly associated with a security threat against data stored by the storage system.

Abstract: Systems and methods for processing erasure requests are provided, namely requests from users to have their user data erased from a system. The system maintains user data in multiple components which may not be in communication with each other. With the provided system, certain entities, referred to herein as erasure control entities, are informed of details of received erasure requests, and are given the opportunity to provide input on whether they should be executed or note. For example, one erasure control entity, such as a credit card server, may not want an erasure request executed for a user with a large outstanding debt, while another erasure control entity, such as a legal component, may be unaware of this and may not be concerned with the erasure request being executed. The system and method ensure that erasure requests are not executed in situations that are premature or inappropriate.

Abstract: Unicode data can be protected in a distributed tokenization environment. Data to be tokenized can be accessed or received by a security server, which instantiates a number of tokenization pipelines for parallel tokenization of the data. Unicode token tables are accessed by the security server, and each tokenization pipeline uses the accessed token tables to tokenization a portion of the data. Each tokenization pipeline performs a set of encoding or tokenization operations in parallel and based at least in part on a value received from another tokenization pipeline. The outputs of the tokenization pipelines are combined, producing tokenized data, which can be provided to a remote computing system for storage or processing.

Abstract: A network reachability solving algorithm based on formal verification, which abstractly models the network reachability problem, concretely models and refines it through semantic equivalence, and implements the network reachability solving algorithm through logical equivalence transformation. With the help of formal verification tools, the present disclosure ensures the correctness and logical completeness of the reachability solving algorithm through mathematical reasoning. Compared with traditional testing-based schemes, the present disclosure guarantees the correctness and effectiveness of the network reachability algorithm based on formal method.

Abstract: A set of distance measurable encrypted feature vectors can be derived from any biometric data and/or physical or logical user behavioral data, and then using an associated deep neural network (“DNN”) on the output (i.e., biometric feature vector and/or behavioral feature vectors, etc.) an authentication system can determine matches or execute searches on encrypted data. Behavioral or biometric encrypted feature vectors can be stored and/or used in conjunction with respective classifications, or in subsequent comparisons without fear of compromising the original data. In various embodiments, the original behavioral and/or biometric data is discarded responsive to generating the encrypted vectors. In another embodiment, distance measurable or homomorphic encryption enables computations and comparisons on cypher-text without decryption of the encrypted feature vectors. Security of such privacy enabled embeddings can be increased by implementing an assurance factor (e.g.

Abstract: The disclosed technology provides solutions for performing a document validation process wherein physically present witnesses are required. In some aspects, a process of the disclosed technology includes steps for receiving geolocation data for a mobile device associated with a first user, receiving a signed electronic document via the first device, determining if the signed electronic document was properly executed by the first user, and if the signed electronic document was properly executed, providing a prompt to the first user, wherein the prompt is configured to request electronic contact address for a second device associated with a second user. In some aspects, the process can further include transmitting an authentication request to the second device associated with the second user, receiving geolocation data from the second device in response to the authentication request. Systems and machine-readable media are also provided.

Abstract: An identity profile of a user is tracked using previous message communications of the user. A message identified as potentially from the user is received. The identity profile of the user is identified and obtained. Information is extracted from a header of the received message. A security risk assessment of the received message is determined at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user. A security action is performed based on the determined security risk assessment.

Abstract: A document management system manages documents. The documents are managed such that the documents may be shared with one or more users during an online sharing session for electronic signing. During the online sharing session, one or more documents are collaboratively reviewed by one or more participants of the online sharing session. The one or more documents are e-signed at least one of the participants of the online sharing session.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for utilizing machine learning to predict future deceitful domain names and determine preferred security responses. As such, the system allows for use of a machine learning engine to collect new domain name registration information from a plurality of sources and predict future name registrations associated with said sources. A single user may register deceitful domain names through a plurality of domain name registration systems. By collecting data from multiple servers, the system may identify data trends and generate predictions of future domain names independently of any individual server. Thus, the system may benefit a number of entities, by providing real-time data analysis that would not be obtainable by any one entity operating alone.

Abstract: Protecting sensitive data from unauthorized disclosure is provided. For example, systems, methods, and computer readable storage devices are described that may be operable or configured to tokenize sensitive data attributes that may be included in a data file received from a client. Tokens that are anonymized but representative of the attributes may be generated and mapped to the sensitive data attributes. A tokenized data file may be de-tokenized and re-tokenized to perform processes that require the sensitive data attributes. A document may be transformed to protect the sensitive data attributes while reducing risk of disclosure of the sensitive data.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for secure communication based on random key derivation. An example method includes receiving an initial symmetric key shared between the key depot device and a host device. The method also includes receiving seed data shared between the key depot device and the host device. The method also includes establishing a connection to a client device. The method also includes generating, by key derivation circuitry of the key depot device, a first symmetric key based at least on a portion of the seed data. The method also includes causing transmission of the first symmetric key to the client device. The method also includes generating a key allocation indication that identifies an authentication target and comprises an indication of the generation of the first symmetric key. The method also includes causing transmission of the key allocation indication to the host device.

Abstract: Apparatuses, methods, and systems are disclosed for enabling roaming with authentication and key management for applications. An apparatus includes a processor that determines a serving network of a user equipment (“UE”) device, the serving network comprising a visited public land mobile network (“VPLMN”) that is different from a home PLMN (“HPLMN”) associated with the UE. The processor selects a network function within the serving network for provisioning an authentication and key management for applications (“AKMA”) security context for an application function (“AF”) based on a name for the serving network. The apparatus includes a transceiver that sends the security context to the network function.

Abstract: Disclosed herein are system, method, and computer program product embodiments for managing the dissemination of documents using downstream control. A document linking system may facilitate the creation of a document link, graphical document link, and/or a corresponding document token. This link may be distributed downstream via messages, emails, or other applications. The document linking system may track document interactions, trace locations, and/or control individualized downstream access. The document linking system may provide instructions to a document delivery system to integrate a plugin or widget into its corresponding application (e.g., a messaging or email application). A user using the application may select a GUI object to access the document linking system and generate a document link. This link may then be embedded into a message or email and disseminated. The document linking system may also generate graphical document links that may be scanned with a camera to access the document.

Abstract: A protocol state fuzzing method for security of a control plane of a distributed software-defined network is provided. The protocol state fuzzing method includes receiving input alphabets being abstract symbols of a protocol message in an ambusher of a distributed network operating system (NOS), converting the input alphabets into the protocol message, and sending the protocol message to a cluster, monitoring, by the cluster, intercommunication between instances in the distributed NOS, and selecting a set of sequences executable in the cluster and searching a cluster log for an output by executing the sequence to generate an attack result.