Patents Examined by Anthony D Brown
  • Patent number: 11956277
    Abstract: Systems and methods for protecting access to network ports on a server are provided herein. A system comprises a server configured to receive a data packet comprising a cryptoken corresponding to a network port address. The server is further configured to generate a plurality of cryptokens based on a plurality of timecodes, a network port configuration, and the destination address. The server generates a plurality of hashes based on the plurality of cryptokens. The server generates, based on a comparison of each of the plurality of cryptokens to the cryptoken, a rule to allow inbound connections to a first network port corresponding to the network port address.
    Type: Grant
    Filed: August 23, 2022
    Date of Patent: April 9, 2024
    Assignee: Cyber IP Holdings, LLC
    Inventors: Christopher Edward Delaney, Chava Louis Jurado, Carl Bailey Jacobs
  • Patent number: 11943345
    Abstract: A key management method and a related device are provided. The method includes: receiving key generation request information; generating attribute access policy information on the basis of the key generation request information, the attribute access policy information being an attribute set for encrypting a data key; encrypting the data key on the basis of the attribute set for encrypting the data key; receiving key acquisition request information; on the basis of the attribute set for encrypting the data key, verifying whether attribute information of the key acquisition request information is included in the attribute set for encrypting the data key; and in response to the attribute information of the key acquisition request information being included in the attribute set for encrypting the data key, acquiring a destination data key on the basis of the attribute information of the key acquisition request information.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: March 26, 2024
    Assignee: INSPUR SUZHOU INTELLIGENT TECHNOLOGY CO., LTD.
    Inventors: Fuqiang Ma, Jin Wang
  • Patent number: 11936693
    Abstract: A system and method for applying a policy on a network path is disclosed. The method includes: selecting a reachable resource having a network path to access the reachable resource, wherein the reachable resource is a cloud object deployed in a cloud computing environment, having access to an external network which is external to the cloud computing environment; actively inspecting the network path to determine if the network path of the reachable resource is accessible from the external network; applying a policy on the accessible network path, wherein the policy includes a conditional rule; initiating a mitigation action, in response to determining that the conditional rule is not met; and applying the policy on another network path, in response to determining that the conditional rule is met.
    Type: Grant
    Filed: July 24, 2023
    Date of Patent: March 19, 2024
    Assignee: WIZ, INC.
    Inventors: Roy Reznik, Matilda Lidgi, Shai Keren, Eliran Marom
  • Patent number: 11930017
    Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Based on identity and audit data received from a set of cloud deployments, and according to a cloud intelligence model, a set of permissions associated with each of a set of identities are determined. For each identity, and based on a set of identity chains extracted from the cloud intelligence model, a set of identity account action paths (IAAPs) are then determined. An IAAP defines how the identity obtains an ability to perform a given action in a given account. Using the identity account action paths together with context information, one or more roles, groups and accounts in the enterprise that are propagating permissions within the public cloud environment are then identified.
    Type: Grant
    Filed: April 7, 2023
    Date of Patent: March 12, 2024
    Assignee: Sonrai Security Inc.
    Inventors: Veranika Hadun, William Bird, Ben Wuest
  • Patent number: 11930006
    Abstract: A system or method for hosting and managing FIDO authenticators in local network or cloud for users in a shared multi-user environment; which receives an authentication request initiated by a relying party application on a computing device via Web Authentication (WebAuthn) interface; and uses unique identifiers (such as RFID tags) to distinguish the hosted authenticators associated with each user to forward the authentication request; and receiving a response to that authentication request from the hosted authenticator on the local network or cloud; and transmitting the authentication response back to the sender application on the computing device for authentication purposes.
    Type: Grant
    Filed: May 5, 2023
    Date of Patent: March 12, 2024
    Assignee: IDMELON TECHNOLOGIES INC.
    Inventors: Bahram Piri, Hassan Seifi
  • Patent number: 11930202
    Abstract: Disclosed are method and apparatus for video watermarking, an electronic device and a storage medium. The method includes steps described below. Image data of a target video frame is converted from an RGB format to a YUV format; in the YUV format, an offset with a preset value is superimposed on a pixel value of a pixel point corresponding to a shape to be watermarked on the target video frame; and the target video frame on which the offset is superimposed is encoded.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: March 12, 2024
    Assignee: BEIJING MICROLIVE VISION TECHNOLOGY CO., LTD
    Inventors: He Guo, Jianqiang He
  • Patent number: 11916961
    Abstract: Provided are a computer system which suggests an appropriate security set to a user for user information and statistical information related to collected statistical security parameters, a security setting suggestion method, and a program. The computer system, which is arranged in communication connection to at least one user terminal (10) and which is provided with a security statistics database (250), acquires, from the user terminal (10), a suggestion request for a security set, and user information at least including an attribute, uses the suggestion request and the acquired user information to extract, from the security setting statistics database (250), a security set associated with user information which is identical to the acquired user information or similar to the acquired user information within a specific extent, and provides the user terminal (10) with at least one extracted security set as a suggested security set.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: February 27, 2024
    Assignee: OPTIM CORPORATION
    Inventor: Shunji Sugaya
  • Patent number: 11907842
    Abstract: A system comprises a memory that stores computer-executable components; and a processor, operably coupled to the memory, that executes the computer-executable components. The system includes a receiving component that receives a corpus of data; a relation extraction component that generates noisy knowledge graphs from the corpus; and a training component that acquires global representations of entities and relation by training from output of the relation extraction component.
    Type: Grant
    Filed: January 13, 2023
    Date of Patent: February 20, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Alfio Massimiliano Gliozzo, Sarthak Dash, Michael Robert Glass, Mustafa Canim
  • Patent number: 11907367
    Abstract: A dormant account identifier is disclosed. An inactive account can be determined based on whether a user activity of the account is outside a threshold amount. A determination can be made as to whether the inactive account is a dormant account based on account activity of a peer account to the inactive account.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: February 20, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Itay Argoety, Tomer Haimovich, Amir Harar
  • Patent number: 11902279
    Abstract: The present disclosure relates to a method, apparatus, system and storage medium for access control policy configuration. The method includes receiving a request for creating a target resource; determining, based on the request, whether an access control policy inheritance attribute is set for the target resource, the access control policy inheritance attribute indicating an inheritance relationship between access control policies of the target resource and its parent resource; and configuring the access control policy of the target resource according to a result of the determination. Thus, the efficiency of configuring an access control policy for a resource is improved.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: February 13, 2024
    Assignee: BOE TECHNOLOGY GROUP CO., LTD.
    Inventors: Qian Zhang, Junjie Zhao, Jing Su
  • Patent number: 11887118
    Abstract: Embodiments of the present invention provide a method, program, and apparatus that may identify a device by using a virtual code generated based on a unique value of a chip inside a device without a separate procedure for identifying the device. Furthermore, embodiments of the present invention provide a method, program, and apparatus that may generate a virtual code, which is not matched with any other code, whenever a code for identifying a device is requested. Moreover, embodiments of the present invention provide a method, program, and apparatus for identifying a device that may add and use only an algorithm without changing a conventional process.
    Type: Grant
    Filed: June 2, 2022
    Date of Patent: January 30, 2024
    Assignee: SSenStone Inc.
    Inventor: Chang Hun Yoo
  • Patent number: 11888856
    Abstract: Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface affecting a redirect for access to the secure resource.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: January 30, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Charles Prakash Rao Dasari, Maksym Yaryn, Debashis Choudhury, Jeffrey A Staiman
  • Patent number: 11882157
    Abstract: A method includes: generating a manifest of assets during the target time interval; labeling each asset in the manifest of assets with a set of attributes exhibited by the asset during the target time interval; defining a first attribute category exhibiting a first combination of attributes; assigning a first action to the first attribute category; identifying a subset of assets in the manifest of assets matching the first attribute category, each asset in the subset of assets exhibiting a set of attributes including the first combination of attributes; and executing the first action on the first subset of assets.
    Type: Grant
    Filed: January 25, 2023
    Date of Patent: January 23, 2024
    Assignee: Sevco Security, Inc.
    Inventors: Jeffrey J. Guy, Dean Mekkawy, Jeremiah Clark, Nevins Bartolemeo, Aaron Griffin, Michael Alfonse, Jacob Hackett, Nick Murdock, Jim LoRusso, Jason McFarland, Luis Diego Cabezas
  • Patent number: 11882097
    Abstract: A method in a virtual private network (VPN) environment, the method including determining, by a processor, first substitute domain information by utilizing a hashing function to hash a first time marker and a string of alphanumeric characters; determining, by the processor, second substitute domain information by utilizing the hashing function to hash a second time marker and the string of alphanumeric characters, the second time marker being different than the first time marker; and transmitting, by the processor, a connection request utilizing the second substitute domain information to reach a VPN service provider based at least in part on determining that the VPN service provider is unreachable via utilization of the first substitute domain information. Various other aspects are contemplated.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: January 23, 2024
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11882123
    Abstract: Disclosed are various examples for kernel level application data protection. In one example, a security label and a list of permitted applications are received. The security label is utilized to limit access to files that embed the security label. A security label map is written within a kernel layer of the client device. The security label map includes the security label and the list of permitted applications. A secured file is generated by embedding the security label within a file stored on the client device.
    Type: Grant
    Filed: May 18, 2022
    Date of Patent: January 23, 2024
    Assignee: VMware, Inc.
    Inventors: Akash Pati, Shivam Srivastav, Anirudh Singh Rathore
  • Patent number: 11876797
    Abstract: A method includes logging into a server and sending geolocation information to the server by a first device. The first device requests rights to decrypt a secure data file, and in response, the server sends a machine-readable optical label to the first device. The first device displays the machine-readable optical label. A second device logs into the server, and scans the machine-readable optical label displayed by the first device to create a scanned image. The second device decodes data from the scanned image to form decoded data. Geolocation information of the second device and the decoded data are submitted to the server. The decoded data and the geolocation information are validated by the server, and in response to successfully validating the geolocation information, a link completion status indicator is sent to the second device, and information to decrypt the secure data file is sent to the first device.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: January 16, 2024
    Assignee: Everything Blockchain Technology Corp.
    Inventors: Brandon Hart, Courtney Roach
  • Patent number: 11870818
    Abstract: A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.
    Type: Grant
    Filed: February 28, 2023
    Date of Patent: January 9, 2024
    Assignee: CLOUDFLARE, INC.
    Inventors: Edwin Donald Sutherland, Sheril Nagoormeera
  • Patent number: 11870810
    Abstract: An electronic device includes a network communications interface, a processor, and a memory configured to store instructions that, when executed by the processor, cause the processor to instantiate a set of processes; receive, over a network and via the network communications interface, a policy for network socket creation; receive, from the set of processes, a set of requests to create a first set of network sockets used to communicate over the network via the network communications interface; collect telemetry pertaining to a second set of network sockets used to communicate over the network via the network communications interface; allow or block creation of network sockets in the first set of network sockets, in accordance with the collected telemetry and the policy for network socket creation; and transmit at least part of the collected telemetry to a controller, over the network and via the network communications interface.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: January 9, 2024
    Assignee: T-Mobile USA, Inc.
    Inventor: Cameron Byrne
  • Patent number: 11868455
    Abstract: Techniques are disclosed relating to biometric authentication, e.g., facial recognition. In some embodiments, a device is configured to verify that image data from a camera unit exhibits a pseudo-random sequence of image capture modes and/or a probing pattern of illumination points (e.g., from lasers in a depth capture mode) before authenticating a user based on recognizing a face in the image data. In some embodiments, a secure circuit may control verification of the sequence and/or the probing pattern. In some embodiments, the secure circuit may verify frame numbers, signatures, and/or nonce values for captured image information. In some embodiments, a device may implement one or more lockout procedures in response to biometric authentication failures. The disclosed techniques may reduce or eliminate the effectiveness of spoofing and/or replay attacks, in some embodiments.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: January 9, 2024
    Assignee: Apple Inc.
    Inventors: Deepti S. Prakash, Lucia E. Ballard, Jerrold V. Hauck, Feng Tang, Etai Littwin, Pavan Kumar Anasosalu Vasu, Gideon Littwin, Thorsten Gernoth, Lucie Kucerova, Petr Kostka, Steven P. Hotelling, Eitan Hirsh, Tal Kaitz, Jonathan Pokrass, Andrei Kolin, Moshe Laifenfeld, Matthew C. Waldon, Thomas P. Mensch, Lynn R. Youngs, Christopher G. Zeleznik, Michael R. Malone, Ziv Hendel, Ivan Krstic, Anup K. Sharma
  • Patent number: 11848954
    Abstract: A method for assessing a network environment includes obtaining, by the network assessment computing device, device information for one or more devices each with an Internet Protocol address currently on a defined network in a network environment from a network appliance device coupled to the network environment. Each of the identified devices are assessed, by the network assessment computing device, for one or more vulnerabilities. Network status data and any actionable items for the identified devices for the one or more vulnerabilities is generated, by the network assessment computing device, based on the assessing. The generated status data and any actionable items are provided by the network assessment computing device.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: December 19, 2023
    Assignee: INFINITE GROUP, INC.
    Inventors: Brian A. Drake, Mark E. Klein, Andrew T. Hoyen, James A. Villa, Julian D. Baldwin