Abstract: The invention relates to the technical field of network security, in particular to a distributed network source security access management system and a user portal for reducing system security risks and improving system flexibility. The distributed network source security access management system includes a policy management module, a user management module, a user access module, a resource management module, and a resource access module. The resource management module is used for managing network resources and transmitting the network resource information and a connection relation between the network resources and the resource access module to the policy management module.

Abstract: Secure access to a corporate application in an SSH session using a transparent SSH proxy. In some embodiments, a method may include receiving, at a secure access cloud point of delivery (PoD), from a client application on a client device, a request to access a corporate application that is deployed in a corporate datacenter. The method may also include forwarding, from the secure access cloud PoD, to a connector that is also deployed in the corporate datacenter, the request. The method may further include brokering, by the connector and the secure access cloud PoD, authentication of a user, authorization of access by the user, and an SSH session between the client application and the corporate application using a transparent SSH proxy, with the client application being unaware that the SSH session is brokered by the connector and the secure access cloud PoD.

Abstract: The disclosed technology teaches a method of reducing false detection of anomalous user behavior on a computer network, including forming groups from identity and access management (IAM) properties and assigning the users into initially assigned groups based on respective IAM properties, and recording individual user behavior in a statistical profile, including application usage frequency. The method also includes dynamically assigning a user with a realigned group, different from the initial assigned group, based on comparing the recorded user behavior, with user behavior in statistical profiles of the users in the groups, evaluating and reporting anomalous events among ongoing behavior of the individual user based on deviations from a statistical profile of the realigned group. The method utilizes common app usage for forming the groups, in some cases.

Abstract: Systems and methods for protecting access to network ports on a server are provided herein. A system comprises a server configured to receive a data packet comprising a cryptoken corresponding to a network port address. The server is further configured to generate a plurality of cryptokens based on a plurality of timecodes, a network port configuration, and the destination address. The server generates a plurality of hashes based on the plurality of cryptokens. The server generates, based on a comparison of each of the plurality of cryptokens to the cryptoken, a rule to allow inbound connections to a first network port corresponding to the network port address.

Abstract: The disclosed computer-implemented method for increasing cybersecurity protection may include (i) receiving, at a subscription-management computing device, an alert indication that indicates (A) a cybersecurity status score on a protected computing device is lower than a threshold value and (B) the protected computing device is associated with an expired subscription to a cybersecurity service and (ii) performing, responsive to receiving the alert indication, a security action comprising sending, from the subscription-management computing device to a server, a transfer instruction directing the server to transfer, to the protected computing device, at least a portion of a duration of a valid subscription to the cybersecurity service. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Apparatuses, methods, systems, and program products are disclosed for endpoint-based security. An apparatus includes a network module that is configured to receive, at an end user device, a request for content from a network source. An apparatus includes a policy module that is configured to compare a network source of requested content against a policy that is stored on an end user device prior to the content being allowed on the end user device. An apparatus includes an action module that is configured to perform at least one action related to requested content based on a comparison between a network source of the requested content and a policy.

Abstract: A method, a data protection module and a network system for protecting data of an electronic device, on which sensitive data are recorded or supplied; the sensitive data being processed by external services, in particular, Internet services. The data protection module is used for automatically computing data protection configurations for the device on the basis of device metadata and service metadata.

Abstract: A system already on a network may be analyzed when the system takes an action or may be periodically reviewed. The analysis of the system may include the creation of an environment hash for the system, which is a representation of the configuration (e.g., hardware, software, or the like) of the system, and a comparison with hash requirements. The hash requirements may be stored authorized hashes, stored unauthorized hashes, past hashes for the same system, hashes for other systems with the same or similar configurations, or the like. When the environment hash of the system meets hash requirements, the system may be allowed to continue to operate on the system or may be allowed to take the action on the network. When the hash of the system fails to meet a hash requirement, the system may be isolated from the network and investigated for a non-compliant configuration.

Abstract: Systems and methods for a security rating framework that translates compliance requirements to corresponding desired technical configurations to facilitate generation of security ratings for network elements is provided. According to one embodiment, a host network element executes a collection of security checks on at least a first network element. The execution is performed by receiving configuration data of the first network element pertaining to each security check of the collection of security checks in response to a request by the host network element and validating each security check by comparing the received configuration data pertaining to each security check with a pre-defined or configurable network security configuration recommendation to generate a compliance result. Further, the host network element generates a compliance report by aggregating the compliance results obtained by executing each security check of the collection of security checks.

Abstract: A system and method for mapping licenses from disparate data sources and databases from third parties triggered by a system registration request, analyzing data structures for license information records and third-party information records, cross-referencing a license record with a third-party information record, flagging database records that reflect a license field record change, updating mapping-related procedures and queries, and providing a presentation of license information records and related status.

Abstract: A method for obtaining a profile for access to a communication network by a secondary terminal via a main terminal. The main terminal includes a security element having an authentication key, the authentication key being used by the network and by the main terminal to generate at least one session master key specific to the main terminal. The secondary terminal: provides its identifier to the main terminal; receives from the main terminal a temporary key specific to the secondary terminal, a temporary identifier of the secondary terminal, and an identifier of the network for access to the network. The temporary key is based on the temporary identifier of the secondary terminal and the session master key of the main terminal. The temporary key, the temporary identifier, the identifier of the secondary terminal, and the identifier of the access network are included in an profile for access to the network.

Abstract: A security mechanism, e.g., a computing system, security server, can effectively serve as a centralized security mechanism, e.g., a computing system, security server, for an ecosystem that can include diverse clients and servers. The security mechanism can obtain redirected requests for services, authenticate credentials of a client and generate a (client-side) token that can be provided by the client to the server for verification of the identity of the client. The security mechanism can also obtain a token from a server that can be similar to a (client-side) token provided to a client and then generate a (server-side) token that can be provided to a server. The server-side token can include authorization information that allows access to one or more services of one or more other servers.

Abstract: Embodiments of the present invention provide a method, program, and apparatus that may identify a device by using a virtual code generated based on a unique value of a chip inside a device without a separate procedure for identifying the device. Furthermore, embodiments of the present invention provide a method, program, and apparatus that may generate a virtual code, which is not matched with any other code, whenever a code for identifying a device is requested. Moreover, embodiments of the present invention provide a method, program, and apparatus for identifying a device that may add and use only an algorithm without changing a conventional process.

Abstract: A technique utilizes a security heat map associated with a geographic region. The technique involves receiving, by a server, current heat scores for one or more endpoint devices located within the geographic region. The technique further involves providing, by the server, for areas within the geographic region, respective aggregate heat scores based on the current heat scores for the one or more endpoint devices. The technique further involves, based on the respective aggregate heat scores for the areas within the geographic region, generating, by the server, a security heat map defining one or more security zones within the geographic region. The technique further involves imposing, by the server, security policies on the one or more endpoint devices based on the security heat map.

Abstract: Methods are described for providing access to one or more transponder functions of sports timing transponder that is configured for transmitting a signal comprising a transponder identifier to a receiver of a timing system that is configured to determine the point in time that said transponder passes said receiver. The method may comprise: establishing a communication link between said transponder and an access module configured to determine time information; determining rights information stored in a memory of said transponder, said rights information comprising one or more access conditions for determining when a user of said transponder has a right to access at least part of said transponder functions; receiving time information from said access module; and, determining whether said user has a right to access at least part of said one or more transponder functions on the basis of at least part of said access conditions and said time information.

Abstract: A method of secure access through a wireless connection is provided. The method includes detecting availability of an access control wirelessly by a mobile device. A predicted intent is determined of a user of the mobile device to have the access control open a lock. The method determines whether a relay attack is detected. Based on detection of the relay attack, a prompt to confirm an intent of the user of the mobile device to have the access control open a lock is determined. Based on non-detection of the relay attack, a lock actuator is activated through the access control to open the lock responsive to a credential based on affirmatively confirming the intent or the predicted intent.

Abstract: A system and method is provided for detecting anomalous events based on a dump of an address space of a software process in a memory of a computing device. An exemplary method includes detecting at least one event occurring in an operating system of the computing device during an execution of the software process, determining a context of the detected event, wherein the context comprises a dump of an address space of the software process containing code that was being executed at the moment of occurrence of the detected event, selecting a set of features of the dump for use in determining whether or not the event is anomalous, transforming the selected set of features of the dump into a convolution, determining a popularity of the convolution by polling a database, and determining that the detected event is an anomalous event if the determined popularity is below a threshold value.

Abstract: Secure digital assistant integration with web pages is provided. The system receives an intent manifest data structure that maps actions of a digital assistant with link templates of an electronic resource developed by a third-party developer device. The system validates the electronic resource based on the intent manifest data structure. The system receives, from a data exchange component of an iframe of the electronic resource loaded by a client computing device, an identifier of the client computing device. The system receives a foreground state of the electronic resource from an onsite state sharing API. The system selects a data value for a parameter based on the foreground state and the intent manifest data structure. The system provides the data value. An authorization component generates an authorization prompt, receives input, and transmits the data value to an onsite intent execution API of the electronic resource to execute an action.

Abstract: There is provided a method and system for securely coupling and transferring data between devices. In a preferred embodiment, the devices may comprise two devices, a transferring device and a receiving device, and both devices are mobile devices. Embodiments of the present invention allow the wireless transfer of data such as contacts, photo images, video files, or other data from one device to another device, without need for special hardware or cabling.

Abstract: Embodiments described herein relate generally to network-based threat detection mechanisms. Specifically, embodiments described herein describe a communication mechanism that filters (e.g., allows or blocks) received communications according to an iterative security list.