Abstract: An identity authority computing device having a processor in communication with a database is described herein. The database stores a plurality of persistent user identifiers associated with a plurality of users. The processor is programmed to receive a service request over a public network, the service request including a service provider identifier and a single-use token value associated with one of the users. The processor is also programmed to determine at least one persistent user identifier associated in the database with the token value, and generate an updated service request including the at least one persistent user identifier. The processor further is programmed to generate an encrypted service request using a public encryption key associated with the service provider identifier, and transmit the encrypted service request to a service provider computing device associated with the service provider identifier.

Abstract: Techniques regarding the use of digital identity tokens describing a computer application to obtain authorization to confidential data based on one or more policies are provided. For example, one or more embodiments described herein can comprise a system, which can comprise a memory that can store computer executable components. The system can also comprise a processor, operably coupled to the memory, and that can execute the computer executable components stored in the memory. The computer executable components can comprise a trusted platform module component that can generate a digital identity token that is bound to a computer application process. The computer executable components can also comprise a key authenticity component that can compare the digital identity token to a security key to retrieve a security credential.

Abstract: This disclosure enables a digital token with a set of asset-specific attributes, where the set of asset-specific attributes is modifiable or enabled to receive a new asset-specific attribute at least after the digital token with the set of asset-specific attributes is issued on a blockchain-based tokenization platform. Such functionality may be enabled via the digital token containing an attribute component with a set of key-value pairs populated with a subset of the set of asset-specific attributes, where the set of key-value pairs is programmed to be modified or have a new key-value pair being added thereto after the digital token is issued on the blockchain-based tokenization platform.

Abstract: A coordinating network element manages a protocol that prohibits the coordinating network element from substantively accessing data content that, at least in part, underlies received protocol-compliant requests. By one approach, these teachings provide for preventing substantive access to data information that is included within the protocol-compliant request in tokenized form, wherein the tokens are generated using secrets, at least one of which is unavailable to the coordinating network element.

Abstract: Techniques for performing cyber-security alert analysis and prioritization according to machine learning employing a predictive model to implement a self-learning feedback loop. The system implements a method generating the predictive model associated with alert classifications and/or actions which automatically generated, or manually selected by cyber-security analysts. The predictive model is used to determine a priority for display to the cyber-security analyst and to obtain the input of the cyber-security analyst to improve the predictive model. Thereby the method implements a self-learning feedback loop to receive cyber-security alerts and mitigate the cyberthreats represented in the cybersecurity alerts.

Abstract: Techniques are disclosed relating to generating trained machine learning modules to identify whether user interfaces accessed by a computing device match user interfaces associated with a set of Internet domain names. A server computer system receives a set of Internet domain names and generates screenshots for user interfaces associated with the set of Internet domain names. The server computer system then trains machine learning modules that are customized for the set of Internet domain names using the screenshots. The server then transmits the machine learning modules to the computing device, where the machine learning modules are usable by an application executing on the computing device to identify whether a user interface accessed by the device matches a user interface associated with the set of Internet domain names. Such techniques may advantageously allow servers to identify whether user interfaces are suspicious without introducing latency and increased page load times.

Abstract: A computer-implemented method, computer program product, and computer system is provided for establishing connectivity between user devices. The computer-implemented method includes: broadcasting a message to running processes on an operating system of the first user device to indicate that a requesting application is looking for a live connection channel to attempt discovery with a second user device to ascertain virtual proximity of the first user device with the second user device. The computer-implemented method further includes receiving a response from a live connection channel and attempting to verify pairing via the live connection channel to confirm a virtual proximity of the second user device with the first user device. The pairing provides information for establishing a subsequent connection between the first and second user devices via the requesting application.

Abstract: A method and a device for policy translation of a data converter in a security management system are disclosed.

Abstract: A system and method for out-of-path detection of cyber-attacks are provided. The method includes receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack; and upon detection of a potential cyber-attack, providing indication to each network entity of the network entities that is under attack.

Abstract: Containerised computing processes are generated by an orchestration processor interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, using a shell script run on a host virtualisation container. External events such as security threats and computing resource overloads can be used to generate the virtualised process, allowing vulnerability detection, and apply countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.

Abstract: Disclosed embodiments relate to systems and methods for enforcing security policies in dynamic development pipelines. Techniques include accessing a build script, including a set of instructions for a software build process, parsing the build script to identify a set of scripted build instructions, determining a set of expected build actions based on the scripted build instructions, and constructing a representation of the set of expected build actions. The techniques may further include automatically generating a security policy based on the representation of the set of expected build actions, monitoring a build machine running the build script, and enforcing the security policy on the build machine.

Abstract: A computer storage device having a host interface, a controller, non-volatile storage media, and firmware. The firmware instructs the controller to: limit a crypto key to be used in data access requests made in a first namespace allocated on the non-volatile storage media of the computer storage device; store data in the first namespace in an encrypted form that is to be decrypted using the crypto key; free a portion of the non-volatile storage media from the first namespace, the portion storing the data; and make the portion of the non-volatile storage media available in a second namespace without erasing the data stored in the portion of the non-volatile storage media.

Abstract: Multi-tenant cloud-based firewall systems and methods are described. The firewall systems and methods can operate overlaid with existing branch office firewalls or routers as well as eliminate the need for physical firewalls. The firewall systems and methods can protect users at user level control, regardless of location, device, etc., over all ports and protocols (not only ports 80/443) while providing administrators a single unified policy for Internet access and integrated reporting and visibility. The firewall systems and methods can eliminate dedicated hardware at user locations, providing a software-based cloud solution.

Abstract: Systems and methods are provided that may be implemented as an identity management system to provide a single sign on to a master website and silent authentication for subservient websites. The identity management system may include an identity provider server and a user management server. The identity provider server may authenticate a user, redirect an authenticated user to the user management server, and receive and verify a silent authentication request including a cryptographic signature and a modified message on behalf of the authenticated user from the user management server.

Abstract: Provided is a process that includes: obtaining with a distributed application comprising an identity management system, a first password; comparing with the distributed application, the first password to a set of compromised credentials within a database external to the network-accessible resource; receiving one or more passwords that match the first password based on the comparison; determining with the distributed application whether the one or more passwords satisfy a criterion; and in response to the determination that the one or more passwords satisfy the criterion, causing the first user associated with a first account and the first password to be notified that the first password has been compromised.

Abstract: Embodiments of network devices for access control are described. In some embodiments, an access control processor of a first node receives a request from a requestor node on an unsecure network to join a first group of nodes on a secure network, where the first node coordinates network activities of the first group of nodes including a plurality of partitioned nodes of a network. In response to receiving the request, the access control processor assigns the requestor node to a first pool of the first group of nodes that are configured to perform authorized modifications of data including a cryptographic hash to protect the data against unauthorized modifications. In some embodiments, the access control processor initiates the authorized modifications of the data using one or more nodes assigned to the first pool and one or more nodes of a second pool of the first group of nodes.

Abstract: Implementations provide self-consistent, temporary, secure storage of information. An example system includes short-term memory storing a plurality of key records and a cache storing a plurality of data records. The key records and data records are locatable using participant identifiers. Each key record includes a nonce and each data record includes an encrypted portion. The key records are deleted periodically. The system also includes memory storing instructions that cause the system to receive query parameters that include first participant identifiers and to obtain a first nonce. The first nonce is associated with the first participant identifiers in the short-term memory. The instructions also cause the system to obtain data records associated with the first participant identifiers in the cache, to build an encryption key using the nonce and the first participant identifiers, and to decrypt the encrypted portion of the obtained data records using the encryption key.

Abstract: A digital rights management system is provided that includes a receiving device for receiving an encryption key request from a client device, a first database for storing a set of supported security capabilities corresponding to client device, a second database for storing a set of required security capabilities corresponding to at least one of the encryption key and content associated with the encryption key, a content management system for establishing rules to determine the set of required security capabilities corresponding to content, and a processing device. The processing device may be configured to identify the set of supported security capabilities corresponding to the client device and identify the set of required security capabilities corresponding to the content associated with the encryption key. The content management system may be configured to configure the set of supported security capabilities and configure the set of required security capabilities.

Abstract: One or more computing devices, systems, and/or methods are provided. A request for content associated with a device and/or a set of request information associated with the request for content may be received. A content item may be transmitted to the device. A set of client information associated with the device may be received. The set of client information may be analyzed to determine a fraudulence label associated with the request for content. Fraud detection information generated based upon the set of request information, the set of client information and/or the fraudulence label may be stored in a fraud detection database. A second request for content associated with a second device and/or a second set of request information associated with the second request for content may be received. A second fraudulence label may be determined based upon the second set of request information and/or the fraud detection database.

Abstract: According to certain implementations, an access control system controls access to secured data that is stored on a secured source. A requestor system may request information representing the secured data. The access control system receives the secured data from the secured source, and selects a portion of the secured data based on a lens including a filter criteria or a modification instruction. Adjusted data may be generated based on a modification of the selected portion of data, where the modification is based on the lens. The access control system provides the adjusted data to the requestor system via an access interface. In some cases, upon completion of a time period, the access control system prevents the requestor system from accessing the adjusted data, by disabling the access interface used to access the adjusted data. The adjusted data may be deleted from the access control system.