Patents Examined by Arezoo Sherkat
  • Patent number: 11244063
    Abstract: Example embodiments relate to a policy service employed to perform operations to: generate and maintain a data-set that comprises at least a column and a row that intersect at a cell; assign an access policy to a row or column of the data-set, wherein the access policy is defined by one or more access credentials required to receive access to the cell that intersects with the row or column; receive a request to read the data-set from a user account, wherein the user account has an associated credential; filter the cell that intersects with the row or column of the data-set based on the access policy and the credential of the user account, in response to receiving the request from the user account; and provide the user account with access to the filtered data-set.
    Type: Grant
    Filed: June 11, 2018
    Date of Patent: February 8, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Brandon Krieger, Mark Elliot, Matthew Lynch
  • Patent number: 11240239
    Abstract: An authentication system for providing shared credential authentication includes a client information handling system (IHS) having a resource service application, and a mobile IHS having a shared authentication application. The shared authentication token indicates that an authenticated state between the client IHS and the mobile IHS exists. The resource service application receives a request to access the resource, and sends an authentication request to an authentication server to authorize access to the resource. The shared authentication application receives a query from the authentication server to verify a status of a shared authentication token, and, when the shared authentication token is valid, responds to the query that the shared authentication token is valid. The resource service application further receives a response to the authentication request, and grants access to the resource when the authentication token indicates that the shared authentication token is valid.
    Type: Grant
    Filed: August 7, 2018
    Date of Patent: February 1, 2022
    Assignee: Dell Products L.P.
    Inventors: Daniel L. Hamlin, Charles D. Robison
  • Patent number: 11233644
    Abstract: A secure device comprises a secure computing environment (SCE) that stores one or more cryptographic secrets, such as private keys, and is able to receive input from secure input devices such as a keypad or smartcard interface and provide output to secure output devices such as a secure display. The SCE provides safeguards against remote and physical exploits, erasing or rendering unusable the secrets in the event of actual or suspected exploit, protecting the secrets from compromise. The SCE may digitally sign internally generated messages or messages from an external device such as a smartphone. Message signing conditions may be checked and satisfied in the SCE before a digitally signed message is generated. Messages may be automatically signed if they satisfy specified conditions. The secure device may be used as part of a multisignature scheme in which a plurality of private keys are used to create a digital signature.
    Type: Grant
    Filed: August 7, 2018
    Date of Patent: January 25, 2022
    Assignee: GRIDPLUS INC.
    Inventors: Karl J. Kreder, III, Alexander Scot Miller, Mark Vincent D'Agostino, John R. Boyd, IV
  • Patent number: 11232181
    Abstract: According to at least one example embodiment of the present invention, provided is a face authentication system including: a criterion setting unit that sets a criterion of face authentication performed on a user so as to be different in accordance with a state of an access target system accessed by the user; and a face authentication unit that performs face authentication of the user based on the criterion.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: January 25, 2022
    Assignee: NEC CORPORATION
    Inventors: Shinya Takashima, Shizuo Sakamoto
  • Patent number: 11232180
    Abstract: According to at least one example embodiment of the present invention, provided is a face authentication system including: a criterion setting unit that sets a criterion of face authentication performed on a user so as to be different in accordance with a state of an access target system accessed by the user; and a face authentication unit that performs face authentication of the user based on the criterion.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: January 25, 2022
    Assignee: NEC CORPORATION
    Inventors: Shinya Takashima, Shizuo Sakamoto
  • Patent number: 11223652
    Abstract: Systems and methods are presented for causing deception technology to be installed on a first computing device, generating a unique identifier for a user associated with the first computing device and the first computing device, and generating a unique Uniform Resource Locator (URL) associated with the unique identifier. The systems and methods are further presented for transmitting the unique URL to the first computing device, detecting that the unique URL has been accessed by a second computing device, capturing data identifying the time and date the unique URL is accessed and information associated with the second computing device accessing the URL, and generating a notification to alert the user of the first computing device of unauthorized access.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: January 11, 2022
    Assignee: BlackCloak, Inc.
    Inventors: Christopher Pierson, Daniel N. Floyd
  • Patent number: 11218485
    Abstract: Systems and methods for providing simultaneous access to a plurality of discrete, secure private network enclaves are presented. A credential server configured to maintain a repository of available private network enclaves, network locations of enclave access services associated with the available private network enclaves, and credential information regarding which users are permitted access to which private network enclaves, is accessed. Private network enclaves available to a particular user, wherein the accessed private network enclaves contain resources for the particular user to access, are accessed. Forwarding to and from resources contained across multiple private network enclaves as if they were available locally in a user virtualized network domain, is provided.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: January 4, 2022
    Assignee: Berryville Holdings, LLC
    Inventors: Christopher Edward Delaney, Chava Louis Jurado, Carl Bailey Jacobs
  • Patent number: 11218473
    Abstract: A system for identifying suspicious logins. The system may include a memory storing executable instructions, and at least one processor configured to execute the instructions to perform operations. The operations may include receiving a first user login from an electronic device, the first user login comprising login credentials; receiving a second user login from an electronic device, the second user login comprising login credentials; analyzing a plurality of device history characteristics, wherein at least one device history characteristic comprises a determination of a last financial transaction performed by an electronic device; determining, based on the analysis, that the first and second user logins originate from different electronic devices; identifying, based on the determination and the analysis, the second user login as a suspicious login; sending, to a user, a notification of the identified suspicious login; and modifying, based on the notification, security settings on an account of the user.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: January 4, 2022
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Jackson Cheek, Zainab Zaki
  • Patent number: 11212302
    Abstract: Methods and systems to identify the domain names that can potentially be used for delivering instructions to a bot, before bots on a computer network succeed in obtaining the instructions. The system maintains a device rating for each device that reflects a likelihood that the device is infected by malware. The system also maintains a domain-name rating for each device that reflects a likelihood that the domain name is malicious. When a device attempts to access a particular domain name, the domain-name rating of the domain name is updated in light of the device rating of the device, and/or the device rating of the device is updated in light of the domain-name rating.
    Type: Grant
    Filed: December 28, 2016
    Date of Patent: December 28, 2021
    Assignee: VERINT SYSTEMS LTD.
    Inventors: Yitshak Yishay, Vadim Pogulievsky
  • Patent number: 11196551
    Abstract: An example operation may include one or more of receiving user profile identification data associated with a user profile, creating a smart contract on a blockchain with the user profile identification data, validating an identity of the user profile based on the user profile identification data, performing a predictive analysis by the smart contract to determine one or more future tasks to be performed by a user device associated with the user profile, generating one or more tokens associated with the user profile, the one or more tokens include access rights for the user device to perform the one or more future tasks, and storing the one or more tokens in the blockchain.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: December 7, 2021
    Assignee: International Business Machines Corporation
    Inventors: Komminist Weldemariam, James R. Kozloski, Michael S. Gordon, Maja Vukovic, Elizabeth Ondula
  • Patent number: 11176060
    Abstract: Presented herein are methods and systems for adjusting code files to apply memory protection for dynamic memory regions supporting run-time dynamic allocation of memory blocks. The code file(s), comprising a plurality of routines, are created for execution by one or more processors using the dynamic memory. Adjusting the code file(s) comprises analyzing the code file(s) to identify exploitation vulnerable routine(s) and adding a memory integrity code segment configured to detect, upon execution completion of each vulnerable routine, a write operation exceeding from a memory space of one or more of a subset of most recently allocated blocks allocated in the dynamic memory to a memory space of an adjacent block using marker(s) inserted in the dynamic memory in the boundary(s) of each of the subset's blocks. In runtime, in case the write operation is detected, the memory integrity code segment causes the processor(s) to initiate one or more predefined actions.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: November 16, 2021
    Assignee: Sternum Ltd.
    Inventors: Natali Tshouva, Lian Granot
  • Patent number: 11171925
    Abstract: Techniques are provided for evaluating and modifying countermeasures based on aggregate transaction status. A first expression pattern is determined that occurs in each of first response messages served by the web server system in response to successful transactions of the transaction type. A second expression pattern is determined that occurs in each of second response messages served by the web server system in response to non-successful transactions of the transaction type requested. A status is determined for each of a plurality of transactions of the transaction type based on matching the first expression pattern or the second expression pattern to response messages served by the web server system. Aggregate status information for the transaction type based on the status for the set of operations is updated. Based on a change in the aggregate status information, a set of one or more security countermeasures is updated.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: November 9, 2021
    Assignee: SHAPE SECURITY, INC.
    Inventors: Siying Yang, Justin D. Call
  • Patent number: 11159486
    Abstract: Systems and methods implemented in a node in a cloud-based security system include obtaining a plurality of rules each defined via a rule syntax that includes a rule header and rule options, wherein each rule header is used for a rule database lookup, and each rule options is used to specify details about the associated rule; monitoring data associated with a user of the cloud-based security system; analyzing the data with the plurality of rules; and performing one or more security functions on the data based on triggering of a rule of the plurality of rules.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: October 26, 2021
    Assignee: Zscaler, Inc.
    Inventors: Sushil Pangeni, Vladimir Stepanenko, Srikanth Devarajan, Shashi Kiran Meda Ravi
  • Patent number: 11159506
    Abstract: An authentication method includes: receiving an authentication request from a user, the authentication request including an identity identifier of the user; acquiring authentication data associated with the identity identifier from a blockchain network, a blockchain node of the blockchain network storing a mapping relationship between identity identifiers and authentication data; and performing identity authentication for the user according to the authentication data.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: October 26, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Kejia Li
  • Patent number: 11153342
    Abstract: A computer implemented method and system for protecting against denial of service attacks by detecting changes in a preferred set of hierarchically-structured items in a network data stream in which a set of network destination prefixes is identified that account for a user specified target of the attack traffic. Changes in the attack traffic profile are detected and new sets of network destination prefixes are generated when the attack has shifted by a predetermined threshold. Sets of identified destination prefixes are then translated into route announcements to divert attack traffic to mitigation devices.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: October 19, 2021
    Assignee: Arbor Networks, Inc.
    Inventors: Andrew Lee Adams, Cameron Hanover, Dagan Harrington, Jiasi Li, Joachim Wright
  • Patent number: 11151253
    Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of credentialing an application in a cloud environment. The application is determined to be a trusted application type. The application is provided with a certificate service process dedicated to request and receive a certificate from a source outside the cloud environment. An integration component retrieves the secret and provides it to the application that is inside the cloud environment. The secret is verified within the cloud environment and the application is deployed as a trusted application instance inside the cloud environment.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: October 19, 2021
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Brian J. Hanafee, Phillip John Crump
  • Patent number: 11146588
    Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.
    Type: Grant
    Filed: June 29, 2019
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Chun-Shuo Lin, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 11122080
    Abstract: A computer implemented method and system for identifying a preferred set of hierarchically structured items in streaming data for analyzing Netflow data to identify those network destinations that are currently the target of a DDoS attack and to automatically select a set of network prefixes such that diversion routes for the prefixes are sent to the routers to divert attack traffic to TMS devices. The method includes searching sets of Hierarchical Heavy Hitters wherein each set corresponds to a different fraction of a total volume of network traffic and scoring each set according to an arbitrary scoring function. A certain set is selected and scored with a ‘good’ score and a member of the ‘good’ scored set is ranked in accordance with an arbitrary ranking function. A subset of the ‘good’ scored set is selected such that the volume associated with the subset is in close proximity to a user-specified total whereby the selected subset becomes a set of recommended prefixes.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: September 14, 2021
    Assignee: Arbor Networks, Inc.
    Inventors: Andrew Lee Adams, Cameron Hanover, Dagan Harrington, Jiasi Li, Joachim Wright
  • Patent number: 11120112
    Abstract: A three-factor authentication system for restricting and securing user-access to a system. The authentication system includes a vein-image-capturing device for capturing and processing wrist-vein images. The unique biometric data is one factor of a three-factor authentication system, along with unique device identification data and a user PIN, all three used to validate and provide secure access to a user. This system can be used to restrict and provide secure access to information systems, physical spaces, personal computer devices, and any other device or system requiring controlled user access.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: September 14, 2021
    Assignee: The United States of America as represented by the Secretary of the Navy
    Inventor: Liping Chen
  • Patent number: 11120140
    Abstract: Secure operations are performed on encrypted code. A processor in a first operating mode obtains encrypted code. The processor switches from the first operating mode to a second operating mode, and decrypts the encrypted code to obtain decrypted code. The decrypted code is executed, based on the processor being in the second operating mode, to provide a result. The result is encrypted, and the encrypted result is sent to a user, based on the processor switching back to the first operating mode.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: September 14, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Oliver Benke, Tobias U. Bergmann