Patents Examined by Badrinarayanan Champakesan
  • Patent number: 11924236
    Abstract: In a general aspect, risks associated with cryptography usage in network communication between computing nodes are identified. In some aspects, a network packet capture agent obtains cryptography usage data by examining network traffic communicated by computing nodes in the computing environment. A cryptography usage analysis agent identifies cryptography usage risks based on the cryptography usage data. A cryptographic risk identification agent identifies one or more applications associated with the cryptography usage risks.
    Type: Grant
    Filed: September 5, 2023
    Date of Patent: March 5, 2024
    Assignee: ISARA Corporation
    Inventors: Justin Mathews, Rob Williams, Atsushi Yamada
  • Patent number: 11693982
    Abstract: The disclosure is directed to systems and methods for enterprise-wide fine-grained role-based access control to a plurality of organizational assets. In various embodiments exemplary methods include receiving, via an authorization service client API, identification of an asset for fine-grained role-based access control; a definition of an asset type of the asset; a definition of an asset value; receiving, a definition of an organizational role with fine-grained role-based access control to at least one of the asset, the asset type, and the asset value. Furthermore, receiving permissions for fine-grained role-based access by the organizational role to at least one of the asset, the asset type, and the asset value. Furthermore, the exemplary method may comprise providing an authorization service user interface (UI) for enabling fine-grained role-based access control to the asset based on the fine-grained role-based access control database schema.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: July 4, 2023
    Assignee: ASG Technologies Group, Inc.
    Inventors: Yan Bregman, Kizito Ofornagoro
  • Patent number: 11411991
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: August 9, 2022
    Assignee: McAfee, LLC
    Inventors: Oliver G. Devane, Abhishek Karnik
  • Patent number: 11159542
    Abstract: A method for detecting machine logon attacks within a cloud service. The method can include accessing a collection of network traffic protocol monitoring data. The network traffic protocol monitoring data can be network traffic protocol monitoring data across a cloud service. The method can also include analyzing the collection of network traffic protocol monitoring data to identify anomalous behavior by attacker entities associated with IP addresses indicating a brute force attack by the attacker entities associated with the IP addresses. Then, based on the anomalous behavior, the method can comprise identifying the IP addresses associated with the attacker entities, and at least one of attack patterns or campaign attack characteristics. Finally, the method can include compiling IP addresses associated with the attacker entities and the at least one of attack patterns or campaign attack characteristics into a reference data structure.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: October 26, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tomer Weinberger, Tomer Koren, Hani Hana Neuvirth, Omer Karin
  • Patent number: 11075909
    Abstract: The authentication method of a block chain authentication module includes: receiving an authentication preparation request; configuring a channel and generating a channel key allocated to the channel; generating a block including an authentication comparison data, the block further including a block key allocated to the block; commonly transmitting the channel key and the block key, and dividing and transmitting the authentication comparison data; transmitting an authentication preparation completion message including the channel key and the block key; receiving an authentication request message including the channel key, the block key, and authentication target data; dividing and transmitting the authentication target data; receiving a result of comparing the divided and transmitted authentication comparison data with the divided and transmitted authentication target; and determining whether the authentication of the terminal succeeds.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: July 27, 2021
    Assignee: FNS Value Co., Ltd.
    Inventor: Seung Ju Jeon
  • Patent number: 11070584
    Abstract: A procedure for neutralizing an attack on a control system of an industrial asset includes detecting an anomaly in a first sensor node associated with a first unit operating in a first operational mode, and receiving time series data associated with the first sensor node. A subset of the time series data is provided to each of a plurality of virtual sensor models. A first virtual sensor model is selected from among a plurality of virtual sensor models based upon the subset of the time series data received by each of the plurality of virtual sensor models. A first confidence level of the first virtual sensor is determined. Responsive to determining that the first confidence level is below a first confidence level threshold, the first unit is transferred to a second operational mode using sensor readings associated with a second sensor node of a second unit of the industrial asset.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: July 20, 2021
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Honggang Wang, Masoud Abbaszadeh, Mustafa Tekin Dokucu
  • Patent number: 11061999
    Abstract: Embodiments described include systems and methods for incorporating tags in content of network applications. An embedded browser, which is executable on one or more processors of a client device, may detect content from a network application accessed via the embedded browser. A DRM engine of the embedded browser identifies a DRM scheme for the network application from the plurality of DRM schemes and according to the network application. The DRM engine generates a DRM tag for the content according to the DRM scheme identified for the network application. The DRM tag includes a classification of the content. The DRM engine incorporates the DRM tag into the content for managing usage of the content according to the classification.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: July 13, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Vipin Borkar, Santosh Sampath, Deepak Sharma, Arvind SankaraSubramanian
  • Patent number: 10997297
    Abstract: This disclosure relates to a storage device comprising non-volatile storage and a controller. The non-volatile storage may comprise a firmware image, a known data pattern (KDP) in plaintext, and an encrypted KDP. The controller may be coupled to the non-volatile storage, and may be configured to update the firmware image of the non-volatile storage. For this update, the controller may first receive a symmetric key from a host by way of a public key encryption process. Next, the controller may decrypt the encrypted KDP using the symmetric key. If the decrypted KDP matches the KDP in plaintext, the symmetric key may be validated and the firmware image update may be downloaded. The firmware image update may then replace the firmware image in non-volatile storage.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: May 4, 2021
    Assignee: Western Digital Technologies, Inc.
    Inventor: Tino Lin
  • Patent number: 10990685
    Abstract: A method to use static software analysis tools to determine breachable common weakness enumerations within software source code by avoidance of non-breachable situations which allows for the classification of breachable common weakness enumeration situations into 5 categories, each with a unique means of detection.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: April 27, 2021
    Assignee: Spectare Systems, Inc.
    Inventor: Christopher D. Near
  • Patent number: 10957440
    Abstract: The invention pertains to a reusable disposable (1) for usage within a medical treatment process by a corresponding medical apparatus (A) and a corresponding medical apparatus. The reusable disposable (1) for usage within a medical process by a medical apparatus (A), the reusable disposable (1) comprises first memory means (MEM1) for storing predetermined data, whereby the first memory means are programmed during production of the reusable disposable (1), whereby the first memory means (MEM1) are secured against any or any unauthorized alteration after production, second memory means (MEM2) for storing patient identity data, whereby the second memory means is a write-once memory, whereby re-usage of the reusable disposable is only allowed with respect to same patient identity data.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: March 23, 2021
    Assignee: Fresenius Medical Care Deutschland GmbH
    Inventor: Fabio Lissoni
  • Patent number: 10541817
    Abstract: A data generation apparatus includes a processor that executes a process including obtaining target data sequentially from time-series data, the target data including n (n being an integer greater than or equal to 2) data items in a predetermined section of the time-series data, calculating parameter information satisfying a (k−1) order polynomial based on the target data, the (k−1) order polynomial including k random values, k being an integer greater than or equal to 1 and less than n, associating the target data to the parameter information, outputting the target data and the parameter information associated to the target data, attaching a signature to secret information based on a secret distributed protocol. The secret information is calculable by using k pairs of data including the target data and the parameter information associated to the target data, and outputting the secret information attached with the signature.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: January 21, 2020
    Assignee: Ricoh Company, Ltd.
    Inventors: Hitoshi Namiki, Hiroshi Kobayashi, Ryouji Yamamoto, Eiichiro Yoshida, Masuyoshi Yachida, Yuki Takaya
  • Patent number: 10248793
    Abstract: A computer system, such as a data storage system, implements techniques for deleting durably stored data without affecting the availability or durability of other data associated therewith. In some embodiments, data is encrypted prior to redundancy coding such that deletion of an encryption key used to encrypt the data renders that data inaccessible, but other data bundled in the same redundancy coded bundle remains available. In such embodiments, a shard containing deleted data may still be usable to regenerate other, non-deleted or live data still extant in the same bundle of shards.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: April 2, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: James Caleb Kirschner
  • Patent number: 10223549
    Abstract: Techniques are disclosed herein for facilitating secure user access to resources without user-provided credentials. More specifically, the techniques described herein eliminate the need for end users to remember and provide privileged resource authentication information (e.g., credentials) at the time of resource access. The system accepts and securely stores registration information for accessing privileged resources during a registration process. As discussed herein, the registration information can include identification and authentication information for each privileged resource. The authentication process can also include registration of one or more secondary authentication devices that are used to verify the identity of the end user in lieu of the end user providing credentials.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: March 5, 2019
    Assignee: Onion ID Inc.
    Inventor: Anirban Banerjee
  • Patent number: 10135633
    Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and appliance identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: November 20, 2018
    Assignee: Cujo LLC
    Inventors: Einaras von Gravrock, Yuri Frayman, Robert Beatty
  • Patent number: 10103900
    Abstract: A method and system for detecting malicious behavior from smart appliances within a network. Smart appliances have a certain level of intelligence that allows them to perform a specific role more effectively and conveniently. Network traffic data and appliance identification data is collected about smart appliances within a network. The data is sent to a behavior analysis engine, which computes confidence levels for anomalies within the network traffic that may be caused by malicious behavior. If the behavior analysis engine determines that malicious behavior is present in the network, it sends an instruction to a network traffic hub to block network traffic relating to the anomaly. In some embodiments, network traffic is blocked based on source-destination pairs. In some embodiments, network traffic is blocked from a device outside the network that is determined to be malicious.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: October 16, 2018
    Assignee: Cujo LLC
    Inventors: Einaras von Gravrock, Yuri Frayman, Robert Beatty