Patents Examined by Catherine Thiaw
  • Patent number: 11637866
    Abstract: A system and method for the secure and private demonstration of cloud-based cyber-security tools. Using advanced sandboxing design patterns, isolated instances of virtual networks allow a potential client to compare their existing cyber defense tools against a set of cloud-based tools. Capitalizing on non-persistent and secure sandboxes allows the invention to demonstrate fully functional and devastating cyber-attacks while guaranteeing strict privacy and security to both existing customers and potential ones. Additionally, instantiating separate sandboxed observed systems in a single multi-tenant infrastructure provides each customer with the ability to rapidly create actual representations of their enterprise environment, offering the most realistic and accurate demonstration and comparison between products.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: April 25, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers, Richard Kelley
  • Patent number: 11627079
    Abstract: An electronic device includes an address generator module that generates a source address for each traffic class to be sent using a network interface. The source address includes a Unique Local Address (ULA) prefix and an interface identifier having a traffic class identifier as one or more most significant bits and a randomly generated remainder. The address generator module generates a destination address having the ULA prefix and the traffic class identifier. When a processor of the electronic device is selecting a source address for the traffic class according to rules of a network layer protocol (e.g., IPv6), including a rule that a longest matching address of possible source addresses to the given destination is selected as the source address, the generated source address is selected due to the one or more most significant bits of the interface identifier matching with the traffic class identifier of the destination address.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: April 11, 2023
    Assignee: Apple Inc.
    Inventors: Prabhakar Lakhera, David Schinazi
  • Patent number: 11625492
    Abstract: A computer device, having at least two long-range wireless profiles and coupled with a communication bus of a vehicle, receives a notice that a vehicle-centric download for the computer device, or for a vehicle device coupled to the communication bus, is pending from a remote server. The vehicle computer device determines the size and security requirement associated with the pending download, and a current operational state of the vehicle. If the size or security requirement is low, a consumer-centric profile may be used for the download even if the vehicle is currently being used. If the download file size is large or requires very high security, or if a user is currently using the computer device according to the consumer-centric profile, the computer device may schedule the download to occur after receiving a trigger event occurrence message.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: April 11, 2023
    Assignee: M2MD TECHNOLOGIES INC.
    Inventor: Charles M. Link, II
  • Patent number: 11621966
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for fraud detection. One of the methods includes partitioning a feature space into a plurality of sub feature spaces, wherein the feature space comprises features associated with user account events for an online service; generating one or more clusters of users for each of one or more sub feature spaces; comparing a feature profile of one or more of the clusters with a global feature profile to determine features of one or more of the clusters that have concentrated key values that exceed a respective threshold value; for each of the one or more clusters, scoring the cluster including aggregating the degree to which the key values for features exceed the corresponding threshold values; and based on the scores of the one or more clusters, determining one or more fraud detection actions.
    Type: Grant
    Filed: February 18, 2020
    Date of Patent: April 4, 2023
    Assignee: DataVisor, Inc.
    Inventors: Fang Yu, Olivia Wang
  • Patent number: 11616775
    Abstract: Embodiments of the present application provide a network access authentication method, apparatus, and system. The network access authentication method mainly comprises: obtaining a user name by a network access management client through encryption using a device ID of a terminal device, and obtaining a dynamic password through encryption using the device ID and a time value within a time step, so that the terminal device performs network access authentication using the user name and the dynamic password. The device ID is uniquely assigned by an authentication server to the terminal device, and thus functions to identify the identity of the terminal device, so that network access authentication can be independent of digital certificates, thereby solving the problem that the terminal device cannot accomplish network access authentication for unsupported use of or unavailability of a digital certificate, while meeting network access security requirements.
    Type: Grant
    Filed: July 9, 2018
    Date of Patent: March 28, 2023
    Assignee: Alibaba Group Holding Limited
    Inventor: Hongzhan Yin
  • Patent number: 11616758
    Abstract: A network address translation device or similarly situated network device can cooperate with endpoints on a subnet of an enterprise network to secure endpoints within the subnet. For example, the network address translation device may be configured, either alone or in cooperation with other network devices, to block traffic from a compromised endpoint to destinations outside the subnet, and to direct other endpoints within the subnet to stop network communications with the compromised endpoint.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: March 28, 2023
    Assignee: Sophos Limited
    Inventors: Moritz Daniel Grimm, Daniel Stutz, Andrew J. Thomas, Kenneth D. Ray
  • Patent number: 11610022
    Abstract: A user device comprises an app that stores and maintains exclusive control of user data, and causes one or more processors to send a request for services according to a trial period to a distributed ledger associated with service providers and anonymously interact with the service providers according to a set of rules maintained in the distributed ledger by passing along a token uniquely associated with the user during the respective interaction with each service provider without the user data being shared with the service providers.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: March 21, 2023
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Mark Anthony Hennessy, Murtaza Bulut, Mark Thomas Johnson
  • Patent number: 11611587
    Abstract: Methods and systems are disclosed. At a respective computing system, a request to run a program on first data stored within the respective computing system may be received. In some examples, the first data may be stored in association with a data access policy that defines access restrictions for the first data. In response to receiving the request, whether the request to run the program on the first data satisfies the access restrictions defined by the data access policy may be determined. In response to determining whether the request to run the program satisfies the access restrictions, in accordance with a determination that the access restrictions are satisfied, the program may be run, including performing one or more operations on the first data in an environment within the respective computing system, where the contents of the environment cannot be accessed from outside of the environment.
    Type: Grant
    Filed: April 10, 2020
    Date of Patent: March 21, 2023
    Assignee: Honda Motor Co., Ltd.
    Inventor: Armin Moridi
  • Patent number: 11606279
    Abstract: An application may perform operations within a first secure enclave of a processing device. The application may provide secure monitoring data, such as secure heartbeat information. The monitoring data and an application identity may be verified at a second secure enclave of the processing device using local attestation operations. A remote attestation signature may be generated at the second secure enclave based on the monitoring data, the application identity, and a node private key. A monitoring message signature may be generated at the first secure enclave based on an application private key and a message payload that includes the monitoring data, the application identity, and the remote attestation signature. A monitoring message that includes the payload and monitoring message signature may be sent from the first secure enclave to a monitoring system, which may verify the message to detect unauthorized changes to the monitoring data or the application identity.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: March 14, 2023
    Assignee: Fortanix, Inc.
    Inventors: Nehal Bandi, Andrew Leiserson
  • Patent number: 11601412
    Abstract: Systems herein allow a digital assistant to make requests to applications, such as third-party applications, that access data in an enterprise mobility management (“EMM”) system. The digital assistant can link to a portal application and receive a token that identifies a user. A remote application on a user device can establish a session with the portal application as part of a single sign on (“SSO”). The session can identify the same user. The portal application can then link the digital assistant to the remote application. When the digital assistant makes a request to the portal application, a notification can be pushed to the remote application. The user can confirm the request, establishing an authorized session during which time the digital assistant can make additional requests to the portal application. The portal application can service the requests by accessing third-party applications available through the portal application and authorized for access by the SSO.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: March 7, 2023
    Assignee: VMware, Inc.
    Inventor: Saravanan Pitchaimani
  • Patent number: 11601262
    Abstract: A distributed key management system includes a first SCP subsystem coupled to second SCP subsystems via a network. The first SCP subsystem establishes secure communication channels with the second SCP subsystems, and a first key management subsystem in the first SCP subsystem retrieves enabling key(s) for communicating via the secure communication channels from a second key management subsystem in one of the second SCP subsystems, and stores the enabling key(s). The first key management subsystem then receives a first enabling key request from the first SCP subsystem and determines whether the first SCP subsystem is trusted. If the first SCP subsystem is trusted, the first key management subsystem provides the first SCP subsystem access to the at least one enabling key. If the first SCP subsystem is not trusted, the first key management subsystem prevents the first SCP subsystem from accessing the at least one enabling key stored.
    Type: Grant
    Filed: October 15, 2020
    Date of Patent: March 7, 2023
    Assignee: Dell Products L.P.
    Inventors: Jimmy D. Pike, Robert W. Hormuth, Gaurav Chawla, Mark Steven Sanders, Elie Jreij, William Price Dawkins
  • Patent number: 11593495
    Abstract: A structured document is verified for changes that are made during and after deployment of an application. The structured document includes first fields that are designated as mutable, and second fields that are designated as immutable. An attempted change is detected to the structured document during or after deployment of the application. Upon detecting the attempted change, a digital signature is generated of the second fields of the structured document. A determination is made whether the generated digital signature of the second fields matches a reference digital signature of the second fields. Upon determining that the generated digital signature matches the reference digital signature, the change to the structured document is permitted. Upon determining that the generated digital signature does not match the reference digital signature, the change is blocked to the structured document.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: February 28, 2023
    Assignee: VMware, Inc.
    Inventor: Edo Yacov Dekel
  • Patent number: 11595352
    Abstract: The devices and methods relate to web categorization of web requests. The devices and methods may perform a two-step classification of the web requests. The first classification may provide potential web categories for web request based on a fully qualified domain name (FQDN) of the web request. The first classification may be used to determine whether transport layer security (TLS) termination may be performed on the web request. The second classification may provide a web category for a uniform resource locator (URL) of the web request after performing the TLS termination. The web category may be used by a firewall in filtering web traffic for the web request.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: February 28, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Suren Jamiyanaa, Yair Tor, Sudharsan Balakrishnan Sripadham, Daniel Manesku, Andrey Terentyev, Murali Krishna Sangubhatla
  • Patent number: 11586777
    Abstract: A device includes at least one first and one second module configured to cooperate to solve a task and/or are configured to communicate with a higher-level apparatus, a certification module configured to issue a cryptographic signature for each of the at least one first and second module, and an identity generation module configured to form a first code as an identity of the first module from a signature of the first module, to form a second code as an identity of the second module from a signature of the second module, and to form an overall code from the first and the second codes. The certification module is further configured to sign the overall code with a key in order to issue a unique certificate for the device, which biuniquely identifies the device.
    Type: Grant
    Filed: October 2, 2020
    Date of Patent: February 21, 2023
    Assignee: Robert Bosch GmbH
    Inventors: Tobias Buhlinger, Alexander Breitenbach, Julien Rausch
  • Patent number: 11588791
    Abstract: Method and apparatus for trusted service management are disclosed. The method includes obtaining an identification identifier and address information of a computing unit; obtaining a mapping table for the identification identifier and the address information of the computing unit; initiating a trusted service request message to a server that provides trusted service management using the identification identifier of the computing unit; and receiving a corresponding trusted service response message, and transmitting the trusted service response message to the computing unit according to the mapping table. This thereby solves the problem that some terminals cannot carry all services logics for communications between a TSM Agent and a TSM Server.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: February 21, 2023
    Inventors: Yinan Song, Fei Shi
  • Patent number: 11586832
    Abstract: Unicode data can be protected in a distributed tokenization environment. Data to be tokenized can be accessed or received by a security server, which instantiates a number of tokenization pipelines for parallel tokenization of the data. Unicode token tables are accessed by the security server, and each tokenization pipeline uses the accessed token tables to tokenize a portion of the data. Each tokenization pipeline performs a set of encoding or tokenization operations in parallel and based at least in part on a value received from another tokenization pipeline. The outputs of the tokenization pipelines are combined, producing tokenized data, which can be provided to a remote computing system for storage or processing.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: February 21, 2023
    Assignee: PROTEGRITY CORPORATION
    Inventors: Ulf Mattsson, David Clyde Williamson, Yigal Rozenberg, Vichai Levy, Raul Ortega, Denis Scherbakov, Fredrik Mörtberg
  • Patent number: 11582024
    Abstract: A decentralized public key management system for named data networks based on blockchain, which solves the Compromised Certificate Authority (CA) Problem. The system divides the power of an individual CA among multiple Public Key Miners (PKMiners) that maintain the public key blockchains. The majority rule in name-principal validation allows the present invention to tolerate compromised PKMiners without causing any damage.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: February 14, 2023
    Inventors: Kan Yang, Lan Wang
  • Patent number: 11570214
    Abstract: A system and method for crowdsourced innovation and automated process implementation, wherein individuals and businesses use a distributed computational graph module with crowdsourcing technology to develop ideas and create process workflows for implementing those ideas. The developed process workflows are implemented through a system which automatically integrates heterogeneous Internet resources such as electronic commerce, recruiting, and management platforms into a single portal. Businesses and other collaboration initiatives are supported via crowdsourced labor that is automatically orchestrated by the distributed computational graph workflows and user interface that provide a comprehensive and convergent solution for process management.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: January 31, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11558362
    Abstract: A security system that provides for secure communication from a remote system operating on an unsecure network without the need for encrypting the packets related to the communication. The packets for the communications are sent over the network in clear text, which are readable by any systems on the network, however, only the systems that are authorized are able to determine what packets are the correct packets and what packets are the imitation packets. Moreover, a remote secure network may be utilized such that any system operating on an unsecure network may send packets through the remote secure network in a randomized routing in order to aid in hiding the systems sending and receiving the packets and the relays through which the packets are being sent.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: January 17, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Regina Yee Cadavid, Gloria Joo, Jinyoung Nathan Kim, Nia Mack
  • Patent number: 11546380
    Abstract: A system and method for creating and implementing data processing workflows using a distributed computational graph comprising modules that represent various stages within a data processing workflow. Each module represents one or more data processing steps, with some of the modules representing data processing performed by a cloud-based service and containing code for interfacing with the application programming interface (API) of that cloud-based service. A series of modules and their interconnections specify the workflow. Data is processed according to the workflow by implementing the data processing step represented by each module, some of which may access cloud-based data processing services. The result is that users can create complex data processing workflows that utilize cloud-based services to process data without having to know how to access the cloud-based data processing services, or even know that they exist.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: January 3, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Luka Jurukovski, Bhashit Parikh, Angadbir Salaria, Andrew Sellers