Abstract: Embodiments of the present disclosure provide methods, systems, apparatuses, and computer program products that provide for an improved, more efficient, and more stable system of networked computing devices. The embodiments disclose an apparatus and system that enable client devices to selectively grant to third party applications permissions to access group-based communication objects of a group-based communication system. The apparatus and system further enable client devices to selectively grant to third party applications permissions to take specific actions with regards to the group-based communication objects within the system. To accomplish the improvements, the disclosed systems, apparatuses, and computing devices maintain a record of the permissions granted to third party applications in a permissions table stored in a computer storage device.

Abstract: An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.

Abstract: An information processing method is provided. The method includes acquiring a JavaScript (JS) template for filtering multimedia information from a backend server when determining a preset update condition is satisfied; and acquiring a filtering parameter corresponding to a target webpage from the backend server when detecting that a user requests to access the target webpage. The method also includes inserting the filtering parameter into the JS template; executing the JS template inserted with the filtering parameter, screening out multimedia information from webpage information displayed on the target webpage and shielding displaying of the multimedia information.

Abstract: A computer-implemented method includes: determining assets held by a remitter, the assets to be spent in a remittance transaction between the remitter and one or more payees, in which each asset corresponds to a respective asset identifier, a respective asset amount, and a respective asset commitment value; determining a remitter pseudo public key and a remitter pseudo private key; determining a cover party pseudo public key, in which the cover party pseudo public key is obtained based on asset commitment values of assets held by the cover party; and generating a linkable ring signature for the remittance transaction.

Abstract: Examples relate to identifying signatures for data sets. In one example, a computing device may: for each of a plurality of first data sets, obtain a data set signature; generate a first data structure for storing each data set signature that is distinct from each other data set signature; for each of a plurality of second data sets, obtain at least one data subset; generate a second data structure for storing each data subset; remove, from the first data structure, each data set signature that matches a data subset included in the second data structure; and for each data set signature removed from the first data structure, identify each first data set from which the data set signature was obtained; and for each identified first data set, obtain a new data set signature.

Abstract: A module such as an M2M device or a mobile phone can include a removable data storage unit. The removable data storage unit can include a nonvolatile memory, a noise amplifying memory, and a cryptographic unit. The nonvolatile memory can include (i) shared memory for access by both the module and the cryptographic unit, and (ii) protected memory accessible only by the cryptographic unit. The cryptographic unit can use a noise memory interface and noise amplifying operations in order to increase and distribute bit errors recorded in the noise amplifying memory. The cryptographic unit can (i) generate a random number using the noise amplifying memory and (ii) input the random number into a set of cryptographic algorithms in order to internally derive a PKI key pair. The private key can be recorded in protected memory and the public key signed by a certificate authority.

Abstract: Technology is described for a device registration service for a local computing environment. The device registration service may provide one or more computing hubs within the local computing environment with robust means to authenticate or verify the authority of a computing device (e.g., a computer, a server, a mobile device, smart phone, a tablet), and/or other devices requesting to access to the local computing environment. The device registration service provided by the one or more computing hubs may be used in addition to, in place of, or as a backup to a device management and provisioning services provided remotely from the local computing environment using a service provider environment.

Abstract: Certain aspects of the present disclosure provide techniques for determining an identity of a user requesting access to a resource. An example technique for determining the identity of the user includes, upon receiving a request for a resource, determining the identity assurance strength of the user. The determination of the identity assurance strength of the user is based on personal identifying information, risk signals, user history, and the like. If the user does not have the requisite identity assurance strength to access a resource, based on policy criteria, an identity proofing operation may be determined for the user to complete in order to access the resource, where the operation is determined based on policy criteria, risk signals, and the like. Upon completion of the identity assurance operation, if the user has adequate identity assurance strength, then the user may access the resource.

Abstract: A method of starting an electronic device includes: receiving a first wireless signal carrying a first identification data by a wireless receiver before the electronic device enters a normal operating state; comparing the first identification data with a valid data; obtaining an account name and a password according to the first identification data if the first identification data matches the valid data and logging in to an operating system with the account name and the password so as to allow the electronic device to enter the normal operating state; and not logging in to the operating system if the first identification data does not match the valid data.

Abstract: A technique for securely rendering content downloaded over a network includes parsing a downloaded web page into a DOM (Document Object Model) tree and splitting the DOM tree into multiple DOM instances, where each DOM instance is dedicated to a respective type of web content. The technique processes each DOM instance using a respective render engine, which implements the security policy on the respective type of web content by blocking or altering content, and/or by limiting functionality that may be used in connection with the content.

Abstract: A method of installing an application on a device configured with a plurality of personas is disclosed. The method includes receiving an indication to engage a first persona of the plurality of personas. The method further includes causing an indication of the first persona to be displayed. The method further includes receiving via an interface associated with the first persona, an indication to install a first application. The method further includes causing the first application to be installed. The method further includes causing the installed first application to be associated with the first persona.

Abstract: Methods, apparatus, systems and articles of manufacture for producing generic Internet Protocol (IP) reputation through cross-protocol analysis are disclosed. An example apparatus includes a data collector to gather a first data set representing IP telemetry data for a first protocol, the data collector to gather a second data set representing IP telemetry data for a second protocol different from the first protocol. A label generator is to generate a training data set based on records in the first data set and the second data set having matching IP addresses, the training data set to include combined label indicating whether each of the respective matching IP addresses is malicious. A model trainer is to train a machine learning model using the training data set. A model executor is to, responsive to a request from a client device, execute the machine learning model to determine whether a requested IP address is malicious.

Abstract: Systems and methods are provided for collaborative decision-making in medicine. The systems can employ a distributed record-keeping and verification system to solicit suggested modifications to an initial healthcare regime from interested healthcare workers. The systems can aggregate the suggested modifications and use a consensus algorithm to determine the most appropriate modification.

Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device is configured to implement a first ledger node of a first cloud having a first set of cloud resources. The first ledger node of the first cloud is configured to communicate over one or more networks with a plurality of additional ledger nodes associated with respective additional clouds having respective additional sets of cloud resources, to monitor auditable information relating to cloud resources of the first cloud and cloud services provided by the first cloud, to associate the auditable information with one or more cloud service transactions, and to generate a cryptographic block characterizing the one or more cloud service transactions and the associated auditable information. The cryptographic block is entered into a blockchain distributed ledger collectively maintained by the first and additional ledger nodes.

Abstract: A malicious URL detection method, apparatus, and storage medium are provided. The method includes rolling back a virtual machine to an initiating state in response to detecting a trigger event of the virtual machine. In the initiating state, page content of a target URL is loaded using the virtual machine. Using the virtual machine, an application program linked to the page content is run. A system snapshot file of the virtual machine is obtained in at least one state of the initiating state, a state in which the loading of the page content is completed, or a state in which the application program is being run. Malicious URL detection is performed on the target URL based on the obtained system snapshot file.

Abstract: Disclosed herein are methods, systems, and processes for tracking honeytokens. A malicious attack from an attacker is received at a honeypot and a determination is made that an attack event associated with the malicious attack has compromised deceptive credential information maintained by the honeypot. A unique credential pair that corresponds to the deceptive credential information sought by the attack event is generated and a honeytoken tracker state table is modified to include the unique credential pair and attack event metadata in association with the attack event. The unique credential pair is then transmitted to the attacker.

Abstract: In an example, a method includes pairing a first electronic device and a data relay apparatus associated with a second electronic device to establish a secure wireless communication link therebetween. Each of the first electronic device and the data relay apparatus may be associated with an identifier and a verifier, each verifier being to verify the identifier of the other of the first electronic device or data relay apparatus. The pairing may include mutual verification of an identifier using the verifier, establishing shared key data and using the shared key data to establish a shared secret value for use in determining a derived key.

Abstract: Disclosed herein are methods, systems, and processes for tracking honeytokens. A malicious attack from an attacker is received at a honeypot and a determination is made that an attack event associated with the malicious attack has compromised deceptive credential information maintained by the honeypot. A unique credential pair that corresponds to the deceptive credential information sought by the attack event is generated and a honeytoken tracker state table is modified to include the unique credential pair and attack event metadata in association with the attack event. The unique credential pair is then transmitted to the attacker and the honeytoken tracker state table is synchronized with a honeypot management system. Another malicious attack is detected, the honeytoken tracker state table is accessed, and the malicious attacker is correlated to the attacker.

Abstract: Systems and methods for identity and access management are provided in a service mesh that includes a plurality of interconnected microservices. Each microservice is associated with a microgateway sidecar. The associated microgateway sidecar may intercept a request for the associated microservice sent over a communication network from a user device. Such request may include data regarding a context of the request. A token associated with the request may be enriched based on the context data and sent to at least one other microservice. A database of security policies for each of the microservices may be maintained. An authentication engine may generate a risk profile for the request based on the context data of the request and one or more of the security policies in the database. One or more of a plurality of available security workflows may be selected based on the risk profile.

Abstract: A request to issue a digital certificate may be received. A hash value corresponding to an application that has provided the request for the digital certificate may be identified. A determination may be made as to whether the hash value corresponding to the application matches with a known hash value. In response to determining that the hash value corresponding to the application matches with the known hash value the digital certificate may be issued to the application.