Patents Examined by Fatoumata Traore
  • Patent number: 11055430
    Abstract: A shared database platform implements dynamic masking on data shared between users where specific data is masked, transformed, or otherwise modified based on preconfigured functions that are associated with user roles. The shared database platform can implement the masking at runtime dynamically in response to users requesting access to a database object that is associated with one or more masking policies.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: July 6, 2021
    Assignee: Snowflake Inc.
    Inventors: Artin Avanes, Khalid Zaman Bijon, Damien Carru, Thierry Cruanes, Vikas Jain, Zheng Mi, Subramanian Muralidhar
  • Patent number: 11055420
    Abstract: An access control method for controlling access to data requested from an electronic information system. The method comprises receiving a request for the data, determining a user identity associated with the request; gathering the requested data from one or more data sources by an orchestrator for input to a cognitive engine; analyzing the requested data; based on results of analyzing the requested data, deciding on whether the user identity can be allowed to access the requested data; providing feedback by the user identity; and updating a learning module based on the feedback.
    Type: Grant
    Filed: February 5, 2018
    Date of Patent: July 6, 2021
    Assignee: International Business Machines Corporation
    Inventors: Rossella De Gaetano, Paolo Ottaviano, Gianluca Perreca, Antonio Bagarolo
  • Patent number: 11057198
    Abstract: In one or more embodiments, an encryption key of a device may be split into multiple segments. One of the segments may be retained by an owner of the device, and some of the segments may be distributed to multiple entities. For example, one of the segments may be provided to a service provider, and one of the segments may be provided to an escrow agent. The escrow agent may process its segment, provide information based on its segment to a public ledger, and destroy its segment. A proxy agent may retrieve, from the public ledger, the information based on the segment provided to the escrow agent and obtain compensation. When the proxy agent obtains the compensation, the public ledger exhibits information utilizable to obtain the segment provided to the escrow agent. With the segments provided to the escrow agent and the service provider, the encryption key may be obtained.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: July 6, 2021
    Assignee: Assured Enterprises, Inc.
    Inventor: Peter Robert Linder
  • Patent number: 11055417
    Abstract: Provided are systems, methods, and computer-readable medium for identifying security risks in applications executing in a cloud environment. In various implementations, a security monitoring and management system can obtain application data from a service provider system. The application data can include a record of actions performed by an application during use of the application by users associated with a tenant. The application executes in a service platform provided for the tenant by the service provider system. In various implementations, the application data is analyzed to identify an event associated with a security risk, where the event is identified from one or more actions performed by the application. The system can determine an action to perform in response to identifying the event. In various examples, an agent executing on the service platform can add instrumentation codes used by the application, where the instrumentation provides the application data.
    Type: Grant
    Filed: September 20, 2018
    Date of Patent: July 6, 2021
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Gaurav Bhatia, Ganesh Kirti, Ramana Rao Satyasai Turlapati
  • Patent number: 11042658
    Abstract: A document management system includes a management apparatus and plural processing apparatuses. Each of the plural processing apparatuses includes an acquisition unit and a transmitter. The acquisition unit acquires a document and information on a destination to which the document is transmitted. The transmitter transmits metadata of the document to the management apparatus and transmits a protected document generated from the document to the destination. The metadata includes the information on the destination. The management apparatus includes a memory and a response unit. The memory stores metadata of documents received from the plural processing apparatuses. The response unit responds to a request for metadata corresponding to a document by returning metadata of the document which is stored in the memory.
    Type: Grant
    Filed: October 4, 2017
    Date of Patent: June 22, 2021
    Assignee: FUJIFILM BUSINESS INNOVATION CORP.
    Inventors: Shigeki Kamiya, Tetsuo Iyoda
  • Patent number: 11017103
    Abstract: A group of processors in a processor pool comprise a secure “enclave” in which user code is executable and user data is readable solely within the enclave. This is facilitated through the key management scheme described that includes two sets of key-pairs, namely: a processor group key-pair, and a separate user key-pair (typically one per-user, although a user may have multiple such key-pairs). The processor group key-pair is associated with all (or some defined subset of) the processors in the group. This key-pair is used to securely communicate a user private key among the processors. The user private key, however, is not transmitted to non-members of the group. Further, preferably the user private key is refreshed periodically or upon any membership change (in the group) to ensure that non-members or ex-members cannot decipher the encrypted user key.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: May 25, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: HariGovind V. Ramasamy, John A. Bivens, Ruchi Mahindru, Valentina Salapura, Min Li, Yaoping Ruan, Eugen Schenfeld
  • Patent number: 11017087
    Abstract: System, method and medium for securely transferring untrusted files from a portable storage medium to a computer. The invention can filter, scan and detonate untrusted files to be transferred to a computer from a portable storage medium. First, the types of files which are eligible to be selected for transfer are limited, by file type and/or content. Second, each file selected for transfer is scanned against a collection of signatures of known malware. Thus, files containing malware which has been previously identified as such can be blocked from ever being transferred to the computer. Finally, each file to be transferred is detonated by opening it in a controlled, sterile environment to determine if it adversely impacts the operation of that sterile environment. Malware detected in this way can then be added to the collection of malware that can be detected by the second step.
    Type: Grant
    Filed: May 25, 2018
    Date of Patent: May 25, 2021
    Assignee: HRB Innovations, Inc.
    Inventor: Mani Jaman
  • Patent number: 11012424
    Abstract: An authentication system and method are provided. According to the embodiments of the present disclosure, it is possible to provide a secure authentication service capable of maintaining personal privacy by enabling authentication while preventing personal information used for personal authentication, such as biometric information, from being exposed in the authentication process.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: May 18, 2021
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Kyu-Young Choi, Ji-Hoon Cho, Hyo-Jin Yoon, Duk-Jae Moon
  • Patent number: 11003788
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for row-level security. One of the methods includes receiving a request for one or more objects. The method includes determining that a type of the one or more requested objects is associated with an object representative of instance level security. The method includes determining access is authorized to at least some of the one or more objects. Determining access includes obtaining a first access statement associated with the type of the one or more objects, obtaining a second access statement associated with the object representative of instance level security, combining at least the first access statement and the second access statement into a third access statement, and obtaining one or more objects using the third access statement. The method also includes providing the authorized subset of objects to the user.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: May 11, 2021
    Assignee: Vinyl Development LLC
    Inventor: Thomas R. Kennedy, Jr.
  • Patent number: 10984131
    Abstract: A method for providing personal information of a user requested by a given online service. The method includes, by a security server of a mobile terminal operator of the user: (a) receiving a request for the personal information, comprising a unique identifier of the user and an identifier of the online service; (b) sending, to the mobile terminal, a response authorisation request; (c) if a response authorisation confirmation is received, sending data, which is associated in a database with the unique identifier and the identifier of the online service. Each pair of a unique identifier and an online service identifier is also associated in the database with a parameter representative of a level of security required in order to confirm the response authorisation on the mobile terminal. The step (b) includes: determining the value of the parameter; and integrating the determined value in the response authorisation request.
    Type: Grant
    Filed: May 24, 2017
    Date of Patent: April 20, 2021
    Assignee: ORANGE
    Inventors: Pierre-Francois Dubois, Javier Polo Moragon, Serge Llorente
  • Patent number: 10979906
    Abstract: Various embodiments include systems and methods of determining whether media access control (MAC) address spoofing is present in a network by a wireless communication device. A processor of the wireless communication device may determine an anticipated coherence interval based on a beacon frame received from an access point. The processor may schedule an active scan request and may determine whether a response frame corresponding to the scheduled active request is received within the anticipated coherence interval. The processor may calculate a first correlation coefficient in response to the response frame being received within the anticipated coherence interval and may determine that MAC address spoofing is not present in the network when the first correlation coefficient is greater than a first predetermined threshold.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: April 13, 2021
    Assignee: QUALCOMM Incorporated
    Inventors: Sriram Nandha Premnath, Seyed Ali Ahmadzadeh, Saumitra Mohan Das
  • Patent number: 10965651
    Abstract: Described herein are systems, methods, and software to enhance secure communications between computing systems. In one implementation, a private domain name system (DNS) receives a DNS lookup request from a computing system of a plurality of computing systems associated with a private communication group, and forwards the DNS lookup request to a public DNS. The private DNS further receives a public address associated with the DNS lookup request from the public DNS, translates the public address to a private address, and transfers the private address to the requesting computing system.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: March 30, 2021
    Assignee: COLORTOKENS, INC.
    Inventors: Anoop Kapoor, Ryan Farjadi, Pankaj Parekh, Ashish Trivedi, Satyam Tyagi, Harish Magganmane, Deepak Mohanty, Ravi Voleti
  • Patent number: 10958418
    Abstract: A blockchain is configured with a public mainchain connected to a plurality of private sidechains. Access is controlled to the private sidechains through an access controller allowing transactions in the sidechain to be trusted implicitly. Data parity may be maintained between the mainchain and sidechains through the use of a parity controller configured by a user.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: March 23, 2021
    Assignee: Chromata Corporation
    Inventor: Atul Ajoy
  • Patent number: 10958664
    Abstract: An encryption security protocol-based communication method of supporting integrity verification between a client and a server includes receiving, by the server, a first message from the client, the first message including a request for a first integrity verification of the client so as to start a handshake of a transport layer security (TLS) connection, transmitting, by the server, a second message to the client, the second message including a request for first verification information for the first integrity verification, receiving, by the server, the first verification information from the client, and performing the first integrity verification by using the first verification information, and finishing the handshake and performing data communication between the client and the server based on a result of the first integrity verification.
    Type: Grant
    Filed: September 19, 2018
    Date of Patent: March 23, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sang-hoon Jeon, Won-jae Lee, Hyung-sup Kim
  • Patent number: 10944728
    Abstract: A surgical hub is configured to transmit generator data associated with a surgical procedure from a generator of the surgical hub to a cloud-based system. The surgical hub comprises a processor and a memory storing instructions executable by the processor to: receive generator data; encrypt the generator data; generate a message authentication code based on the generator data; generate a datagram comprising: the encrypted generator data, the generated message authentication code, a source identifier and a destination identifier; and transmit the datagram to the cloud-based system. The datagram allows for the cloud-based system to: decrypt the encrypted generator data; verify the integrity of the generator data based on the message authentication code; authenticate the surgical hub as the source of the datagram; and validate a transmission path followed by the datagram between the surgical hub and the cloud-based system.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: March 9, 2021
    Assignee: Ethicon LLC
    Inventors: Eitan T. Wiener, Frederick E. Shelton, IV, David C. Yates
  • Patent number: 10938851
    Abstract: A method and system for detecting and mitigating recursive domain name system (DNS) cyber-attacks are disclosed. The method includes receiving DNS queries directed to a DNS resolver, wherein the DNS resolver is communicatively connected between at least one client and at least one name server; parsing each received DNS query to extract a hostname identified therein; updating at least one array of Bloom filters using the extracted hostname; computing a ratio of unrecognized hostnames per sample (UPS) based on the contents of the at least one array; and determining if the UPS ratio is abnormal, wherein an abnormal UPS ratio is an indication of an attack.
    Type: Grant
    Filed: March 29, 2018
    Date of Patent: March 2, 2021
    Assignee: Radware, Ltd.
    Inventors: Lev Medvedovsky, David Aviv
  • Patent number: 10931692
    Abstract: In one embodiment, a device in a network receives information regarding a network anomaly detected by an anomaly detector deployed in the network. The device identifies the detected network anomaly as a false positive based on the information regarding the network anomaly. The device generates an output filter for the anomaly detector, in response to identifying the detected network anomaly as a false positive. The output filter is configured to filter an output of the anomaly detector associated with the false positive. The device causes the generated output filter to be installed at the anomaly detector.
    Type: Grant
    Filed: January 20, 2016
    Date of Patent: February 23, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Javier Cruz Mota, Jean-Philippe Vasseur, Grégory Mermoud, Andrea Di Pietro
  • Patent number: 10931661
    Abstract: SSL/TLS certificate filtering devices, systems and processes may filter packets based on risk associated with each packet. A risk score may be determined for each packet based on associated threats and risks. Risk scores may be determined based on certificates, certificate authorities, and/or end users associated with each packet. The certificates may be scored and/or categorized by threats and risk.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: February 23, 2021
    Assignee: Centripetal Networks
    Inventors: Sean Moore, David K. Ahn
  • Patent number: 10915667
    Abstract: Systems and methods for protecting from external monitoring attacks cryptographic data processing operations involving universal polynomial hash functions computation.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: February 9, 2021
    Assignee: Cryptography Research, Inc.
    Inventors: Guilherme Ozari de Almeida, Elena Trichina, Elke De Mulder
  • Patent number: 10917251
    Abstract: An apparatus is provided which comprises: an entropy source to produce a first random sequence of bits, wherein the entropy source comprises an array of bi-stable cross-coupled inverter cells; a first circuitry coupled to the entropy source, wherein the first circuitry is to generate an entropy source selection set; and a second circuitry coupled to the entropy source and the first circuitry, wherein the second circuitry is to receive the first random sequence and the entropy source selection set, and wherein the second circuitry is to generate a second random sequence.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: February 9, 2021
    Assignee: Intel Corporation
    Inventors: Sudhir Satpathy, Vikram Suresh, Sanu Mathew