Abstract: A system and method control or manage access to multiple target servers in a network. The system includes an access control user interface, a memory, and a management server. The access control user interface is accessible to the multiple target servers. The memory stores a database providing information to the access control user interface. The management server includes a processor implementing discovery and event trigger engines. The discovery engine discovers user rights stored at the multiple target servers and delivers the user rights over the network to the database. The event trigger engine is invoked by detection of a security event from a first target server, updates the user rights at a local cache on the first target server, and delivers the updated user rights to the database. The event trigger engine is configured to modify the discovery engine based on the detection of the security event.

Abstract: Methods, systems, and media for protecting applications from malicious communications are provided. In some embodiments, the method comprises: receiving a rule that indicates that communications from a source application to a destination application are to be blocked, wherein the rule is generated by: calculating risk values associated with communications transmitted by the source application; calculating a risk score for the source application; identifying a group of applications that have communicated with the source application; calculating a risk profile score for the source application; and in response to determining that the risk profile score exceeds a threshold, generating the rule; intercepting a communication to the destination application; determining whether to transmit the communication to the destination application; and in response to determining that the communication is not to be transmitted to the destination application, blocking the communication.

Abstract: A risk assessment (RA) computing device for generating network security campaigns to discover network security gaps. The RA computing device includes at least one processor in communication with a memory and a network. The RA computing device is programmed to generate a tracer file and transmit the tracer file to the network for enabling a verified user to attempt to retrieve the tracer file from the network. The verified user retrieves the tracer file from the network and uploads the tracer file to the RA computing device. The RA computing device performs one or more validations against the tracer file to verify that the tracer file was generated by the verified user.

Abstract: Systems and methods for applying and detecting cross dependent marks incorporated into an electronic or digital image to form a watermark. The electronic or digital image may include encoded information for example a machine-readable symbol. The watermarking may include an encoding and insertion sub-process that inserts one or more marks into an image at a first point in time for form a marked image, an extraction sub-process that extracts the marks at a second point in time, and a detection sub-process 108 that determines if any modifications have been made to the marked image. The marked image may be formed by determining a first original descriptor and first original mark within the image, determining a second original descriptor and second original mark within the image, and incorporating the first original mark into the second original descriptor and incorporating the second original mark into the first original descriptor.

Abstract: A method, a computer system, and a computer program product may provide a cryptographic key object to a guest virtual server for use in cryptographic operations. The guest virtual server may register with a hypervisor. The hypervisor may generate a guest wrapping key associated with guest credentials from the registering. The hypervisor may also generate a satellite virtual server instance. The guest virtual server and the satellite virtual server instance share a master key that cannot be accessed by the hypervisor or by any guest virtual server. The trusted hypervisor may pass a copy of the guest wrapping key to the satellite virtual server instance. A random guest key may be generated and may be wrapped with a guest wrapping key thereby producing a wrapped guest key. The hypervisor may convert the wrapped guest key to be a protected key that serves as the cryptographic key object.

Abstract: Certain aspects involve facilitating the integration of sensitive data from a data provider into an instance of a web-based, third-party application. For example, a data provider service can receive an authentication API call from a third-party system. The authentication API call can include a user identifier and a request for an access token usable by a web-based interface of the third-party system. The data provider service can generate an access token for the third-party system from which the authentication API call is received. The data provider service can subsequently receive, from the user device, a feature API call including the access token and a feature request for sensitive data. The data provider service can generate output data specific to the user identified by the access token included in the feature API call. The data provider service can provide the output to the user device via the web-based interface.

Abstract: A method and apparatus of a device that stores an object on a plurality of storage servers is described. In an exemplary embodiment, the device receives an object to be stored and encrypts the object with a first key. The device further creates a plurality of bit vectors from the encrypted object. In addition, the device randomizes the plurality of bit vectors to generate a plurality of randomized bit vectors. Furthermore, the device sends the plurality of randomized bit vectors and the plurality of second keys to the plurality of storage servers, wherein each of the plurality of storage servers stores at least one each of the plurality of randomized bit vectors and the plurality of second keys.

Abstract: A self-targeting method of automated cybersecurity analysis on an operating system on a target computer. An analysis software executable defined by a core engine executable is provided to the target computer and run on the operating system shell. The analysis software executable identifies the specific operating system that is running on the target computer and then causes one or a plurality of bash scripts which correspond to the identified operating system and which have been parsed from security setting entries from a standardized guide for desired security settings. The bash scripts then automatically assess the compliance of various aspects of the target computer system with the security setting entries, generating an output that is compatible with existing viewers for entries of standardized guides.

Abstract: A communication system including a receiver to receive training data. An input interface to receive input data coupled to a hardware processor and a memory. The hardware processor is configured to initialize the privacy module using the training data. Generate a trained privacy module, by iteratively optimizing an objective function. Wherein for each iteration the objective function is computed by a combination of a distortion of the useful attributes in the transformed data and of a mutual information between the sensitive attributes and the transformed data. Such that the mutual information is estimated by the auxiliary module that maximizes a conditional likelihood of the sensitive attributes given the transformed data. Receive the input data via the input interface. Apply the trained privacy module on the input data to produce an application specific transformed data. A transmitter to transmit the application specific transformed data over a communication channel.

Abstract: A method for providing a token code in conjunction with a value token is disclosed. The token code serves as a shared secret for authenticating the use of the value token. Multiple token holders can possess the same value token, but each token holder may have a different token code for use with the value token.

Abstract: A device secures open authorization (OAuth) resources according to systems described herein. In some instances, a resource server is configured for receiving a request for authorization from a client device. The request, for authorization to use a requested resource, may include a token having at least one claim. The resource server may interpret data of the token according to a domain specific language. The interpreting may obtain at least one rule associated with the at least one claim from among a range of resource access control rules. The rule may be compared against a resource request and operation. Based on the comparison, the request may be allowed or rejected. In one example, interpretation of the token may decode resources including quantities and combinations of uniform resource identifiers (URIs) claimed by the token using a domain specific language defined by a context-free grammar.

Abstract: Implementations of this disclosure provide verification in a blockchain-type data storage ledger. An example method performed by a server includes receiving a verification request that includes a hash value to be verified; determining a data record of the blockchain-type data storage ledger that corresponds to the hash value to be verified; obtaining a value of a service attribute included in the data record; determining a set of data records of the blockchain-type storage ledger that correspond to the value of the service attribute in the blockchain-type data storage ledger; determining one or more data blocks of the blockchain-type data storage ledger that store data records included in the set of data records; and performing integrity verification on each one of the data blocks that store the data records included in the set of data records.

Abstract: A control method for preventing an unnecessary control command from being transmitted to a reception Internet of things (IoT) device in an IoT system, and an electronic device thereof are provided. The control method includes receiving first access control information generated from an external electronic device and storing the first access control information, in response to occurrence of an event for transmitting a first control command to the external electronic device, determining whether the first control command has an authority to control the external electronic device using the first access control information, and, in response to a determination that the first control command has the authority to control the external electronic device, transmitting the first control command to the external electronic device.

Abstract: One embodiment of the present invention sets forth a technique for predicting fraud by correlating user behavior biometric data with one or more other types of data. The technique includes receiving cursor movement data generated via a client device and analyzing the cursor movement data based on a model to generate a result. The model may be generated based on cursor movement data associated with a first group of one or more users. The technique further includes receiving log data generated via the client device and determining, based on the result and the log data, that a user of the client device is not a member of the first group.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying devices. One of the methods includes receiving one or more data packets at a network location from a client device, the one or more data packets being associated with a connection request from the client device seeking a connection with particular network resources; identifying transport layer information from the one or more data packets; extracting particular values of the transport layer information; generating a cryptographic hash value from the extracted values, wherein the hash value provides an identifier for the client device; using the identifier for the client device to monitor subsequent connection requests from the client device; and in response to the monitoring, determining whether to perform denial of service (DoS) mitigation with respect to the client device.

Abstract: Methods and apparatus for allowing an individual to preserve his/her privacy and control the use of the individual's images and/or personal information by other, without disclosing the identity of the individual to others, are described. In various embodiments the individual seeking privacy provides his/her identifying information, images, and sharing preferences indicating desired level of privacy to a control device which is then stored in a customer record. The control device can be queried to determine if an image or other information corresponds to a user who has restricted use of his/her image or other information in a public manner. Upon receiving a query the control device determines using the stored customer record whether an individual has authorized use of his or her image. Based upon the determination a response is sent to the querying device indicating whether the use of the image and/or individual's information is authorized.

Abstract: Examples described herein relate to systems, apparatuses, and methods for using tokens between two entities comprising a client device and a server, including receiving, by the server, a token from the client device, wherein the token is unique to a transaction, deriving, by the server, a server-derived token from the original data based on a transaction count, wherein the transaction count corresponds to a number of times that the original data is involved in transactions, comparing, by the server, the received token with the server-derived token, and responsive to determining that the received token and the server-derived token are same, sending, by the server, a verification message.

Abstract: There is described a method and data processing gateway comprising: data processing circuitry for performing data processing operations in response to program code; a first execution environment (FEE) and a second execution environment (SEE) for storing data and program code, wherein data and program code stored in the FEE when accessible to the data processing circuitry configured to operate in the FEE is inaccessible to the data processing circuitry when configured to operate in the SEE, the FEE comprising: a data ingestion store for receiving a device decryption mechanism into the FEE to decrypt encrypted device data, the data ingestion store further for receiving encrypted device data into the FEE and for decrypting the encrypted device data using the device decryption mechanism; and a subscriber client manager for receiving a first subscriber encryption mechanism into the FEE, and further for encrypting device data using the first subscriber encryption mechanism and further for transmitting encrypted dev

Abstract: Information associated with a process is received. At least a portion of the received information is used to modify a Process Tree. Modifying the Process Tree includes at least one of: (1) adding a Tag to the Process Tree and (2) modifying a Tag in the Process Tree. An Alert is generated based at least in part in response to determining that a Strategy has been matched.

Abstract: The disclosed computer-implemented method for improving application analysis may include (i) configuring a computing environment to execute an application such that the computing environment spoofs a simulated geolocation that is detected by the application, (ii) performing a dynamic analysis of how the application behaves within the simulated geolocation, and (iii) generating a holistic security analysis of the application based on both a result of the dynamic analysis performed for the simulated geolocation and an additional result of at least one additional dynamic analysis performed for a second geolocation that is distinct from the simulated geolocation. Various other methods, systems, and computer-readable media are also disclosed.