Abstract: Methods, apparatuses, or computer program products are disclosed providing for the dynamic data classification of data objects. Examples enable prediction of candidate data classification labels for data objects associated with one or more applications, services, or computing devices. Examples enable the assignment of one or more data classification labels to a data object for transmission to one or more computing devices. Examples enable the interactive and progressive application of machine learning techniques to data classification systems to assign data classification labels with probable certainty. Examples enable the tracking, monitoring, storage, sorting, and retrieval of labeled data objects. Examples provide for access control configuration of services to restrict or allow access to data objects based on data classifications and other service parameters.

Abstract: A process includes, in a computer system, acquiring a first measurement that corresponds to a software container. Acquiring the measurement includes a hardware processor of the computer system measuring a given layer of a plurality of layers of layered file system structure corresponding to the software container. The given layer includes a plurality of files, and the first measurement includes a measurement of the plurality of files. The process includes storing the first measurement in a secure memory of the computer system. A content of the secure memory is used to verify an integrity of the software container.

Abstract: A method for managing an application permission and an electronic device includes an electronic device that displays a home screen, where the home screen includes an icon of a first application. In response to a first operation from the user on the icon, the electronic device displays a first interface, and when displaying the first interface, the electronic device allows the first application to use a first application permission. In response to a second operation of the user on the first interface, the electronic device displays a second interface, and when displaying the second interface, the electronic device rejects the first application to use the first application permission.

Abstract: A method and/or system for processing an application for launch to determine whether it might be legitimate or non-legitimate, and if non-legitimate taking security action.

Abstract: Examples disclosed herein relate to using an integrity manifest certificate to verify the state of a platform. A device identity of a device that has the device identity provisioned and stored in a security co-processor to retrieve an integrity proof from the security co-processor. The device includes at least one processing element, at least one memory device, and a bus including at least one bus device, and wherein the device identity is associated with a device identity certificate signed by a first authority. The integrity proof includes a representation of each of a plurality of hardware components including the at least one processing element, the at least one memory device, the at least one bus device, and a system board and a representation of plurality of firmware components included in the device. The integrity proof is provided to a certification station.

Abstract: Systems and methods include receiving a trained machine learning model that has been processed with training information removed therefrom, wherein the training information is utilized in training of the trained machine learning model; monitoring traffic, inline at the node, including processing the traffic with the trained machine learning model; obtaining a verdict on the traffic based on the trained machine learning model; and performing an action on the traffic based on the verdict.

Abstract: A method for evaluating security of third-party application is disclosed. The method includes: receiving, from a first application, a request to obtain first account data for a user account associated with a protected data resource; generating fake data for at least a portion of the requested first account data; providing, to the first application, a first data set in response to the request, the first data set including at least the generated fake data; monitoring use of the first data set by the first application; detecting a trigger condition indicating misuse of account data based on monitoring use of the first data set by the first application; in response to detecting the trigger condition, generating a notification identifying the misuse of account data; and transmitting the notification to a computing device associated with an application user.

Abstract: Systems and methods for protected verification of user information are provided. Multiple computing systems may transmit or receive communications from one or more other computing systems as part of the protected user information verification. For example, a user may utilize a verification service to independently verify the user's information to third-party systems without the verification service actually storing, receiving, accessing, or otherwise coming into contact with the user-specific information that it is verifying. In this way, the system can protect a user's personal information while streamlining the user's verification with one or more third parties.

Abstract: A system and method for utilizing permissioned data is disclosed. A user may grant permission to share certain data over a platform. A third party may seek targeted attributes and match the targeted attributes with the shared attributes of a user. A user may agree to accept communications directly from the third party.

Abstract: A method for managing a first application program comprises: executing, by a first processor, a first control flow; executing, by a second processor, in synchronization with the first control flow execution, a second application, comprising a variable and an expected value that the variable has to have or a condition that the variable has to satisfy to authorize an execution of the correct first control flow; verifying, by the second processor, by executing each of the at least one second application, whether the variable has the expected value or the variable satisfies the condition; and inferring, by the second processor, if, for the second application, the variable has (not) the expected value or does (not) satisfy the condition, that the first processor is (not) executing the correct first control flow.

Abstract: In some embodiments, a client application at a client device can receive, from a browser application at the client device, a first message including a unique identifier associated with a session of the browser application at a website associated with a content management system. The client application can extract the unique identifier from the first message, and establish a connection between the client application and the content management system by sending, from the client application to the content management system, a second message including the unique identifier. The client application can then receive, from the content management system through the connection, a third message relayed by the content management system from the website, where the third message is associated with the unique identifier.

Abstract: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.

Abstract: In one embodiment, a multi-tenant computing system includes at least one processor including a plurality of cores on which a plurality of agents of a plurality of tenants of the multi-tenant computing system are to execute, a configuration storage, and a memory execution circuit. The configuration storage includes a first configuration register to store configuration information associated with the memory execution circuit. The first configuration register is to store a mode identifier to identify a mode of operation of the memory execution circuit. The memory execution circuit, in a first mode of operation, is to receive encrypted data of a first tenant of the plurality of tenants, the encrypted data encrypted by the first tenant, generate an integrity value for the encrypted data, and send the encrypted data and the integrity value to a memory, wherein the integrity value is not visible to the software of the multi-tenant computing system.

Abstract: This document describes, among other things, systems and methods for more efficiently resuming a client-to-origin TLS session through a proxy layer that fronts the origin in order to provide network security services. At the time of an initial TLS handshake with an unknown client, for example, the proxy can perform a set of security checks. If the client passes the checks, the proxy can transmit a ‘proxy token’ upstream to the origin. The origin can incorporate this token into session state data which is passed back to and stored on the client, e.g., using a TLS session ticket extension field, pre-shared key extension field, or other field. On TLS session resumption, when the client sends the session state data, the proxy can recover its proxy token from the session state data, and upon successful validation, bypass security checks that it would otherwise perform against the client, thereby more efficiently handling known clients.

Abstract: A method including storing, by a device in a database, a trusted fingerprint determined based at least in part on encrypting trusted connection information included in a trusted transmission packet received from a trusted source application; determining, by the device, a current fingerprint based at least in part on encrypting current connection information included in a current transmission packet received from a current source application; comparing, by the device, the current fingerprint with the trusted fingerprint; and processing, by the device, the current transmission packet based at least in part on a result of comparing the current fingerprint with the trusted fingerprint. Various other aspects are contemplated.

Abstract: Approaches presented herein enable detection of security vulnerabilities in software containers. More specifically, a software container comprising a build script and a base image is received. An instance of the software container is instantiated in an encapsulated environment using the build script and the base image. The instance of the software container is executed in the encapsulated environment, and the execution of the software container instance is monitored in the encapsulated environment to detect one or more security vulnerabilities.

Abstract: Systems and methods are provided for performing privacy transformation of data to protect privacy in data analytics under the multi-access edge computing environment. In particular, a policy receiver in an edge server receives privacy instructions. Inference determiner in the edge server in a data analytics pipeline receives data from an IoT device and evaluates the data to recognize data associated with personally identifiable information. Privacy data transformer transforms the received data with inference for protecting data privacy by preventing exposure of private information from the edge server. In particular, the privacy data transformer dynamically selects a technique among techniques for removing information that is subject to privacy protection and transforms the received data using the technique.

Abstract: An ultrasonic transceiver system includes a transmitter block, a receiver block, a state machine, and a computing unit. The transmitter block contains circuitry configured to drive an ultrasound transducer. The receiver block contains circuitry configured to receive signals from the ultrasound transducer and convert the signals into digital data. The state machine is coupled to the transmitter and receiver blocks and contains circuitry configured to act as a controller for those blocks. The computing unit is coupled to the transmitter block, the receiver block, and the state machine and is configured to drive the transmitter block and process data received from the receiver block by executing instructions of a program. The program memory is coupled to the computing unit and is configured to store the program. The computing unit is configured to be reprogrammed with one or more additional programs stored in the program memory.

Abstract: A multi-country data pipeline keeps all of the PII received from a user that is in a first country in the first country. The data pipeline allows the non-personal data received from the user to be transmitted and analyzed in a second country. The method further allows the results of the analysis in the second country to be transmitted back to the first country where the PII is added to the results of the analysis. The data pipeline allows the results of the analysis in the second country to be used to take a desired action for the user in the first country, all while the PII of the user never leaves the first country.

Abstract: The disclosed technology is generally directed to the authentication of software. In one example of the technology, a private attestation key is stored in hardware. In some examples, during a sequential boot process a hash is calculated, in an order in which the software stages are sequentially booted, of each software stage of a plurality of software stages. The hashes of each software stage of the plurality may be cryptographically appended to an accumulation register. The accumulation register may be used to attest to validity of the software stages. The plurality of software stages may include a first bootloader, a runtime for a first core of a multi-core processor, and a runtime for a first execution environment for a second core of the multi-core processor.