Abstract: Methods, systems, and computer readable mediums for securely establishing credential data for a computing device are disclosed. According to one example, a method includes assigning, by a credential manager, credential set data to a computing device and mapping the credential set data to a device identifier key associated with the computing device in a credential data store accessible by the credential manager. The method further includes receiving, from a provisioning service client, a credential set request message including the device identifier key by the credential manager in response to an activation of the computing device at a customer location site and sending, by the credential manager to the provisioning service client, the credential set data for authenticating the computing device at the customer location site.

Abstract: Embodiments are directed monitoring network traffic using network monitoring computers. Activity associated with a document in a network may be determined based on the network traffic. A profile may be generated based on a summarization of the activity associated with the document such that the profile may be stored in a data store that stores other profiles. Similar profiles may be determined based on a classification of each profile in the data store based on similarities between the profile and the other profiles in the data store. In response to determining similar profiles, locations in the network associated with documents that correspond to the similar profiles may be determined. Locations may be classified based on the activity, the similar profiles and access policies. In response to portions of the locations being classified as inconsistent with the access policies may be reported.

Abstract: Systems, methods, and related technologies for device identification are described. In certain aspects, packet data associated with a device can be analyzed and a score determined. The score and the threshold can be compared to determine a device identification for the device.

Abstract: Systems and methods include providing a user interface to an administrator associated with a tenant of a cloud-based system, wherein the tenant has a plurality of users each having an associated user device; receiving a plurality of client forwarding policies for the plurality of users, wherein each client forwarding policy of the client forwarding policies define rules related to how application requests from the plurality of users are forwarded for zero trust access; and providing the rules to corresponding user devices of the plurality of users.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: A method and device for processing information, and a storage medium is provided. The method is applied to an authorization proxy server, and includes receiving a first account information of a first vehicle-mounted terminal, determining, based on an associating record of a user account service, that a first account corresponding to the first account information is an authorized account that has been associated with the user account service, and authorizing the first account with a control right for controlling a device to be controlled.

Abstract: Methods, systems, and computing platforms for data communication are disclosed. A computer-data communication based network, including receiving a set of virtual nodes each with a data payload may include an originating node attribute, an infosec data attribute, an behavioral data attribute, a biometric enterprise attribute and at least one data element associated with the originating node attribute. A machine learning module may learn from across multiple of collection points to determine control triggers and control durations. A user anomaly collector/module may be configured to identify an unusual or anomalous usage of an application.

Abstract: A system for location-aware authentication is configured to receive an authentication request associated with an identifier of a user for accessing an application and retrieves user information associated with the identifier and the application. The system then determines that the user information includes a geofence and information associated with a device of the user. Based on the geofence and the device information, the system sends a geolocation data request to the device, causing the device to gather and send the device's current geolocation data to the computing system. A data structure is generated to store data related to the device's current geolocation and sent to the application, which in turn causes the application to grant or deny the authentication request.

Abstract: Systems for credential evaluation and control are provided. In some examples, a request to access data via a website may be received. The request may include a username. A browser extension embedded in the web browser used to request the data via the website may be triggered and one or more credential evaluation functions may be executed. An event record associated with the request to access data may be generated. The event record may be analyzed to determine a designation associated with the website and a designation associated with user credentials provided with the request to access the data. The designation of the website and the designation of the credentials may be compared to determine whether the designations match. If so, access to the requested data may be provided. If not, one or more mitigating actions may be identified and executed.

Abstract: To easily identify an invalid device certificate by means of a validity check when signing keys that are used to create device certificates are compromised, a piece of status information is provided for device certificates that comprises positive evidence of the existence and validity of the device certificate, and alternatively or additionally to apply a special validity model for device certificates, wherein the time of issue of the device certificate is documented by means of a signed electronic timestamp, and wherein a different signing key is used for signing the timestamp than for signing the device certificate. Additionally, all information that is required for the validity check of a device certificate is stored in a memory of the device or in a memory associated with the device, so that an identity check on the device can be performed at any time without fetching additional data.

Abstract: A system for bidirectional device authentication between two computing devices is disclosed. A first processor generates a first random number sequence, performs a first operation on the first random number sequence to determine a first table address, and retrieves a first entry in the first table based on the first table address. The processor also executes a first transformation function on the first entry to generate a first transformed entry, transmits the first random number sequence to the second computing device, receives an encoded entry from a second computing device in response to transmission of the first random number sequence, and decodes the encoded entry to determine a second transformed entry. The first transformed entry matches the second transformed entry, and the first processor performs an update to a dynamic table by replacing each entry of the dynamic table with an associated transformed entry.

Abstract: A computer-implemented method includes receiving an authentication request from an external device for authenticating an application on the external device, and receiving a plurality of information items in connection with the authentication request from a plurality of different externally residing information sources. The authentication request is then evaluated, which includes evaluating each of the plurality of information items, to determine an authentication status of the application. Based on the authentication status, the device is then selectively permitted access to private information through the application. A computer system and/or machine-readable media may be provided to perform some or all steps of the method.

Abstract: A system for managing custom code within a data computing platform determines that a request for one or more uniform resource identifiers external to the platform is being made by custom code executing in the platform. In response to the determination, the system checks a whitelist of allowable external URIs against the requested one or more URIs and allows access to the requested one or more URIs if a match is detected with the whitelist, otherwise access by the custom code to the requested one or more URIs is denied. In addition, or alternatively, the system checks a blacklist of disallowed external URIs against the requested one or more URIs and denies access to the requested one or more URIs if a match is detected with the blacklist, otherwise access by the custom code to the requested one or more URIs is allowed. The blacklist can override the whitelist.

Abstract: Systems and methods directed to a third-party gateway that controls egress traffic from Internet Data Centers (IDC) and/or Virtual Private Clouds (VPC) are described. When egress traffic reaches the third-party gateway, a forward proxy may obtain a service identified or otherwise associated with the source IP address and port. Once, the service is identified, the third-party gateway may obtain a configuration rule specified by a rule manager to determine if the service is allowed to access the destination host(s). If the destination host is approved for the service, the forward proxy may send the traffic to the internet. If the destination host is not approved for the service, the forward proxy may block or otherwise drop the respective communication. In some examples, one or more auditors or auditing agencies may access essential information from the third-party gateway to view egress traffic logs and verify egress traffic approved destinations.

Abstract: Systems and methods include obtaining data from a log system storing historical transactions monitored by a security system; creating one or more mock transactions based on the data; and analyzing the one or more mock transactions with a signature pattern matching engine having updates provided therein subsequent to a time of the historical transactions. The one or more mock transactions can have a header based on the data from corresponding historical transactions. The systems and methods can include performing a content scan in the one or more mock transactions based on the signature pattern matching engine having the updates, or determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions.

Abstract: Systems and methods of securing interface to a blockchain based network, including generating, by a server, a proxy communication layer for communication between the server and a computerized device, wherein the proxy communication layer replaces an IP address of the computerized device with another IP address, intercepting, by the server, data communicated through the proxy communication layer, and blocking, by the server, unauthorized communication data intercepted by the server, wherein communication requests associated with unauthorized IP addresses are blocked, where the server is in communication with the blockchain based network, and wherein the server provides a web interface to decentralized applications of the blockchain based network.

Abstract: Devices, systems and methods for authenticating a user to access electronic content include use of a processor configured to identify a technical condition for the content, access distributor logic providing a first release of the technical condition, receive a request from a subscriber to transfer the first release to an identified user, determine whether to approve or deny the request, and when approved, provide a device associated with the identified user with an authentication that permits the identified user to activate the first release and access the electronic content, and a database that stores the technical condition.

Abstract: Embodiments of the present specification disclose data processing methods, apparatuses, devices, and media. One method includes the following: receiving a data use request; determining data to be used based on the data use request; determining one or more approvers of the data to be used; sending an approval instruction to the one or more approvers, wherein the approval instruction instructs the one or more approvers to approve the data use request; receiving feedback data from the one or more approvers; and determining that the data use request is approved if the feedback data satisfies a predetermined condition.

Abstract: A tamper resistant device can be used for an integrated circuit card. The device includes memory storing a first security domain that includes a telecommunication profile and a second security domain that includes an application profile. A first physical interface is configured to be coupled to a baseband processor configured to operate with a mobile telecommunications network. A second physical interface configured to be coupled to an application processor. The first physical interface configured to allow the baseband processor to access the telecommunication profile and the second physical interface is configured to allow the application processor to access the application profile. The tamper resistant device is configured to enable accessibility to the application profile if corresponding commands are received at the first interface and to enable accessibility to the telecommunication profile if corresponding commands are received at the second interface.

Abstract: Disclosed herein are methods, systems, and processes for monitoring scan attempts in a network. A virtual security appliance with multiple ports is deployed in a network. One or more ports are obfuscated via the virtual security appliance to make the various ports appear to be closed. An address of the virtual security appliance within the network is modified, the several ports are adjusted to assume a predetermined profile, a network neighbor's profile is discovered and emulated, and a received connection attempt intended for the virtual security appliance is monitored.