Patents Examined by Helai Salehi
  • Patent number: 12273341
    Abstract: A method, system, and computer program product for frictionless mutual authentication of unsolicited communications may detect an incoming communication. A verification interface may be displayed on a consumer device. On the consumer device, a first valid verification may be received via the verification interface. In response to receiving the first valid verification, a challenge interface may be presented to an enterprise device. On the enterprise device, a second valid verification may be received via the challenge interface. In response to receiving the second valid verification, a verification credential may be presented to both the consumer device and the enterprise device. A connection for the incoming communication may be established between the consumer device and the enterprise device.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: April 8, 2025
    Assignee: International Business Machines Corporation
    Inventors: Dale Bowie, Jasmine Anne Smith, Jared Ross Page
  • Patent number: 12267322
    Abstract: A method for authenticating a user for performing a transaction comprises receiving unique knowledge of the user such as photoauthentication, and receiving a hardware profile associated with the user. The unique knowledge and the hardware profile are compared against previously stored data representing unique knowledge of the user and a hardware profile associated with the user. If both the received data representing the unique knowledge of the user and the received hardware profile are authenticated, the transaction is allowed to go forward.
    Type: Grant
    Filed: September 22, 2023
    Date of Patent: April 1, 2025
    Assignee: Traitware, Inc.
    Inventors: Herbert W. Spencer, III, Christopher M. Canfield, Harlan Hutson, Vince Conroy, Steven A. Hickerson
  • Patent number: 12267301
    Abstract: A method for automatically securing endpoint device data communications includes establishing, between a first server and an endpoint device, a persistent virtual private network (VPN) connection, the endpoint device configured to automatically establish the persistent VPN connection upon establishing network connectivity. The first server provides, for the endpoint device, a network address translation (NAT) firewall service. The first server receives a plurality of data packets from a third computing device. The first server inspects each of the received plurality of data packets. The first server determines whether to block one of the plurality of data packets or to forward the one of the plurality of data packets to the second computing device. The first server blocks the one of the plurality of data packets based upon a determination that the one of the plurality of data packets fails to satisfy a security rule.
    Type: Grant
    Filed: June 9, 2020
    Date of Patent: April 1, 2025
    Inventor: David Thomas Bonczar
  • Patent number: 12261959
    Abstract: An access manager determines whether access will be granted to a guarded species or space utilizing a controller including a digital processor with a memory for storing an ID library and a transducer block coupled with the processor for accessing a plurality of different ID types and an access control block coupled with the processor for granting or denying access.
    Type: Grant
    Filed: March 19, 2024
    Date of Patent: March 25, 2025
    Assignee: FACEFIRST, INC
    Inventors: Joseph Ethan Rosenkrantz, Gifford Hesketh
  • Patent number: 12261856
    Abstract: A network apparatus maintains a database of a plurality of virtual private network (VPN) protocols and respective VPN providers. A VPN protocol detection process is performed for determining a VPN protocol used by a computing device based on analyzing network traffic data and the database. In response to detecting the VPN protocol detection process failing or detecting a need to identify a respective VPN provider, an endpoint detection process for determining the VPN usage of the computing device is performed. In response to detecting the endpoint detection process failing or detecting a need to identify VPN usage time information, a traffic pattern search process for determining the VPN usage of the computing device is performed. Further action is taken to protect the computing device in response to detecting the VPN usage on the basis of the VPN protocol detection process, the endpoint detection process, and/or the traffic pattern search process.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: March 25, 2025
    Assignee: Cujo LLC
    Inventors: Filip Savin, Leonardas Marozas
  • Patent number: 12261851
    Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit that operates on a first operating system and a second control circuit that operates on a second operating system. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on frames to determine conformity of the frames with a first rule. Upon determining that the frames conform to the first rule, the second control circuit transmits contents of the frames to the first control circuit. The first control circuit performs a second determination process on the contents of the frames to determine conformity with a second rule. The second rule is different from the first rule.
    Type: Grant
    Filed: February 22, 2024
    Date of Patent: March 25, 2025
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Yoshihiro Ujiie, Jun Anzai, Yoshihiko Kitamura, Masato Tanabe, Hideki Matsushima, Tomoyuki Haga, Takeshi Kishikawa, Ryota Sugiyama
  • Patent number: 12255923
    Abstract: Systems and methods include receiving messages from local security agents each on a host in a network, wherein the messages include network topology of the network in terms of addresses and sockets; incrementally creating a network topology of the network based on the messages; determining security policies for one or more microsegments in the network based on flow data and the network topology; and providing the security policies to respective hosts for local implementation of the one or more microsegments.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: March 18, 2025
    Assignee: Zscaler, Inc.
    Inventors: Michael J. Melson, Scott Laplante
  • Patent number: 12231488
    Abstract: A digital cross-network platform and method for providing controlled data- and process-driven cross-network interaction and program development between heterogeneous units with network-enabled devices on a secured cloud-based network, each unit having a unit or user account in the digital cross-network platform with assigned authentication and authorization credentials for authentication and authorization controlled network access to the digital cross-network platform and the secured cloud-based network, and each unit having an assigned relationship with one or more other units stored in a persistent storage of the digital networking platform, each assigned relationship providing a defined relationship between the one or more other units or a subgroup of the one or more other units and an associated program.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 18, 2025
    Assignee: Swiss Reinsurance Company Ltd.
    Inventors: Marc Werder, Philipp Taha
  • Patent number: 12231404
    Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a transit gateway and a first gateway in a security virtual private cloud (VPC) in a cloud computing network, wherein the first gateway is configured to connect to a first firewall instance deployed within the security VPC, and logic. The logic, upon execution by one or more processors, causes performance of operations including receiving network traffic at the transit gateway from an originating VPC deployed within the cloud computing network, routing the network traffic from the transit gateway to the first gateway, providing the network traffic to the first firewall instance for inspection, and routing the network traffic to a destination VPC deployed within the cloud computing network. In embodiments, the first gateway is connected to a plurality of firewall instances, where each instance of the plurality of firewall instances is an active firewall instance.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: February 18, 2025
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Shanshan Xu
  • Patent number: 12212546
    Abstract: Systems and methods are described for implementing a device isolation service. A device isolation service creates and administers per-device virtual networks for individual computing devices, thereby isolating the computing devices from each other and limiting device-to-device communication. The device isolation service may further provide a monitored and access-controlled network that facilitates access to the isolated devices, thereby allowing “administrator” devices to access and administer devices while preventing a compromised device from seeing, probing, or compromising other devices on the network. The device isolation service may group devices by category or function, and may put devices that communicate with each other on the same virtual network while isolating other devices to different virtual networks.
    Type: Grant
    Filed: September 19, 2022
    Date of Patent: January 28, 2025
    Assignee: Amazon Technologies, Inc.
    Inventor: Eknath Venkataramani
  • Patent number: 12212603
    Abstract: Systems and methods for adjusting the behavior of an endpoint security agent based on a network location are provided. According to an embodiment, an agent of an endpoint device detects whether the endpoint has moved to a new network by monitoring for changes to an IP address associated with the endpoint. When the detecting is affirmative, the agent further determines whether a trusted network determination service associated with a cloud-based security service is reachable. When the determining is affirmative, the agent further identifies whether the new network is among a set of trusted networks that have been previously registered with the cloud-based security service by querying the trusted network determination service. When the identifying is affirmative, a particular security feature on the endpoint is configured for operation within a trusted network and when the identifying is negative, the particular security feature is configured for operation outside of a trusted network.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: January 28, 2025
    Assignee: Fortinet, Inc.
    Inventors: Gregory L. Galloway, Karl D. Melcher, Michael C. Starr, Scott M. Davis
  • Patent number: 12182287
    Abstract: A computer-implemented method is disclosed. The method includes: sending, to a plurality of computing devices, an invitation containing a link to access a first electronic document in a first state; detecting a change in state of the first electronic document from the first state to a second state; identifying a first subset of the computing devices including devices that did not provide any indication of approval for the first electronic document and devices that have already received requests for updated approvals for the first electronic document; sending, to a second subset of the computing devices that are not included in the first subset, requests to provide indications of approval for the first electronic document in the second state; and responsive to receiving indications of approval for the first electronic document from computing devices of the second subset, generating a locked form of the first electronic document in the second state.
    Type: Grant
    Filed: November 22, 2023
    Date of Patent: December 31, 2024
    Assignee: The Toronto-Dominion Bank
    Inventors: Avinash Malliah, Gregory Boddison, Angelique Louise Carle
  • Patent number: 12184659
    Abstract: This disclosure is directed to devices, systems, and techniques for enforcing access to resources within a computer network. In some examples, a system includes a network managed by a service provider and configured to provide a plurality of microservices to a plurality of tenants each having one or more users and a controller having access to the network. The controller is configured to output, to a user interface, data indicative of a plurality of capabilities for presentation by the user interface and receive, from the user interface, data indicative of a user selection of a set of capabilities and a user selection of a new role identifier. The controller is further configured to create, based on the set of capabilities and the role identifier, a role which enables access to a set of actions within a computer network, the set of actions corresponding to the set of capabilities.
    Type: Grant
    Filed: October 19, 2022
    Date of Patent: December 31, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Gurminder Singh, Pei-Yu Yang, Rong Xie
  • Patent number: 12155678
    Abstract: In one embodiment, a discrepancy detection application automatically detects and addresses unauthorized activities associated with one or more authorization keys based on a request log and a provider log. The request log specifies activities that a client initiated, where the activities are associated with the authorization keys. The provider log specifies activities that a cloud provider performed, where the activities are associated with the authorization keys. In operation, the discrepancy detection application determines that one or more unauthorized activities have occurred based on comparing the request log to the provider log. The discrepancy detection application then performs an action that addresses the unauthorized activities.
    Type: Grant
    Filed: November 15, 2021
    Date of Patent: November 26, 2024
    Assignee: Cisco Technology, Inc.
    Inventor: Camille Gaspard
  • Patent number: 12126642
    Abstract: Systems and methods for providing remote network security using a network embeddings model are provided. A method consistent with the present disclosure includes retrieving a corpus of network activity data associated with a first network. The network activity data may be generated from users within the first network submitting network requests for network assets to service the network requests. The method also includes creating a crafted encoded corpus by selecting a subset of the corpus of network activity data and creating a network embeddings model based on the crafted encoded corpus. Lastly, the method includes generating an alert in an event that the network security system identifies an anomaly associated with the crafted encoded corpus of network activity data.
    Type: Grant
    Filed: January 6, 2023
    Date of Patent: October 22, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Ramsundar Janakiraman
  • Patent number: 12105719
    Abstract: Various systems and methods are provided that retrieve raw data from issuers, reorganize the raw data, analyze the reorganized data to determine whether risky or malicious activity is occurring, and generate alerts to notify users of possible malicious activity. For example, the raw data is included in a plurality of tables. The system joins one or more tables to reorganize the data using several filtering techniques to reduce the processor load required to perform the join operation. Once the data is reorganized, the system executes one or more rules to analyze the reorganized data. Each rule is associated with a malicious activity. If any of the rules indicate that malicious activity is occurring, the system generates an alert for display to a user in an interactive user interface.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: October 1, 2024
    Assignee: Palantir Technologies Inc.
    Inventors: Craig Saperstein, Eric Schwartz, Hongjai Cho
  • Patent number: 12093398
    Abstract: An embedded software analyzer (ESA) detects vulnerabilities in software, such as embedded software items (e.g., software that is pre-loaded onto a device or component). Vulnerabilities may include flaws, glitches, weaknesses, and/or other elements that may prevent correct operation or allow an attacker to access or exploit the software (and/or associated devices, components, systems, etc.). The ESA may utilize techniques such as fuzzing and symbolic execution to identify vulnerabilities. The ESA may predict vulnerabilities and prioritize analysis based on the prediction. The ESA may use smart seeding to optimize fuzzing or other analysis. Such smart seeding may include generating optimized inputs for a particular software item. The ESA may apply machine learning to perform, optimize, and/or otherwise implement such analysis techniques.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: September 17, 2024
    Assignee: RAM Laboratories, Inc.
    Inventors: Robert Michael McGraw, John Darragh Geddes
  • Patent number: 12081675
    Abstract: A permission terminal generates access information for content using a content public key of the content and a user public key of a browser of the content, and registers the access information in a blockchain. The access information includes an aggregate public key generated by aggregating the content public key and the user public key, a message for the content, and a content signature obtained by signing the message with a content private key corresponding to the content public key. A browsing terminal acquires access information of requested content from a blockchain and verifies, with the aggregate public key, an aggregate signature where a user signature in which a message of the access information is signed with a user private key and the content signature of the access information are aggregated, and transmits a content request including the user signature or the aggregate signature if the verification succeeds.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: September 3, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Hiroki Watanabe, Shigenori Ohashi, Tatsuro Ishida, Shigeru Fujimura, Atsushi Nakadaira
  • Patent number: 12069050
    Abstract: A secure authentication between a network server and a network client is achieved using server and client table objects known only to the server and client. The server and client table objects maintain equivalency. The server and client table objects have a table label for identifying the working server and client table. The server and client table objects contain a label group, a data group, and a time group. The server and client contain a duplicate set of arithmetic formulas. The formulas use data from the table objects to send a solution to a receiving node. The receiving node arithmetically reverses the solution to verify the sending node. The receiving node then responds using a different formula and different data from the table objects to verify itself to the original sending node. Once server and client trust is established, additional formulas are then used to encrypt data.
    Type: Grant
    Filed: December 29, 2021
    Date of Patent: August 20, 2024
    Assignee: STRAT ID GIC, INC.
    Inventor: James W. O'Brien
  • Patent number: 12062251
    Abstract: An image matching method includes extracting, from a first image of an object, a landmark patch including a landmark point of the object; extracting, from a second image of the object, a target patch corresponding to the landmark patch; and determining a target point in the second image corresponding to the landmark point based on a matching between the landmark patch and the target patch.
    Type: Grant
    Filed: May 5, 2023
    Date of Patent: August 13, 2024
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: SungUn Park, Jihye Kim, Jaejoon Han, Minsu Ko, Seungju Han, Jinwoo Son, Changyong Son