Patents Examined by J. Brant Murphy
  • Patent number: 10757091
    Abstract: A technique to establish a secure session to a network-accessible application from a mobile device executing a native app. Initially, the network-accessible application is provisioned for access by an enterprise associating a set of one or more of its enterprise users with the network-accessible application. Thereafter, access to the application is enabled via an identity provider. In operation, the identity provider receives a request to validate that an enterprise user seeking access to the network-accessible application is associated with the application. The request is generated by the application in response to a login request initiated from the native app from a mobile device, wherein a certificate for the application is not available to the native app.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: August 25, 2020
    Assignee: International Business Machines Corporation
    Inventors: Nalini Kannan, Jatin Malik, Payas Gupta, Amitabh Mehra
  • Patent number: 10747906
    Abstract: For ensuring a universal serial bus, USB, attack protection between a communication device (CD) and an accessory device (AD), a protection device (PD) being inserted between the communication device (CD) and the accessory device (AD) through a USB link, the communication device (CD): memorizes the highest value (HV) of indexes of string descriptor found in a USB Device Descriptor received from the accessory device (AD), sends a request (Req) for a string descriptor to the accessory device (AD) with a value (Val1) of index higher than said highest value (HV), receives a response (Res) generated and sent from the protection device (PD), the response containing an identifier (Id P) of the protection device, validates the presence of the protection device (PD) if the identifier (Id P) is found in a database.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: August 18, 2020
    Assignee: Alcatel Lucent
    Inventors: Serge Papillon, Haithem El Abed
  • Patent number: 10733290
    Abstract: Methods and equipment for determining whether a ransomware attack is suspected include a data storage device including a controller; non-volatile memory; a data path between the controller and the non-volatile memory; and an anti-ransomware module configured to monitor the data path. Methods and equipment also include monitoring a data path between a controller and a non-volatile memory on a data storage device; calculating an entropy of a data set to be written to the non-volatile memory; analyzing the calculated entropy; and determining whether a malware attack is suspected. Methods and equipment also include monitoring a data path between a controller and a non-volatile memory on a data storage device; identifying activity indicative of ransomware; once activity indicative of ransomware has been identified, calculating an entropy of a data set to be written to the non-volatile memory; analyzing the calculation; and determining whether a ransomware attack is suspected.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: August 4, 2020
    Assignee: WESTERN DIGITAL TECHNOLOGIES, INC.
    Inventors: Danny Berler, Judah Gamliel Hahn
  • Patent number: 10733329
    Abstract: A robotic process automation system with improved security in the form of a credential vault includes data storage for storing bots. The data storage also stores credentials in encrypted form where the credentials are not associated with any of the plurality of bots. The credentials include standard credentials and user specific credentials. A processor is operatively coupled to the data storage and is configured to execute instructions that when executed cause the processor to provide to an administrator a control console. The instructions implement a standard credential generator and a user specific credential generator, to generate a user specific credential template useable by a user to enter credentials specific to the user. The instructions also implement a configurable locker that is stored in encrypted form in the data storage to associate a set of users as a group and to provide selected standard credentials to the group.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: August 4, 2020
    Assignee: Automation Anywhere, Inc.
    Inventors: Badrinath Ragupathy, Rajaa Mohamad Abdul Razack, Abhijit Kakhandiki
  • Patent number: 10728259
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, dynamically authorize pre-staged data exchanges based on contextual data. For example, an apparatus may receive first data characterizing an initiation of a first exchange of data between a client device and a terminal device. Based on the first data, the apparatus may obtain second data that characterizes an expected initiation of a second exchange of data during a corresponding temporal interval, which may be specified relative to an initiation time of the first data exchange. The apparatus may generate and transmit, to a computing system, pre-authorization data that requests a pre-authorization of the second data exchange to a computing system. The pre-authorization data may include a portion of the second data and may instruct the computing system to pre-authorize the second data exchange in accordance with the second data.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: July 28, 2020
    Assignee: The Toronto-Dominion Bank
    Inventors: Robert Alexander McCarter, Vipul Lalka, Nadia Moretti, Paige Dickie, Denny Kuruvilla, Dino D'Agostino, Dean Tseretopoulos, Milos Dunjic, John Jong-Suk Lee, Arun Victor Jagga, Ruby Walia
  • Patent number: 10728219
    Abstract: A message interface system is provided that allows for local nodes to communicate with remote nodes securely. The message interface system provides a secure zone system that includes a reverse proxy server and a proxy server that interface with an internal firewall and an external firewall. The message interface system also includes a bridge system that is behind the internal firewall and that directs the secure zone system to establish connections with remote nodes, sends outbound messages of the local node to the proxy server for sending to the remote nodes, and receives inbound messages from the reverse proxy server sent from the remote nodes. The secure zone system helps ensure that the effects of a cyberattack are limited to the secure zone system without compromising business data of the local node.
    Type: Grant
    Filed: April 13, 2018
    Date of Patent: July 28, 2020
    Assignee: R3 LTD.
    Inventor: Matthew Nesbit
  • Patent number: 10708053
    Abstract: Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. The PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.
    Type: Grant
    Filed: July 14, 2017
    Date of Patent: July 7, 2020
    Assignee: INTUIT INC.
    Inventors: Parul Jain, Douglas L. Foiles, Nagaraj Janardhana
  • Patent number: 10693648
    Abstract: A method includes dynamically generating an authentication grid that identifies an association between a first set of characters and a second set of characters. Based on a shared secret associated with a user, an encrypted version of the authentication grid is generated and transmitted to a first computing device associated with the user. A challenge is generated and transmitted to a second computing device associated with the user. User input is received, and the user is authenticated based at least in part on the authentication grid and a mapping of at least one character in a first set of characters in the challenge to at least one second character in the user input.
    Type: Grant
    Filed: March 26, 2018
    Date of Patent: June 23, 2020
    Assignee: CA, Inc.
    Inventors: Deepak Kumar Verma, Akkera Nagesh, Sukhmeet Singh Gulati
  • Patent number: 10686760
    Abstract: Method and system for generating dynamic rules for a computer network firewall are provided. The method includes applying a plurality of drop rules to a plurality of packets that are received at a network interface. The plurality of drop rules are sequentially arranged rules and determine at least one of allowance and dropping of a packet based on corresponding tracking information. Then a unique drop rule is generated for dropping a set of packets based on an implicit deny rule. The implicit deny rule determines a drop for the plurality of packets. Thereafter, sequence for the unique drop rule in the plurality of drop rules is determined based on dropping of the plurality of packets. Accordingly, the unique drop rule is deployed in the sequence of drop rules.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: June 16, 2020
    Assignee: Wipro Limited
    Inventor: Maulik Yagnik
  • Patent number: 10686780
    Abstract: An approach is provided for generating a secure, cloud-based data collection tool for collecting data from computer resources of a target system. In an embodiment, the method comprises: receiving a request to perform a data collection on one or more target computer resources; based on the request, generating a customization specification; and transmitting the customization specification to a deployment engine to cause the deployment engine to: based on the customization specification, generate the customized collector that is specific to the data collection, and storing the customized collector at a particular location in a cloud storage; generate, and transmit to a custodian, a first notification that includes the particular location; generate a unique deployment key that is specific to the customized collector; generate a second notification that includes the unique deployment key; and transmit the second notification to the custodian separately from transmitting the first notification.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: June 16, 2020
    Assignee: RICOH COMPANY, LTD.
    Inventor: David Greetham
  • Patent number: 10685113
    Abstract: In some implementations, a computing device can determine the similarity of binary executables. For example, the computing device can receive an application, including a binary executable. The computing device can generate function signatures for the functions called within the binary executable. The computing device can generate a locality sensitive hash value for the application based on the function signatures. The computing device can group applications based on the locality sensitive hash value generated for each application. The computing device can compare the function signatures of the binary executables of the applications within a group to determine the similarity of the applications. If two applications have binary executables that are over a threshold percentage of similarity, the two applications can be identified as clones of each other.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: June 16, 2020
    Assignee: Apple Inc.
    Inventors: Ashish Agarwal, Fei Peng, Zhui Deng
  • Patent number: 10678929
    Abstract: Systems and methods for embedding data in a dynamic image of a remote session display. The method includes, by a processor: receiving a display frame associated with the dynamic image, receiving data to be embedded in the display frame, identifying one or more stable regions in the display frame, upon identification of the one or more stable regions, updating a cache, identifying a largest stable region corresponding to the display frame in the cache, and embedding the data to be embedded in the largest stable region to create a region including embedded data. The cache includes a plurality of stable regions corresponding to one or more display frames associated with the dynamic image.
    Type: Grant
    Filed: March 9, 2018
    Date of Patent: June 9, 2020
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Hao Chen
  • Patent number: 10680801
    Abstract: A system and method for data distribution against credential information leak are presented. A data block may be encrypted with block cryptograph on virtual storage so as to create an encrypted block. The virtual storage may be obtained by virtualizing one or more cloud storages of a storage area network (SAN). The encrypted block may be divided into one or more divided blocks. Store-blocks may be generated by combining divided blocks from the encrypted block and different encrypted blocks. The store-blocks may be stored in the one or more cloud storages.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: June 9, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Atsushi Abe
  • Patent number: 10678895
    Abstract: A data input method is implemented by an electronic device that includes a storage component, a display device and a processor. The storage component stores an application to be executed by the processor, in response to user-input selection of the application, to implement the data input method for entering data in an input field displayed on the display device. The data input method includes controlling the display device to display at least one hotkey that is associated with pre-stored data, and in response to user-input interaction associated with the at least one hotkey, entering the pre-stored data in the input field.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: June 9, 2020
    Inventor: Hung-Chien Chou
  • Patent number: 10664222
    Abstract: One or more embodiments of the disclosure provide systems and methods for providing media presentations to users of a media presentation system. A media presentation generally includes a plurality of media segments provided by multiple users of the media presentation system. In one or more embodiments, a user of the media presentation system may share a media presentation with a co-user. The media presentation system can enable the co-user, if authorized by the user, to contribute (e.g., add a media segment) to a media presentation shared with the co-user.
    Type: Grant
    Filed: June 10, 2019
    Date of Patent: May 26, 2020
    Assignee: FACEBOOK, INC.
    Inventors: Joshua Alexander Miller, Leo Litterello Mancini, Michael Slater
  • Patent number: 10664304
    Abstract: A hypervisor generates first and second page views, where a guest physical address points to a first page of the first page view and a second page of the second page view. A first pointer value is written to the first page and a second pointer value is written to the second page. A guest operating system executes a first task and if a determination to switch to the second task is made, the guest operating system reads a current pointer value and determines what the current page view is. If the guest operating system determines that the current page view is the first page view, the guest operating system saves the first pointer value in a first memory of the first task, loads the second pointer value from a second memory of the second task, and executes a virtual machine function to switch to the second page view.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: May 26, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventor: Michael Tsirkin
  • Patent number: 10657258
    Abstract: A mismatch between model-based classifications produced by a first version of a machine learning threat discernment model and a second version of a machine learning threat discernment model for a file is detected. The mismatch is analyzed to determine appropriate handling for the file, and taking an action based on the analyzing. The analyzing includes comparing a human-generated classification status for a file, a first model version status that reflects classification by the first version of the machine learning threat discernment model, and a second model version status that reflects classification by the second version of the machine learning threat discernment model. The analyzing can also include allowing the human-generated classification status to dominate when it is available.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: May 19, 2020
    Assignee: Cylance Inc.
    Inventors: Kristopher William Harms, Renee Song, Raj Rajamani, Braden Rusell, Yoojin Sohn, Kiefer Ipsen
  • Patent number: 10659472
    Abstract: A storage controller that is coupled to a plurality of storage clouds is maintained. The storage controller determines security requirements for performing a selected operation in the plurality of storage clouds. A subset of storage clouds of the plurality of storage clouds that are able to satisfy the security requirements are determined. A determination is made as to which storage cloud of the subset of storage clouds is most responsive for performing the selected operation. The selected operation is performed in the determined storage cloud that is most responsive.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: May 19, 2020
    Assignee: International Business Machines Corporation
    Inventors: Matthew G. Borlick, Lokesh M. Gupta
  • Patent number: 10659471
    Abstract: A method for a virtual machine to access a physical server in a cloud computing system is disclosed. A cloud platform allocates, to the service deployed on the physical server, a publishing IP address and a publishing port and sends a NAT rule to an access network element of the virtual machine. When receiving a service access request for accessing the service, the access network element modifies, according to the NAT rule, a destination address of the service access request into the IP address and the port that are of the physical server, and routes the modified service access request to the physical server, so that the virtual machine can access the service on the physical server without knowing a real IP address and port of the physical server.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: May 19, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Junwu Li, Si Shen
  • Patent number: 10659450
    Abstract: The technology disclosed relates to non-intrusively enforcing security during federated single sign-on (SSO) authentication without modifying a trust relationship between a service provider (SP) and an identity provider (IDP). In particular, it relates to configuring the IDP to use a proxy-URL for forwarding an assertion generated when a user logs into the SP, in place of an assertion consumer service (ACS)-URL of the SP. It also relates to configuring an assertion proxy, at the proxy-URL, to use the SP's ACS-URL for forwarding the assertion to the SP. It further relates to inserting the assertion proxy in between the user's client and an ACS of the SP by forwarding the assertion to the SP's ACS-URL to establish a federated SSO authenticated session through the inserted assertion proxy.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: May 19, 2020
    Assignee: Netskope, Inc.
    Inventors: Kartik Kumar Chatnalli Deshpande Sridhar, Lebin Cheng, Krishna Narayanaswamy