Abstract: The disclosed technology addresses the need in the art for providing workflow controls to shared content items stored on client devices, and enforcing content item check outs or content item locks for shared content items stored and accessed on client devices. The present technology further includes automatically locking a shared content item that is edited on a client device so that other team members cannot modify the content item. Accordingly, the present technology improves upon existing systems that provide workflow controls such as file check-in and checkout functionality by permitting users to access content items directly from the file system of their client device, and by providing automatic checkout and check-in functionality.

Abstract: An approach is provided for generating a secure, cloud-based data collection tool for collecting data from computer resources of a target system. In an embodiment, the method comprises: receiving a request to perform a data collection on one or more target computer resources; based on the request, generating a customization specification; and transmitting the customization specification to a deployment engine to cause the deployment engine to: based on the customization specification, generate the customized collector that is specific to the data collection, and storing the customized collector at a particular location in a cloud storage; generate, and transmit to a custodian, a first notification that includes the particular location; generate a unique deployment key that is specific to the customized collector; generate a second notification that includes the unique deployment key; and transmit the second notification to the custodian separately from transmitting the first notification.

Abstract: A device generates a biometric public key for an individual based on both the individual's biometric data and a secret S, in a manner that verifiably characterizes both while tending to prevent recovery of either. The biometric data has a Sparse Representation and is encoded in a manner to include a component of noise, such that it is challenging to identify which locations are actually encoded features. Accordingly, the biometric data are encoded as a vector by choosing marker at locations where features are present and, where features are not present, choosing noisy data. The noisy data may be chaff bit values selected collectively from a group of (a) random values and (b) independent and identically distributed values. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust.

Abstract: A method or system for authentication and access control in for network device management is disclosed. The method or system may include establishing a communication channel between a user device and a network device and receiving, by the network device, a public-key certificate including a specified identity of the user device. The method or system may include determining whether the public-key certificate is valid against a root certificate stored in the network device, and determining an actual identity of the user device. The method or system may include indicating that the user device is authentic and authorized when the received public-key is valid against the root certificate and when the actual identity of the user device matches the specified identity in the public-key certificate.

Abstract: Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. At the completion of the authorization process, the PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.

Abstract: Logical data containers of a data storage system are associated with policies that require data transformation of data to be stored in the logical data containers. When a data object is received to be stored in a logical data container, the data object is transformed in accordance with a policy on the logical data container. Transformation of the data object may include encryption. The logical data container may also be associated with a cryptographic key used to perform a required transformation.

Abstract: In a method for providing access to a service provided by a physical server in a cloud computing system, a cloud platform allocates to the service a publishing IP address and a publishing port, and sends a NAT rule to an access network element associated with the virtual machine. Upon receiving a service access request from the virtual machine for accessing the service, the access network element modifies, according to the NAT rule, a destination address of the service access request into the IP address and the port of the physical server that provides the service, and routes the modified service access request to the physical server.

Abstract: A method and system for completing a task executed in a crowd-sourced environment is disclosed. The method comprises, at a training phase: transmitting a training task to a plurality of users; acquiring a plurality of training results responsive to the training task; acquiring a respective user activity history associated with each user; for each of the plurality of training results, assigning a label value; generating a set of triples of training data; and training a machine learning algorithm, the training including, determining for each triples of data a set of features representative of a property of the triples of training data; and generating an inferred function based on the set of features, the inferred function being configured to determine a error parameter of a given result received from a given user to a given task.

Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

Abstract: A method related to authenticating a device may include accessing a plurality of hash values, wherein the plurality of hash values corresponds to a plurality of passwords of a plurality of devices. The method may also include generating a hash value corresponding to the device and authenticating the device by providing the plurality of hash values and the hash value to an authentication system.

Abstract: A method may include extracting, from a document, first content of a first content type and second content of a second content type, deriving first features from the first content and second features from the second content, and generating a first prediction by applying a first supervised model to the first features and a second prediction by applying a second supervised model to the second features. The first supervised model may correspond to the first content type, and the second supervised model may correspond to the second content type. The method may further include combining the first prediction and the second prediction to predict that the document comprises malicious code.

Abstract: A method for detection of malicious files includes training a mapping model for mapping files in a probability space. A plurality of characteristics of an analyzed file is determined based on a set of rules. A mapping of the analyzed file in probability space is generated based on the determined plurality of characteristics. A first database is searched using the generated mapping of the analyzed file to determine whether the analyzed file is associated with a family of malicious files. The first database stores mappings associated with one or more families of malicious files. In response to determining that the analyzed file is associated with the family of malicious files, a selection of one or more methods of malware detection is made from a second database. The second database stores a plurality of malware detection methods. The selected method is used to detect the associated family.

Abstract: In one aspect, a computerized system useful for implementing a cloud-based multipath routing protocol to an Internet endpoint includes an edge device that provides an entry point into an entity's core network. The entity's core network includes a set of resources to be reliably accessed. The computerized system includes a cloud-edge device instantiated in a public-cloud computing platform. The cloud-edge device joins a same virtual routing and forwarding table as the edge device. The cloud-edge device receives a set of sources and destinations of network traffic that are permitted to access the edge device and the set of resources.

Abstract: One or more embodiments of the disclosure provide systems and methods for providing media presentations to users of a media presentation system. A media presentation generally includes a plurality of media segments provided by multiple users of the media presentation system. In one or more embodiments, a user of the media presentation system may share a media presentation with a co-user. The media presentation system can enable the co-user, if authorized by the user, to contribute (e.g., add a media segment) to a media presentation shared with the co-user.

Abstract: A method for detecting hypertext transfer protocol secure (HTTPS) flood denial-of-service (DDoS) attacks. The method estimating traffic telemetries of at least ingress traffic directed to a protected entity; providing at least one rate-base feature and at least one rate-invariant feature based on the estimated traffic telemetries, wherein the rate-base feature and the rate-invariant feature demonstrate a normal behavior of HTTPS traffic directed to the protected entity; evaluating the at least one rate-base feature and the at least one rate-invariant feature with respect to at least one baseline to determine whether the behavior of the at least HTTPS traffic indicates a potential HTTPS flood DDoS attack; and causing execution of a mitigation action when an indication of a potential HTTPS flood DDoS attack is determined.

Abstract: A system includes a storage unit, a trusted time source, a key generation unit, and an encryption unit. The storage unit is configured to store data. The trusted time source provides a correct time responsive to a request. The key generation unit receives a time expiration associated with the data stored on the storage unit. The time expiration indicates when the data stored on the storage unit is to become inaccessible. The key generation unit further receives the correct time from the trusted time source and generates an encryption key based on the correct time and further based on the time expiration. The encryption unit is configured uses the encryption key to encrypt the data stored on the storage unit. A certificate that includes the time expiration and a decryption key associated with the encryption key is generated responsive to the data stored on the storage unit being encrypted.

Abstract: A method and system for detecting impersonated network traffic by a protected computing device and a network protection system. The method includes the computing device receiving installation of a browser application, the browser application configured to generate requests to communicate with other computers via the World Wide Web and receiving a configuration for the browser application. The browser application is configured to obtain a short-lived password (SLP) in coordination with generating a request and insert the short-lived password into the generated request before transmitting the request. The SLP is synchronized with an expected value generated by the network protection system. The transmitted request is passed to the network protection system and treated as legitimate network traffic by the network protection system only if the network protection system detects and verifies the SLP.

Abstract: A new approach is proposed to support generating and presenting to a user cyber attack monetary impact estimation of a current or future cyber attack, which is used to stop monetary losses or to mitigate monetary impacts. First, both historic data and real time data on monetary impact of current and/or potential cyber attacks is continuously collected from a plurality of data pools. The collected data is then synchronized, correlated and filtered/cleansed once the data is available to create fidelity among the data from the plurality of data pools. The cyber attack monetary impact is calculated based on the correlated and cleansed data, and is presented to the user along with one or more suggested applications by the user in response to the cyber attack monetary impact, to mitigate the monetary impact of the current or future cyber attack.

Abstract: Systems and methods for providing a trusted keystore are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for providing a trusted keystore may include: (1) selecting and storing a root Keyblock Protection Key (KBPK) in a trusted domain; (2) for each key class: creating a keyblock with a class KBPK; and storing the keyblock in an untrusted keystore in an unfrosted domain; (3) loading keyblocks to a trusted key manager in the trusted domain; (4) decrypting the keyblocks with an encryption class key; (5) verifying the keyblocks under a MAC class key; (6) loading class keyblocks to the trusted key manager from the untrusted keystore; (7) writing the keyblocks to the untrusted keystore; and (8) writing class keyblock MACs in a hierarchy to the untrusted keystore. A number of levels in the hierarchy is based on an amount of available storage in the trusted domain.

Abstract: A computing system that facilitates approval and validation of executable code between parties. A template including executable code and specifying certain operations and functions to be performed on protected data, as well as constraints thereto, may be verified and agreed upon by parties. The verified template and/or a hash of the verified template may be stored on a blockchain. Prior to execution of the code certain parameters within the template may be filled and validated by a system that will execute the code. A contract, which too may be agreed upon and stored on the blockchain, may also include other terms governing the parties. The filled template may also be validated, and compared against a blockchain version of the template, by the parties prior to execution of the code and prior to access being granted to protected data. Such verifications and validations ensure that data is only operated on, using a secure system, within the parameters as agreed upon by the parties.