Patents Examined by Jacob Lipman
  • Patent number: 11252148
    Abstract: A network service, program product and method that manages secure web application delivery. A service is disclosed that includes an interface configured to receive a request for a secure web application from a plug-in integrated into a web browser on a client computing device, wherein the request further includes a user credential token. Also included is a token processor that evaluates the user credential token and determines an associated customer domain server provided by a back-end service and a transport service that establishes a secure channel with the customer domain server, and forwards the request to the associated customer domain server and receives back a text-based data package. Once generated, the text-based data package is forwarded to the plug-in in response to the request.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: February 15, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Zhen Zeng, Hongfei Wu
  • Patent number: 11252147
    Abstract: A platform for delivering secure web applications to a client browser. A software plug-in is provided configured for integration into a web browser. The plug-in includes: a request hook that intercepts web browser requests associated with a secure web application; a request processing system that redirects a request to access the secure web application to a network service, and then redirects subsequent HTTP requests to interact with the secure web application to the network service; and a package manager that receives a text-based data package from a customer domain server in response to the initial request and renders the secure web application in the web browser, and receives an updated text-based data package from the customer domain server in response to the subsequent HTTP request and renders updates to secure web application in the web browser.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: February 15, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Zhen Zeng, Hongfei Wu
  • Patent number: 11240248
    Abstract: A computing platform may receive, from a web server, entity identification information in different formats, and normalize the entity identification information. After normalizing the information, the computing platform may receive a plurality of interaction records each associated with an interaction between a system and a client of the system. The computing platform may compare the normalized entity identification information with the interaction records of the interactions between the system and the clients of the system. After determining that the entity identification information matches client information for one of the interaction records, the computing platform may send an alert to a control server. The alert may cause the control server to take one or more actions with respect to the client. For example, future attempts by the client to access one or more services offered by the system may be blocked for access by the client.
    Type: Grant
    Filed: October 7, 2019
    Date of Patent: February 1, 2022
    Assignee: Bank of America Corporation
    Inventors: Jason D. Latta, Nelipher Moyo
  • Patent number: 11232231
    Abstract: Mechanisms for generating documents with confidential information are provided, the systems comprising: a memory; and a first collection of at least one hardware processor coupled to the memory and configured to: receive from a user device a request for a first document with confidential information; generate a second document, that corresponds to the first document, with at least one token corresponding to the confidential information; transmit the second document to a second collection of at least one hardware processor in a high-trust network that is entitled to access the confidential information; receive from the second collection of at least one hardware processor in the high-trust network a uniform resource locator (URL) corresponding to the first document; and transmit the URL to the user device. In some of these mechanisms, the user device is in the high trust network.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: January 25, 2022
    Assignee: Institutional Capital Network, Inc.
    Inventors: Michael November, Thomas M. Fortin
  • Patent number: 11223475
    Abstract: An example operation may include one or more of receiving, by a document validation node, documents from a plurality of document owner nodes over a blockchain network, generating, by the document validation node, commitments for the documents on the blockchain network, deriving, by the document validation node, proofs to verify predicates of the documents, and generating, by the document validation node, a document relationship graph (DRG) based on the commitments and the predicates.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: January 11, 2022
    Assignee: International Business Machines Corporation
    Inventors: Nitin Singh, Pankaj S. Dayama, Vinayaka Pandit, Kameshwaran Sampath
  • Patent number: 11222140
    Abstract: Mechanisms (which can include systems, methods, and computer readable media) for generating documents with confidential information are provided, the mechanisms comprising: receiving, using a first collection of at least one hardware processor, a first document from a second collection of at least one hardware processor; replacing, using the first collection of at least one hardware processor, at least one token in the first document to produce a second document; causing the second document to be stored; and transmitting a uniform resource locator (URL) corresponding to the second document to the second collection of at least one hardware processor. In some of these mechanisms, the mechanisms further comprise serving the first document to a user device.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: January 11, 2022
    Assignee: Institutional Capital Network, Inc.
    Inventors: Michael November, Thomas M. Fortin
  • Patent number: 11216590
    Abstract: Mechanisms for generating documents with confidential information are provided, the mechanisms comprising: sending, from a user device, a request for a first document with confidential information to a first collection of at least one hardware processor in a low-trust network that is not entitled to access the confidential information; receive a uniform resource locator (URL) corresponding to the first document from the first collection of at least one hardware processor at the user device; request, from the user device, the first document using the URL from a second collection of at least one hardware processor in a high-trust network that is entitled to access the confidential information; receive the first document at the user device; and cause the first document to be presented. In some of these mechanisms, the user device is in the high trust network.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: January 4, 2022
    Assignee: Institutional Capital Network, Inc.
    Inventors: Michael November, Thomas M. Fortin
  • Patent number: 11206278
    Abstract: Technology related to risk-informed autonomous adaptive cyber controllers is disclosed. In one example of the disclosed technology, a method includes generating probabilities of a cyber-attack occurring along an attack surface of a network. The probabilities can be generated using sensor and operational data of a network as inputs to an attack graph. The risk scores can be determined using a plurality of fault trees and the generated probabilities from the attack graph. The respective risk scores can correspond to respective nodes of an event tree. The event tree and the determined risk scores can be used to determine risk estimates for a plurality of configurations of the network. The risk estimates for the plurality of configurations of the network can be used to reconfigure the network to reduce a risk from the cyber-attack.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: December 21, 2021
    Assignee: Battelle Memorial Institute
    Inventors: Arun Veeramany, William James Hutton, III, Siddharth Sridhar, Sri Nikhil Gupta Gourisetti, Garill A. Coles, Mark J. Rice, Paul M. Skare, David O. Manz, Jeffery E. Dagle, Stephen D. Unwin
  • Patent number: 11201876
    Abstract: A computer implemented method to identify malicious software in a computer system includes receiving an indication of a detection of malicious network traffic communicated via a computer network accessed by the computer system; identifying a software component involved in the malicious network traffic at the computer system; evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of the software component; and storing the measure of CFD for subsequent comparison with a second measure of CFD for a corresponding portion of a second software component in the computer system to identify the second software component as a software component involved in malicious network communication.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: December 14, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: George Kallos, Fadi El-Moussa
  • Patent number: 11196729
    Abstract: A method for distributing encrypted cryptographic data includes receiving, by a key service, from a first client device, a request for a first public key. The method includes transmitting, by the key service, to the first client device, the first public key. The method includes receiving, by the key service, from an access control management system, an encryption key encrypted with the first public key and a request from a second client device for access to the encryption key. The method includes decrypting, by the key service, the encrypted encryption key, with a private key corresponding to the first public key. The method includes encrypting, by the key service, the decrypted encryption key, with a second public key received from the second computing device. The method includes transmitting, by the key service, to the second client device, the encryption key encrypted with the second public key.
    Type: Grant
    Filed: May 19, 2021
    Date of Patent: December 7, 2021
    Assignee: Virtru Corporation
    Inventor: William R. Ackerly
  • Patent number: 11196730
    Abstract: Provided is a network-enabled method for creating an online account using a network of devices. The method comprises: receiving by an authentication system, a request to create an online account with an online server; generating a visual graphical code by the authentication system, which is displayed on a display screen and comprises a validation identity; acquiring image data of the visual graphical code from a user device with aid of optical detection apparatus, by capturing an image of the visual graphical code displayed on the display screen; processing the image data to extract the validation identity; based on the validation identity identifying an online service provider associated with the online server and user information categories associated with the online account; and based on identification information related to the user identifying the user, and the data to the online server for the online account with the online server.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: December 7, 2021
    Assignee: Trusona, Inc.
    Inventors: Ori Eisen, David Michael Kopack, Nikolas Mangu-Thitu
  • Patent number: 11184346
    Abstract: Aspects of providing single sign on (SSO) sessions are described. An access interval key is generated using an access code as a seed to a key derivative function. The access interval key is encrypted using a public key of an SSO-enabled application to generate an encrypted access interval key for a sign on session. The sign on session is established by storing the encrypted access interval key in a memory location of an SSO session map shared by SSO-enabled applications.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: November 23, 2021
    Assignee: VMWARE, INC.
    Inventors: Kishore Sajja, Lucas Chen, Raghuram Rajan, Anuj Panwar, Sandeep Naga Kaipu, Rajiv Singh
  • Patent number: 11182491
    Abstract: A method of limiting data usage for certified purposes by using functional encryption, comprising: receiving from a software publisher an application code and declared privacy information, the declared privacy information specifies at least one declared usage for at least one data type; analyzing the application's usage of data collected by the application, to identify an actual usage of the at least one data type by a function; identifying when the actual usage is compliant with the at least one declared usage according to the analysis; in response to the identification, creating a pair of a public key and a master private key; creating a function private key for the function using the master private key; and sending the function private key to the software publisher to be used for operating the function on data which is encrypted using the public key.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: November 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Abigail Goldsteen, Ron Shmelkin, Gilad Ezov, Muhammad Barham
  • Patent number: 11184352
    Abstract: The embodiments described herein relate generally to securely establishing an account and authentication metrics associated with a communication platform. An account associated with a communication platform may allow a user associated with the account to send and receive communications via the communication platform.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: November 23, 2021
    Assignee: The Western Union Company
    Inventors: Abhinav Gupta, Shankar Narayan
  • Patent number: 11184163
    Abstract: A value comparison server holds a first secret key and a plurality of tags corresponding to values, each of the plurality of tags is a ciphertext obtained by encrypting each of the values with an additive-homomorphic encryption scheme by using secret keys including the first secret key and a first parameter, a plaintext space has remainder operation with a natural number as modulo in the encryption scheme, and the value comparison server generates a value used for comparing two values corresponding to two tags included in the plurality of tags from the first secret key and the two tags by using the additive homomorphism; and determines which of the two values is greater or equal, on the basis of whether a discrete logarithm of the generated value to the first parameter can be calculated within a value of a predetermined range.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: November 23, 2021
    Assignee: HITACHI, LTD.
    Inventors: Hisayoshi Sato, Masayuki Yoshino, Ken Naganuma
  • Patent number: 11163865
    Abstract: A trusted computing method applicable in a computer device, a computer device, and a storage medium are provided. The method comprises: during a startup process of the computer device including first and second trusted computing chips, the first trusted computing chip performing a static measurement on the computer device to obtain a static measurement result, and sending the static measurement result to a verification center; and during operations of the computer device after startup of the computer device, the second trusted computing chip performing a dynamic measurement on the computer device to obtain a dynamic measurement result, and sending the dynamic measurement result and association evidence to the verification center, wherein the association evidence indicates that the first and the second trusted computing chips are disposed in the same computer device, and the verification center associates the two measurement results and verifies the integrity of a software system of the computer device.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: November 2, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Wuqiong Pan
  • Patent number: 11159502
    Abstract: A system and method include an encryptor, a decryptor, and a communication link. The encryptor includes a first processor and a first memory, and the decryptor includes a second processor and a second memory. The encryptor and the decryptor communicate data via the communication link. The encryptor and the decryptor are configured to: exchange public messages comprising keying materials, and calculate a common key based on the keying materials, first private modular integers known only to the encryptor, and second private modular integers known only to the decryptor. The keying materials disclosed in the public messages form an under-determined system of equations in variables of the first and the second private modular integers.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: October 26, 2021
    Assignee: University of North Dakota
    Inventor: Jun Liu
  • Patent number: 11144657
    Abstract: A system and method of providing a secure inter-domain data management platform based on blockchain technology allows a user to access files of one or more organizations based on the credentials of the user. The system includes at least one remote server and a network of computing nodes. The remote server is used to manage at least one group. The at least one group may be one or more intelligence or government organizations. The at least one group includes a plurality of member accounts. Each member account includes a member access level. The network of computing nodes is used to manage a blockchain system and to store a plurality of files. Each file includes a file access level. A user with a member account can access a file in accordance to the member access level of the member account and the file access level of the file.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: October 12, 2021
    Assignee: MOTION MATTERS INC.
    Inventors: Naquib Hatami, Zalmai Azmi
  • Patent number: 11144297
    Abstract: Embodiments described herein provide a system and method for secure delivery of assets to a trusted device. Multiple levels of verification are implemented to enable components of a software update and asset delivery system to verify other components within the system. Furthermore, updates are provided only to client devices that are authorized to receive such updates. In one embodiment, the specific assets provided to a client device during a software update can be tailored to the client device, such that individual client devices can receive updated versions of software asset at a faster or slower rate than mass market devices. For example, developer or beta tester devices can receive pre-release assets, while enterprise devices can receive updates at a slower rate relative to mass market devices.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: October 12, 2021
    Assignee: Apple Inc.
    Inventors: Dallas B. De Atley, Bailey E. Basile, Venkat V. Memula, Thomas P. Mensch, Robert M. Marini, David P. Remahl, Kelsey J. Skillman, Edward E. Thomas
  • Patent number: 11115220
    Abstract: A system and method wherein an authentication request to verify authentication information submitted to a first system in connection with a first request submitted to the first system is received from the first system. A response to the authentication request is generated that includes information usable by a second system to make, without communicating with the authentication system, based at least in part on the information and one or more cryptographic processes, a determination whether fulfillment of a second request from the first system is allowable under authority of the authentication system, with the determination being based at least in part on policy information included in the information that specifies one or more policies applicable to an identity that is associated with the first request. The response generated is provided to the first system.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: September 7, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Graeme David Baer