Patents Examined by Jahangir Kabir
  • Patent number: 11966472
    Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: April 23, 2024
    Assignee: Bank of America Corporation
    Inventors: Dan E. Summers, Jeffrey Texada, Matthew E. Kelly, Steven Dimaria
  • Patent number: 11962687
    Abstract: A method including at each of a number of client devices receiving a data item, receiving a public key from a second computing system, encrypting the data item using the public key to produce a singly encrypted data item, engaging in an oblivious pseudorandom function protocol with a first computing system using the singly encrypted data item to produce a seed, generating an encrypted secret share using a threshold secret sharing function under which the encrypted secret share cannot be decrypted until a threshold number of encrypted secret shares associated with the same singly encrypted data item are received, and transmitting the encrypted secret share to the first computing system and at the first computing system receiving a number of encrypted secret shares from the number of client devices, processing the number of encrypted secret shares to produce processed data, and transmitting the processed data to a second computing system.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: April 16, 2024
    Assignee: Google LLC
    Inventors: Sarvar Patel, Marcel M. M. Yung, Gang Wang, Karn Seth, Mariana Raykova, Benjamin R. Kreuter, Ananth Raghunathan
  • Patent number: 11954238
    Abstract: Systems and methods for role-based access control for a storage system are described. An illustrative method includes an access control system identifying, based on a role of a user requesting access to the storage system, a permission of the role to access a resource type; determining, based on the resource type and on a mapping of resources of different secured endpoints of the storage system to resource types, a set of resources of the storage system that the role has permission to access; identifying a subset of the set of resources of the storage system that the user is authorized to access; and granting the user role-based access to the subset of the set of resources of the storage system.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: April 9, 2024
    Assignee: Pure Storage, Inc.
    Inventors: Yu Tan, Shiva Ankam, Hongbin Li, Ziyuan Song
  • Patent number: 11954217
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: April 9, 2024
    Assignee: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 11949683
    Abstract: A method for granting guest access to a control device includes detecting, by a monitoring control unit, a new connection of a guest device to a network, transmitting, by the monitoring control unit and to an authorized device, a request to grant access to the guest device to control a monitoring system, in response to the request, receiving, by the monitoring control unit, approval to grant access to the guest device to control the monitoring system, and in response to the approval, transmitting, by the monitoring control unit and to the guest device, (i) data that allows the guest device to access a web service and (ii) a temporary authentication token.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: April 2, 2024
    Assignee: Alarm.com Incorporated
    Inventors: William Wireko Mensah, Margarita Elena Bottlick, Ashish Sethi
  • Patent number: 11949747
    Abstract: A fraud detection system may obtain a number of known fraudulent end-user profiles and/or otherwise undesirable end-user profiles. Using statistical analysis techniques that include clustering the end-user profiles by attributes and attribute values and/or combinations of attributes and attribute values, the fraud detection system identifies on a continuous, periodic, or aperiodic basis those attribute values and/or attribute value combinations that appear in fraudulent or otherwise undesirable end-user profiles. Using this data, the fraud detection system generates one or more queries to identify those end-user profiles having attribute values or combinations of attribute values that likely indicate a fraudulent or otherwise undesirable end-user profile.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: April 2, 2024
    Assignee: PLENTYOFFISH MEDIA ULC
    Inventors: Thomas Levi, Steve Oldridge
  • Patent number: 11947693
    Abstract: Disclosed embodiments relate to systems and methods for securely provisioning sensitive data elements to virtualized execution instances. The techniques may include: identifying a request to provision a new virtualized execution instance; determining, in association with the request, that the new virtualized execution instance will require a prohibited data element in order to communicate with a target network resource; without providing the new virtualized execution instance the prohibited data element, registering the new virtualized execution instance; identifying a request from the new virtualized execution instance to communicate with the target network resource; performing a verification process for the request to communicate with the target network resource; and conditional on the verification process, provisioning the prohibited data element to the new virtualized execution instance.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: April 2, 2024
    Assignee: CyberArk Software Ltd.
    Inventors: Nimrod Stoler, Lavi Lazarovitz
  • Patent number: 11941113
    Abstract: A known-deployed file metadata repository (KDFMR) and analysis engine enumerates reference lists of files stored on a software delivery point (SDP) and compares the enumerated list of files and associated metadata to previously stored values in the KDFMR. If newly stored or modified files are identified, the analysis engine acquires the files from the SDP. Each file is analyzed to determine whether the file is an atomic file or a container file and metadata is generated or extracted. Each file stored in a container file is recursively extracted and analyzed, where metadata is generated for each extracted file and each container file. The KDFMR periodically analyzes the files stored on the SDP for differences to maintain the currency of the KDFMR data with respect to files stored on the SDP. Storage or modification of files on the SDP triggers analysis of the associated file. KDFMR data is updated with metadata determined based on sandbox detonation of files and/or identified artifacts of known-deployed files.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: March 26, 2024
    Assignee: Bank of America Corporation
    Inventors: Dan E. Summers, Jeffrey Texada, Matthew E. Kelly, Steven Dimaria
  • Patent number: 11936643
    Abstract: The present disclosure relates to the exchange of information between a message sending device and a message receiving device with message authentication and proposes to reduce the time required for message authentication by pre-computing a message tag, such as a MAC, and subsequently replacing the computation of the MAC when the tag is to be validated (or indeed also on sending) by a table look-up. The approach requires a set of messages and works particularly well for small sets of messages, for example as small as two or three messages, or less than five or ten messages. The approach finds particular application in control networks where control decisions have to be taken quickly and securely, for example in the control of a vehicle, for example an autonomous vehicle, or the control of a smart electricity grid.
    Type: Grant
    Filed: August 14, 2019
    Date of Patent: March 19, 2024
    Assignee: NAGRAVISION SARL
    Inventor: Brecht Wyseur
  • Patent number: 11936633
    Abstract: Described herein are systems, methods, and software to manage private networks for computing elements. In one example, a computing element may obtain credential information associated with a user and generate a public-private key pair for the computing element. The computing element may further communicate the public key from the pair with metadata to a coordination service to register the computing element at the coordination service. Once registered, the computing element may receive communication information associated with one or more other computing elements that permit the computing element to communicate with the other computing elements.
    Type: Grant
    Filed: February 3, 2023
    Date of Patent: March 19, 2024
    Assignee: Tailscale Inc.
    Inventors: David F. Carney, Avery Pennarun, David Crawshaw
  • Patent number: 11936692
    Abstract: The present disclosure relates to techniques for remediating data assets stored on one or more software as a service (SaaS) platforms from a centralized security enforcement platform. An integration component is configured to integrate SaaS accounts with the security enforcement platform. The security enforcement platform enables users to create remediation policies that target specified data assets stored on the SaaS accounts. In some scenarios, the automated remediation functions can be executed to perform bulk remediation on large-scale data assets while handling inheritance issues in full.
    Type: Grant
    Filed: August 29, 2023
    Date of Patent: March 19, 2024
    Assignee: DOCONTROL, INC.
    Inventors: Adam Gavish, Liel Ran
  • Patent number: 11934164
    Abstract: A method, implemented in a device, for remote resetting of the device to factory default settings, the device comprising an electric circuit adapted to carry out the factory default reset and a secure processing and storage environment, SPSE, the method comprising: receiving, at the SPSE, a request to reset the device to factory default settings and a challenge associated with the request, wherein the request and the challenge are received via a network; initiating, by the SPSE, a reset to factory default settings of the device by communicating with the electric circuit via a communication channel; and sending, by the SPSE, a confirmation via the network, wherein the confirmation includes a response to the challenge as produced by the SPSE and an attestation report, the attestation report being a declaration by the SPSE that the reset to factory default settings is initiated or carried out.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: March 19, 2024
    Assignee: AXIS AB
    Inventors: Sebastian Hultqvist, Axel Keskikangas
  • Patent number: 11928243
    Abstract: An example of a method for detecting hacking activities includes categorizing a plurality of web pages of a web site providing bank services using a trained semantic model. The trained semantic model uses at least one resource identifier of a web page as an input and generates a web page category as an output. One or more attributes of an interaction between a user and bank services are identified. The one or more identified attributes are analyzed by comparing the one or more identified attributes with attributes known to belong to hacking interactions based on a corresponding web page category. Hacking activity is identified based on the results of the analysis.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: March 12, 2024
    Assignee: AO Kaspersky Lab
    Inventor: Sergey N. Ivanov
  • Patent number: 11924325
    Abstract: Techniques are presented for controlling or influencing use of and/or access to a resource. This resource may be a device, such as an IoT (Internet of Things) device or a process. Techniques include a method comprising generating a blockchain transaction (TxA) indicative of a condition on use of, or access to, the resource for a specified period of time, the blockchain transaction comprising a multi-signature script requiring a plurality of signatures for completion of the blockchain transaction; providing a first subset of the plurality of signatures to the blockchain transaction (TxA) to generate a partially signed signature script to partially complete the blockchain transaction (SI 14); and responsive to the condition on the use of, or access to, the resource being satisfied, providing a second subset of the plurality of signatures (S204) to the blockchain transaction to fully complete the blockchain transaction.
    Type: Grant
    Filed: April 17, 2022
    Date of Patent: March 5, 2024
    Assignee: nChain Licensing AG
    Inventors: Stephane Vincent, Craig Steven Wright
  • Patent number: 11899830
    Abstract: A method may include detecting a keylogger based at least in part on an increase in power drawn by an input device, detecting the keylogger based at least in part on a driver of the input device, detecting the keylogger based at least in part on a duration of time that a signal generated by the input device takes to transmit to a computing device, or any combination thereof. The method may also include, in response to detecting the keylogger, generating an alert to indicate a presence of the keylogger.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: February 13, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Ashley Raine Philbrick, Ryan Thomas Russell, David Joaquin Harris
  • Patent number: 11895120
    Abstract: Enterprise applications need to store and evaluate permissions on a per User, per Entity and per Action basis for hundreds of Users and thousands of permissions. Most of the time, this data takes up to 5 database tables to store the Role Based Access Control (RBAC) permissions. Selecting permissions for a user from the database consumes time while any User attempts to perform any Action. Sometimes the time taken to check permission is more than the time taken to perform the required Action. Thus the current approaches for RBAC are inefficient in all—computation TIME, runtime MEMORY and database STORAGE. Binary arithmetic is known for being vast in scalability, smallest in memory and fastest in speed. This paper describes a new method which uses binary data structure and binary arithmetic to accurately check User permissions. We also claim that this method is the most scalable and fastest possible for Role Based Access Control.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: February 6, 2024
    Inventors: Vivek Kapoor, Upendra Kumar Jariya, Vrinda Tokekar
  • Patent number: 11888841
    Abstract: In some implementations, a server device may receive, from a first device, a credential and a request to access a resource. The server device may transmit, to a second device associated with the credential, an image that includes a first symbol composed of a set of elements. The server device may receive, from the first device, information associated with a second symbol formed via user interaction with a user interface of the first device. The second symbol may be formed by dragging elements, presented via the user interface, to an area of the user interface in which the second symbol is to be formed, or drawing elements in the area of the user interface in which the second symbol is to be formed. The server device may grant or deny access to the resource based on the first symbol and the information associated with the second symbol.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: January 30, 2024
    Assignee: Capital One Services, LLC
    Inventor: Vanck Zhu
  • Patent number: 11888842
    Abstract: A communication management system provides a cognition test electronically to control access to an account. A test implementer includes a graphical user interface. One or more processors are configured to administer the cognition test by: displaying a plurality of image components on the graphical user interface such that each image component of the plurality of image components moves along a respective movement path within the graphical user interface; receiving an input via the graphical user interface; comparing the input to a solution value for the cognition test, wherein the solution value is based on the plurality of image components; blocking access to a protected account based on the input not correlating to the solution value; and allowing access to the protected account based on the input correlating to the solution value.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: January 30, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventor: Wei Pan
  • Patent number: 11882114
    Abstract: In IP communication, an authentication code AC1 uniquely generated by a receiving-side communication device 1b is sent to an originating-side communication device 1a (S1, S2), and stored in the originating-side communication device (S3). Packets in which the stored authentication code is embedded are sent to the receiving-side communication device 1b on connection from the originating-side communication device 1a to the receiving-side communication device 1b (S4), and it is determined at the receiving-side communication device whether the originating-side communication device is true or false depending on if the authentication code sent from the receiving-side communication device is contained in the packets received from the originating-side communication device or not (S5).
    Type: Grant
    Filed: May 14, 2020
    Date of Patent: January 23, 2024
    Assignee: KOGA ELECTRONICS CO., LTD.
    Inventor: Tadashi Nakanuma
  • Patent number: 11880451
    Abstract: Systems, methods, and software can be used for securing injected codes of a browser plugin. One example of a method includes establishing a code package to be injected into a web page. The code package comprises at least one element, and the at least one element includes a first script to be executed before executing a code of the web page. The method further includes injecting the at least one element to the web page to execute the first script. The execution of the first script comprises generating a script element comprising one or more secrets. The method further comprises appending the script element to the web page and deleting the script element from the web page.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: January 23, 2024
    Assignee: BlackBerry Limited
    Inventor: Nick Ehli Cano