Patents Examined by Jung W Kim
  • Patent number: 10956583
    Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for multi-phase protection of digital content. For instance, in one example, a method includes receiving a request for digital content from a client device, initiating a digital content protection process comprising a plurality of phases, where each phase of the plurality of phases includes verifying credentials provided by the client device, delivering a plurality of seeds to the client device, wherein each individual seed of the plurality of seeds is delivered to the client device upon a successful completion of one phase of the plurality of phases, encrypting the digital content, using an encryption key derived using the plurality of seeds, to generate encrypted content, and delivering the encrypted content to the client device.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: March 23, 2021
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Xin Wang, Raynold Kahn, Luan Le-Chau
  • Patent number: 10951656
    Abstract: Methods, apparatus and articles of manufacture to use artificial intelligence to define encryption and security policies in a software defined data center are disclosed. Example apparatus include a language parser to parse a natural language statement into a policy statement that defines a distributed network encryption policy or a distributed network security policy. Example apparatus also include a comparator to compare the policy statement to a set of reference policy templates and a template configurer to select a first policy template from the set of reference policy templates in response to the comparator determining the first policy template corresponds to the policy statement. A policy distributor distributes a policy rule defined by the first policy template for enforcement at network nodes of a software defined data center. The policy rule is a distributed network encryption policy rule or a security policy rule.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: March 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Gang Xu, Xinghua Hu, Yong Wang, Shadab Shah, Sharath Bhat, Yashika Narang
  • Patent number: 10943022
    Abstract: Methods, systems, and computer program products are described herein for the classification, tagging, and protection of data objects. Such techniques may be imposed on the data objects automatically regardless of whether the data objects are created/generated/interacted/downloaded/uploaded/accessed on the cloud-based environments and/or on-premises environments. The foregoing techniques are orchestrated from a centralized policy that is treated uniformly regardless of the data objects' environment. Once a data object is identified, it is classified based on multiple criteria and a tag is associated therewith. An enforcement action may be applied to the data objects based on a defined policy. The tag attached to the data object may be used to search for related audit logs that track accesses to the data object. By associating the tag and protection persistently, data object(s) are treated uniformly (i.e., in the same manner) regardless of what environment it is in.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: March 9, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ami Menachem Luttwak, Yuval Eldar
  • Patent number: 10944793
    Abstract: A device may receive first information associated with a set of security rules. The first information may identify a set of security actions a device is to implement when the set of security rules applies to traffic. The device may determine a manner in which the set of security rules is to apply using the first information. The device may determine whether the manner in which the set of security rules is to apply and an intent of a network security policy or a manner in which a set of previously defined security rules is to apply match to determine whether the set of security rules conflicts with the network security policy or whether the set of security rules and the set of previously defined security rules are related. The device may perform an action.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: March 9, 2021
    Assignee: Juniper Networks, Inc.
    Inventors: Srinivas Nimmagadda, Rakesh Kumar, Prakash T. Seshadri
  • Patent number: 10938843
    Abstract: A mechanism is provided for controlling execution of a computer program. An execution of unallowed software may be prohibited. Structural elements of a graphical user interface of the computer program are detected. The detected structural elements are compared with a stored signature, each signature comprising structural elements of a graphical user interface of allowed computer programs. Upon not finding a matching signature among the stored signatures when comparing, further executing of the computer program is inhibited.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: March 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Piotr P. Godowski, Bartlomiej T. Malecki, Krzysztof Pienkowski, Artur K. Zezula
  • Patent number: 10938780
    Abstract: Different database deployments, or other data system deployments, may want to communicate with each other without sacrificing security or control. To this end, embodiments of the present disclosure may provide secure message exchange techniques for a source and/or target deployment. Configurable rule sets may be stored in the deployments; the rule sets may define what messages may be communicated between deployments. The deployments may implement a selective filtering scheme in one or more stages based on the rule sets to filter outgoing and/or incoming messages.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: March 2, 2021
    Assignee: Snowflake Inc.
    Inventors: Robert Bengt Benedikt Gernhardt, Mikhail Kazhamiaka, Nithin Mahesh, Eric Robinson
  • Patent number: 10924512
    Abstract: Examples described herein include systems and methods for providing secure access to an email server. A gateway server can receive a request for email notification information from a notification server and parse the request to identify at least one user device associated with the request. The gateway server can then determine whether the identified devices comply with any applicable compliance rules, for example by requesting a compliance status from a management server at which the identified devices are enrolled. If at least one of the identified devices is in compliance, the gateway can pass the request through to the email server. The gateway can then receive a response from the email server and provide it to the notification server.
    Type: Grant
    Filed: March 7, 2018
    Date of Patent: February 16, 2021
    Assignee: VMware, Inc.
    Inventors: Ruben Nieves, Ian Ragsdale, Evan Hurst, Martin Kniffin, Manish Kumar
  • Patent number: 10915624
    Abstract: A method for determining behavior information corresponding to a dangerous file in a computer device includes running the dangerous file in a virtual environment of the computer device when detecting existence of the dangerous file, wherein the virtual environment comprises at least one virtual API identical to at least one real API in a real environment of the computer device; and monitoring behavior(s) of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file. According to the solution of the present disclosure, disruptive behaviors of a dangerous file do not need to be analyzed manually, and the behavior information of the dangerous file can be quickly obtained in a virtual environment, thereby allowing the real system of the computer device to be quickly and comprehensively repaired.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: February 9, 2021
    Assignee: Baidu Online Network Technology (Beijing) Co., Ltd.
    Inventors: Keming Qian, Mingqiang Guo
  • Patent number: 10909248
    Abstract: A secure boot mechanism is described. The secure boot mechanism can operate in environments not originally designed to support such a mechanism. Downstream boot components can be executed from an encrypted boot partition. A first stage boot loader (FSBL) can load a second stage boot loader (SSBL) from an encrypted disk partition. The FSBL can decrypt and load the SSBL. The FSBL can intercept all I/O initiated by the SSBL so that the SSBL can transparently operate on an encrypted disk partition as though the encrypted disk were unencrypted.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: February 2, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Michael Eugene Brasher, Nicholas Harvey Meier
  • Patent number: 10904017
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing blockchain-based centralized ledger systems. One of the methods includes transmitting a timestamp request for a to-be-timestamped block of a blockchain at a time point to a trust time server by a ledger server in a blockchain-based centralized ledger system that stores data in the blockchain, the trust time server being associated with a trust time authority and independent from the blockchain-based centralized ledger system, the blockchain including a plurality of blocks storing transaction data, and disregarding the timestamp request in response to determining that a predetermined time period has lapsed after the time point and that there has been no reply to the timestamp request from the trust time server.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: January 26, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yize Li, Yuan Zhang, Wenyuan Yan, Benquan Yu, Xinying Yang
  • Patent number: 10896029
    Abstract: The disclosure relates to a method for constructing a graph data structure as an intermediate representation of source code for a compiler configured for compiling the source code into executable machine code running on a processor of a computer system, wherein program operations of the source code are represented in an object-oriented programming language by objects of classes that form a hierarchy growing from a base node class of the graph data structure, the method comprising: producing new nodes of the graph data structure by calling factory methods associated with existing nodes of the graph data structure based on a factory method design pattern implemented in the nodes of the graph data structure, wherein the nodes of the graph data structure are identified by symbols; and using the symbols as proxies of the nodes of the graph data structure according to a proxy design pattern.
    Type: Grant
    Filed: January 22, 2016
    Date of Patent: January 19, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Alexander Vladimirovich Slesarenko, Anton Yurievich Orlov, Hongbo Zhang
  • Patent number: 10891146
    Abstract: A data processing system operates in a plurality of modes including a first privilege mode and a second privilege mode with the first privilege mode giving rights of access that are not available in the second privilege mode. Application code executes in the second privilege mode and generates function calls to hypervisor code which executes in the first privilege mode. These function calls are to perform a secure function requiring the rights of access which are only available in the first privilege mode. Scheduling code which executes in the second privilege mode controls scheduling of both the application code and the hypervisor code. Memory protection circuitry operating with physical addresses serves to control access permissions required to access different regions within the memory address space using configuration data which is written by the hypervisor code.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: January 12, 2021
    Assignee: ARM IP Limited
    Inventors: Milosch Meriac, Hugo John Martin Vincent, James Crosby
  • Patent number: 10877816
    Abstract: A method includes obtaining a plurality of tasks, where certain tasks have a dependency relationship to other tasks. The method also includes arranging the tasks into multiple levels based on the dependency relationships between the tasks, each level having at least one task. The method further includes, for a particular level, determining a list of possible assignment scenarios of the at least one task of the level to multiple processing devices, determining a cost for each of the assignment scenarios, and selecting the assignment scenario having a lowest cost. Each assignment scenario includes an assignment of each of the at least one task of the level to one of the processing devices. The method also includes building a schedule by assigning the tasks to the processing devices based on the selected assignment scenarios.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: December 29, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Frank Z. Brill
  • Patent number: 10873450
    Abstract: The present disclosure relates to deriving cryptographic keys for use in encrypting data based on a plaintext to be encrypted. An example method generally includes receiving, from a querying device, a request for a cryptographic key. The request generally includes data derived from a plaintext value to be encrypted and an indication of a type of the plaintext value to be encrypted. A cryptographic key is generated based, at least in part, on the derived data and the type of the plaintext value to be encrypted. The key deriver transmits the generated cryptographic key to the querying device.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: December 22, 2020
    Assignee: INTUIT INC.
    Inventors: Gleb Keselman, Ernesto Nebel, Jeffery Weber, Noah Kauhane, Vinu Somayaji, Yaron Sheffer
  • Patent number: 10873569
    Abstract: A communication device for handling data transmission comprises instructions of configuring a first bearer and a second bearer according to at least one bearer configuration received from a network; encrypting a first packet of a first flow into a first encrypted packet according to an encryption key and a first bearer identity of the first bearer; receiving a second packet of the first flow from the network via the second bearer, before transmitting the first encrypted packet to the network successfully; transmitting the first encrypted packet to the network via the first bearer, after receiving the second packet; encrypting a third packet of the first flow into a second encrypted packet according to the encryption key and a second bearer identity of the second bearer in response to the second packet; and transmitting the second encrypted packet to the network via the second bearer.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: December 22, 2020
    Assignee: HTC Corporation
    Inventor: Chih-Hsiang Wu
  • Patent number: 10860352
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for managing data consumption rate in a virtual data processing environment. In a particular embodiment, a method provides, in a cache node of a host system, identifying read completions for one or more virtual machines instantiated in the host system, with the one or more virtual machines processing one or more processing jobs. The method further provides allocating the read completions to individual processing jobs of the one or more processing jobs and accumulating the read completions on a per-job basis, with the cache node determining a data consumption rate for each processing job of the one or more processing jobs.
    Type: Grant
    Filed: July 25, 2014
    Date of Patent: December 8, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Thomas A. Phelan, Joel Baxter
  • Patent number: 10860460
    Abstract: Systems and methods for managing Application Programming Interfaces (APIs) are disclosed. Systems may involve automatically generating a honeypot. For example, the system may include one or more memory units storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving, from a client device, a call to an API node and classifying the call as unauthorized. The operation may include sending the call to a node-imitating model associated with the API node and receiving, from the node-imitating model, synthetic node output data. The operations may include sending a notification based on the synthetic node output data to the client device.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: December 8, 2020
    Assignee: Capital One Services, LLC
    Inventors: Austin Walters, Jeremy Goodsitt, Vincent Pham, Kate Key
  • Patent number: 10860354
    Abstract: A data processing system operates in a plurality of modes including a first privilege mode and a second privilege mode with the first privilege mode giving rights of access that are not available in the second privilege mode. Application code executes in the second privilege mode and generates function calls to hypervisor code which executes in the first privilege mode. These function calls are to perform a secure function requiring the rights of access which are only available in the first privilege mode. Scheduling code which executes in the second privilege mode controls scheduling of both the application code and the hypervisor code. Memory protection circuitry operating with physical addresses serves to control access permissions required to access different regions within the memory address space using configuration data which is written by the hypervisor code.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: December 8, 2020
    Assignee: ARM IP Limited
    Inventors: Milosch Meriac, Hugo John Martin Vincent, James Crosby
  • Patent number: 10860355
    Abstract: This disclosure relates to managing user density in a virtual desktop infrastructure. The method includes installing a plurality of virtual machine agents on a plurality of virtual machines and at least one hypervisor agent on at least one hypervisor host. The method includes configuring each of the plurality of virtual machine agents and each of the at least one hypervisor agent to capture virtual machine management data from the plurality of virtual machines and the at least one hypervisor host. The method includes analyzing the virtual machine management data to determine a plurality of sets of common applications. The method includes creating a plurality of dedicated virtual desktops and a plurality of session sharable virtual desktops. One of the plurality of sets of common applications is installed on one of the plurality of session sharable virtual desktops and at least one unique application is installed on one of the plurality of dedicated virtual desktops.
    Type: Grant
    Filed: March 13, 2017
    Date of Patent: December 8, 2020
    Assignee: Wipro Limited
    Inventor: Narasimha Sekhar Kakaraparthi
  • Patent number: 10862689
    Abstract: Disclosed embodiments relate to verifying identities based on identity-inherent data that is inaccessible to the system. Techniques include receiving, from a client, an encrypted token, the encrypted token having been encrypted at the client using a cryptographic key created at the client based on identity-inherent data of an identity of the client; wherein the identity-inherent data of the identity is not itself received by the system, and wherein the cryptographic key is accessible only to the client; and storing the encrypted token in association with a hash of a decrypted version of the encrypted token to allow for comparing the stored hash with a created hash and determining whether to verify the identity based on a result of the comparing.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: December 8, 2020
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Evgeni Aizikovich, Boris Spivak, Michael Yavnilovich, Tal Kandel, Hadas Elkabir