Abstract: A computing system that is configured to receive requests to send computer executable programs to a data owner system associated with a data source for execution of the computer executable program by the data owner system. The data owner system may store to a blockchain a permitted list of programming functions, function libraries, function syntax definitions, and execution environment requirements. The computing system may be further configured to retrieve the permitted lists. The computing system may be further configured to evaluate the computer executable program using the permitted lists to determine if the computer executable program may be executed by the data owner system. The evaluation may be performed by generating an abstract syntax tree of the computer executable program. The computing system may be further configured to send the computer executable program to the data owner system if the computer executable program satisfies the conditions of the permitted lists.

Abstract: An online identity can be verified based on data from multiple identity sources stored in a blockchain. For example, a request for a token is received from an entity for authenticating an online identity of the entity to an online service. The request can be stored in a blockchain that represents the online identity of the entity by adding a new block to the blockchain. The new block can include data indicating the request for the token. The token can be generated based on the one or more ordered blocks in the blockchain. The token can be transmitted to the entity. The token can be received from the online service. Confirmation of the online identity of the entity can be transmitted to the online service based on receiving the token from the online service.

Abstract: A marine vessel portable device registration system includes portable devices and a controller. A registered portable device transmits a specific wireless signal based on an input operation on a portable device operator. The controller is configured or programmed to receive the specific wireless signal from the registered portable device, and perform a control to authenticate and register an unregistered portable device as a new registered portable device based on having received a wireless signal from the unregistered portable device.

Abstract: In a system, computer-readable media and methods for secure ledger assurance tokenization (SLAT), a block content of a first blockchain is audited, which includes accessing, by a request circuit of a SLAT computing system, a retrievably stored cross-reference content and generating an audit result. Generating an audit result includes evaluating, by a SLAT circuit of the SLAT computing system, the cross-reference content such that the audit result is informed at least by the cross-reference content. The audit result is included in a secure ledger assurance token generated by a SLAT generation circuit of the SLAT computing system and stored relationally to the block content of the first blockchain.

Abstract: Systems and methods include obtaining unused user accounts associated with a cloud application where an unused user account is one where a corresponding user has not accessed the cloud application in a certain period of time; determining a subset of the unused user accounts that are abnormal user accounts, wherein an abnormal user account is one that is anomalous compared to similar users; scoring and ranking the unused and abnormal user accounts; and remediating a set of the ranked unused and abnormal user accounts.

Abstract: A phytosanitary treatment blockchain is generated from automatically gathered phytosanitary treatment records. The phytosanitary treatment records are generated by matching authenticated treatment data with authenticated identification data. Matching may be based on geolocation, timestamps, or both. Authentication may be based on digital signatures using private key encryption. Separate treatment sensors and identification sensors automatically gather information about a phytosanitary treatment and the item being treated. The gathered information is encrypted and transmitted to blockchain members that perform authentication, matching, and generation of the phytosanitary treatment blockchain. A tracking code may be issued for each treatment. The tracking code is used to obtain an authentication of the treatment that indicates whether the treatment passed or failed.

Abstract: Dynamic segmentation of network traffic through the use of Pre-Shared Keys (PSKs). Each defined network segment uses a different pre-shared key and a message authentication code (MAC)-signing algorithm to sign data packets with segment-specific MACs. As such, only those computer hosts/nodes that are in the network segment (i.e., have been assigned the same pre-shared key for generating and decoding the MAC signed data packets) are capable or reading the segment's network traffic. By implementing segment-specific MAC signed data packets, the present invention allows for confidential data transmission absent the need to encrypt the actual contents/data being transmitted.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or hypervisor fingerprinting. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a CPU ID instruction handler (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it). The CPU ID instruction handler may perform processing, inter alia, to return configurable values different from the actual values for the physical hardware. The virtualization assistance layer may further contain virtual devices, which when probed by guest operating system code, return the same values as their physical counterparts.

Abstract: Methods, systems, articles of manufacture and apparatus to privatize consumer data are disclosed. A disclosed example apparatus includes a consumer data acquirer to collect original data corresponding to (a) confidential information associated with consumers and (b) behavior information associated with the consumers, and a data obfuscator. The data obfuscator is to determine a degree to which the original data is to be obfuscated and a type of obfuscation to be applied to the original data based on the original data, generate obfuscation adjustments of the original data based on the degree and the type, and generate an obfuscation model based on the obfuscation adjustments.

Abstract: A recording medium storing a program for causing a computer to execute processing including: creating first and second partial certificate information from certificate information that includes attribute information of a signer and certification information used to certify the attribute information, based on a data amount of an electronic document, in response to a signing request for the electronic document; generating an electronic signature for the electronic document and the first partial certificate information; attaching the generated electronic signature to the electronic document and the first partial certificate information, and transmitting the electronic document and the first partial certificate information with the electronic signature attached to a submission source of the electronic document; and transmitting the second partial certificate information to a verification device that verifies authenticity of the certificate information, using another route different from a route that connects the

Abstract: A client device is configured to receive user-input and provide user-output to a client-user. A service provider is configured to serve a network-provided service for authorized users. An identity provider is configured to: maintain authorization information for the network-provided service and generate a permission-object that i) specifies that the client-user is an authorized user of the network-provided service and ii) may include an access-override field that specifies a network address of a remote browser isolation (RBI) host. The system also includes the RBI host configured to access the network-provided service; run the network-provided service in an isolation environment to generate a graphic user interface (GUI); provide a visual reproduction of the GUI to the client device; receive browser-input from the client device; and apply the browser-input to the running network-provided service.

Abstract: This disclosure is directed to a computing system that performs techniques relating to the secure storage, maintenance, and retrieval of data. Techniques described in this disclosure may prevent, limit, or otherwise insulate the data from unauthorized access by hackers, rogue devices, and unauthorized users. In some examples, a computing system may store a file by fracturing the file into multiple data blocks, encrypting the data blocks or the data stored within the data blocks, and storing the data blocks in scattered locations on a network. Further, the computing system may occasionally move at least some of the stored data blocks, and may, upon moving such data blocks, reencrypt the moved data blocks with a different encryption key. Still further, the computing system may inject fake data and/or fake data blocks into the system.

Abstract: A system for detecting anomalous user interactions with a computing resource a processor and a memory communicatively coupled to the processor and configured with instructions, which cause the processor to perform operations including receiving a request to monitor interactions of a user with the computing resource, obtaining first event data first event data that includes information that is indicative of first interactions of the user with the computing resource prior to receiving the request and obtaining second event data that includes information that is indicative of second interactions of the user with the computing resource after receiving the request. The operations further include determining, based on the first event data and the second event data, whether a deviation between the first interactions and the second interactions satisfies an indicated criteria. The operations additionally include generating a security alert based on the determination.

Abstract: Embodiments described include systems and methods for management and pre-establishment of network application and secure communication sessions. Session logs may be analyzed to identify an application or secure communication sessions likely to be accessed, and prior to receiving a request to establish the session, an intermediary (e.g. another device such as an intermediary appliance or other device, or an intermediary agent on a client such as a client application) may pre-establish the session, performing any necessary handshaking or credential or key exchange processes. When the session is subsequently requested (e.g. in response to a user request), the system may immediately begin using the pre-established session. This pre-establishment may be coordinated within the enterprise providing load balancing and scheduling of session establishment to prevent large processing loads at any one point in time.

Abstract: Systems, devices, media, and methods are presented for determining a level of abusive network behavior suspicion for groups of entities and for identifying suspicious entity groups. A suspiciousness metric is developed and used to evaluate a multi-view graph across multiple views where entities are associated with nodes of the graph and attributes of the entities are associated with levels of the graph.

Abstract: Aspects of the present disclosure relate to systems and methods for partitioning an OS or hypervisor utilized on a computing device from the process of proxy control. For example, a proxy may be installed on a separation kernel or firmware on a computing device that routes all data traffic received via a network connection to a cloud which performs various services such as IP reputation management, URL reputation detection and validation, malicious file filtering through potential malware detection.

Abstract: Apparatuses, systems, and methods of the present disclosure may provide access security in a process control system. For example, current biometric data representative of a user may be acquired and compared to stored biometric data representative of previously identified users. Access to the process control system may be authorized when the current biometric data matches stored biometric data.

Abstract: Computer-implemented systems, method and products configured for providing one or more restriction groups in a content management system are provided. One or more restriction marks may be associated with the one or more restriction groups. At least a first restriction mark may be associated with a first restriction group. The first restriction mark may be assigned to a first content item stored in the content management system, in response to determining that the first content is associated with the first restriction group, the first content item being associated with metadata indicating user access permissions according to the first restriction mark and a security classification. The metadata associated with the first content item may be updated based on the assignment of the first restriction mark to the first content item to allow or limit user access to the first content item.

Abstract: Methods and systems for detecting and responding to an intrusion in a computer network include generating an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples. The original and adversarial samples are encoded to generate respective original and adversarial graph representations, based on node neighborhood aggregation. A graph-based neural network is trained to detect anomalous activity in a computer network, using the adversarial training data set. A security action is performed responsive to the detected anomalous activity.