Patents Examined by Kambiz Zand
  • Patent number: 11711212
    Abstract: A method includes receiving, in a data storage device, a request from a client computer for a portion of ciphertext stored in the data storage device, and providing, by a controller of the data storage device, the portion of the ciphertext to the client computer. The method also includes receiving, in the data storage device, an update token generated by the client computer from the portion of the ciphertext. The method further includes performing, by the controller of the data storage device, re-encryption of the ciphertext using the update token.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: July 25, 2023
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Foo Yee Yeo, Saravanan Nagarajan, Vipin Singh Sehrawat, Kian Beng Lim
  • Patent number: 11709944
    Abstract: An intelligent-adversary simulator can construct a graph of a virtualized instance of a network including devices connecting to the virtualized instance of the network as well as connections and pathways through the virtualized instance of the network. Running a simulated cyber-attack scenario on the virtualized instance of the network in order to identify one or more critical devices connecting to the virtualized instance of the network from a security standpoint, and then put this information into a generated report to help prioritize which devices should have a priority. During a simulation, the intelligent-adversary simulator calculates paths of least resistance for a cyber threat in the cyber-attack scenario to compromise a source device through to other components until reaching an end goal of the cyber-attack scenario in the virtualized network, all based on historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: July 25, 2023
    Assignee: Darktrace Holdings Limited
    Inventor: Carl Joseph Salji
  • Patent number: 11711394
    Abstract: Briefly, systems and methods for managing Internet of Things (IoT) devices provide platforms featuring an architecture for user and device authentication as well as IoT system self-healing.
    Type: Grant
    Filed: May 31, 2021
    Date of Patent: July 25, 2023
    Inventor: Jack Wolosewicz
  • Patent number: 11704446
    Abstract: An end-user computing device can include a theft detector that maintains a registered host device list containing identifiers of at least one registered host device. The theft detector can have root access to operations of the end-user device and the theft detector can provide a secure reboot request in response to detecting a possible theft condition. The end-user computing device can also include a boot loader that executes a secure reboot of the end-user device in response to a secure reboot request from the theft detector. The secure reboot of the end-user device resets the end-user device to prevent access to the end-user device.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: July 18, 2023
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventor: Veeramanikandan Raju
  • Patent number: 11706204
    Abstract: Systems and methods are provided for a media provider to allow a user to access media objects with a third-party partner that authenticates the user and authorizes the user to access certain media objects. The media provider offers access to media objects, such as video content or audio content. The partner, through a relationship with the media provider, similarly offers access to the media provider's media objects, for example, as a service or benefit to the partner's customers or users. In particular, a partner integration server mediates user authentication and authorization by the partner. The partner integration server also allows the media provider to easily and flexibly add and integrate additional partners.
    Type: Grant
    Filed: August 29, 2022
    Date of Patent: July 18, 2023
    Assignee: NBA Properties, Inc.
    Inventors: Kenneth DeGennaro, Hector Arguelles Menendez, Christopher Quansah Benyarko, Edwin Edem Akrong
  • Patent number: 11706235
    Abstract: A method, in particular a computer-implemented method, for processing data of a technical system. The method includes the following steps: ascertaining first pieces of information which are associated with a data traffic of the system, and ascertaining metadata associated with the data traffic of the system based on the first pieces of information.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: July 18, 2023
    Assignee: ROBERT BOSCH GMBH
    Inventors: Paulius Duplys, Philipp Jung
  • Patent number: 11700270
    Abstract: Cyberattacks are rampant and can play a major role in modern warfare, particularly on widely adopted platforms such as the MIL-STD-1553 standard. To protect a 1553 communication bus system from attacks, a trained statistical or machine learning model can be used to monitor commands from a bus controller of the 1553 communication bus system. The statistical and/or machine learning model can be trained to recognize communication anomalies based at least on the probability distribution of patterns of one or more commands. The statistical model can be a stochastic model such as a Markov chain that describes a sequence of possible commands in which the probability of each command depends on the occurrence of a group of one or more commands.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: July 11, 2023
    Assignee: THE AEROSPACE CORPORATION
    Inventors: Mohammad Mozumdar, Philip A. Dafesh
  • Patent number: 11700282
    Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, a computing device is detected on a network. A network hyper context is assigned to the computing device based on network properties and computing device properties associated with the computing device. A policy defining a segment identifier identifying a network segment and corresponding to the network hyper context is accessed. The segment identifier is assigned to the computing device. The computing device is segmented onto the network responsive to detecting the computing device.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: July 11, 2023
    Assignee: NETSKOPE, INC.
    Inventors: Srinivas Akella, Arun Kumar Dheena
  • Patent number: 11700253
    Abstract: A method for an access network of a telecommunications network includes: in a first step, a first authentication, authorization and accounting (AAA)-related message is sent by an authentication server entity and received by an access orchestrator entity, the first AAA-related message comprising: at least one standardized message attribute according to an access protocol; and at least one vendor-specific message attribute; in a second step, subsequent to the first step, the access orchestrator entity sends a second AAA-related message to a service edge entity, the second AAA-related message solely comprising the at least one standardized message attribute according to the access protocol; and in a third step, subsequent to the first step and prior to, during or after the second step, the access orchestrator entity sends at least one third AAA-related message to the service edge entity, the at least one third AAA-related message corresponding to a message according to an application programming interface (API)
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: July 11, 2023
    Assignee: DEUTSCHE TELEKOM AG
    Inventors: Fabian Schneider, Holger Metschulat
  • Patent number: 11693793
    Abstract: There is provided a method of communication among at least two processes running on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: July 4, 2023
    Assignee: KAZUAR ADVANCED TECHNOLOGIES LTD.
    Inventors: Daniel Mondy Finchelstein, Yuval Moshe Porat, Erez Gal-Betzer, Yaacov Fenster
  • Patent number: 11695802
    Abstract: Integrated controls frameworks are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for using an integrated control framework for an application comprising a plurality of application modules may include: (1) defining an application profile, an application model, and a target cloud environment for an application; (2) identifying a plurality of security, resiliency, and controls requirements for the target cloud environment; (3) configuring a plurality of security controls for the application based on the plurality of security, resiliency, and controls requirements; and (4) deploying the security controls to the target cloud environment.
    Type: Grant
    Filed: August 20, 2020
    Date of Patent: July 4, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Mark F. Novak, Todd Hrycenko, Roy E. Crowder, III, Marshall C. McCain
  • Patent number: 11689515
    Abstract: A method includes storing first authentication information and second authentication information, the first authentication information being information for a user to access a first information processing device, the second authentication information including third authentication information and fourth authentication information, the third authentication information being information for the user to access a second information processing device, and the fourth authentication information being information for the user to access a third information processing device; acquiring first index information from the second information processing device based on the third authentication information; acquiring second index information from the third information processing device based on the fourth authentication information; and generating a list including the first index information with a first indication, and the second index information with a second indication different from the first indication.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: June 27, 2023
    Assignee: Ricoh Company, Ltd.
    Inventors: Satoru Hirakata, Ryoh Shimomoto, Shinya Mukasa, Teruaki Takahashi
  • Patent number: 11687671
    Abstract: This patent disclosure provides various verification techniques to ensure that anonymized surgical procedure videos are indeed free of any personally-identifiable information (PII). In a particular aspect, a process for verifying that an anonymized surgical procedure video is free of PII is disclosed. This process can begin by receiving a surgical video corresponding to a surgery. The process next removes personally-identifiable information (PII) from the surgical video to generate an anonymized surgical video. Next, the process selects a set of verification video segments from the anonymized surgical procedure video. The process subsequently determines whether each segment in the set of verification video segments is free of PII. If so, the process replaces the surgical video with the anonymized surgical video for storage. If not, the process performs additional PII removal steps on the anonymized surgical video to generate an updated anonymized surgical procedure video.
    Type: Grant
    Filed: July 20, 2021
    Date of Patent: June 27, 2023
    Assignee: Verb Surgical Inc.
    Inventors: Jagadish Venkataraman, Pablo Garcia Kilroy
  • Patent number: 11689524
    Abstract: Aspects of the disclosure relate to preventing unauthorized access to secured information systems. A computing platform may receive, from an end user desktop computing device, a request to login to a user account associated with a user account portal. In response to receiving the request, the computing platform may generate an authentication token in an authentication database and may send a notification to at least one registered device linked to the user account. After sending the notification, the computing platform may receive, from the at least one registered device, an authentication response message. If the authentication response message indicates that valid authentication input was received, the computing platform may update the authentication token to indicate that the request to login to the user account has been approved. After updating the authentication token, the computing platform may provide, to the end user desktop computing device, access to a portal interface.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: June 27, 2023
    Assignee: Bank of America Corporation
    Inventors: Ashish Arora, Muniraju Jayaramaiah, Xianhong Zhang
  • Patent number: 11689572
    Abstract: Various embodiments of the present technology can include systems, methods, and non-transitory computer readable media configured to receive information about a plurality of regions contained within a hierarchy of a computer network environment, wherein the plurality of regions are assigned respective prime numbers. A first prime number assigned to a first region of the plurality of regions is determined. A second prime number assigned to a second region of the plurality of regions, wherein the second prime number is different from the first prime number is determined. A nearest common region in the hierarchy that includes the first region and the second region based on the respective prime numbers is identified. A security policy associated with the nearest common region is determined.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: June 27, 2023
    Assignee: Ent. Services Development Corporation LP
    Inventor: Keith Robert Buck
  • Patent number: 11689537
    Abstract: A service provider provides flexible access to services using an identity provider. The service provider is associated with a custom access policy used by the identity provider to authenticate access requests associated with client devices for services of the client system. The custom access policy describes a set of access levels corresponding to variable levels of access to services of the service provider. The identity provider authenticates access requests by client devices using one or more device signals from the client devices. In some embodiments, the identity provider determines a device trust score for the client device using the one or more device signals. The identity provider provides an authentication response to the client system based on the custom access policy. The client system uses the authentication response to determine an access level for the client device from the set of access levels described by the custom access policy.
    Type: Grant
    Filed: October 21, 2020
    Date of Patent: June 27, 2023
    Inventors: Dipti Vivek Shiralkar, Arun Thotta Suresh, Mohammad Rahimi, Ankit Garg
  • Patent number: 11683309
    Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques including a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: June 20, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Hendrikus GP Bosch, Jeffrey Michael Napper, Alessandro Duminuco, Sape Jurrien Mullender, Julien Barbot, Vinny Parla
  • Patent number: 11677775
    Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.
    Type: Grant
    Filed: June 3, 2022
    Date of Patent: June 13, 2023
    Assignee: AttackIQ, Inc.
    Inventors: Rajesh Sharma, Jeremy Miller, Stephan Chenette, Albert Lopez, Shubhi Mittal, Andres Gazzoli
  • Patent number: 11677551
    Abstract: One example method includes receiving clear text data at a storage system, generating, at the storage system, a clear text data encryption key, requesting a key management system to encrypt the clear text data encryption key with a master key to create an encrypted data encryption key, and the requesting is performed by the storage system, receiving, at the storage system, the encrypted data encryption key from the key management system, encrypting, at the storage system, the clear text data with the clear text data encryption key to create encrypted data, and storing, together, the encrypted data and the encrypted data encryption key.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: June 13, 2023
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Senthil Ponnuswamy, Kalidas Balakrishnan, Mahadev Karadigudda
  • Patent number: 11677778
    Abstract: Protecting data in non-volatile storages provided to clouds against malicious attacks. According to an aspect, multiple malicious patterns indicating respective malicious attacks to access non-volatile storages provided to clouds in a cloud infrastructure are maintained. When an access request is received, the data stream representing the access request is examined to determine whether the data stream contains any of the malicious patterns. If the data stream is found not to contain any malicious pattern, it is concluded that the access request is free of the malicious attacks. If the data stream is found to contain at least one malicious pattern, it is concluded that the access request is a malicious attack corresponding to the malicious pattern.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: June 13, 2023
    Assignee: Oracle International Corporation
    Inventors: Prasad Bilugu, Praveen Kumar Kannoju, Nageswara Rao Samudrala