Patents Examined by Kevin Bechtel
-
Patent number: 12248592
Abstract: Persistence can be enabled in a volatile secure workspace. A management service may be configured to provide a managed application image containing a managed application to a host agent on a user computing device. When a secure workspace is deployed on the user computing device, the host agent can attach the managed application image to the secure workspace to create an injected volume. The host agent can also provide image details of the managed application image to a file system filter in the secure workspace. The file system filter may cause the managed application to be loaded from the managed application image and may then redirect I/O performed by the managed application to the injected volume which in turn will cause such I/O to be persisted in the managed application image. In this way, the managed application, any files it creates or modifies, and any state will be persisted even though the secure workspace is volatile.
Type: Grant
Filed: November 3, 2022
Date of Patent: March 11, 2025
Assignee: Dell Products L.P.
Inventors: Gokul Thiruchengode Vajravel, Ramanujam Kaniyar Venkatesh, Ramanaa H V, Jyothi Bandakka, Curtis J. Schwebke
-
Patent number: 12250313
Abstract: A method of providing credentials to enable a second party to verify an identity of a first party. The first party is associated with a first public key which is registered with a third party. One or more first credentials are provided to the second party. A request transaction is obtained, which comprises a) an input comprising a signature generated based on a respective private key of the third party, and b) an output locked to a second public key of the first party. The second public key is based on the first public key. A confirmation transaction is generated. The confirmation transaction comprises an input that references the output of the request transaction, and a signature generated based on a private key corresponding to the second public key of the first party. The confirmation transaction is transmitted to nodes of a blockchain network for inclusion in a blockchain.
Type: Grant
Filed: October 15, 2020
Date of Patent: March 11, 2025
Assignee: nChain Licensing AG
Inventors: Daniel Joseph, Craig Steven Wright
-
Patent number: 12244690
Abstract: A method includes receiving, by a server computer, a thin client identifier from a thin client on a communication device. The server computer can then retrieve an encrypted first cryptographic key based on the thin client identifier. The encrypted first cryptographic key is a first cryptographic key that is encrypted with a second cryptographic key. The server computer can initiate the sending of the encrypted first cryptographic key to the thin client. The server computer then receives an encrypted secret from the thin client, the encrypted secret being a secret encrypted with the first cryptographic key.
Type: Grant
Filed: April 21, 2021
Date of Patent: March 4, 2025
Assignee: Visa International Service Association
Inventors: Fahimeh Rezaei, Marc Kekicheff, Sergey Smirnoff, Philippe Martin
-
Patent number: 12238104
Abstract: A secure communication system enabling secure transport of information is disclosed. The system comprises a secure network with one or more packet processing units connected by links through an internal communication system. The secure network transports packets of information between credentialed and authenticated agents. Each packet is associated with a visa issued by a visa service. The visa specifies the procedures governing the processing of the packet by the packet processing units as it is transported along a compliant flow, between agents through the network, according to a set of policies specified in a network configuration. Packet processing units include docks and forwarders. Adaptors serving the agents communicate with the network through tie-ins to docks. The system also includes an admin service, accessible to one or more admins, that facilitates configuration and management of the network.
Type: Grant
Filed: July 22, 2022
Date of Patent: February 25, 2025
Assignee: APPLIED INVENTION, LLC
Inventors: W. Daniel Hillis, David C. Douglas, Mathias Kolehmainen, Steven Willis, Frank Kastenholz, Michael Dubno
-
Patent number: 12229555
Abstract: An example system includes a processor to receive an instance of a composite format comprising a masking restriction. The processor can generate a mask for the instance of the composite format based on the masking restriction. The processor can output the generated mask.
Type: Grant
Filed: June 20, 2021
Date of Patent: February 18, 2025
Assignee: International Business Machines Corporation
Inventors: Ariel Farkash, Micha Gideon Moffie
-
Patent number: 12225041
Abstract: A system and method for centralized cybersecurity configuration compliance management for an enterprise having one or more assets operate to collect external inputs including one or more of open source cybersecurity configuration baselines (OSCSCBs), vendor hardening documentation (VHD), and information from exploitation and vulnerability public databases, collect internal inputs including cybersecurity standards of the enterprise and guidelines that are specific to the assets of the enterprise, consolidate the collected external and internal inputs, and apply a supervised decision tree machine learning (ML) model to generate cybersecurity configuration baseline (CSCB) controls mapping to the assets in the enterprise.
Type: Grant
Filed: September 14, 2022
Date of Patent: February 11, 2025
Assignee: SAUDI ARABIAN OIL COMPANY
Inventors: Eidan K. Aleidan, Ziad I. Alomair
-
Patent number: 12223055
Abstract: A computer executed method is presented for identifying security issues in a workload. The method identifies instance(s) of the workload and scans each instance for security vulnerabilities using hierarchical and incremental scanning. The hierarchical and incremental scan of each instance is performed by identifying as a base machine image a machine image that has previously been scanned for security vulnerabilities and that the instance originated from. The differences between the instance and the base machine image are then identified and scanned for security vulnerabilities.
Type: Grant
Filed: June 8, 2022
Date of Patent: February 11, 2025
Assignee: CHECK POINT SERVERLESS SECURITY LTD.
Inventors: Ohad Tanami, Itay Harush
-
Patent number: 12216774
Abstract: Methods and systems are presented for providing a data control framework that enables storing, sharing, and transferring of data in a secure manner. Data files stored in data repositories are scanned. Content associated with different sections of each data file is analyzed, and each section is tagged with a sensitivity level based on the content and a subject matter derived for the data file. Each data file is also assigned to a clearance classification based on an expected viewer of the data file. When sections from a first data file are being transferred to a second data file, a data control mechanism is triggered. If a particular section from the first data file is incompatible with the second data file, the data control mechanism may prevent the particular section from being transferred to the second data file, while allowing the remaining sections to be transferred to the second data file.
Type: Grant
Filed: January 11, 2023
Date of Patent: February 4, 2025
Assignee: PAYPAL, INC.
Inventors: George Chen Kaidi, Li Hua Lim, Rajasekaran Radhakrishnan, Sreeram Vasudevan
-
Patent number: 12216767
Abstract: A method and a system for intercepting dirty data are disclosed. The method includes: starting a vulnerability detection task and loading an application and an underlying code for communication between the application and a database; acquiring the underlying code and editing the detection logic code to obtain an underlying detection code; acquiring an original request of an application and initiating a replay request through an active IAST so that the application obtains a data stream in response to the replay request; communicating, by the application, with the database through a network to trigger the underlying detection code to start; examining a type of a structured query language of the data stream according to the underlying detection code; constructing and sending an exception structured query language to the database; and returning, by the database, error information to the application and stopping writing the data stream into the database.
Type: Grant
Filed: December 13, 2021
Date of Patent: February 4, 2025
Assignee: Hangzhou MoreSec Technology Co., Ltd.
Inventor: Fengjuan Wu
-
Patent number: 12219056
Abstract: Disclosed are systems and techniques for enhanced protection of cryptographic key generation in cryptographic applications. In particular, described is a method and a system that performs the method of obtaining input numbers associated with a cryptographic application, generating a masking matrix based on at least one random value, obtaining masked numbers using a matrix product of the MM and the input numbers, determining a greatest common divisor (GCD) of the masked numbers, identifying a GCD of the input numbers, and using the identified GCD to generate a cryptographic key.
Type: Grant
Filed: December 16, 2022
Date of Patent: February 4, 2025
Assignee: Cryptography Research, Inc.
Inventor: Michael Alexander Hamburg
-
Patent number: 12212474
Abstract: The present disclosure relates to bootstrapping an encrypted single node VSAN cluster. One method includes receiving a request to create an encrypted VSAN cluster from a single host in a software-defined datacenter, deploying a virtual server on a VSAN datastore of the software-defined datacenter, registering a native key provider (NKP) in the virtual server, creating an empty VSAN cluster encrypted by the NKP, adding the single host to the encrypted empty cluster to create a one-host encrypted cluster, registering a KMIP KMS in the virtual server, switching encryption of the one-host encrypted cluster from the NKP to the KMIP KMS, and adding another host to the one-host encrypted cluster to create the encrypted cluster.
Type: Grant
Filed: September 28, 2022
Date of Patent: January 28, 2025
Assignee: VMware LLC
Inventors: Tao Xie, Ruiling Dou, Wenguang Wang, Zongliang Li, Zhao Jin
-
Patent number: 12204683
Abstract: Systems and methods for providing an integration platform for abstracting and interacting with one or more third party platforms provided by one or more third party computing systems can include the utilization of one or more abstraction blocks and one or more application programming interfaces. In some implementations the systems and methods can include a user interface that can be leveraged as an intermediary for intaking user inputs, processing the user inputs, and providing abstracted versions of the inputs to the third party computing systems in order to provide access to the third party platforms to the user.
Type: Grant
Filed: October 25, 2022
Date of Patent: January 21, 2025
Assignee: CONCENTRIX CVG CUSTOMER MANAGEMENT DELAWARE LLC
Inventors: Matthew Williamson, Andrew Steven Bird, Scott MacSwain, Sam Heaton, Nicholas Guimond, Joshua Clowater
-
Patent number: 12199996
Abstract: A computer-implemented method of determining whether to configure a detection comprised within a query is disclosed. The method includes analyzing a query to determine clauses within the query that identify logs relevant to the detection comprised within the query. The method further includes determining a statistical distribution for modeling a likely hit rate of the detection. Additionally, the method includes updating the statistical distribution with information associated with an observed hit rate. Also, the method includes determining a hit rate for the detection using the updated statistical distribution and live telemetry data and computing a confidence score for the detection. Responsive to a determination that the confidence score for the detection is above a predetermined threshold, the method includes maintaining the detection online.
Type: Grant
Filed: October 28, 2021
Date of Patent: January 14, 2025
Assignee: Cisco Technology, Inc.
Inventors: David Dorsey, Michael Andrew Hart
-
Patent number: 12199954
Abstract: A brownfield security gateway is configured to support a trusted execution environment (TEE) that employs cryptographic and physical security—which forms a trusted cyber physical system—to protect sensitive transmissions on route to a controllable device. The gateway may be implemented with a System on Chip (SoC) that utilizes an application layer gateway to filter content within a transmission. When the application layer gateway authorizes the transmission, the transmission is forwarded to a trusted peripheral device that is configured with communication transport protocols, and the trusted peripheral device transfers the transmission to the controllable device. The trusted peripheral device and the controllable device are physically protected by, for example, protected distribution systems. Accordingly, the trusted peripheral device functions as a gateway between the SoC and the controllable device.
Type: Grant
Filed: May 11, 2022
Date of Patent: January 14, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Daniel Stelian Mihai, Brian Clifford Telfer, David Garfield Thaler, III, Stefan Thom, Torsten Stein
-
Patent number: 12184792
Abstract: Systems, apparatuses, methods, and computer program products are disclosed for managing keys of digital certificates. An example method includes receiving a digital certificate comprising a first public key and a corresponding first digital signature and a second public key and a corresponding second digital signature. The example method also includes receiving a signed data object associated with the digital certificate. The signed data object indicates a set of key management policies associated with the first public key and the second public key. The example method further includes performing, based on the set of key management policies, a first cryptographic data protection action using the first public key and the first digital signature or the second public key and the second digital signature. The first cryptographic data protection action facilitates secure communication between the first device and the second device.
Type: Grant
Filed: December 6, 2022
Date of Patent: December 31, 2024
Assignee: Wells Fargo Bank, N.A.
Inventor: Jeff J. Stapleton
-
Patent number: 12175338
Abstract: A federated learning method comprises creating a log of previously provided gradients from a plurality of workers, receiving updated gradients from the plurality of workers, calculating a vulnerability weight for each layer of a global machine learning model using the updated gradients, calculating an aggregated gradient using the vulnerability weight and the updated gradients, and updating the global machine learning model using the aggregated gradient. Some embodiments may also determine whether a Byzantine attack is occurring based upon the calculated aggregated gradient. An apparatus and computer program product may be used to implement the method.
Type: Grant
Filed: March 9, 2021
Date of Patent: December 24, 2024
Assignee: International Business Machines Corporation
Inventors: Yi Zhou, Nathalie Baracaldo Angel, Kamala Micaela Noelle Varma, Ali Anwar, Syed Amer Zawad
-
Patent number: 12160732
Abstract: Based on an instruction for starting communication parameter sharing processing using a Wi-Fi Device Provisioning Protocol, a public key to be used in the communication parameter sharing processing is shared, and authentication processing with a providing apparatus that provides a communication parameter is executed using the shared public key. After the authentication processing, a Configuration Request packet indicating a request for a plurality of network identifiers is generated, and the generated Configuration Request packet is transmitted to the providing apparatus.
Type: Grant
Filed: March 5, 2021
Date of Patent: December 3, 2024
Assignee: Canon Kabushiki Kaisha
Inventor: Fumihide Goto
-
Patent number: 12147548
Abstract: The present disclosure is related to a system that may include a storage component and a computing device. The storage component may store applications and datasets associated with a user. The computing device may execute each of the applications. One of the applications may perform operations, including receiving a list of the applications, determining a privacy exposure of the user based on at least a portion of the datasets accessed by the applications, and generating a privacy report based on the privacy exposure.
Type: Grant
Filed: July 27, 2021
Date of Patent: November 19, 2024
Assignee: United Services Automobile Association (USAA)
Inventors: Ric M. Pena, Arthur Quentin Smith, Brian Tougas
-
Patent number: 12149938
Abstract: Aspects described herein provide for hardening an RF signature by dynamically utilizing a sending device carrier frequency offset (CFO) as part of the RF signature. The CFO and the CFO varying pattern of wireless devices observed. A radio frequency signature at a sending device is paired to a frequency offset estimation algorithm at a receiving device, the final CFO estimation error may be bounded to a small range for various applications and communication protocols, and utilized to properly identify the sending device at the receiving device.
Type: Grant
Filed: June 15, 2020
Date of Patent: November 19, 2024
Assignee: Cisco Technology, Inc.
Inventors: Zhigang Gao, Huaiyi Wang
-
Patent number: 12143414
Abstract: A method comprises generating, by a test application in a test system of the zero trust network, a test packet comprising a unique token identifying the penetration test based on a test log, wherein the test log indicates that the penetration test is to be performed on a communication between a source microsegment and a target microsegment, transmitting, by the test application, the test packet to a policy enforcement point in the target microsegment, wherein a result log stores data, in association with the unique token, regarding at least one of a reception or processing of the test packet by the policy enforcement point, and comparing, by a log application in the test system, the test log and the result log to determine that the test packet has impermissibly passed through the policy enforcement point or been processed by the policy enforcement point.
Type: Grant
Filed: August 30, 2022
Date of Patent: November 12, 2024
Assignee: T-Mobile Innovations LLC
Inventor: Greg Schumacher