Patents Examined by Longbit Chai
  • Patent number: 11637864
    Abstract: A method and system for hardening cloud security policies of a cloud computing platform are presented.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: April 25, 2023
    Assignee: RADWARE LTD.
    Inventors: Adi Raff, Amnon Lotem, Yaniv Amram, Leo Reznik, Tal Halpern, Nissim Pariente
  • Patent number: 11637841
    Abstract: Techniques are disclosed relating to reporting for network events within a computer network. A computer system may access a set of data corresponding to a particular network event within a computer network, where the set of data includes captured attributes of the particular network event. The computer system may then calculate, using the set of data, a security score indicative of suspiciousness of the event and an actionability score that is based on an extent to which of a particular group of attributes are missing from the set of data. The computer system may determine, based on the two scores, a combined score for the event. The computer system may then report a notification for the event, based on the combined score. Such techniques may decrease a number of reported events for a network, which may advantageously allow resources to be focused on a smaller set of events.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: April 25, 2023
    Inventors: John Seymour, Anuj Gargeya Malkapuram, Prashant Dwarkadas Agrawal
  • Patent number: 11632400
    Abstract: Examples associated with network compliance detection are described. One example includes storing a set of security rules for a device. The device monitors the device for compliance with the security rules. Upon detecting noncompliance with an identified security rule, the device may disable network access for the device, and establish a trigger. The trigger may disable network access for the device when network access for the device is restored prior to returning the device to compliance with the identified security rule.
    Type: Grant
    Filed: March 11, 2019
    Date of Patent: April 18, 2023
    Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Valiuddin Ali, Endrigo N. Pinheiro, Edson S. Behnck
  • Patent number: 11630808
    Abstract: A method of applying proof of lottery to select block forgers in a blockchain, comprising performing the following at a certain one of a plurality of computing nodes connected to a blockchain network: (1) transmitting one or more of a plurality of participation transactions submitted by at least some of the plurality of computing nodes for participating in selection process conducted to select forgers from the plurality of computing nodes to forge blocks to be added to the blockchain; (2) determining a respective forger, during each selection process, by applying a selection function to an outcome of a hash function and a plurality of participation transactions extracted from a first subset of blocks preceding the respective block, the hash function is applied to a second subset of blocks preceding the respective block; and (3) forging the respective block in case the certain computing node is selected as the respective forger.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: April 18, 2023
    Assignee: Technion Research & Development Foundation Limited
    Inventor: Oded Shmueli
  • Patent number: 11630740
    Abstract: A system and method to create a plurality of hyperscaler accounts having predefined access rights to an object store of a database service in a cloud environment; store hyperscaler credentials specifying access rights to the object store corresponding to the predefined access rights of the hyperscaler accounts in a secure credential store, the hyperscaler credentials providing access to the object store for a specified backup function; map each of a plurality of different backup service component processes to one of the hyperscaler credentials, each of the plurality of backup service component processes operative independent of each other and having a specific backup service functionality; receive a request to execute one of the plurality of different backup service component processes; and authenticate access rights of the backup service component process included in the request based on the mapping.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: April 18, 2023
    Assignee: SAP SE
    Inventors: Florian Geckeler, Henrik Hempelmann, Martin Brunzema, Paul Beck, Anne Roessiger, Kathrin Mao
  • Patent number: 11627163
    Abstract: An electronic device is provided. The electronic device includes a communication module, a memory storing instructions, and at least one processor operably connected to the communication module and the memory, wherein the at least one processor is, by executing the instructions, configured to receive a request for execution of an application programming interface (API) from an application while driving the application, identify a policy for the execution-requested API based on data received from a decentralized network through the communication module, and determine whether to execute the execution-requested API, based on the identified policy for the API.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: April 11, 2023
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Youna Lee, Taejun Kim, Sungjin Park, Doyeong An, Dasom Lee, Dohyun Jo, Jinsu Jo, Kyungmin Chune
  • Patent number: 11621975
    Abstract: Prioritizing vulnerability scan results is provided. Vulnerability scan results data corresponding to a network of data processing systems are received from a vulnerability scanner. The vulnerability scan results data are parsed to group the vulnerability scan results data by vulnerability identifiers. A corresponding security threat information identifier is associated with each vulnerability identifier. A correlation of each associated security threat information identifier is performed with a set of current vulnerability exploit data that corresponds to that particular security threat information identifier. Current security threat information that affects host data processing systems in the network is determined based on the correlation between each associated security threat information identifier and its corresponding set of current vulnerability exploit data. The current security threat information is prioritized based on a number of corresponding current vulnerability exploit attacks.
    Type: Grant
    Filed: April 27, 2021
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Steven Ocepek, Nevenko Zunic, Tamer Aboualy, Johnny A. Shaieb
  • Patent number: 11609991
    Abstract: In some embodiments, a method includes processing at least a portion of a received file into a first set of fragments and analyzing each fragment from the first set of fragments using a machine learning model to identify within each fragment first information potentially relevant to whether the file is malicious. The method includes forming a second set of fragments by combining adjacent fragments from the first set of fragments and analyzing each fragment from the second set of fragments using the machine learning model to identify second information potentially relevant to whether the file is malicious. The method includes identifying the file as malicious based on the first information within at least one fragment from the first set of fragments and the second information within at least one fragment from the second set of fragments. The method includes performing a remedial action based on identifying the file as malicious.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: March 21, 2023
    Assignee: Sophos Limited
    Inventors: Joshua Daniel Saxe, Richard Harang
  • Patent number: 11606390
    Abstract: In some examples, a system includes a router device and a first adapter device in communication with the router device. The first adapter device includes processing circuitry configured to: communicate with the router device, wherein the router device is incapable of communicating in accordance with the MACsec protocol. The processing circuitry is further configured to establish an encrypted connection in accordance with the MACsec protocol between the first adapter device and a remote device, determine that the encrypted connection is offline, and output a message to the router device that the encrypted connection is offline. The router device is configured to communicate with the remote device via a second adapter device configured to communicate in accordance with the MACsec protocol and bypass the first adapter device.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: March 14, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Gert Grammel, Ajay Kachrani, Hao Wang
  • Patent number: 11599615
    Abstract: Methods and systems for creating a digital association are provided. The method includes obtaining a first user-generated item comprising identifiable features of a first user and a second user. The method also includes obtaining a second user-generated item comprising the identifiable features of the first user and the second user. The method also includes cross-confirming that the first and second user-generated items are valid to verify the digital association.
    Type: Grant
    Filed: March 12, 2021
    Date of Patent: March 7, 2023
    Assignee: BULLISH GLOBAL
    Inventors: Daniel J. Larimer, Richard B. Whitner, Thomas C. Hallgren, Todd B. Fleming
  • Patent number: 11601434
    Abstract: The present disclosure relates to a system, comprising: a first server computing device configured to store various application data relating to the system, and control a first plurality of modules to simultaneously establish multiple logically separate and secure networks within a self-supported computing environment; a second server computing device configured to control a second plurality of modules to perform out-of-band management of the system; and a third server computing device configured to control a third plurality of modules to control inbound and outbound data traffic of the logically separate and secure networks. The system is scalable by at least adding additional one or more first server computing devices to host additional application data within the self-supported computing environment's secure configuration and logical separation of networks while maintaining the second and third server computing devices.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: March 7, 2023
    Assignee: TRACE SYSTEMS, INC.
    Inventors: Scott Lee Hornsby, Kenneth Hilton
  • Patent number: 11601474
    Abstract: Some embodiments provide a method for a network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: March 7, 2023
    Assignee: VMWARE, INC.
    Inventors: Sachin Mohan Vaidya, Kausum Kumar, Nikhil Bokare, Mayur Dhas, Shailesh Makhijani, Rushikesh Wagh, Shrinivas Sharad Parashar, Vaibhav Bhandari
  • Patent number: 11593499
    Abstract: Systems and methods for controlling record relationship changes in a content management system. The content management system may have several layers of access controls, which may include a layer of access control at the object level, a layer of access control at the row level and a layer of access control at the field level. Access may be controlled at the object level by a user's security profile, at the object record level (or row level) by the user's role, and/or at the object field level by the user's role or a state in a document lifecycle. A secure inbound relationship attribute may be used to control record relationship changes. Actions for creating, deleting and reassigning are permitted only when the inbound relationship is editable according to the secure inbound relationship attribute.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: February 28, 2023
    Assignee: Veeva Systems Inc.
    Inventors: Jean-Christophe Meriaux, Peter Thorson, Adam McMillan
  • Patent number: 11593507
    Abstract: Searching encrypted data using encrypted contexts by performing at least the following: configuring a first encryption context that allows access to a first encrypted field, configuring a second encryption context that allows access to a second encrypted field, assigning the first encryption context to a first role and the second encryption context to a second role, assigning the first role to a first user account to allow the first user account to access the first encrypted field, assigning the second role to a second user account to allow the second user to access the second encrypted field, receiving a query request associated with the first user account for a search term, wherein the query request includes instructions to search for an unencrypted version of the search term and a first encrypted value of the search term that is based on the first encryption context.
    Type: Grant
    Filed: February 1, 2021
    Date of Patent: February 28, 2023
    Assignee: ServiceNow, Inc.
    Inventors: Paul Wang, Qiang Gui, Ashok Ganesan, Brett Bandy, Ivan Valentine Covdy
  • Patent number: 11588819
    Abstract: In one embodiment, a secure object transfer system is described. The system features a virtual private cloud network (VPC) and a controller. The VPC includes a plurality of gateways and a network load balancer, which is configured to conduct a load balancing scheme on access messages from computing devices deployed within an on-premises network to direct the access memory to one of the plurality of gateways for storage or retrieval of an object from a cloud-based storage element. Each gateway includes Fully Qualified Domain Name (FQDN) filtering logic to restrict access of the computing devices to certain cloud-based storage elements in accordance with a security policy. The controller is configured to maintain and update the security policy utilized by each gateway of the plurality of gateways.
    Type: Grant
    Filed: September 2, 2020
    Date of Patent: February 21, 2023
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath
  • Patent number: 11582260
    Abstract: Embodiments of the disclosure relate to verifying a watermark of an artificial intelligence (AI) model for a data processing (DP) accelerator. In one embodiment, a system receives an inference request from an application. The system extracts the watermark from an AI model having the watermark. The system verifies the extracted watermark based on a policy. The system applies the AI model having a watermark to a set of inference inputs to generate inference results. The system sends a verification proof and the inference results to the application.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: February 14, 2023
    Assignees: BAIDU USA LLC, KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
    Inventors: Yueqiang Cheng, Yong Liu
  • Patent number: 11582261
    Abstract: A Cloud Access Security Broker (CASB) system includes a controller; a message broker connected to the controller; and a plurality of workers connected to the message broker and connected to one or more cloud providers having a plurality of files contained therein for one or more tenants, wherein the plurality of workers are configured to crawl through the plurality of files for the one or more tenants, based on policy and configuration for the one or more tenants provided via the controller, and based on assignments from the message broker. The plurality of workers can be further configured to cause an action in the one or more cloud providers based on the crawl and based on the policy and the configuration. The action can include any of allowing a file, deleting a file, quarantining a file, and providing a notification.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: February 14, 2023
    Assignee: Zscaler, Inc.
    Inventors: Shankar Vivekanandan, Narinder Paul, Parth Shah, Pratibha Nayak, Sonal Choudhary, Huan Chen
  • Patent number: 11575679
    Abstract: Systems and methods are provided for efficient and automated control of software permissions and access to network resources across a complex enterprise environment. User access may be governed by software bundles. Such bundles may or may not include all programs or access to all systems needed by the user. An access request management tool is provided that includes new process flows and artificial intelligence for automated refining of software access across a complex and large network of computer servers. The management tool may eliminate conventional intermediary systems needed when utilizing centralized access request management. The management tool may check which user has access to a software bundle and may assign the bundle to other users. The management tool may revoke or grant access to a software bundle.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: February 7, 2023
    Assignee: Bank of America Corporation
    Inventors: Hieu Xuan Hoang, Christopher Quinn, Rahul Balar, Krupali Prafulchandra Desai, Ronald David Pfiester, Genaro Signo, Robert Justin Brown
  • Patent number: 11575683
    Abstract: A method of scheduling and validating a multiple-participant process, the method including: submitting, by a submitting node associated with a participant in the multiple-participant process, a proposed transaction by sending a cryptographically-protected message to one or more recipient nodes, wherein the cryptographically-protected message includes at least an unencrypted submessage readable by an external node and a cryptographically-protected submessage to preserve privacy from at least the external node; determining, by the external node, an order of the proposed transaction relative to other transactions; by way of at least some of the recipient nodes, validating the cryptographically-protected message; receiving a confirmation of validity of the cryptographically-protected message from at least some of the recipient nodes; finalizing the proposed transaction, as a confirmed transaction, based on receiving one or more confirmations from at least some of the recipient nodes that satisfy a confirmation co
    Type: Grant
    Filed: October 21, 2019
    Date of Patent: February 7, 2023
    Inventors: Sören Gerhard Bleikertz, James Benton Litsios, Andreas Lochbihler, Ognjen Maric, Matthias Schmalz, Ratko Goran Veprek, Shaul Kfir, Tsering Shrestha
  • Patent number: 11568455
    Abstract: In an illustrative embodiment, systems and methods for cyber vulnerability assessment include obtaining assessment data including information pertaining to domains of cyber security vulnerability of an enterprise and, for each security domain, a respective domain-level vulnerability score, identifying risk(s) relevant to the enterprise based on domain-level vulnerability score(s), identifying recommended products or services for mitigating each of the risks, and preparing a graphical user interface for selecting a portion of the recommended products or services. A user may select one or more products or services through the user interface for purchase and/or deployment planning. The domain-level vulnerability scores may be compared to peer vulnerability scores, target vulnerability scores, or prospective vulnerability scores based upon application of certain recommended products or services.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: January 31, 2023
    Assignee: AON RISK CONSULTANTS, INC.
    Inventors: Jason Hogg, Nicholas Dan, Jeffrey Bolas, Christopher Uriarte, Adam Peckman, Mani Dhesi, Cory Allen Moreira