Patents Examined by Longbit Chai
  • Patent number: 11381604
    Abstract: Aspects of the disclosure relate to exfiltrated data detection. A computing platform may receive secure enterprise data from an enterprise data management platform. In response to receiving the secure enterprise data, the computing platform may generate data entities. The computing platform may load, into the data entities, secure enterprise data. After loading the secure enterprise data into the data entities, the computing platform may activate a verification process associated with each data entity, which may include triggering each data entity to send verification messages to other data entities. Each data entity may be configured to receive and validate verification messages received from the other data entities of the plurality of data entities, and may be configured to delete secure enterprise data stored in the corresponding data entity upon failing to receive the verification messages from the other data entities.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: July 5, 2022
    Assignee: Bank of America Corporation
    Inventor: Maharaj Mukherjee
  • Patent number: 11372994
    Abstract: A security program installed or in communication with a computer is provided. The security program is configured to intercept disk (I/O) operations that read/write from/to disk. This allows the security program to confirm and control access to data based on security rules. Further, the security program can categorize data based on security rules and then format and store data on disk in a format that prevents access by application(s) of the computer. The security program is further configured to re-format data to be accessible by the application in a format accessible by the application(s) when a request to access the data complies with security rules.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: June 28, 2022
    Assignee: Tangoe US, Inc.
    Inventors: Jaan Leemet, Paul Schmidt
  • Patent number: 11366922
    Abstract: In one embodiment, a method includes receiving a request to transfer a handle to an object from a first process to a second process, accessing a first security context of the handle and a second security context of the second process, identifying one or more security policies based on at least one of the first security context and the second security context, determining that the handle is allowed to be transferred to the second process by applying the one or more security policies on the first security context of the handle and the second security context of the second process, and transferring the handle to the second process in response to the request.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: June 21, 2022
    Assignee: Facebook Technologies, LLC.
    Inventor: Gleb Kurtsov
  • Patent number: 11363069
    Abstract: A system including a network interface and a processing circuit is provided. The processing circuit includes one or more processors coupled to non-transitory memory. The processing circuit is structured to receive a request for a multiple custody linkage between user devices. The multiple custody linkage includes a digital connection between the user devices that allows shared access to a resource. The resource includes at least one of a physical object or information. The processing circuit is further structured to perform a validation process based on information in the request for the multiple custody linkage to determine if a violation of a security protocol exists. The security protocol is associated with security of the resource. The processing circuit is further structured to, in response to determining no violation of the security protocol exists, activate the multiple custody linkage between the user devices to allow the shared access to the resource.
    Type: Grant
    Filed: December 12, 2019
    Date of Patent: June 14, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Laurie J. Becker, Shelly A. Carnazzo, Darren M. Goetz, Dennis E. Montenegro, Janice R. Powell
  • Patent number: 11363068
    Abstract: A computer-implemented method and a system provide a complete traceability of changes incurred in a security policy corresponding to a resource. A policy tracing engine (PTE) monitors and determines events of interest occurring at the resource. The PTE determines administrator-initiated intent-based changes and dynamic event-based changes incurred in the security policy and assigns a unique policy identifier (UPI) to the security policy. The UPI is a combination of unique identifiers assigned to the intent-based change and the event-based change. The PTE recomputes and stores the security policy and the UPI in a policy database. The PTE receives network access information including the UPI from the corresponding resource deployed with the security policy. The PTE generates a traceability report that provides a complete traceability of each policy action performed in a networked environment to a source of each change incurred in the security policy as identified by the UPI.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: June 14, 2022
    Assignee: COLORTOKENS, INC.
    Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha
  • Patent number: 11349873
    Abstract: A cloud security service provides network security. The cloud security service receives, via a computer network, an electronic message sent by a sending user of an enterprise to a receiving user. The cloud security service analyzes the electronic message using a machine-learned user model describing the sending user's electronic messages, the user model generated based at least in part on previous electronic messages sent by the sending user. The cloud security service determines, based on the analysis, that the electronic message violates a security policy of the enterprise. The cloud security service performs a security action based on the determination that the electronic message violates the security policy.
    Type: Grant
    Filed: November 27, 2018
    Date of Patent: May 31, 2022
    Assignee: ArmorBlox, Inc.
    Inventors: Chetan Anand, Arjun Sambamoorthy, Anand Raghavan, Dhananjay Sampath
  • Patent number: 11347839
    Abstract: Various embodiments are generally directed to techniques for control flow protection with minimal performance overhead, such as by utilizing one or more micro-architectural optimizations to implement a shadow stack (SS) to verify a return address before returning from a function call, for instance. Some embodiments are particularly directed to a computing platform, such as an internet of things (IoT) platform, that overlaps or parallelizes one or more SS access operations with one or more data stack (DS) access operations.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: May 31, 2022
    Assignee: INTEL CORPORATION
    Inventors: Abhishek Basak, Ravi L. Sahita, Vedvyas Shanbhogue
  • Patent number: 11341265
    Abstract: Nowadays much information pertaining to the user's life tends to be stored on their mobile device. Some of this information is considered strictly confidential by the user—not to be divulged to anybody else, not even to family members, co-workers or other intermittent borrowers of the user's device. Hence the significant user demand for an on-device Secure Vault for the placement of all such confidential content-files, with access to each such file individually-protected by a user-keyed access restriction method. This invention fulfils that demand.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: May 24, 2022
    Inventor: Dilip Suranjith Gunawardena
  • Patent number: 11336431
    Abstract: A verification system and method for cooperating with a blockchain and off-chain devices is provided. The system includes a security protocol device, a blockchain device, and a database device. The security protocol device receives and integrates the record data into a binary tree according to a hash function. Hash values of the record data are stored in the leaf nodes. The blockchain device is at the blockchain and communicates with the security protocol device. The security protocol device transmits the root hash to the blockchain device. The database device communicates with the security protocol device in an off-chain manner. The security protocol device stores the binary tree to the database device. The security protocol device compares the root hash from the blockchain device with the root hash of the binary tree stored in the database device to verify the correctness of the binary tree stored in the database device.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: May 17, 2022
    Assignee: International Trust Machines Corporation
    Inventor: Gwan-Hwan Hwang
  • Patent number: 11329828
    Abstract: A verification system and method for chaining data are provided. The system includes a security protocol device, a blockchain device, and a database device. The security protocol device receives record data and integrates the record data into binary trees. Each binary tree includes a root and leaf nodes. The security protocol device transmits root hashes of the roots to the blockchain device at a blockchain. The blockchain device includes a chain data string including data sets chained in a series manner. Each data set includes a root hash and a corresponding chain hash. The chain hash of each data set is related to the root hash and the chain hash of the previous data set. The chain hash of the first data set is related to an initial chain hash. The security protocol device stores the binary trees and the initial chain hash to an off-chain database device.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: May 10, 2022
    Assignee: International Trust Machines Corporation
    Inventor: Gwan-Hwan Hwang
  • Patent number: 11316868
    Abstract: At least one of nodes included in the second node group comprises a request means (521) for transmitting a request signal including verification information to at least any node of the first node group, and a verification means (522) for verifying response information for the request signal, the verification means determines, regarding the response information, whether or not desired information that is information requested by the request signal or a digest thereof is included, whether or not correct verification information is included, whether or not a value obtained by applying a one-way function to the response information satisfies a predetermined rule, and a response time that is the time taken between the transmission of the request signal and the obtainment of the desired information, and on the basis of the determination results thereof, assesses the presence or absence of reliability of the desired information or the degree of reliability thereof.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: April 26, 2022
    Assignee: NEC CORPORATION
    Inventors: Masaki Inokuchi, Tomohiko Yagyu
  • Patent number: 11303611
    Abstract: Techniques for generating and enforcing whitelist security policies in a communication network are disclosed. A first plurality of whitelist policies are consolidated into a second plurality of whitelist policies based on populating a plurality of tables. The populated tables include a first table including pairs of endpoints and associating each pair of endpoints with a service identifier, and a second table associating the service identifiers with the policy identifiers. The second plurality of whitelist policies are programmed into a network device in the communication network, based on at least one of the plurality of tables. Rules governing traffic between the pair of endpoints are enforced, at the network device, using the programmed second plurality of whitelist policies.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: April 12, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Umamaheswararao Karyampudi, Murukanandam K. Panchalingam, Muralidhar Annabatula, Madhuryamayi Mani, Darpan R. Kathoke, Chong M. Tan, Azeem M. Suleman
  • Patent number: 11303615
    Abstract: A network protection system (NPS) is augmented to determine and apply security information for a host on a network. The NPS is configured to monitor the host. In response to an occurrence, e.g., the host requesting a network host address, the NPS dynamically determines the security information and encodes it in a portion of the IP address that is assigned. The particular portion of the IP address that is configured for the security information is identified according to variable-length subnet masking (VLSM) notation and, in particular, by including an additional host identifier subdivision that identifies the portion that carries the relevant security data. The security information (e.g., a rank) is encoded in a bitmask. An IP address that has been extended in this manner is then provided on the network, where it is readily-evaluated by other applications and systems that recover the security information by simply applying the bitmask to the IP address.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: April 12, 2022
    Assignee: International Business Machines Corporation
    Inventors: Leonid Rodniansky, Tania Butovsky
  • Patent number: 11297099
    Abstract: A method, system and computer-usable medium for redisplaying data at a remote access client system from a secure computing environment. The redisplaying data includes receiving a request from the remote access client system for data, inspecting the request for potential unauthorized or malicious retransmission. Modifying the data, by filtering audio data or transforming graphical data prior to sending the requested data is performed to prevent the unauthorized or malicious retransmission.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: April 5, 2022
    Assignee: Forcepoint, LLC
    Inventor: Anthony Tong
  • Patent number: 11296895
    Abstract: Methods and systems relating to incentivizing a data provider to participate in a match making protocol between a business (second entity) and a user (first entity) are shown. Encryption techniques maintain the secrecy of the data provider's data such as proprietary analytics of user information such that the data need not be shared with users or businesses. Businesses can verify that the user has desired properties without learning the actual raw data owned by the data provider. Users initiate data sharing by explicit request but do not learn the actual raw data known to the data provider, only whether or not they satisfy the properties of interest. The data provider is incentivized because the business compensates the data provider for access to proofs of properties about user data.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: April 5, 2022
    Assignee: Bitclave Pte. Ltd.
    Inventors: Alexander Bessonov, Patrick Tague, Mark Shwartzman, Stephen Winston, Vadim Gore
  • Patent number: 11288634
    Abstract: A system automatically manages remote and local data through a declarative client that retrieves, tracks, and caches data in response to a transmission from an interface. The declarative client accesses an immutable image served by a secure cloud platform. A serverless compute engine receives the immutable image and a plurality of tasks that process the immutable image in a container. An application programming interface in communication with the declarative client extracts data via queries from a database. The declarative client includes an in-memory cache that stores broken up results of the queries into individual objects that are each associated with a unique identifier. The extracted data is deconstructed downloaded content in which assigned links between data elements are mapped to redirected computer-generated links that locate the downloaded content.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: March 29, 2022
    Assignee: PROGRESSIVE CASUALTY INSURANCE COMPANY
    Inventors: Jason Hoehnen, Sara Edwards, Hassan Al Rawi, Sharon Parks, Dominic Valentino, Allen Layne
  • Patent number: 11283796
    Abstract: Methods, systems, and computer program products are provided for real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: March 22, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Maria Puertas Calvo, Lakshmi Priya Gopal, Laurentiu B. Cristofor, Pui-Yin Winfred Wong, Dana S. Kaufman
  • Patent number: 11276287
    Abstract: A portable item reporting device automatically learns a use of a portable item which is selected by an authorized user of the portable item, where the device is configured to be attached to and in substantial collocation with the selected portable item, or to be integrated into the portable item. The portable item reporting device monitors item location, item movement, and/or other environmental factors. The portable item reporting device detects and analyzes environmental data during usage of the portable item by the authorized user, or during user-designated storage of the portable item in a storage location. The device further identifies and/or learns, based on the detected environmental data, one or more repeated patterns and/or context-determined patterns of usage or physical storage of the user's portable item. The device then stores the past, learned pattern(s) of usage data as indicative of expected and/or normal, future use/storage by the authorized user of the portable item.
    Type: Grant
    Filed: July 14, 2019
    Date of Patent: March 15, 2022
    Assignee: ImagiStar LLC
    Inventor: Steven Charles Oppenheimer
  • Patent number: 11271959
    Abstract: Methods and systems for detecting and preventing malicious software activity are presented. In one embodiment, a method is presented that includes monitoring network communications on a network. The method may also include detecting a suspect network communication associated with a suspect network activity and, in response, determining an originating machine based on the suspect network activity. The method may further suspend network communications for the originating machine. A forensics software agent may then be selected based on the suspect network activity. Then, the forensics software agent may be deployed on the originating machine. After deployment, the forensics software agent may fetch computer forensics data from the originating machine. Once the computer forensics data is fetched, a response action may be selected and executed based on said computer forensics data.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: March 8, 2022
    Assignee: CrowdStrike, Inc.
    Inventors: Karni Eyal, Sagi Sheinfeld, Zinar Yaron
  • Patent number: 11271953
    Abstract: A method of avoiding throughput penalties imposed by SaaS vendors on a user group due to excessive API events from users in the group, monitoring API event rate or volume in time for requests from the group, collectively, and from individual users in the user group to a SaaS vendor is disclosed. Also, recognizing a power user as submitting API events in excess of a limit and taking action to reduce the user's impact on the API event rate of the group when the API rate for the group, overall, exceeds or approaches a SaaS imposed trigger of a throughput penalty on the group. Further included is rationing transmittal of API event submissions from the power user to the SaaS and avoiding triggering of the throughput penalty by the SaaS, reducing latency for the users in the group other than the power user and increasing latency for the power user.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: March 8, 2022
    Assignee: NetSkope, Inc.
    Inventor: Chandrasekaran Rajagopalan