Patents Examined by Longbit Chai
  • Patent number: 11270005
    Abstract: Embodiments of the disclosure provide for a fast device installation and replacement (DI&R) service in a network while simultaneously providing confidentiality and integrity protection for sensitive device data. In one embodiment, this protection is provided by using certain characterization data associated with each device in a network to generate a passphrase. This passphrase can be related to the topology of the devices. In one embodiment, the passphrase is a concatenation of certain device characterization data with respect to the topology. In embodiments, the concatenation includes arranging the characterization data based on an order of each device with respect to the topology. Cryptographic keys are derived based on the passphrase. The cryptographic keys are used to automatically encrypt and decrypt the sensitive device data without user intervention.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: March 8, 2022
    Assignee: Schneider Electric USA, Inc.
    Inventors: Gregory Harrison, Amy Gau, Matthew Furnari, John Charles Foust, Daniel Martin, Ronald Mazyck
  • Patent number: 11258828
    Abstract: Systems and methods for monitoring and correcting security measures taken for a computer system are disclosed. Exemplary implementations may: determine a set of risk parameters of the computing system; collect sets of values of the security parameters at various times and determine the efficacy adjustments based on a comparison of the sets of values and an elapsed time between collection of the sets of values.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: February 22, 2022
    Assignee: Risklens, Inc.
    Inventor: Jack Jones
  • Patent number: 11252159
    Abstract: Dynamically enforcing access control policies unique to respective users in a multi-cluster container orchestration environment is provided. Resource-permission-role mappings are generated for users in the multi-cluster container orchestration environment based on preset access control criteria. Dynamic access control criteria are learned from the multi-cluster container orchestration environment over time. The resource-permission-role mappings for the users in the multi-cluster container orchestration environment are updated based on the dynamic access control criteria learned from the multi-cluster container orchestration environment over time. The resource-permission-role mappings are enforced to respective users in the multi-cluster container orchestration environment in response to receiving corresponding user resource access requests.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: February 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Priya Kannan, Shajeer K. Mohammed, Kavitha Subramaniam
  • Patent number: 11245693
    Abstract: Method and apparatus for authentication of a user to a server that involves the user performing a requested act and that further involves relative movement between the user and a camera wherein fiducial marks are captured.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: February 8, 2022
    Assignee: VNS Portfolio LLC
    Inventors: Beau Robertson Parry, Yasodekshna Boddeti
  • Patent number: 11240010
    Abstract: Systems and techniques are provided for random oracles in open networks. A node computing device of an open network may choose a random secret. The random secret may be a numeric or alphanumeric value. The node computing device may distribute shares of the random secret to node computing devices that are members of essential subsets for the node computing device. The node computing device may receive a share of a random secret from a second node computing device. The node computing device may be a member of an essential subset of the second node computing device. The node computing device may sign a deterministic seed message using the share of the random secret received from the second node computing device to generate a signature share. The node computing device may reveal the signature share and may receive a random value in response.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: February 1, 2022
    Assignee: Ripple Labs Inc.
    Inventor: Ethan Mac Brough
  • Patent number: 11233786
    Abstract: Provided in the present application are a one-time dynamic positioning authentication method, system and password changing method. The method comprises: an authentication server receives an authentication request from a client, generates a positioning factor string, and transmits generated information containing the positioning factor string and a structure of an all-element dynamic factor table to the client; the client receives the generated information, generates the all-element dynamic factor table, and maps the positioning factor string into the all-element dynamic factor table to acquire a dynamic graphical password inputted in accordance with a first positioning rule by a user and transmit to the authentication server; the authentication server receives the dynamic graphical password from the client, and if the first positioning rule corresponding to the parsed dynamic graphical password is consistent with a preset positioning rule, then the authentication is successful.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: January 25, 2022
    Assignee: Dalian Magic Image Technology Co., Ltd.
    Inventors: Yuntao Ma, Wei Liu, Guanhua Sun, Yongsheng Xu, Jun Huang
  • Patent number: 11233801
    Abstract: A policy-controlled communication system including a plurality of client devices establishing a secure session with remote instances on a web server using a protocol. The system includes a policy component with a set of policies customized based on parameters. The policies specify configuration settings of encryption protocols for content security on a client device. The parameters include connection, application, source, destination, data classification, type, user groups, encryption type, and/or performance. A local application selects a cloud service. A mid-link server includes a router to provision the set of policies, a security developer to determine an encryption link to deliver the cloud service to the client device and a linker to select a session protocol for establishing the secure session between the client device and the web server based on the set of policies. The router establishes via the encryption link the secure session based on the selected session protocol.
    Type: Grant
    Filed: May 26, 2021
    Date of Patent: January 25, 2022
    Assignee: Netskope, Inc.
    Inventor: James S. Robinson
  • Patent number: 11228566
    Abstract: A method and system for anonymizing data to be transmitted to a destination computing device is disclosed. Anonymization strategy for data anonymization is provided. Data to be transmitted is received from a user computer. Selective anonymization of the data is performed, based on the anonymization strategy, using an anonymization module. The data includes a plurality of characters. An order indicator data indicative of the order of the received data is generated. The received data is anonymized to derive an anonymized data. The anonymized data and the order indicator data are transmitted to the destination computer over a network. In one embodiment, a portion of the anonymized data is selected as a search ID. A cross reference between a search key indicative of a portion of the received data and the corresponding search ID is stored.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: January 18, 2022
    Assignee: Ciphercloud, Inc.
    Inventors: Pravin Kothari, Debabrata Dash
  • Patent number: 11216448
    Abstract: A processor-implemented method for the ownership transfer and tracking of tangible assets using a blockchain is described. In an embodiment, the method includes generating a root node associated with a tangible asset via a processor. The root node has a first hash value that represents a storage location of the root node, data associated with a tangible asset, and a second hash value that represents a storage location of the subsidiary node. The method also includes storing a hierarchical hash-linked tree structure in a non-transitory, processor-readable memory. The hierarchical hash-linked tree structure can include multiple nodes. The multiple nodes include the root node and the subsidiary node. The subsidiary node has the second hash value, and data associated with a tangible sub-asset of the tangible asset.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: January 4, 2022
    Assignee: Ernst & Young U.S. LLP
    Inventors: Paul Richard Brody, Duncan James Westland, Chaitanya Reddy Konda
  • Patent number: 11210658
    Abstract: In a general aspect, a distributed ledger transaction is generated on a cold hardware wallet. Generating the distributed ledger transaction includes receiving, at the cold hardware wallet, ledger information from a network-connected device via a private module-to-device communication link. The ledger information may include account information for the distributed ledger transaction, and a timestamp identifying when the account information was received by the network-connected device from a public network. The cold hardware wallet may generate a message based on the account information, identify a private key stored in the cold hardware wallet, generate a digital signature based on the message and the private key, and generate the distributed ledger transaction based on the message and the digital signature. The cold hardware wallet may send the distributed ledger transaction to the network-connected device via the private module-to-device communication link for forwarding to the public network for settlement.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: December 28, 2021
    Assignee: iCoin Technology, Inc.
    Inventors: Chester Silvestri, Adam Silvestri, Douglas Kadlecek
  • Patent number: 11206262
    Abstract: A method, computer program product and a computer system for facilitating a maintenance of access control information for controlling access to one or more resources of an information technology system by one or more subjects. One or more trigger policies are evaluated according to one or more policy parameters relating to the resources, the subjects and/or the access to the resources by the subjects. A revision of the access control information including a mining activity for mapping the subjects to the resources is triggered according to a result of the evaluation of the trigger policies. A computer program and a computer program product for performing the method are also proposed.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Gianluca Gargaro, Luigi Lombardi, Davide Fazzone, Raffaele Giulio Sperandeo
  • Patent number: 11190550
    Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive from a client an incoming request to upload an object to a cloud application over an application session. The object is subject to policy enforcement by the network security system. The network security system is further configured to generate a synthetic request, upload the object to the cloud application, and inject the synthetic request into the application session to transmit the synthetic request to the cloud application. The synthetic request is configured to modify a security posture of the uploaded object in dependence upon the policy enforcement.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: November 30, 2021
    Assignee: Netskope, Inc.
    Inventors: David Tze-Si Wu, Prasenna Ravi
  • Patent number: 11178185
    Abstract: A technique uses a managed computing device to extend management control by an organization to IoT (Internet of Things) devices in a local environment of the computing device. The computing device discovers any local IoT devices and participates in a communication with a server to bring one or more of the IoT devices under management control. In some examples, extending management control involves enrolling selected IoT devices into a management framework of the organization and directing communications between the server and the respective IoT devices through the managed device, which provides a point-of-presence for administering management of the selected IoT devices in the local environment.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: November 16, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Nivedita Ojha, Stephen Wilson, Derek Thorslund
  • Patent number: 11166160
    Abstract: A system for contraband device identification and alerting is disclosed. The system comprises a wireless signal detection system configured to identify signals from an unauthorized wireless device, and an alert module configured to generate notifications when an unauthorized wireless device is detected. The unauthorized wireless device is operating within a designated or controlled area. The designated area may overlap a controlled-environment facility and the wireless device is contraband within the controlled-environment facility. The alerting system may include a speaker, wherein the notifications comprise an audible message broadcast via the speaker. The alerting system may include one or more lights, wherein the notifications comprise illuminating the light. The notifications may also comprise one or more of a call, email, audible or visual alert, vibration and text that are sent to a designated individual.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: November 2, 2021
    Assignee: Securus Technologies, LLC
    Inventors: Daniel James Wigger, Amir Ameli Gonabadi Nezhad, Mark Baker, John Wange, Christopher Douglas
  • Patent number: 11153073
    Abstract: A device may receive content data from a content provider, the content data including: data identifying content, and data for verifying that the content has not changed. The device may access a blockchain associated with the content data, the blockchain including validation information specifying instructions for validating the content. In addition, the device may perform, based on the validation information, validation of the content to determine a measure of confidence that the content is accurate and store results of the validation in the blockchain as a transaction. Based on the validation results, the device may perform an action.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: October 19, 2021
    Assignee: Capital One Services, LLC
    Inventor: Pamela Rice
  • Patent number: 11146589
    Abstract: A computer implemented method for access control for a consumer accessing a restricted resource in a network connected computer system, the method including receiving a continuous sequence of data records relating to use, by the consumer, of the restricted resource, the resource being accessed by the consumer over an access network; continuously comparing the data records with an access control policy for the restricted resource; in response to a determination that the behavior is non-compliant with respect to the policy, generating and communicating a shared secret to the consumer, the shared secret being communicated via a communications channel other than the access network; receiving a response to a challenge from the user via the access network; and notifying the computer system that access to the resource by the consumer should be precluded based on a comparison of the response to the challenge and the shared-secret.
    Type: Grant
    Filed: March 26, 2018
    Date of Patent: October 12, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Joshua Daniel, Gery Ducatel
  • Patent number: 11132457
    Abstract: A system is provided for controlling access to data stored in a cloud-based storage service. Data associated with a user account is stored at the cloud-based storage service. A portion of the data is associated with a heightened authentication protocol. A first request is received, at the cloud-based storage service, for an application to access data that is associated with the heightened authentication protocol. The first request is authenticated based on the heightened authentication protocol. In response to authenticating the first request, permission is granted to the application to access the data that is associated with the heightened authentication protocol. The permission is time-limited. It is determined that the application is editing the data that is associated with the heightened authentication protocol. Permission for the application to access the data while the application is editing the data is temporarily extended.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: September 28, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daron Spektor, Jyotsana Rathore, Jose A. Barreto, Kevin Andrew Chan, Peter Daniel Henderson, Gabriela Kornelia Kaczka
  • Patent number: 11134072
    Abstract: Provided is a method for checking a safety rating of a first device with the aid of an associated digital certificate, including the steps: sending the digital certificate having an identifier of a safety rating from the first device to a second device, checking the identifier of the safety rating with respect to a predefined safety rule by means of the second device, executing safety measures in accordance with the result of checking the safety rules.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: September 28, 2021
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11128639
    Abstract: A method, system, and computer-usable medium are disclosed for receiving a response, by a security management system, from a site external to an internal network comprising the security management system to an endpoint device of the internal network, and injecting a header into the response by the security management system, the header including security rules, such that when the response is communicated to the endpoint device, the endpoint device responds to the security management system with information regarding subsequent requests made by the endpoint device in connection with the response.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: September 21, 2021
    Assignee: Forcepoint LLC
    Inventors: John Bergbom, Joonas Pihlaja
  • Patent number: 11122060
    Abstract: Disclosed are techniques for detecting a security threat in a wireless mesh network. In an aspect, a monitoring device in the wireless mesh network detects a first message transmitted by a source node in the wireless mesh network to a destination node in the wireless mesh network via at least one relay node in the wireless mesh network, collects information from the first message as it is transmitted in the wireless mesh network, determines that the first message has been corrupted based on analysis of the information from the first message, and detects the security threat in the wireless mesh network based on the first message being corrupted.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: September 14, 2021
    Assignee: QUALCOMM INCORPORATED
    Inventors: Sourabh Jana, Chirag Manojkumar Kharvar, Ravi Shekhar, Ravi Kiran Bamidi