Abstract: Techniques for sanitizing personally identifiable information (PII) from audio and visual data are provided. For example, in a scenario where the data comprises an audio signal with speech uttered by a speaker S, these techniques can include removing, obfuscating, or transforming speech related and non-speech related audio cues in the audio signal that can be used to trace the identity of S, while allowing the content of S's speech to remain recognizable. As another example, in a scenario where the data comprises an image or video in which a person P appears, these techniques can include removing, obfuscating, or transforming P's visible biological features and visual indicators of P's location, belongings, or personal data in the image/video, while allowing the general nature of the footage to remain discernable. Through this PII sanitization process, the privacy of individuals portrayed in the audio or visual data can be preserved.

Abstract: Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.

Abstract: The present disclosure relates to a data model for an analytics interface between an Interface to Network Security Functions (I2NSF) analyzer and a security controller in a security management system. A method of performing a security management by the I2NSF analyzer includes receiving monitoring data from at least one network security function (NSF) providing a security service, analyzing the received monitoring data to generate a new security policy or feedback information, and providing the generated new security policy or feedback information to the security controller.

Abstract: Example embodiments of the present disclosure relate to devices, methods, apparatuses and computer readable storage media for data encryption and decryption. In example embodiments, a first cipher key and a second cipher key are obtained. The first cipher key comprises a vector of cipher elements, and the second cipher key comprises a set of indices corresponding to a subset matrix of a polarizing matrix. A cipher vector is generated by polar coding of a data vector based on the first and second cipher keys and the polarizing matrix. The data and cipher vectors are combined for encryption of the data vector.

Abstract: A novel method for stateful packet classification that uses hardware resources for performing stateless lookups and software resources for performing stateful connection flow handshaking is provided. To classify an incoming packet from a network, some embodiments perform stateless look up operations for the incoming packet in hardware and forward the result of the stateless look up to the software. The software in turn uses the result of the stateless look up to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification.

Abstract: This disclosure provides methods, apparatuses, systems, and computer-readable mediums for a unified plug-in micro-service access control for role-based authorization and tenant-based authorization. The method may be executed by a processor and may include receiving an access token in a first format, wherein the access token includes tenant-specific information associated with a user and role-specific information associated with the user, the role-specific information associated with the user and the tenant-specific information associated with the user correspond to a respective shared resource and validating the access token. The method may further include generating a mapping of roles associated with the user based on a common authorization library and setting a security context for the user based on the mapping of roles associated with the user.

Abstract: A method for improving inter-PLMN routing by implementing health checks for remote SEPPs includes storing a target SEPP database including records corresponding to remote SEPPs to which SBI request messages can be routed. The method further includes receiving SBI request messages destined for NFs in PLMNs protected by the remote SEPPs, using the target SEPP database to select and route messages to the remote SEPPs. The method further includes, for each of the remote SEPPs, sending a health check message to the remote SEPP, determining, based on a response or lack of a response to the health check message that the remote SEPP is unhealthy or unreachable, and, in response, removing a record for the remote SEPP from the target SEPP database or marking the record for the remote SEPP to indicate that the remote SEPP is unhealthy or unreachable.

Abstract: A system and method for an extended security scheme for reducing the prevalence of broken object level authorization. In one embodiment, a method includes receiving code associated with an application programming interface (API), wherein the code includes one of an API definition and an API server stub, and parsing the code for one or more keywords associated with an extended security scheme. If the code includes the API definition, the method further includes generating an associated API server stub based on at least one of the one or more keywords and the API definition. If the code includes the API server stub, the method further includes generating an associated API definition based on at least one of the one or more keywords and the API server stub.

Abstract: A computer implemented method comprising instructions stored on a non-transitory computer-readable storage medium and executed on a computing device having a processor and a memory for authentication of an Office as a Subscription (OaaS) service is provided. The method includes receiving a request from a user via the computing device for accessing the OaaS service from a server via an existing network. The method further includes verifying one or more access credential requirements associated with the user and upon verification, providing the user remote access to the OaaS service from the server. The method also includes allowing the user to manipulate data in the OaaS service and storing the manipulated data in the server.

Abstract: A method implemented on an electronic device detects and mitigates software attacks exploiting a zero-day vulnerability, such as Spring4Shell, against a computer server. At least one initial identifier, which indicates an attempt to extract a predetermined type of information on the computer server, is detected within an activity log of the computer server to thereby indicate occurrence of an initial stage. Then, prior to elapsing of a search window having a predetermined time duration, at least one subsequent identifier, which indicates an attempt to perform remote code execution on the computer server, is detected within the activity log of the computer server. Then, a source of network activity associated with the detected identifiers is detected, and a security response associated with the identified source of network activity is performed to mitigate the exploitation of the vulnerability.

Abstract: Described systems and methods protect electronic devices such as smartphones and IoT devices against malicious software. In some embodiments, a malware detector comprises a stack/cascade of feature processors configured to determine a set of derived feature values according to primary features characterizing software executing on the respective device, and further comprises a synthesizer module configured to determine whether the client device comprises malware according to the derived feature values. When a derived feature value is currently unavailable or cannot be computed, some embodiments supply a surrogate value to replace the missing derived feature value, thus ensuring that the malware detector can always produce a verdict.

Abstract: Disclosed herein are system, method, and computer program product embodiments for vaultless tokenization. Alphanumeric values may be determined based on numeric values generated from a hash of numeric user information shuffled through a plurality of randomly generated alphanumeric tables. The numeric user information and the alphanumeric values may be used to generate a table index. Shuffled numeric user information may be generated based on the table index and a plurality of randomly generated numeric tables, and transformed to alphanumeric user information (e.g., via format-preserving encryption, additive cipher, etc.). Each character of the alphanumeric user information may be shuffled through a different alphanumeric table of the plurality of alphanumeric tables identified for the character based on the table index. Moreover, an alphanumeric token may be generated based on the shuffled characters of the alphanumeric user information.

Abstract: There may be situations in which it is desirable to dynamically implement a rule on the firewall in response to detecting a particular pattern of user activity. However, the software code required for tracking user activity, identifying patterns of user activity, and deciding what action to take may be relatively complex. Deploying such software code on a firewall increases the complexity of the firewall. For example, the firewall can no longer be “stateless”. In some embodiments, the destination server works in combination with the firewall. The destination server monitors traffic to determine particular patterns of user activity. In response to a particular pattern of user activity being detected, an appropriate rule is established and the firewall is sent a command to implement the rule.

Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.

Abstract: A system and method for secure transfer of information facilitating transmission of completely encrypted data at wire speeds to/from one or more destinations is associated with authorized one or more users through one or more communication networks. The encrypted information contains a message configured to be concealed from unauthorized access and a decrypting key configured to retrieve the message from the encrypted information, the decrypting key being randomly placed in the encrypted information. The decrypting key accommodated in the encrypted information transmitted at a first time instant is configured to decrypt the message extracted from the encrypted information at a second time instant, the first time instant being followed by the second time instant. The encrypted information pertains to L2 and L3 communication protocols pertaining to standard TCP/IP format, the exchange of encrypted information being facilitated through one or more parallel communication interfaces.

Abstract: An improved password manager runs on an electronic communication device. It derives an encryption key from a user master password and generates a master encryption key. The manager uses the encryption key to twice encrypt the master encryption key. It uses the mater encryption key to encrypt secret data items. The manager generates a second tier encryption key and uses it to twice encrypt the master encryption key. The encrypted data is stored. The second tier encryption key is encrypted using a hardware encryption element and shared with a trusted password manager. When the master password becomes unavailable, the manager requests the encrypted second tier encryption key is requested from the trusted manager. Once the master encryption password is recovered, it is used to decrypt the encrypted secret data items.

Abstract: In order to provide an evaluation apparatus that appropriately evaluates risk of a source code changing over time, an evaluation apparatus includes a generating unit and an output unit. The generating unit generates an evaluation related to risk of a first library described in a source code. The output unit calculates the degree of risk of the fist library, based on at least the generated evaluation, calculates a risk value indicating risk inherent in the source code, based on the calculated degree of risk, and also outputs time-series data of the calculated risk value.

Abstract: Techniques for sanitizing personally identifiable information (PII) from audio and visual data are provided. For instance, in a scenario where the data comprises an audio signal with speech uttered by a person P, these techniques can include removing/obfuscating/transforming speech-related PII in the audio signal such as pitch and acoustic cues associated with P's vocal tract shape and/or vocal actuators (e.g., lips, nasal air bypass, teeth, tongue, etc.) while allowing the content of the speech to remain recognizable. Further, in a scenario where the data comprises a still image or video in which a person P appears, these techniques can include removing/obfuscating/transforming visual PII in the image or video such as P's biological features and indicators of P's location/belongings/data while allowing the general nature of the image or video to remain discernable. Through this PII sanitization process, the privacy of individuals portrayed in the audio or visual data can be preserved.

Abstract: Aspects described herein may relate to techniques for detecting login activity to a financial account during a knowledge-based authentication process. The login activity may be related to access to an online interface for the financial account. The detection of login activity during the authentication process my indicate that the integrity of the authentication process is compromised as login access may provide an individual with transaction data that may be used to answer transaction-based authentication questions. As a result of detecting login activity, an alternative authentication process may be initiated or an authentication request related to the financial account may be denied.

Abstract: Systems, methods, and software described herein manage traffic rules in association with fully qualified domain names (FQDNs). In one implementation, a domain name system (DNS) security service obtains a FQDN associated with a DNS request by a computing device. The DNS security service determines a first score for the FQDN based on trust factors associated with the FQDN and determines whether the first score satisfies one or more criteria. When the first score satisfies the one or more criteria, the DNS security service evaluates host posture information associated with an IP address in the DNS response for the FQDN, updates the first score to a second score based on the host posture information, and determines a traffic rule for the FQDN based on the second score.