Abstract: A masking system and method for automatically masking sensitive user information on a webpage is provided. The method includes the steps of identifying a location of the first user data of the first type of sensitive user information on the webpage, updating an initial path to the first user data to account for changes to the initial path detected in response to repeated visits to the webpage, wherein the updated initial path to the first user data is stored as a stable path, locating a second user data associated with a second type of sensitive user information on the webpage, by accessing a central database containing path information to a location of the second user data on the webpage, and masking the first user data and the second user data on the webpage, using the stable path and the path information obtained from the central database.

Abstract: The present application is directed a computer-implemented method for enhancing security. The method includes a step of sending, from a VPN service provider, a request to a cloud provider to create a dynamic server on a cloud. Then, the VPN service provider receives a notification from the cloud provider that the requested server is available on the cloud. Subsequently, the VPN service provider embeds the dynamic server with a VPN service. Further, the VPN service provider sends a credential of the dynamic server to an entity on the network. The application is also directed to system for enhancing security on a cloud server.

Abstract: Systems and methods are provided for use in implementing access controls to content blocks of a user profile associated with a user. One exemplary system includes an access engine configured to receive an access command from a user, via a communication device, to access the user profile. The access command includes a designation of at least one the content blocks for access by a provider, an identity of the provider, and a duration of the access. The access engine is configured to also modify a permission associated with the designated content block(s) in relation to the provider to permit the access by the provider, and to expose the content block(s) to the provider, thereby granting the access for the provider to the content block(s). The access engine is configured to further terminate the access of the provider to the content block(s) when the duration of the access expires.

Abstract: A method for managing privacy of a user in a network includes generating, by a user equipment (UE), a Locally Administered Randomized WLAN MAC Address (LRA), wherein at least one portion of the LRA is randomly generated based on at least one of a network temporary identity and a network parameter. Further, the method includes transmitting, by the UE, the generated LRA to a network node. A User equipment (UE) for managing privacy of a user in a network includes a memory, a processor, coupled to the memory, an LRA generator, coupled to the processor, configured to generate an LRA, wherein at least one portion of the LRA is randomly generated based on at least one of a network temporary identity or a network parameter, and a transceiver, coupled to the processor, configured to transmit the LRA to a network node.

Abstract: A method for user identity authentication using virtual reality includes presenting one or more virtual elements on a virtual reality (VR) scenario of a VR application for initiating a service, identifying, using one or more sensors communicably coupled to the VR device, one or more interactive operations of a user of the VR device with the one or more virtual elements, determining whether the one or more interactive operations match one or more predetermined operations for selecting the one or more virtual elements to initiate the service and trigger biometric authentication for user identity authentication, invoking biometric authentication if the one or more interactive operations match one or more predetermined operations, presenting a virtual guidance in the VR scenario for guiding the user to perform the biometric authentication, and presenting a service interface to the user if the biometric authentication is successful.

Abstract: Methods and apparatus for performing access control for a first entity. The method comprises using a pointer associated with a second entity to access, from a distributed ledger system, at least one attestation for at least one attribute of the second entity, wherein the at least one attestation is movable between at least two states in the distributed ledger system, the at least two states comprising a VERIFIED state and allowing the second entity to access the first entity in response to determining that the at least one attestation is in the VERIFIED state, that the third entity is to be trusted for verifying the at least one attestation, that the cryptographic proof is a valid proof of the at least one privilege label, and that the one or more access rules are satisfied.

Abstract: A method, a system and/or an apparatus of activity based access control in heterogeneous information technology infrastructure is disclosed. The infrastructure security server authenticates that a user is authorized to access a set of heterogeneous cloud-based services using at least one heterogeneous authorization system. The method monitors an activity of the user when accessing any of the set of heterogeneous cloud-based services over a period of time using a processor and a memory. The method dynamically adjusts access privileges to the set of heterogeneous cloud-based services. The adjustment to the access privileges includes a revocation of access to the user to a particular service of the set of heterogeneous cloud-based services and/or dynamically granting of access to the user to the particular service of the set of heterogeneous cloud-based services.

Abstract: A method for measurement of an information-security-controlling status in accordance with the present disclosure includes receiving actual inspection data obtained by actually inspecting whether each domain complies with each security-controlling item, computing security-controlling status measurement scores for each domain on the basis of a significance grade of each control item, the degree of compliance with a corresponding control item, and a weighting set by a measurement manager, computing a final security-controlling status measurement score for a parent organization to which each domain belongs on the basis of an average of the security-controlling status measurement scores for each domain, and outputting the computed security-controlling status measurement scores and final security-controlling status measurement score.

Abstract: Systems and methods are described which integrate file properties that in conventional systems has been considered weaker evidence of malware and analyzes the information to produce reliable results. Properties such as file paths, file names, source domains, IP protocol ASNs, section checksums, digital signatures that are not always present and not always reliable can be integrated into the classification process using a graph. A 1-neighborhood of object values in the graph may be created and analyzed to suggest a malware family label based on files having similar properties.

Abstract: A method for executing an operation whereby a first input data, may be combined with a second input data, may include: defining data pairs whereby each data of a first input set is associated with a respective data of a second input set, the data in the first and second input sets may be obtained by applying Exclusive OR (XOR) operations to the first and second input data and to all first and second mask parameters of first and second mask sets; and computing output data by applying the operation to each of the data pairs, to obtain an output set, the first and second mask sets being such that a combination by XOR operations of each pairs of corresponding first and second mask parameters may produce a third mask set, where each mask sets may include a word column having a same number of occurrences of all possible values of the words.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). For example, a first data asset may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.

Abstract: A verification method, device and computer-readable storage medium based on a flexible display screen are provided. The method includes: generating a verification code, and dividing the verification code into a plurality of parts; displaying the plurality of parts on the flexible display screen separately; detecting deformation of the flexible display screen, and determining a splicing result of the plurality of parts based on the deformation of the flexible display screen; and determining a verification result based on the splicing result.

Abstract: Systems and methods are described for securing credentials with optical security features formed by quasi-random optical characteristics (QROCs) of credential substrates. A QROC can be a pattern of substrate element locations (SELs) on the substrate that includes some SELs that differ in optical response from surrounding SELs. During manufacturing, a QROC of a substrate can be characterized, hidden by a masking layer, and associated with a substrate identifier. During personalization, personalization data can be converted into an authentication graphic formed on the substrate by de-masking portions of the masking layer according to a de-masking pattern. The graphic formation can result in a representation that manifests a predetermined optical response only when the de-masking pattern is computed with knowledge of the hidden QROC. The authentication graphic and optical response can facilitate simple human authentication of the credential without complex or expensive detection equipment.

Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request.

Abstract: A method for assessing and responding to potential cybersecurity risks includes: obtaining, by a computing device, a plurality of attributes relating to an authentication event; determining, by the computing device, based on a cybersecurity risk assessment model, whether the plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, wherein the cybersecurity risk assessment model is individualized on a per-user or per-device basis; and causing, by the computing device, in response to determining that the determined plurality of attributes relating to the authentication event indicate a potential cybersecurity risk, a heightened security measure to be implemented.

Abstract: A system includes one or more protected nodes within a protected system, where each protected node is configured to be coupled to a storage device. The system also includes a server configured to perform a check-in process so that one or more files on the storage device are (i) accessible by the one or more protected nodes within the protected system and (ii) not accessible by nodes outside of the protected system while the storage device is checked-in. The server is also configured to perform a check-out process so that the one or more files on the storage device are (i) accessible by the nodes outside of the protected system and (ii) not accessible by the one or more protected nodes within the protected system while the storage device is checked-out. The server could be configured to modify a file system of the storage device during the check-in process.

Abstract: The present invention provides a data management method, a computer program for the same, a recording medium thereof, a user client for executing the method, and a security policy server. The method is executed by a user client that is network-linked to a DB server and a security policy server, the method including: 1) recognizing a user ID through a user authentication; 2) detecting whether a DB control application is executed; 3) determining whether the application is allowed to be used for the user ID; 4) determining whether the DB server is allowed to be accessed by the user ID when determining that the application is allowed to be used; 5) allowing access to the DB server when determining that the DB server is allowed to be accessed; and 6) when data is transmitted from the DB server, encrypting and managing the data according to a preset user right policy.

Abstract: Techniques for unobtrusively protecting against large-scale data breaches over time are described. A security gateway coupled between clients and servers receives data object (DO) access requests from the clients on behalf of users of an enterprise. Each of the users is allocated a budget for each of one or more time periods. The security gateway determines an access cost for each DO access request based on characteristics of the DO request, where lower access costs are indicative expected DO access consumption for users of the enterprise, and charges the determined access cost against the budget for that user corresponding to the time period when the DO access request was received. Alert messages are transmitted based on different ones of the users exceeding their budget(s), and the transmission of the DO access requests to the data object servers is not prevented.

Abstract: From a record of a packet in a Domain Name System (DNS) communication between a DNS client and a DNS server, an input feature is constructed. Using the packet, a metadata item supporting the input feature is computed. Using a processor and a memory to execute a trained cognitive classification model, and by supplying the input feature and the supporting metadata item as inputs to the cognitive classification model, a transmission of the packet is classified as malicious use of DNS tunneling between the DNS client and the DNS server. From the cognitive classification model, a classification of the packet as malicious, and a confidence value in the malicious classification are output. By generating a notification, the DNS client is caused to cease the malicious use of the DNS tunneling.

Abstract: For communication pattern recognition, an apparatus is disclosed. The apparatus includes a baseline analysis module that samples predefined sources associated with a user and generates a baseline fingerprint for the user. The apparatus includes an active analysis module that re-samples the predefined sources associated with the user after a predefined time interval and generates an active fingerprint for the user. The apparatus includes a verification module that compares the active fingerprint to the baseline fingerprint and determines whether the active fingerprint closely matches the baseline fingerprint. If the active fingerprint closely matches the baseline fingerprint, then the verification module replaces the baseline fingerprint with the active fingerprint. If the active fingerprint does not match the baseline fingerprint, then the verification module performs a predefined action to rectify differences between the baseline fingerprint and the active fingerprint.