Abstract: A data privacy protection system is disclosed that comprises listener(s) that receive and store data including non-personal identifiable information (PII) and PII in data sets in a database and agent(s) that access each data set from the database, obtain the non-PII data and exclude the PII data to create non-PII data sets, and transmit the non-PII data sets to a third-party server. The system further comprises an anonymization framework that obtains the PII data from the data sets and stores some of the PII data in a raw PII data set. The anonymization framework distributes anonymization work on the stored PII data to queues based on hashed device identifiers associated with the stored PII data, performs the anonymization work on the stored PII data according to the queues to create an anonymized PII data set, and transmits the anonymized PII data set to the third-party server.

Abstract: A processor may identify a new application on a device. The processor may receive, from the device, user data. The user data may include user profile information and user activity information. The processor may evaluate the user data. The evaluating of the user data may include designating a security level to the user data. The processor may determine, from evaluating the user data, that a default security configuration for the new application is not secure. The processor may automatically generate a customized security configuration for the new application. The processor may apply the customized security configuration to the new application.

Abstract: Disclosed is a system and method for providing secure access control to an electronic network or device. By limiting the ability of a single administrator to act unilaterally without the agreement and/or notification of further system administrators, the data integrity and security of stored data, such as email accounts, may be enhanced and risk of compromise ameliorated. By permitting multiple administrators acting in a concert of action to access stored data, such as without notification of the email account holder, potential misconduct by email account holders may be audited.

Abstract: Disclosed herein is a social media platform profile identification and social discovery feature. Disclosed social media networks enable introduction of users that may not otherwise know one another based on commonality between those users. Social media profiles are identified by digital objects instead of or in addition to more traditional indexing methods such as real names or screen names. Social discovery on a social network is performed via matching to similar behavior profiles in activity monitored by a block explorer. Machine learning models categorize behavior patterns observed by the block explorer into a machine recognized glossary. Social networks further recommend actions by users based on the monitored online behaviors of social connections.

Abstract: Devices and techniques for replay protection nonce generation are described herein. A hash, of a first length, can be produced from a first input. A first subset of the hash can be extracted as a selector. A second subset of the hash can be selected using the selector. Here, the second subset has a second length that is less than the first length. The second subset can be transmitted as a nonce for a freshness value in a replay protected communication.

Abstract: A threat management facility stores a number of entity models that characterize reportable events from one or more entities. A stream of events from compute instances within an enterprise network can then be analyzed using these entity models to detect behavior that is inconsistent or anomalous for one or more of the entities that are currently active within the enterprise network.

Abstract: Methods, systems, and computer storage media for providing resource policy management based on a pre-commit verification engine are provided. Pre-commit verification operations are executed to simulate committing a policy, in a distributed computing environment, for test request instances, without actually committing the policy. In operation, a policy author communicates a policy and one or more test request instances. Based on the policy and the test request instances, an access control manager simulates committing the policy for the test request instances to the computing environment. Simulating committing the policy for test request instances is based on an existing set of policies including a live version of the policy and contextual information corresponding to the policy and the test request instances for the computing environment in which the policy will be applied.

Abstract: An inline network traffic monitor is deployed inline between two endpoints of a computer network. A particular endpoint of the two endpoints works in conjunction with the inline network traffic monitor to decrypt encrypted network traffic transmitted between the two endpoints. A series of Change Cipher Spec (CCS) messages is exchanged between the inline network traffic monitor and the particular endpoint during a Transport Layer Security (TLS) handshake between the two endpoints. The series of CCS messages allows the particular endpoint and the inline network traffic monitor to detect each other on the computer network. After detecting each other's presence, the particular endpoint sends the inline network traffic monitor a session key that is used by the two endpoints to encrypt their network traffic. The inline network traffic monitor uses the session key to decrypt encrypted data of the network traffic transmitted between the two endpoints.

Abstract: Systems and methods for analyzing applications (“apps”) on a mobile device for security risks for a company while maintaining the mobile device owner's privacy and confidentiality concerning the applications. The mobile device may be a user's personal device (a “bring your own device”). In an example method, a process generates one or more cryptographic representations of application information for each application on the mobile device. The cryptographic representations may comprise a hash or composite hash. The cryptographic representations may be transmit outside the mobile device to a system which makes a determination and provides an indication whether the application is permitted or not permitted for use at the company. The company can be associated with a hashed permitted or not permitted list. The application information can include application name, executable code, and a version number. The method may include automatically remediating the application if it matches a known risk.

Abstract: The present disclosure relates to techniques for developing artificial intelligence algorithms by distributing analytics to multiple sources of privacy protected, harmonized data. Particularly, aspects are directed to a computer implemented method that includes receiving an algorithm and input data requirements associated with the algorithm, identifying data assets as being available from a data host based on the input data requirements, curating the data assets within a data storage structure that is within infrastructure of the data host, and integrating the algorithm into a secure capsule computing framework. The secure capsule computing framework serves the algorithm to the data assets within the data storage structure in a secure manner that preserves privacy of the data assets and the algorithm. The computer implemented method further includes running the data assets through the algorithm to obtain an inference.

Abstract: A method of receiving one or more signals emanated from a monitored device, signal processing, based on a software model and a hardware-software (HW/SW) interaction model of the monitored device, one or more signals to determine if an anomaly exists in one or more signals, and responsive to determining that an anomaly exists based on the signal processing, transmitting an indication of the anomaly.

Abstract: Cluster state information is generated in response to a request to establish a connection with a cloud service system. The cluster state information includes a first instance of a security token and host information. The cluster state information is provided to a web browser associated with a user. The web browser associated with the user is redirected to a cloud identity provider. The cloud identity provider is configured to provide to the cloud service system via the web browser associated with the user, the cluster state information that includes the first instance of the security token and the host information. A certificate is requested from the cloud service system. The cluster state information that includes a second instance of the security token is provided to the cloud service system. The cloud service system is configured to establish the connection based on comparison between the first instance of the security token and the second instance of the security token.

Abstract: The present disclosure provides an authentication method of an IoT device, an IoT device, a cloud server, an IoT authentication system and a computer readable medium. The authentication method includes: calculating account information corresponding to the IoT device according to an identifier and preset attribute information of the IoT device; and sending the account information to a cloud server, to cause the cloud server to perform identity authentication on the IoT device according to the account information.

Abstract: Physically supplied user information is used to first verify the identity of a user before an app is supplied to a user device. Hardware identifiers of the user device are reviewed to determine whether to allow or deny use of the app on the user device. Once the app is approved, a user request is received by the app which is forwarded to the provider. The provider approves or disapproves of the request based, in part, on whether data in the request matches data maintained by the provider. Such approval/disapproval is provided from the provider to a party responsible for satisfying the user request. In addition, the provider generates a one-time-use electronic signature using data from a sequencer and data from the request, and the one-time-use electronic signature can be supplied to a signature repository and/or added to legal documents.

Abstract: Among other things, this document describes systems, methods and devices for discovering and identifying client devices that attempt to access out-of-policy network services via a secure web gateway (or other network security gateway) that lacks visibility into the client network actual IP space. This is a common problem with cloud hosted SWG services that enforce access policy from outside of a customer network (e.g., external to an enterprise network), due to network address translation at the interface between the customer network and the public Internet where the cloud-hosted SWG resides. The teachings hereof address this problem. In one embodiment, a cloud hosted SWG can redirect a client to a bouncer device inside the customer network; that bouncer device can capture the actual client IP address.

Abstract: A system for providing a service may include a user device executing an application. The application may have an authorization token associated therewith to authenticate a given user to the service. The system may also include a server executing the service, and a virtual assistant to receive a request to access the service via the virtual assistant and communicate the request to the server. The server may determine whether the token has been obtained thereat based upon the identifier. When the token has been received by the server, the server may determine whether the token has expired, and when not expired, the server may process the request. When the token has not been received by the server, the server may obtain the token from the user device, and process the request based upon obtaining the token from the user device.

Abstract: Methods, systems and computer program products are provided to determine an individual's risk of being targeted by a cyberattack based on quantifying their online presence. In some embodiments, online information pertaining to an individual, accessible through the clear web (e.g., Internet) or the dark web, is identified and used to calculate a digital vulnerability (DV) score. The DV score is used to determine the susceptibility of an individual of being targeted for a cyberattack or cybercrime based upon their online presence, and may be computed based upon personally identifying information (PII) features present on clear web and deep/dark web resources.

Abstract: An information handling system for providing comprehensive remote authorized access to multiple equipment in a datacenter. A mobile device security credential is first authenticated before access information is configured in the mobile device using a short-range wireless interface. The configured access information is mapped to the equipment and the corresponding access token and encryption keys from the equipment are received by the mobile device. The mobile device uses the access token and the encryption keys to simultaneously access the equipment through a long-range wireless interface. The simultaneous access includes parallel accessing of the equipment at a next accessing instance without requiring re-authentication. With the accessed equipment, the mobile device manages the accessed equipment based on the configured access information.

Abstract: A method and a network node for managing access, by a device, to a blockchain. The network node receives, a first request for creation of a first account. The first request includes information relating to a user of the device and a first hash value. The network node creates, based on the information and the first hash value, the first account on the blockchain, whereby a first address is obtained. The network node receives, a second request for recovering account information of the first account. The second request includes the first address of the first account, a source value from which the first hash value is derived and a second address of a second account. The network node generates a second hash value based on the source value. The network node initiates transfer of the account information of the first account to the second account.

Abstract: The present disclosure generally relates to one or more line replacement units (“LRUs”) for an airplane including a method for provisioning a second line replacement unit (“LRU”) using a first LRU in an airplane. The method includes providing, by the first LRU, a communication to the second LRU to request a certificate signing request (“CSR”) based on a public-private key pair generated by the second LRU; obtaining the CSR from the first LRU; providing the CSR and a certificate revocation request for a replaced LRU to a certificate authority (“CA”); obtaining a composite airline modifiable information (“AMI”) comprising a public key certificate associated with a private key generated by the first LRU; and providing the composite AMI to the first LRU.