Patents Examined by Michael R Vaughan
  • Patent number: 11416603
    Abstract: Methods, systems, articles of manufacture and apparatus to detect process hijacking are disclosed herein. An example apparatus to detect control flow anomalies includes a parsing engine to compare a target instruction pointer (TIP) address to a dynamic link library (DLL) module list, and in response to detecting a match of the TIP address to a DLL in the DLL module list, set a first portion of a normalized TIP address to a value equal to an identifier of the DLL. The example apparatus disclosed herein also includes a DLL entry point analyzer to set a second portion of the normalized TIP address based on a comparison between the TIP address and an entry point of the DLL, and a model compliance engine to generate a flow validity decision based on a comparison between (a) the first and second portion of the normalized TIP address and (b) a control flow integrity model.
    Type: Grant
    Filed: January 11, 2019
    Date of Patent: August 16, 2022
    Assignee: Intel Corporation
    Inventors: Zheng Zhang, Jason Martin, Justin Gottschlich, Abhilasha Bhargav-Spantzel, Salmin Sultana, Li Chen, Wei Li, Priyam Biswas, Paul Carlson
  • Patent number: 11412002
    Abstract: Enforcing different policy rules that are applicable to different types of data. A plurality of DIDs and a plurality of storages are managed by a computing system. Each of the plurality of storages is associated with at least one of the plurality of DIDs. Receive a request from an entity for operating on data stored or to be stored in one of the plurality of storages. Determine a type of the data requested to be operated on. Access one or more policy rules that are applicable to the type of the data. Based on the accessed one or more policy rules, determine whether the operation to be performed on the data will result in the data complying with the one or more policy rules. Based on the determination, allow or deny the request.
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: August 9, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel James Buchner, Brandon Murdoch, Ankur Patel
  • Patent number: 11411955
    Abstract: Enforcing different policy rules that are applicable to different types of data stored at a decentralized storage service that uses a distributed ledger to authenticate and/or authorize users. Receive a request from an entity for operating on data stored or to be stored in a storage that is associated with a DID. A type of data that is requested to be operated on is then determined. One or more policy rules that are applicable to the determined type of data are accessed. Based on the one or more policy rules, determine if the operation to be performed on the data will result in the data complying with the one or more policy rules. Based on the determination, allow the request when the operation will result in the data complying with the one or more policy rules.
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: August 9, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel James Buchner, Brandon Murdoch, Ankur Patel
  • Patent number: 11405402
    Abstract: A method for implementing a private computer network over which digital assets can be securely managed, the method comprising: implementing an autonomous network agent on each of a plurality of network devices that are communicable over a digital communications medium, the autonomous network agent being operable to execute a network program that is embodied as program code in a blockchain that is stored and synchronised by the respective network devices, the network program defining permissible network defined digital asset types and corresponding functions.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: August 2, 2022
    Assignee: BLOCKCHAIN IT SOLUTIONS PTY LTD
    Inventor: Zackery Robison
  • Patent number: 11399042
    Abstract: A system for autonomous control in power systems is disclosed. In particular, a secure overlay communication model (“SOCOM”) is disclosed, the system including a combination of hardware and software for detecting power grid states, and determining appropriate actions for addressing detected states. The SOCOM is a logic-based system deployed onto computing devices such as field programmable gate arrays installed at bus controllers, Supervisory Control and Data Acquisition Systems (“SCADAs”), Intelligent Electronic Devices (“IEDs”), or other computing devices in power grid stations and substations. The logic-based nature of the SOCOM allows for seamless integration with preexisting power system equipment. In response to detecting various power grid faults such as line failures and over-current states, the system automatically rearranges power line configurations at the power stations and/or substations.
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: July 26, 2022
    Assignee: George Mason University
    Inventors: Eniye Tebekaemi, Duminda Wijesekera
  • Patent number: 11374767
    Abstract: A method and system for performing authentication for a backup service provided by a server is provided. The method receives a request for authentication from a client device, the request for authentication including a signature generated using a private key. The method sends a request to obtain a public key corresponding to the private key to the server and receives the public key from the server, the public key being retrieved by the server from a backup of a virtual machine. The method verifies the signature using the public key and generates a token encrypted using the public key, the token enabling the client device to access the server for the backup service. The method sends the token to the client device, the token to be decrypted using the private key by the client device.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: June 28, 2022
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Jing Yu, Ming Zhang, Kunal Ruvala, Xiaoliang Zhu, Min Liu
  • Patent number: 11372977
    Abstract: Methods, systems, devices and apparatuses for securely providing an over-the-air firmware upgrade. The system includes an embedded device configured to receive the firmware upgrade. The system includes a server having a memory configured to store a first key encryption key, the firmware upgrade and a firmware key and having a processor coupled to the memory. The processor is configured to obtain the firmware upgrade, the firmware key and the first key encryption key. The processor is configured to encrypt the firmware upgrade using the firmware key. The processor is configured to encrypt the firmware key with the first key encryption key and transmit the encrypted firmware upgrade and the encrypted firmware key to the embedded device.
    Type: Grant
    Filed: November 12, 2018
    Date of Patent: June 28, 2022
    Assignee: THIRDWAYV, INC.
    Inventors: Michael Atef Ayoub, Nabil Wasily
  • Patent number: 11356448
    Abstract: A private network includes a plurality of network security appliances participating in authenticating end users. Each network security appliance maintains a locally stored user list. A first network security appliance receives at least a portion of a non-local user list comprising second user identifier records for a second network security appliance of the plurality of network security appliances. The first network security appliance compares the local user list with the non-local user list received from the second network security appliance to identify one or more deviations. The first network security appliance merges the portion of the second user identifier records of the non-local user list corresponding with the one or more deviations with the first user identifier records of the local user list to generate an updated local user list. The first network security appliance authenticates a request to access the network using the updated local user list.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: June 7, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Kanti Varanasi, Robin Singh, Naji Abdulla
  • Patent number: 11356258
    Abstract: Methods and systems for cryptographically secured data validation. The system includes a first validator. The first validator is designed and configured to receive a first instance of an immutable sequential data structure containing at least a first digitally signed textual element containing at least a first physical asset transfer field populated with at least a first physical asset transfer datum and at least a second digitally signed textual element generated by a second validator. The first validator authenticates the first instance of the immutable sequential data structure. The first validator generates at least a second validity flag indicating a determination by the first validator as to the accuracy of the at least a first physical asset transfer field. The first validator detects a conflict between the at least a first validity flag and the at least a second validity flag. The first validator transmits to the at least a second validator an indication of the conflict.
    Type: Grant
    Filed: May 14, 2020
    Date of Patent: June 7, 2022
    Assignee: PITT-OHIO Express, LLC
    Inventors: Tom Serres, Bettina Warburg, Chuck Hammel, IV
  • Patent number: 11343255
    Abstract: Techniques are provided for question delegation and security enforcement. One exemplary method comprises providing a third party with a question obtained from a user and a corresponding user security policy; providing a security policy response from the third party to the user indicating an acceptance of the corresponding user security policy or any proposed modifications to the corresponding user security policy for the question; performing the following steps once there is an agreement between the user and the third party regarding an accepted security policy for the question: monitoring responses to the question; enforcing directives within the accepted security policy for the question, wherein the directives comprise one or more triggers mapped to a security control and/or a compliance control for the question, and wherein each trigger has a corresponding predefined enforcement action; and performing the corresponding predefined enforcement action when a given trigger is detected.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: May 24, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Naveen Sunkavally, Brian C. Mullins
  • Patent number: 11336640
    Abstract: Methods and systems for authorizing a service request between two services in a network environment are disclosed. One method includes, in a recurring background process occurring separate from a service request, having a target service obtain a pre-authorization token including a signature of the request service. In response to confirming the pre-authorization token was issued by the request service, the pre-authorization token is acknowledged and stored for access by instance(s) of the target service. The acknowledged pre-authorization token is saved for use with service requests to the target service from the request service. In response to receiving a service request including a pre-authorization token at an instance of the target service, the method confirms the pre-authorization token matches a stored, acknowledged pre-authorization token, and, if so confirmed, authorizes the service request. Pre-authorization tokens have a set duration.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: May 17, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Felipe Leon
  • Patent number: 11336678
    Abstract: Application security analysis including systems and methods for analyzing applications for risk is provided. In an example method, the applications reside on a mobile device configurable to access an enterprise system. The example method includes evaluating each of a plurality of applications variously for privacy, data leakage, and malicious behavior. The example method also includes calculating a risk score for each of the plurality of applications based on the evaluating; and automatically remediating (e.g., quarantining) the applications, of the plurality of applications, for which the risk score meets or exceeds a risk score threshold. The method may evaluate all of the applications residing on a mobile device. The method may include grouping application behaviors, for each of the applications, that indicate an increased risk into groups comprising two or more of privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: May 17, 2022
    Assignee: Proofpoint, Inc.
    Inventors: David Alexander Jevans, Suresh Kumar Basandra
  • Patent number: 11335214
    Abstract: Systems and methods are provided for encrypting and decrypting data using visually encoded ciphertext. The method includes selecting, using a graphical user interface coupled to an electronic device, one or more portions of a document to be encrypted, visually encoding the selected one or more portions of the document, generating a visual representation, wherein the visual representation corresponds to encrypted content, and replacing the selected one or more portions of the document with the visual representation. The method further includes displaying, to the user, the visual representation, capturing the visual representation using one or more cameras, decoding the visual representation, obtaining the encrypted content, and decrypting the encrypted content, generating decrypted content.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: May 17, 2022
    Inventors: Andrea G. Forte, Vishal K. Singh
  • Patent number: 11336430
    Abstract: Disclosed herein are system, method, and device embodiments for an authentication workflow incorporating blockchain technology. An embodiment operates by requesting, from a distributed authentication service, transmission of a time-based one-time password to a communication endpoint associated with an end-user, receiving a time-based one-time password submission from a user device associated with the end-user, retrieving a plurality of distributed ledger entries (e.g., a plurality of blocks of a blockchain), and validating the time-based one-time password submission based on the plurality of distributed ledger entries as a part of a two-factor authentication workflow.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: May 17, 2022
    Assignee: SAP SE
    Inventors: Bhomik Pande, Steven Garcia, Vaibhav Vohra, Rohit Tripathi, Fernando Nakano
  • Patent number: 11329962
    Abstract: The present document describes systems and methods that provide an envelope including an encrypted message and a data encryption key reference. A message is encrypted with a data encryption key to produce an encrypted message. The data encryption key is further encrypted using a key encrypting key to produce an encrypted data encryption key. An envelope including the encrypted message and the data encryption key reference is then provided to a recipient.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: May 10, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11310246
    Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.
    Type: Grant
    Filed: August 10, 2018
    Date of Patent: April 19, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Martin Rehak, David McGrew, Blake Harrell Anderson, Scott William Dunlop
  • Patent number: 11310217
    Abstract: Methods and systems for using ephemeral URL passwords to deter high volume attacks are described. A request to access one of several protected URLs is detected from a client computing device. A URL password is received from the client computing device. The request is redirected to the protected URL upon determining that the received URL password is valid for the one of the several protected URLs.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: April 19, 2022
    Assignee: PAYPAL, INC.
    Inventor: John Franco
  • Patent number: 11303450
    Abstract: Systems and methods are disclosed for securely communicating sensitive data (e.g., interaction data) during a process for offline authentication. A data packet may be received by an access device from a user device in a one-way communication. The data packet may be converted to obtain interaction data comprising a digital certificate certified by the certificate authority and a digital signature value generated by the user device. A second public key associated with the user device may be obtained utilizing the digital certificate and the first public key associated with the certificate authority. The validity of the interaction data may be determined based at least in part on the digital signature value and the second public key associated with the user device. When the interaction data is determined to be valid, an identifier of the interaction data may be authorized and access may be provided based on this authorization.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: April 12, 2022
    Assignee: Visa International Service Association
    Inventors: Hao Ngo, Yuexi Chen, Thomas Bellenger
  • Patent number: 11303657
    Abstract: The behavior analysis engine can condense stored machine-learned models and transmit the condensed versions of the machine-learned models to the network traffic hub to be applied in the local networks. When the behavior analysis engine receives new data that can be used to further train a machine-learned model, the behavior analysis engine updates the machine-learned model and generates a condensed version of the machine-learned model. The condensed version of the machine-learned model may be more resource efficient than the machine-learned model while capable of making similar or the same decisions as the machine-learned model. The behavior analysis engine transmits the condensed version of the machine-learned model to the network traffic hub and the network traffic hub uses the condensed version of the machine-learned model to identify malicious behavior in the local network.
    Type: Grant
    Filed: March 1, 2018
    Date of Patent: April 12, 2022
    Assignee: Cujo LLC
    Inventors: Leonid Kuperman, Yuri Frayman, Einaras von Gravrock, Gabor Takacs
  • Patent number: 11295030
    Abstract: A method for sharing data in a multi-tenant database includes generating a share object in a first account comprising a share role. The method includes associating one or more access rights with the share role, wherein the one or more access rights indicate which objects in the first account are accessible based on the share object. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account. The method further includes providing a response to the second account based on the data or services of the first account.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: April 5, 2022
    Assignee: SNOWFLAKE INC.
    Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec