Patents Examined by Noura Zoubair
  • Patent number: 11265297
    Abstract: Sharing context between web frames increases consistent application of security policies, without requiring changes to a document object model. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a context in frame creation or frame navigation code. Thus, context such as a domain identification is made available for sharing between the first web frame and a second web frame without altering a document object model of a web page of the first web frame, and without imposing a same-origin policy workaround. Sharing the context allows the proxy to ascertain a policy based on the context, so it can apply the policy in reactions to subsequent requests. Context sharing allows window frames to be associated together in the proxy, and informs browser rendering.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: March 1, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Guy Lewin, Itamar Azulay, Lucy Goldberg
  • Patent number: 11265154
    Abstract: A first network node (100; 200) is configured to: compute a first shared key (245) to protect confidentiality from the first identity of the second network node and the local key material to protect confidentiality of the first network node; compute a second shared key (246) to protect integrity from the second identity of the second network node and the local key material to protect integrity of the first network node; encrypt a message using the first shared key; and compute a first message authentication code over the message using the second shared key.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: March 1, 2022
    Assignee: Koninklijke Philips N.V.
    Inventor: Maarten Peter Bodlaender
  • Patent number: 11256828
    Abstract: Various systems, methods, and apparatuses relate to managing data transmissions from one or more Internet of Things (IoT) devices. A method includes discovering, by a discovery engine, one or more Internet of Things (IoT) devices; tracking, by the discovery engine, data transmission from the one or more IoT devices; generating, by a privacy lens communicably coupled to the discovery engine, a privacy rule regarding the data transmission from the one or more IoT devices; and applying, by the privacy lens, the privacy rule to the one or more IoT devices, the privacy rule configured to control data transmission from the one or more IoT devices.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: February 22, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Caroline Machado, Nishant Usapkar, Dominik Vltavsky
  • Patent number: 11244034
    Abstract: Techniques for performing identity and access management for an equipment-specific human machine interface (HMI) are provided. One technique includes detecting via an HMI application configured to control an equipment a request from a user agent to access a configuration of the equipment. In response to the detection, the request is re-directed from a first authentication mechanism used by the HMI application to control access to the equipment to a second authentication mechanism provided by an identity provider. After re-directing the request to the identity provider, it is determined that the user agent has been successfully authenticated using the second authentication mechanism. An access grant is then provided, via the HMI application, to the user agent in response to the request to access the configuration of the equipment.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: February 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ramesh Nagappan, Jitender Arora
  • Patent number: 11232214
    Abstract: Methods, systems, and computer-readable media are directed towards receiving, at an untrusted component, a query for a data store. The query includes a plurality of data operations. The data store is accessible by the untrusted component. A first proper subset of data operations is determined from the plurality of data operations that do not access sensitive data within the data store. A second proper subset of data operations is determined from the plurality of data operations that access sensitive data within the data store. The first proper subset of data operations is executed, at the untrusted component, to create first results. The second proper subset of data operations is sent to a trusted component for execution. Second results based on the sending of the second proper subset of data operations are received from the trusted component. Results to the query are returned based on the first results and the second results.
    Type: Grant
    Filed: May 13, 2020
    Date of Patent: January 25, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shriraghav Kaushik, Arvind Arasu, Spyridon Blanas, Kenneth H. Eguro, Manas Rajendra Joglekar, Donald Kossmann, Ravishankar Ramamurthy, Prasang Upadhyaya, Ramarathnam Venkatesan
  • Patent number: 11232184
    Abstract: A device authenticates a request to verify a user. The device accesses a face image that depicts a face of the person and includes a characteristic noise pattern inserted by a camera of the device. The device also accesses a geolocation at which the device captured the face image and inputs the face image and the geolocation into an artificial intelligence engine that outputs a face score, a device score, and a location score. The device next submits the request with the scores to a server machine and obtains an authentication score from the server machine. The device then presents an indication that the request to verify the person is authentic based on a comparison of the obtained authentication score to a threshold authentication score.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: January 25, 2022
    Assignee: Callsign Inc.
    Inventors: Gabriel Dominguez Conde, Yogesh Kumar Jitendra Patel, Peter Alexander Foster
  • Patent number: 11227064
    Abstract: Systems, methods, and apparatuses for providing a central location to manage permissions provided to third-parties and devices to access and use user data and to manage accounts at multiple entities. A central portal may allow a user to manage all access to account data and personal information as well as usability and functionality of accounts. The user need not log into multiple third-party systems or customer devices to manage previously provided access to the information, provision new access to the information, and to manage financial or other accounts. A user is able to have user data and third-party accounts of the user deleted from devices, applications, and third-party systems via a central portal. The user is able to impose restrictions on how user data is used by devices, applications, and third-party systems, and control such features as recurring payments and use of rewards, via a central portal.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: January 18, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Lila Fakhraie, Brian M. Pearce, Steven Pulido, Benjamin Soccorsy, James Stahley, Mojdeh Tomsich
  • Patent number: 11216561
    Abstract: In an example, a machine-readable medium includes instructions that, when executed by a processor, cause the processor to order, as part of an execution of a trusted process, a plurality of processes into a sequence comprising a first process, at least one intermediate process, and a last process. The machine-readable medium may further comprise instructions to cause the processor to generate, as part of an execution of the first process, a value based on a code portion of the process following the first process in the sequence, and to generate, as part of an execution of each intermediate process, a respective value based on the value generated by the process preceding the intermediate process in the sequence and based on a code portion associated with the process following the intermediate process in the sequence.
    Type: Grant
    Filed: April 18, 2017
    Date of Patent: January 4, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Remy Husson, Adrian Baldwin, Daniel Ellam
  • Patent number: 11212257
    Abstract: A multi-level secure switch includes a security enforcer logic chip, a switch chip, a management processor, and a plurality of physical ports. The security enforcer logic chip is configured to receive and transmit a plurality of data packets, each having an associated security level. The switch chip is configured to transmit the data packets to and receive the data packets from the security enforcer logic chip. The management processor is configured to provide security parameters to the security enforcer logic chip. Each of the plurality of physical ports has an associated security threshold and transmits and receives data packets to and from the security enforcer logic chip. The security enforcer logic chip is configured to transmit a data packet to a physical port only when the security level associated with the data packet is compatible with the security threshold associated with the physical port.
    Type: Grant
    Filed: June 22, 2018
    Date of Patent: December 28, 2021
    Assignee: Aeronix, Inc.
    Inventors: Geoffrey Miller, Terry Strickland
  • Patent number: 11205004
    Abstract: According to one embodiment, a system receives an intermediate result generated by a compiler based on source code, where the intermediate result includes one or more vulnerability indicators indicating one or more lines of the source code being potentially vulnerable. The system performs a grey box fuzzing on a first executable code generated from the intermediate result to generate a first set of seed inputs. The system calculates a vulnerability score for each of the seed inputs of the first set based on the vulnerability indicators for the lines of the source code that are reachable but have not been explored by the grey box fuzzing. The system selects one of the seed inputs in the first set having a highest vulnerability score. The system performs a concolic execution using the selected seed input as priority, the concolic execution being performed on a second executable code generated from the intermediate result.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: December 21, 2021
    Assignee: BAIDU USA LLC
    Inventors: Peng Li, Yulong Zhang, Tao Wei
  • Patent number: 11190540
    Abstract: The technology disclosed relates to detecting a data attack on a local file system. The detecting includes scanning a list to identify files of the local file system that have been updated within a timeframe, reading payloads of files identified by the scanning, calculating current content properties from the payload of the files, obtaining historical content properties of the files, determining that a malicious activity is in process by analyzing the current content properties and the historical content properties to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current content properties and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the machine/user.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: November 30, 2021
    Assignee: Netskope, Inc.
    Inventors: Sean Hittel, Krishna Narayanaswamy, Ravindra K. Balupari, Ravi Ithal
  • Patent number: 11184355
    Abstract: Aspects of the disclosure relate to preventing unauthorized access to secured information systems. A computing platform may receive, from an end user desktop computing device, a request to login to a user account associated with a user account portal. In response to receiving the request, the computing platform may generate an authentication token in an authentication database and may send a notification to at least one registered device linked to the user account. After sending the notification, the computing platform may receive, from the at least one registered device, an authentication response message. If the authentication response message indicates that valid authentication input was received, the computing platform may update the authentication token to indicate that the request to login to the user account has been approved. After updating the authentication token, the computing platform may provide, to the end user desktop computing device, access to a portal interface.
    Type: Grant
    Filed: April 7, 2021
    Date of Patent: November 23, 2021
    Assignee: Bank of America Corporation
    Inventors: Ashish Arora, Muniraju Jayaramaiah, Xianhong Zhang
  • Patent number: 11184326
    Abstract: A system and method for intercepting intra-network traffic for smart appliance behavior analysis. A network traffic hub is configured to intercept network traffic between a switch and a router. A smart appliance sends a message to the router, such as a DHCP request when the smart appliance joins the network. The router sends a response to the smart appliance. The network traffic hub intercepts and modifies the response to instruct the smart appliance to send all future intra-network traffic through the network traffic hub and the router. In some embodiments, the network traffic hub alters a network mask in the response message to instruct the smart appliance to send traffic through the network traffic hub. The network traffic hub then extracts data from the network traffic and uses that data for behavior analysis of smart appliances.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: November 23, 2021
    Assignee: Cujo LLC
    Inventor: Pedro de Alvarenga Bastos
  • Patent number: 11178166
    Abstract: A methodology as described herein allows cyber-domain tools such as computer-aided manufacturing (CAM) to be aware of the existing information leakage. Then, either machine process or product design parameters in the cyber-domain are changed to minimize the information leakage. This methodology aids the existing cyber-domain and physical-domain security solution by utilizing the cross-domain relationship.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: November 16, 2021
    Assignee: THE REGENTS OF THE UNIVERSITY OF CALIFORNIA
    Inventors: Mohammad Abdullah Al Faruque, Jiang Wan, Sujit Rokka Chhetri, Sina Faezi
  • Patent number: 11178172
    Abstract: The technology disclosed relates to detecting a data attack on a file system stored on an independent data store. The detecting includes scanning a list to identify files of the independent data store that have been updated within a timeframe, assembling current metadata for files identified by the scanning, obtaining historical metadata of the files, determining that a malicious activity is in process by analyzing the current metadata of the files and the historical metadata to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current metadata of the files and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the determined machine/user.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: November 16, 2021
    Assignee: NETSKOPE, INC.
    Inventors: Sean Hittel, Krishna Narayanaswamy, Ravindra K. Balupari, Ravi Ithal
  • Patent number: 11163889
    Abstract: A system provides analysis of computer application vulnerabilities via multidimensional correlation and prioritization. The system may begin by generating a data repository of each application within a computing environment. Once the data repository is generated, the system may assess the dependencies, relationships, and vulnerabilities of the applications and processes used within the system. The system may perform assessments across multiple dimensions and/or metrics (e.g., impacts on users, devices, networks, applications, and/or data). Based on performing said assessments, the system may calculate relatedness and/or dependency scores across the dimensions or metrics, where the scores may be used to generate a prioritization scheme for making changes to application code or applying updates.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: November 2, 2021
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Brian Diederich
  • Patent number: 11159567
    Abstract: Methods, systems, and computer program products are described herein for detecting malicious cloud-based resource allocations. Such detection may be achieved using machine learning-based techniques that analyze sequences of cloud-based resource allocations to determine whether such sequences are performed with a malicious intent. For instance, a sequence classification model may be generated by training a machine learning-based algorithm on both resource allocation sequences that are known to be used for malicious purposes and resource allocation sequences that are known to be used for non-malicious or benign purposes. Using these sequences, the machine learning-based algorithm learns what constitutes a malicious resource allocation sequence and generates the sequence classification model.
    Type: Grant
    Filed: August 11, 2018
    Date of Patent: October 26, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ram Haim Pliskin, Roy Levin
  • Patent number: 11146399
    Abstract: One or more embodiments described herein disclose methods and systems that are directed at facilitating access to and retrieval of data concealed on a distributed ledger-based network (DLN) with the use of zero-knowledge proof (ZKP) techniques. The methods and systems allow for the encryption, using an encryption key, of data related to a transaction between participants of the DLN, the encryption of the encryption key using a public key of an auditor of the transaction, and the generation of a ZKP that the encryption key used to encrypt the data corresponds to the encryption key encrypted using the public key such that the encrypted encryption key and/or the encrypted data are available to the auditor after the ZKP is verified by a self-executing code segment of the DLN. The ZKP also includes a proof that the encrypted data includes the transaction data.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: October 12, 2021
    Inventors: Duncan James Westland, Chaitanya Reddy Konda, Paul Richard Brody
  • Patent number: 11128633
    Abstract: Systems and methods are provided for receiving a request to access a service catalog from a computing device associated with a tenant with authorization to access a custom microservice and the core microservices of the service catalog, and determining that the service catalog associated with the tenant comprises the custom microservice. The systems and methods further provide for determining routing information from the service catalog to make a request to the custom microservice, routing the request to the custom microservice based on the determined routing information, wherein the request is routed to a tenant computing system associated with the custom microservice, receiving a payload from the tenant computing system associated with the custom microservice, and generating a user interface comprising representations corresponding to the custom microservice and each of the core microservices, the representations corresponding to the custom microservice based on the received payload.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: September 21, 2021
    Assignee: SAP SE
    Inventors: Anubhav Bhatia, Patrick Brose
  • Patent number: 11122036
    Abstract: Systems and methods are provided for use in enabling, providing, and managing digital identities in association with mobile communication devices. One exemplary method includes capturing an image of a physical document comprising a biometric of a user associated with the physical document, and extracting the biometric from the image and converting it to a biometric template. The method also includes capturing a biometric of the user and comparing it to the biometric template. The method then includes, when the captured biometric matches the biometric template, transmitting a message to an identification provider comprising at least the image of the physical document and the biometric template, whereby the biometric template is verified against a repository, and binding data representative of the mobile communication device, a mobile application included therein, and the biometric template and/or the captured biometric of the user into a token.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: September 14, 2021
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Sumeet Bhatt, Ashfaq Kamal