Patents Examined by Shin Hon (Eric) Chen
-
Patent number: 12373518
Abstract: A device with one-time-programmable (OTP) memory, boot code, volatile memory, and non-volatile memory. Boot code may use information in OTP to authenticate code of an implicit owner of the electronic device; receive a first create owner container request; create a first owner container comprising a first signed data image; store the first owner container; and use the first signed data image to authenticate first executable code associated with the first owner. Boot code may transfer ownership from the first owner to a second owner, including authenticating a signed transfer of ownership command using a key stored in the first owner container and creating a second owner container comprising a second signed data image associated with the second owner; storing the second owner container; revoking the first owner container; and using the second signed data image to authenticate second executable code associated with the second owner of the electronic device.
Type: Grant
Filed: February 26, 2023
Date of Patent: July 29, 2025
Assignee: Microchip Technology Incorporated
Inventors: Eileen Marando, Richard Wahler, Arun Krishnan, Randy Goldberg
-
Patent number: 12369029
Abstract: Various systems and methods for dynamic access policy provisioning in a connected device framework are described herein. In an example, the techniques for policy provisioning may include resource update access policy automation, directory resource access policy automation, or hidden resources access policy automation, as monitored and operated with an access management service (AMS). In an example, the AMS monitors resources to receive a notification when they change. If the change observed is an addition or deletion of a resource object, the AMS responds by performing security analysis of devices hosting the new resource(s), which may further result in device onboarding actions. The AMS may further respond by evaluating link semantics to determine which other devices and resources may need updated access control list (ACL) policies.
Type: Grant
Filed: February 14, 2022
Date of Patent: July 22, 2025
Assignee: Intel Corporation
Inventors: Ned M. Smith, Nathan Heldt-Sheller
-
Patent number: 12361147
Abstract: A method of managing distribution of a document and access to its contents with security in a network having nodes is described. The nodes may have digital processors for remote communication over a wide area network and local data stores. The exemplary method includes a node sending a document in encrypted format and including a payload, and control data including destination data, access control data, and signature data, and a document destination list. The sending node may only send the document to nodes on the destination list. A node may receive the document, decrypt at least some of the document, and process the document according to the control data by extracting the control data and managing document payload access and document storage and user access according to the control data.
Type: Grant
Filed: August 5, 2022
Date of Patent: July 15, 2025
Assignee: Icon Clinical Research Limited
Inventors: Ronan Fox, Sean Kelly, Thomas O'Leary, Anthony Clarke
-
Patent number: 12353421
Abstract: A data analytics system is disclosed that can include a data repository configured to store data for multiple clients, a metadata repository separate from the data store, an access control system, and a policy store. The data analytics system can automatically generate metadata for data in the data repository using a metadata engine, the metadata including technical metadata and usage metadata, and store the metadata in the metadata repository. The data analytics system can obtain a client policy governing access to the data. The data analytics system can receive a request to provide the data, the request including instructions to create a pipeline to provide the data. The data analytics system can authorize, by the access control system, the request using the policy and usage metadata; create the pipeline using the technical metadata; and provide the data using the pipeline.
Type: Grant
Filed: October 18, 2023
Date of Patent: July 8, 2025
Assignee: Fidelity Information Services, LLC
Inventors: Aaron David Colcord, Kevin Richard Mellott, David Vincente Favela, Jeffrey Chee-Keong Neong
-
Patent number: 12355791
Abstract: An illustrative computing system for a weblink content scanning system scans an electronic message for the presence of one or more weblinks. The computing system accesses, in a sandbox computing environment, content linked to the one or more weblinks. The computing system generates a hash of the accessed content and/or content linked to weblinks accessible via the accessed content. The computing system scans the content accessed via the one or more weblinks for a presence of malicious content and categorizes the scanned content accessed via the one or more weblinks (e.g., safe, malicious, and the like), associates the categorization with each corresponding hash, and saves such information to a data store for future analysis. Based on a result of this analysis, the computing system allows delivery of the original electronic message or generates a modified electronic message for delivery to a recipient device.
Type: Grant
Filed: December 6, 2022
Date of Patent: July 8, 2025
Assignee: Bank of America Corporation
Inventors: Keaton Drake, Marci Landy, George Albero, Cody Searl
-
Patent number: 12355817
Abstract: The technology disclosed relates to an introspector that scans an organization's accounts on cloud storage services and detects resources on the cloud storage services configured to store the organization's data, and identifies the detected resources in a resource list. The technology disclosed further includes an inline proxy that controls manipulation of the detected resources based on the resource list.
Type: Grant
Filed: August 1, 2022
Date of Patent: July 8, 2025
Assignee: Netskope, Inc.
Inventors: Sudha Iyer, VenkataSwamy Pathapati, Kenil Patel, Krishna Narayanaswamy
-
Patent number: 12355739
Abstract: Examples described herein include systems and methods for performing distributed encryption across multiple devices. An example method can include a first device discovering a second device that shares a network. The device can identify data to be sent to a server and calculate a checksum for that data. The device can then split the data into multiple portions and send a portion to the second device, along with a certificate associated with the server for encrypting the data. The first device can encrypt the portion of data it retained. The first device can receive an encrypted version of the second portion of the data sent to the second device. The first device can merge these two portions and send the merged encrypted data to the server, along with the checksum value. The server can decrypt the data and confirm that it reflects the original set of data.
Type: Grant
Filed: June 29, 2023
Date of Patent: July 8, 2025
Assignee: Omnissa, LLC
Inventors: Suman Aluvala, Ramani Panchapakesan, Rajneesh Kesavan, Arjun Kochhar
-
Patent number: 12339972
Abstract: A method (300) for linking a common vulnerability and exposure, CVE, (106) with at least one synthetic common platform enumeration, CPE, (112) wherein the CVE (106) comprises a summary of a vulnerability, is disclosed. The method (300) comprising: receiving (S302) the summary of the CVE (106) from a vulnerability database, VD, (104); extracting (S304) information from the summary of the CVE (106) using a Natural Language Processing, NLP, model; building (S306) at least one synthetic CPE (112) based on the extracted information; and linking (S308) the CVE (106) with the at least one synthetic CPE (112).
Type: Grant
Filed: February 12, 2021
Date of Patent: June 24, 2025
Assignee: DEBRICKED AB
Inventor: Carl Emil Orm Wåreus
-
Patent number: 12335251
Abstract: Techniques of service to service authentication in distributed computing systems are disclosed herein. One example technique includes identifying a token type of a security token and an authentication scheme indicated in an access request for authenticating the access request. The example technique also includes using a combination of the identified token type of the security token and the authentication scheme indicated in the access request as a key to locate an authentication pattern in a mapping table and identifying an authentication policy corresponding to the authentication pattern. The example technique can then include applying the identified authentication policy to the received data package to authenticate the access request based on the security token and conditionally providing the client service access to the platform service.
Type: Grant
Filed: December 16, 2021
Date of Patent: June 17, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Chun-Hung Lin, Matthias Leibmann
-
Systems and methods facilitating interactions between imposter devices and protected content systems
Patent number: 12326935
Abstract: Techniques provided herein employ a device monitoring service to provide tasks to content consumption devices that are streaming digital media from the streaming infrastructure. The tasks, when implemented by the content consumption devices, may reveal differences in task performance between authorized devices, which have the authorization to access the digital media, and imposter devices, which exploit vulnerabilities in the streaming pipeline to access the digital media. In addition, the techniques provided herein may include a machine learning/artificial intelligence model that is trained to recognize authorized and imposter content consumption devices based on their task performance.
Type: Grant
Filed: August 23, 2022
Date of Patent: June 10, 2025
Assignee: NBCUniversal Media, LLC
Inventors: Robert Glenn Deen, Andrea Elaine Avila Weiler
-
Patent number: 12321465
Abstract: A system for generating an identity-based Non-Fungible Token (NFT) that uses, as at least a portion of the input file, a verified identity of the user. Once generated, the identity-based NFT is stored within a distributed trust computing network, which provides for verifying the authenticity and unaltered state of the NFT. Subsequently, the identity-based NFT can be accessed via the distributed trust computing network to verify the identity of the user. Additionally, the NFT may use other verified data as a portion of the input file, such as verified identity of users having a familial relationship with the user, verified life events, and/or verified user preferences. Further, the NFT may include one or more markers that identify a familial relationship and are configured to link the NFT to other NFTs associated with the related users.
Type: Grant
Filed: November 1, 2021
Date of Patent: June 3, 2025
Assignee: BANK OF AMERICA CORPORATION
Inventors: Manu Jacob Kurian, Michael Robert Young
-
Patent number: 12321470
Abstract: A first computer, in data registration processing: determines a type of biometric information for encryption with which the data is to be encrypted; acquires the determined type of biometric information for encryption from a user of the first computer; generates, from each piece of the acquired biometric information for encryption, a public key based on a predetermined algorithm; transmits the public key to a second computer; and transmits the data encrypted with the public key to the third computer, the first computer, in data presentation processing: acquires the encrypted data from a third computer; acquires the determined type of biometric information for decryption from the user of the first computer; generates, from each piece of the acquired biometric information for decryption, a private key based on the predetermined algorithm; decrypts the encrypted data with use of the private key; and presents each piece of the decrypted registered data.
Type: Grant
Filed: June 3, 2022
Date of Patent: June 3, 2025
Assignee: Hitachi, Ltd.
Inventors: Yukie Motomiya, Takayuki Habuchi, Kenta Takahashi, Ken Naganuma, Non Kawana
-
Patent number: 12323394
Abstract: Aspects of the present disclosure enable a system with limited computing resources to remotely perform security testing of a large number of host devices. These host devices may be included as part of a single networked computing environment or may be distributed among multiple networked computing environments. The networked computing environments may be associated with a single entity or multiple entities. The system can allocate its limited computing resources among the host devices based on a type of security testing and the amount of host devices to be tested. Further, the system can obtain secure access to the remote networking environment through a secure virtual private network connection to an on-site access system installed at a physical location of the networked computing environment.
Type: Grant
Filed: September 17, 2024
Date of Patent: June 3, 2025
Assignee: ComplyAuto IP LLC
Inventors: David Wesley Podolsky, Casey Andrew Graff
-
Patent number: 12282570
Abstract: The current embodiments include systems and techniques for sharing information between vendors where the information is siloed due to organizational constraints. Vendors that provide services for one entity of an organization may be unknown to another entity within the same organization. The systems and techniques provided herein facilitate sharing of this information of the vendor across various entities in the organization.
Type: Grant
Filed: March 2, 2022
Date of Patent: April 22, 2025
Assignee: United Services Automobile Association (USAA)
Inventors: David M. Jones, Jr., Robert Lee Black, Timothy Blair Chalmers, Gideon Bowie Luck, Sumita T. Jonak, Ana Rosa Maldonado, Oscar Roberto Tijerina
-
Patent number: 12284194
Abstract: There are provided systems and methods for detecting malicious email addresses using email metadata indicators. Digital accounts may be attacked by malicious computing processes or other actions that attempt to compromise the security of accounts and/or perform account takeovers. To increase security of the accounts and account data, the service provider may interface with a digital address and/or identifier provider, such as an email provider to request metadata indications of addresses. The metadata indicator may include a score associated with whether the address is compromised or being used for fraudulent purposes. This score may be based on usages of the address over a period of time, connections of the address, and other activities. The indicator may be used to determine whether to allow data changes to the account's data.
Type: Grant
Filed: December 16, 2021
Date of Patent: April 22, 2025
Assignee: PAYPAL, INC.
Inventor: George Chen Kaidi
-
Patent number: 12278813
Abstract: An authentication correlation (AC) computing device is provided. The AC computing device includes a processor and a memory. The AC computing device receives a first authentication request from a requesting computer device including an account identifier, a first timestamp, and at least one authentication factor, and determines a first security level of the first authentication request. The AC computing device stores the first security level and the first timestamp. The AC computing device is also configured to receive a second authentication request including the account identifier and a second timestamp, determine that the second authentication satisfies an authentication rule based on the account identifier, the second timestamp, and the stored authentication data wherein the rule defines a timeframe and an authentication threshold, and generate an authentication response based on the determination and the authentication rule wherein the authentication response includes an approval indicator.
Type: Grant
Filed: March 4, 2022
Date of Patent: April 15, 2025
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventor: Brian Piel
-
Patent number: 12277211
Abstract: The present disclosure provides systems, methods, and computer-readable media for implementing security policies at software call stack level. In one example, a method includes generating a call stack classification scheme for an application, detecting a call stack during deployment of the application; using the call stack classification scheme during runtime of the application, classifying the detected call stack as one of an authorized call stack or an unauthorized call stack to yield a classification; and applying a security policy based on the classification.
Type: Grant
Filed: April 25, 2024
Date of Patent: April 15, 2025
Assignee: Cisco Technology, Inc.
Inventors: Ashutosh Kulshreshtha, Andy Sloane, Hiral Shashikant Patel, Uday Krishnaswamy Chettiar, Oliver Kempe, Bharathwaj Sankara Viswanathan, Navindra Yadav
-
Patent number: 12271495
Abstract: A plurality of different types of resource access events are identified. For example, a resource access event may be an administration event where a user is given certain access rights to view/modify a resource, such as, a database record. A plurality of blocks are generated, where each block is associated with an individual one of the plurality of different types of resource access events. The plurality of blocks are added to a first resource access blockchain. The blockchain can be used to track the various types of resource access events.
Type: Grant
Filed: August 27, 2021
Date of Patent: April 8, 2025
Assignee: Micro Focus LLC
Inventor: Douglas Max Grover
-
Patent number: 12259983
Abstract: Testing software applications often requires a balancing of thoroughness versus the time and computing resources available to perform such tests. Certain data handling operations may potentially expose data to unauthorized parties. However, not all data is equal; some data requires a greater degree of protection than other data, which may be based on a security context (e.g., rule, law, policy, etc.). By generating rules determined by a particular context, extraneous tests on data outside of the context may be omitted. Unnecessary tests may be omitted and the results of each analysis process correlated to identify actual vulnerabilities and omit false positives, such as vulnerabilities to data that does not require the same degree of care to avoid unauthorized exposure.
Type: Grant
Filed: March 23, 2022
Date of Patent: March 25, 2025
Assignee: Micro Focus LLC
Inventors: Alexander Hoole, Ali ElKortobi, Reiner Kappenberger, Domingo Juan Rivera
-
Patent number: 12248539
Abstract: A computer-implemented method (100) and system (1) for determining a metadata M for securing a controlled digital resource such as computer software using a distributed hash table (13) and a peer-to-peer distributed ledger (14). This is a blockchain such as the Bitcoin blockchain. The method includes determining (110) a data associated with the computer software and determining (120) a first hash value based on the computer software. A second hash value based on the data and the computer software may be determined (130). The method further includes sending (140), over a communications network (5), the data, the first hash value and the second hash value to an entry for storage in a distributed hash table (13). The second hash value may be a key of a key-value pair. The data and the first hash value may be a value in the key-value pair. A metadata (M) that is based on the second hash value may be determined (150) for storage on the peer-to-peer distributed ledger (14).
Type: Grant
Filed: August 13, 2021
Date of Patent: March 11, 2025
Assignee: NCHAIN LICENSING AG
Inventors: Craig Steven Wright, Stephane Savanah