Patents Examined by Simon P Kanaan
  • Patent number: 10999326
    Abstract: One or more security groups associated with a cloud provider are determined. One or more network policies associated with a container-orchestrator system are determined. One or more network security policies are generated based on the one or more determined security groups associated with the cloud provider and the one or more determined network policies associated with the container. The one or more network security policies are distributed to one or more VM instances of a cloud network. The one or more VM instances are configured to enforce network security based on the one or more network security policies.
    Type: Grant
    Filed: October 17, 2018
    Date of Patent: May 4, 2021
    Assignee: Tigera, Inc.
    Inventors: Alexander James Pollitt, Amit Gupta
  • Patent number: 10958425
    Abstract: A network can operate a WiFi access point with credentials. An unconfigured device can support a Device Provisioning Protocol (DPP), and record bootstrap public keys and initiator private keys. The network can record bootstrap public and responder private keys and operate a DPP server. A responder proxy can establish a secure and mutually authenticated connection with the network. The network can (i) derive responder ephemeral public and private keys, (ii) record the initiator bootstrap public key, and (iii) select a responder mode for the responder. The network can derive an encryption key with at least the (i) recorded initiator bootstrap public key and (ii) derived responder ephemeral private key. The network can encrypt credentials using at least the derived encryption key and send the encrypted credentials through the responder proxy to the initiator, which can forward the encrypted credentials to the device, thereby supporting a device configuration.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: March 23, 2021
    Assignee: IOT AND M2M TECHNOLOGIES, LLC
    Inventor: John A. Nix
  • Patent number: 10949562
    Abstract: A method includes receiving a build request containing build step instructions from a user. The build step instructions specify a usage of containers within memory hardware for building an output container. The containers include at least one private container having private contents and/or at least one public container having public contents. The method also includes authenticating the user initiating the build request and determining whether the user is authorized to access the private containers. When the user is authenticated and authorized to access the private containers, the method includes obtaining the containers specified by the build step instructions from the memory hardware, executing the build step instructions to build the output container while using the received containers, and outputting the built output container.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: March 16, 2021
    Assignee: Google LLC
    Inventors: David Bendory, John Asmuth, Scott Zawalski, Jason Hall, David Dopson
  • Patent number: 10943009
    Abstract: Techniques are provided to dynamically generate response actions that may be used to investigate and respond to a security alert. Different prediction models are initially trained using a corpus of training data. This training data is obtained by identifying previous security alerts and then grouping together alert clusters. An analysis is performed to identify which steps were used to respond to the alerts in each group. These steps are fed into a prediction model to train the model. After multiple models are trained and after a new security alert is received, one model is selected to operate on the new alert, where the model is selected because it is identified as being most compatible with the new alert. When the selected model is applied to the new alert, the model generates a set of recommended steps that may be followed to investigate and/or respond to the new alert.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: March 9, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Dotan Patrich, Yaakov Garyani, Moshe Israel, Yotam Livny
  • Patent number: 10944712
    Abstract: A method for processing partial tasks in a distributed storage network (DSN) includes receiving a partial task request message for a DS execution unit, where the partial task request message includes corresponding partial tasks. The method continues by processing each partial task request message in accordance with the processing parameters to produce task request slice groupings, generating slices, such that each message is directed at a corresponding DS execution unit, and sending the slice groupings and the task request slice groupings to the selected DS execution units for storage therein. The method continues by retrieving at least a decode threshold number of task response slices of one or more task response slice groupings from the DS execution units, decoding the task response slices, retrieving at least a decode threshold number of partial result slices, and decoding the partial results slices and processing the partial results to produce a result.
    Type: Grant
    Filed: April 29, 2020
    Date of Patent: March 9, 2021
    Assignee: PURE STORAGE, INC.
    Inventors: Wesley B. Leggette, Andrew D. Baptist, Greg R. Dhuse, Jason K. Resch, Ilya Volvovski, Manish Motwani, S. Christopher Gladwin, Gary W. Grube, Thomas F. Shirley, Jr.
  • Patent number: 10944719
    Abstract: Examples disclosed herein relate to securing a controller of a device. The controller is to determine whether a network interface of the device is connected to the Internet. Communications are restricted on the network interface in response to the port having access to the Internet. In some examples, the restriction can be related to a vulnerability.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: March 9, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Peter Hansen, Andrew Brown
  • Patent number: 10943010
    Abstract: Processes being executed by a host system and associated with a first address space layout may be identified. An indication of abnormal behavior from at least one of the processes that are being executed by the host system may be received. A request for a new process to be executed by the host system may be received. In response to the indication of the abnormal behavior and the request to provide the new process, a second address space layout may be generated for the new process that is different than the first address space layout. The new process may be generated in view of the second address space layout.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: March 9, 2021
    Assignee: Red Hat, Inc.
    Inventors: Henri Han van Riel, Michael Tsirkin
  • Patent number: 10936716
    Abstract: The technology presented herein improves incident handling in an IT environment. In a particular example, a method provides identifying a first incident in the IT environment. From incident handling information that indicates how a plurality of previous incidents were handled by one or more users, the method provides identifying first information of the incident handling information corresponding to one or more first previous incidents of the plurality of previous incidents that are similar to the first incident. The method further provides determining a suggested course of action from the first information and presenting the suggested course of action to a user of the information technology environment.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: March 2, 2021
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Trenton John Beals, Glenn Gallien, Govind Salinas
  • Patent number: 10929543
    Abstract: A system for validating software security analysis findings includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores a source truth dataset including criteria for validating characteristics of findings. The processor receives a finding from a software security analysis tool that performs a scan on application code. The processor identifies a characteristic from the finding. The processor selects a criterion from the non-transitory computer readable medium for validating the identified characteristic. The processor determines a validity score for the finding based on whether the selected criterion is met. The processor determines whether the finding is a false positive by comparing the validity score to a predetermined validity threshold. If the finding is a true positive, a graphical user interface displays the finding.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: February 23, 2021
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Adam Youngberg, David Filbey, Kishore Prabakaran Fernando
  • Patent number: 10929031
    Abstract: A method of data reduction in a partially encrypted volume includes receiving data to be stored on a storage array, decrypting the data using a first encryption key to generate first decrypted data, and decrypting the data using a second encryption key to generate second decrypted data. The method further includes comparing, by a storage array controller, a first compressibility value of the first decrypted data to a second compressibility value of the second decrypted data. The method further includes storing the first decrypted data if the first compressibility value is greater than or equal to the second compressibility value. The method further includes storing the second decrypted data if the second compressibility value is greater than the first compressibility value.
    Type: Grant
    Filed: October 4, 2018
    Date of Patent: February 23, 2021
    Assignee: Pure Storage, Inc.
    Inventors: Constantine P. Sapuntzakis, Timothy W. Brennan, Yuval Frandzel
  • Patent number: 10929557
    Abstract: The present disclosure provides a communication system and method, among other things. As a non-limiting example, the method includes enabling access to entries of personal digital data for a plurality of users; enabling at least some of the personal digital data for the plurality of users to be retrieved by a query that contains an identification of a first user and authentication information associated with the first user; receiving a group identifier that is stored with reference to personal digital data of the first user; and distributing relationship digital data that describes a relationship between the first user and the second user based on the existence of the group identifier.
    Type: Grant
    Filed: July 6, 2018
    Date of Patent: February 23, 2021
    Assignee: Avaya Inc.
    Inventor: David Chavez
  • Patent number: 10921432
    Abstract: Techniques and devices for seamless authentication using radar are described. In some implementations, a radar field is provided through a radar-based authentication system. The radar-based authentication system can sense reflections from an object in the radar field and analyze the reflections to determine whether the object is a person. In response to determining that the object is a person, the radar-based authentication system can sense an identifying characteristic associated with the person. Based on the identifying characteristic, the radar-based authentication system can determine that the person is an authorized user.
    Type: Grant
    Filed: June 4, 2020
    Date of Patent: February 16, 2021
    Assignee: Google LLC
    Inventors: Brandon Barbello, Leonardo Giusti, Ivan Poupyrev, Eiji Hayashi
  • Patent number: 10917389
    Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: February 9, 2021
    Assignee: SPLUNK INC.
    Inventors: Jesse Chor, Michael Emery
  • Patent number: 10917393
    Abstract: A system and method for remote monitoring and management of an instant issuance system is provided. The embodiments provide secure communication between different entities within the instant issuance system. Security can be established via mutual authentication between the communicating entities of the instant issuance system prior and/or concurrent with a communication taking place.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: February 9, 2021
    Assignee: Entrust Corporation
    Inventors: Vishal Arora, Scott Kullman, Kent Landerholm, Tim Zurn, Jon Wittmayer, Benoit Lemercier, Jeffrey Davison, Daniel A. Sanden
  • Patent number: 10917391
    Abstract: A method for rendering a webpage is disclosed. Initially, a request to render a webpage is received from a browser. Next, content of the webpage to be rendered on the browser is received from a publisher. Then, an advertisement to be inserted in the webpage to be rendered on the browser is received from a chooser that is different from the publisher. The advertisement is selected by requesting a type of data regarding the webpage, receiving the data regarding the webpage of the requested type, and selecting the advertisement based on the data regarding the webpage of the requested type. The type of data regarding the webpage is one or more of an extract of the webpage, a summary of the webpage, a keyword relating to the webpage, a category of the webpage, meta data about or from the webpage, and a compression of the webpage.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: February 9, 2021
    Assignee: Proximic, LLC
    Inventors: Philipp Pieper, Rodney Mayers
  • Patent number: 10911414
    Abstract: A node enables sharing data connectivity between a consumer device and a broker device, and receives from a first packet routing node a request for a consumer authorization certificate. The request includes a subscriber identity. Based on the subscriber identity authorizing the subscriber for sharing data connectivity, a consumer authorization certificate is generated using a private encryption key associated with the node. The consumer authorization certificate includes the subscriber identity of the subscriber. The consumer authorization certificate is returned to the first packet routing node. A request for a data connectivity service for the subscriber is received from a second packet routing node. The request includes a consumer agreement certificate and a broker identity. The consumer agreement certificate is signed using a private key associated with the subscriber and includes the subscriber identity. The consumer agreement certificate is valued.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: February 2, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Joel Cassel
  • Patent number: 10911496
    Abstract: Technologies for privacy-safe security policy evaluation are disclosed herein.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: February 2, 2021
    Assignee: MCAFEE, LLC
    Inventors: Sudeep Das, Rajesh Poornachandran, Ned M. Smith, Vincent J. Zimmer, Pramod Sharma, Arthur Zeigler, Sumant Vashisth, Simon Hunt
  • Patent number: 10904295
    Abstract: Systems, methods, and software described herein provide for identifying recommended feature sets for new security applications. In one example, a method of providing recommended feature sets for a new security application includes identifying a request for the new security application, and determining a classification for the new security application. The method further provides identifying related applications to the new security application based on the classification, and identifying a feature set for the new security application based on features provided in the related applications.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: January 26, 2021
    Assignee: Splunk Inc.
    Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas, Ryan Russell
  • Patent number: 10904226
    Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: January 26, 2021
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Alyson Comer, John C. Dayka, Donna N. Dillenberger, Kenneth A. Goldman, Mohit Kapur, Dimitrios Pendarakis, James A. Ruddy, Peter G. Sutton, Enriquillo Valdez
  • Patent number: 10902109
    Abstract: A misuse detection electronic control unit in a vehicle network system including a plurality of electronic control units that communicate with one another through buses in accordance with a CAN protocol includes a transceiver unit that performs a reception step of receiving a target data frame and a reference data frame transmitted through the buses, wherein the target data frame is a data frame having a first identifier and wherein the reference data frame is a data frame having a second identifier different from the first identifier and a misuse detection process unit that performs a detection step of performing, as misuse detection for the target data frame, evaluation in accordance with a reception timing of the reference data frame and a reception timing of the target data frame on the basis of a certain rule specifying a reception interval between the reference data frame and the target data frame.
    Type: Grant
    Filed: January 18, 2018
    Date of Patent: January 26, 2021
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takeshi Kishikawa, Yoshihiro Ujiie, Manabu Maeda, Hideki Matsushima, Hiroshi Amano, Toshihisa Nakano