Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: reducing a dimensionality of a plurality of features representative of a file set; determining, based at least on a reduced dimensional representation of the file set, a distance between a file and the file set; and determining, based at least on the distance between the file and the file set, a classification for the file. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: Privacy preserving secure task automation. A method may include generating, by a first section of a platform, a pair of encryption keys (private and shared secret keys); receiving, by a second section of the platform, platform user data, trigger service user data; and action service user data, wherein the user of the services and platform are the same; sending the shared secret key to the services; storing the private key in the first section; receiving from the trigger service, by the second section, a first communication encrypted with the shared secret key, regarding occurrence of a trigger; determining, by the first section, that the trigger corresponds to the user of the platform; encrypting a second message with the shared secret key, requesting invocation of the action based on the trigger; and transmitting the second encrypted message to the action service without the data related to the user of the platform.

Abstract: The present invention discloses an external terminal protection device for data flow control and a corresponding protection system. The external terminal protection device includes: an interface control module, used for providing a plurality of data interfaces respectively connected to a protected host and one or more external devices; and a system control module, used for monitoring in real time a data transmission state of each data interface in the interface control module, and controlling the data flow of each data interface. The present invention realizes the functions of performing protocol filtering and auditing on various types of data flow without installing flow monitoring and security protection software on the protected host, and achieves the effects of low-latency network auditing and high-reliability protocol filtering, thereby comprehensively eliminating potential security hazards such as Trojan Horse virus implantation and flow anomaly that may be generated by the interfaces.

Abstract: A policy system enforces data security policies for requests from accessing data stored on a distributed data storage system received from a client device. The policy enforcement system can determine user credentials from the requests. The enforcement system then determines whether the user credentials allow the request to retrieve the data and if yes, whether the user credentials allow the request to retrieve the data without obligations. Upon determining that user credentials allow the request to retrieve the data without obligations, the policy enforcement system directs the client device to communicate directly with a name node of the data storage system, short-circuiting additional data retrieval and filtering of the policy system.

Abstract: Systems and methods for multi-factor authentication using graphical passwords. An access request that includes an identifier and which identifies a protected resource is received from a client device. An interface is generated having a plurality of graphical objects for presentation at random locations on a display of the client device as defined by an object map. The plurality of graphical objects include a null object and a set of user-defined objects associated with the identifier that define a graphical password. Input data including an input event for each detected interaction with the interface is received. Each input event identifies a position on the display at which a corresponding interaction was detected. Using the object map, it is determined that the input data satisfies the graphical password. Access to the protected resource is granted in response to determining that the input data satisfies the graphical password.

Abstract: Disclosed are various embodiments for generating a physics-based CAPTCHA. In a physics-based CAPTCHA, an object is placed within a scene so that a visually observable change occurs to the object. The scene is animated so that the visually observable change occurs to the object. Before and after imagery can be captured and used as a challenge and a response. Incorrect responses can be generated by altering the scene or object.

Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.

Abstract: A method, apparatus, and computer program product are provided to access a web site. In the context of a method, the method includes acquiring a web address that meets a preset condition, determining a server corresponding to the web address and establishing a transport layer connection therewith. The method further includes upon receiving an instruction for accessing a website corresponding to the web address, using the transport layer connection to send a network request to the server for acquiring the webpage content of the website. Such method can save time for establishing a transport layer connection, thereby improving the efficiency of accessing a web site.

Abstract: Identification of malicious network domains through use of links analysis of graph representation of network activity, such as a bipartite graphs. An example method includes setting an initial reputation score for each of a plurality of host computers and each of a plurality of domains accessed by the plurality of host computers; until a predefined condition is satisfied, iteratively rescoring the reputation scores for each of the plurality of host computers based upon the reputation scores of the plurality of domains; and rescoring the reputation scores for each of the plurality of domains based upon the reputation scores of the plurality of host computers; and determining, based upon the rescored reputation scores for each of the plurality of host computers and the rescored reputation scores for each of the plurality of domains, whether one or more domains amongst the plurality of domains are exhibiting malicious behavior.

Abstract: A managed container may have a managed cache storing content managed by or through an application gateway server computer. The managed container may receive a request for content from an application running in a secure shell provided by the managed container on a client device. The managed container may determine whether the client device is within a specified geographical location. If not, the managed container may deny or restrict the application access to the requested content. The access denial or restriction may continue until a connection is made to the application gateway server computer or until the client device has returned to within the specified geographical location. If the client device is within the specified geographical location, the managed container may provide or restore access to requested content. Embodiments of the managed container can therefore perform geofencing by disabling or limiting access to content based on predetermined secure/insecure designations.

Abstract: Embodiments of an application gateway architecture may include an application gateway server computer communicatively connected to backend systems and client devices operating on different platforms. The application gateway server computer may include application programming interfaces and services configured for communicating with the backend systems and managed containers operating on the client devices. The application gateway server computer may provide applications that can be centrally managed and may extend the capabilities of the client devices, including the ability to authenticate across backend systems. A managed container may include a managed cache and may provide a secure shell for applications received from the application gateway server computer. The managed container may store the applications in the managed cache and control access to the managed cache according to rules propagated from at least one of the backend systems via the application gateway server computer.

Abstract: Implementations of this specification provide a method and an apparatus for creating a blockchain account and verifying blockchain transactions. An example method performed by a blockchain platform includes receiving a transaction, the transaction including at least an initiator field that specifies an account to be created, a receiver field that specifies a pre-determined field value, and a data field that specifies a user-defined key control rule. The user-defined key control rule includes at least one 3-tuple, and each 3-tuple includes a key identifier, an action identifier, and a permission setting. The blockchain platform seals the transaction into a block, and sends the sealed transaction to at least one other full node in the blockchain network.

Abstract: In one example, an apparatus such as an authorization server and method for secure communication between constrained devices issues cryptographic communication rights among a plurality of constrained devices. Each of the plurality of constrained devices comprises no more than one cryptographic algorithm code module per cryptographic function. The method includes receiving a cryptographic communication rights request associated with at least a first of the plurality of constrained devices in response to a cryptographic algorithm update request, and includes providing a response including an identification of a subset of the plurality of constrained devices that have cryptographic communication rights with the identified first of the plurality of constrained devices. A software update server then updates the cryptographic code modules in the sub-set of the plurality of constrained devices.

Abstract: A method performed by a computing system includes receiving from a client component of an enterprise application, a request destined for a service component of the enterprise application, the request comprising authentication data and request data, the authentication data being associated with a current user of the client component, the user associated with an organization. The method further includes performing an authentication process to create principal data and role data associated with the request, the principal data identifying a user. The method further includes using the authentication data and request data, determining a current tenant of the client component. The method further includes replacing the principal data with updated principal data, the updated principal data identifying the organization. The method further includes updating the role data associated with the request to create updated role data that indicates roles of the user within the organization.

Abstract: A method includes determining to share access to a directory between a first web services account and a second web services account that lacks access to the directory, wherein the directory is managed by a directory service that executes within a first on-demand configurable pool of shared computing resources, and wherein the second web services account is associated with a second on-demand configurable pool of shared computing resources. The method includes generating a virtual directory for the second web services account, wherein the virtual directory comprises one or more virtual resources that are representations of resources on the directory, and wherein the virtual directory further comprises a reference to the directory. The method further includes receiving an access request to the directory from the second web services account, wherein the access request is received via the reference from the virtual directory to the directory, and then granting the access request.

Abstract: A remote wipe message or notification may be sent from a server computer to one or more target client devices associated with a user. A managed container running on a target client device associated with the user and having a managed cache storing content managed by or through the server computer may, in response to the remote wipe message or notification, deleting the managed content or a portion thereof from its managed cache. The managed container may send back an acknowledgement or message to the server computer that it had completed the remote wipe. The remote wipe functionality can avoid having to deal with individual applications running on the client device and therefore can eliminate the complexity of having to deal with individual applications. Furthermore, the remote wipe can be done independently of the local operating system and without affecting non-managed information/applications on the client device.

Abstract: Devices and processes perform federation of tokenization services. A tokenization federation service establishes trust relationships between tokenization services that substitute tokens for sensitive data and acts as a mechanism for token portability among distinct tokenization domains. The tokenization federation service receives a request from a tokenization service to establish a tokenization federation group, and receives membership policy information, token rules and token access policy information from the tokenization service for federation that are all associated with the federation and stored. The tokenization federation service receives another request from another tokenization service to join the federation, and if the membership policy allows, is made a member of the federation group. Access by the members to tokens is regulated in accordance with the access policy.

Abstract: Authenticator plugin interface for an enterprise virtualization portal is provided. An example method for evaluating a portal access request may comprise: receiving, by a virtualization management platform, a request initiated by a requestor for access to an enterprise virtualization portal associated with the virtualization management platform, the request comprising a login credential; transmitting, to a first authentication system, a first authentication query comprising an identifier of a first data type, and a first value of the first data type, wherein the first value is derived from the login credential; receiving a first response message comprising an identifier of a second data type, and an authentication response of the second data type; and responsive to evaluating the authentication response, granting the requestor access to the enterprise virtualization portal.

Abstract: A method for implementing adaptive policy based computer security is described. In one embodiment, the method may include monitoring a behavior of a user on a computing device associated with the user, determining whether the user triggers one or more policy triggers associated with a broad policy or at least one sub-policy of the broad policy, or both, and upon determining the user triggers at least one policy trigger during the monitoring period, implementing a customized version of the broad policy on the computing device. In some cases, the method may include implementing the broad policy on the computing device upon determining the user does not trigger any of the one or more policy triggers. In other cases, the method may include triggering at least one of the policy triggers based at least in part on a requested action and determining whether the requested action includes a security threat.

Abstract: A protecting method and system for malicious code, and a monitor apparatus are provided. The monitor apparatus circulates a monitor module obtained from a combination of a plurality of antivirus systems in a communication system, so as to monitor a plurality of electronic apparatuses in the communication system. When the monitor module is circulated to one of the electronic apparatuses and the malicious code is detected, a protection result is decided and one or more corresponding process actions are executed based on the protection result by the monitor module.