Abstract: As described herein, a system, method, and computer program are provided for an unattended trap for a brute force attack. A brute force attack on private data in a computer network is detected. Secret information expected by the brute force attack is generated. At least one honeypot having the secret information is created in the computer network. A state of the at least one honeypot is updated based on simulated activity.

Abstract: An exemplary method comprises generating receiving an authentication request from a graphical user interface on a first computing device; generating a first encrypted media element; displaying the encrypted media element on the GUI; receiving a second encrypted media element from a second computing device; upon determining that the first and second encrypted media elements have a positive match, querying an identification value associated with the second computing device; receiving the identification value associated with the second computing device; upon the identification value matching a data record within a database, determining an account associated with the data record within the database; and authenticating the first computing device by granting the first computing device access to the account associated with the second computing device.

Abstract: An identity profile of a user is tracked using previous message communications of the user. A message identified as potentially from the user is received. The identity profile of the user is identified and obtained. Information is extracted from a header of the received message. A security risk assessment of the received message is determined at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user. A security action is performed based on the determined security risk assessment.

Abstract: Systems, methods, and apparatuses of using biometric information to authenticate a first device of a user to a second device are described herein. A method includes storing, by the first device, a first key share of a private key and a first template share of a biometric template of the user. The second device stores a public key, and one or more other devices of the user store other key shares and other template shares. The first device receives a challenge message from the second device, measures biometric features of the user to obtain a measurement vector, and sends the measurement vector and the challenge message to the other devices. The first device receives partial computations, generated using a respective template share, key share, and the challenge message, from the other devices, uses them to generate a signature of the challenge message and send the signature to the second device.

Abstract: A method and a system for accelerating verification procedure for an image file are provided. In the method, the system retrieves an image file from a first non-volatile memory, and calculates a hash value with respect to the image file. A combination of the hash value, a public key and a digital signature is compared with another hash value, public key and digital signature backup in a second non-volatile memory. A comparison result is generated for verifying the image file in the first non-volatile memory. After the image file is verified, the system can load the image file. Instead of the conventional technology that uses digital signature to verify the image file, the present method can effectively accelerate the verification procedure.

Abstract: Protecting sensitive data from unauthorized disclosure is provided. For example, systems, methods, and computer readable storage devices are described that may be operable or configured to tokenize sensitive data attributes that may be included in a data file received from a client. Tokens that are anonymized but representative of the attributes may be generated and mapped to the sensitive data attributes. A tokenized data file may be de-tokenized and re-tokenized to perform processes that require the sensitive data attributes. A document may be transformed to protect the sensitive data attributes while reducing risk of disclosure of the sensitive data.

Abstract: A computer-implemented method to inject security semantics into database queries. The method includes receiving, by a database system, a query, wherein the query is received from a host and the query is generated by a first user account. The method also includes, generating an access plan for the query. The method further includes, determining a first portion of the access plan matches a first security syntax. The method includes, injecting, in response to determining the first portion of the access plan matches the first security syntax, the first security syntax into the access plan. The method further includes, executing the query. The method includes, returning a set of results of the query to the host.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for secure communication based on random key derivation. An example method includes receiving an initial symmetric key shared between the key depot device and a host device. The method also includes receiving seed data shared between the key depot device and the host device. The method also includes establishing a connection to a client device. The method also includes generating, by key derivation circuitry of the key depot device, a first symmetric key based at least on a portion of the seed data. The method also includes causing transmission of the first symmetric key to the client device. The method also includes generating a key allocation indication that identifies an authentication target and comprises an indication of the generation of the first symmetric key. The method also includes causing transmission of the key allocation indication to the host device.

Abstract: Disclosed herein are system, method, and computer program product embodiments for managing the dissemination of documents using downstream control. A document linking system may facilitate the creation of a document link, graphical document link, and/or a corresponding document token. This link may be distributed downstream via messages, emails, or other applications. The document linking system may track document interactions, trace locations, and/or control individualized downstream access. The document linking system may provide instructions to a document delivery system to integrate a plugin or widget into its corresponding application (e.g., a messaging or email application). A user using the application may select a GUI object to access the document linking system and generate a document link. This link may then be embedded into a message or email and disseminated. The document linking system may also generate graphical document links that may be scanned with a camera to access the document.

Abstract: Systems, methods, and computer program products are provided for quantum computing (QC) detection. An example QC detection system includes QC detection data generation circuitry that generates QC detection data. The QC detection system also includes cryptographic circuitry that distorts the QC detection data via a first post-quantum cryptographic (PQC) technique and generates a pair of asymmetric cryptographic keys including a public cryptographic key and a private cryptographic key. The cryptographic circuitry further generates encrypted QC detection data based on the pair of asymmetric cryptographic keys and destroys the private cryptographic key. The QC detection system further includes data monitoring circuitry that monitors a set of data environments for electronic information related to the encrypted QC detection data.

Abstract: Method, system, and programs provide automatic anonymization of protected data items when a request is associated with authentication via a ticket. Ticket authentication includes sending a ticket to a recipient address. The ticket is included in a request for information. Responsive to receiving a request with a ticket, an example system may determine if the ticket is still valid and, if so, generate mock identifiers for any identifiers in information provided back to the requestor, replace the identifiers with their corresponding mock identifiers, as well as delete any protected information from the information provided back to the requestor. The system may store a mapping of the identifiers with their mock identifiers by session id. These mappings may be deleted after a predetermined time, so that the mapping is valid only for a particular session for a limited time.

Abstract: Systems, apparatuses and methods include technology that generates a signature based on one or more characteristics of an artificial intelligence (AI) model. The AI model is in a source code. The technology generates a compiled blob based on the AI model and embeds an identifier based on the signature into a metadata field of the compiled blob.

Abstract: A method of providing a data disclosure to a requester can include: receiving a data subject request from a requester, the data subject request including a request for stored personal data; categorizing the element data into one of a plurality of tiers based on a sensitivity level of the element data; assigning an assigned tier to the element data and associated data values; determining a level of detail of the associated data values for each of the element data to provide based on the assigned tier; and providing a data disclosure report to the requester, wherein the data disclosure report includes the level of detail of data values for each of the element data based on the assigned tier.

Abstract: This application discloses a cyber threat deception method and system, and a forwarding device. The forwarding device obtains a deception target set, where the deception target set includes a deception target, and the deception target includes an unused internet protocol (IP) address or an unopened port number on a used IP address. The forwarding device receives an IP packet from a host, and determines whether a destination party that the IP packet requests to access belongs to the deception target set. If the destination party that the IP packet requests to access belongs to the deception target set, the forwarding device sends the IP packet to a honeypot management server. The forwarding device receives a response packet, returned by the honeypot management server, of the corresponding IP packet. The forwarding device sends the response packet to the host.

Abstract: Use of embedded metadata for data privacy compliance is provided. In a data store, self-managed data is maintained including metadata specifying retention policy data. Responsive to a self-update to scrub PII from the self-managed data being indicated by the retention policy data, the PII is removed from the self-managed data maintained by the data store. Responsive to a self-update to delete the self-managed data from the self-managed data being indicated by the retention policy data, the self-managed data is removed from the data store.

Abstract: The present disclosure relates to a system, method, and computer program for graph-based multi-stage attack detection in which alerts are displayed in the context of tactics in an attack framework, such as the MITRE ATT&CK framework. The method enables the detection of cybersecurity threats that span multiple users and sessions and provides for the display of threat information in the context of a framework of attack tactics. Alerts spanning an analysis window are grouped into tactic blocks. Each tactic block is associated with an attack tactic and a time window. A graph is created of the tactic blocks, and threat scenarios are identified from independent clusters of directionally connected tactic blocks in the graph. The threat information is presented in the context of a sequence of attack tactics in the attack framework.

Abstract: A connection-based service impersonates request-based security for requests from clients that do not include credentials for the requests (e.g., data plane requests made via a connection-oriented security). A connection between a client and a connection-based service is established based on connection credentials that are based on security credentials from a request-based security service. The credentials are sent by a security component of the service to a local agent of the remote security service to be authenticated by the security service. An impersonation token is returned by the security service and cached by the local agent. Requests from the client to perform operations do not include credentials. For each request, the service passes an identifier for the client and the operation to a local authorization component that calls the agent for authorization of the requested operation. The agent uses the impersonation token to obtain authorization for the requested operation.

Abstract: Noncustodial techniques for granular encryption and decryption are provided. One example method can include receiving a selection of a data object for encryption from a plurality of data objects in a data package via a user interface; receiving a message from a remote server; generating an encryption key for the data object using the message; encrypting the data object with the encryption key to create an encrypted data object; storing the at least one portion of the message associated with the encrypted data object in a metadata file; encrypting the metadata file using a user encryption key to create an encrypted metadata file; and transmitting the encrypted data object and the encrypted metadata file to a database for storage.

Abstract: A key exchange technique of performing a key exchange among N (?2) parties, which can conceal metadata on communication, is provided. A key exchange method includes: a first key generation step in which a communication device Ui generates a first key; a first anonymous broadcast step in which the communication device Ui anonymously broadcasts the first key with a set R-{Ui} being designated for i?{1, . . . , n} and the communication device Ui anonymously broadcasts the first key with ? being designated for i?{n+1, . . . , N}; a second key generation step in which the communication device Ui generates a second key; a second anonymous broadcast step in which the communication device Ui anonymously broadcasts the second key with the set R-{Ui} being designated for i?{1, . . . , n} and the communication device Ui anonymously broadcasts the second key with ? being designated for i?{n+1, . . . , N}; and a session key generation step in which the communication device Ui generates a session key SK for i?{1, . . .

Abstract: Based on analyzing a serverless function associated with a first role, a set of security permissions granted to the serverless function is identified based on the first role and a first attribute of the serverless function. A least privilege role indicating a set of least privilege security permissions for the serverless function is generated based, at least in part, on the first attribute. Based on comparing the least privilege role with the first role, it is determined if the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions. Based on determining that the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions, the first role is reported as over-permissive.