Abstract: Systems and methods for protecting data including user data. A recommendation service is disclosed that receives verifiable claims from a user. A verifiable output is generated from the verifiable claims. The verifiable output can be provided to service providers and allows the service providers to personalize their services to the user. The user's data is protected and exposure of the user's data is controlled by the user.

Abstract: One example method includes packaging a containerized application into at least two images. The first image may include the main application and the second image includes a decryptor. Sensitive information associated with the application is encrypted and included in the second image. The decryptor operates separately from the main application. After the decryptor successfully completes, the main application is run. The main application may include a copier layer to copy any data decrypted by the decryptor into the main application.

Abstract: One example method includes inserting a signal layer in an image, the signal layer indicating that a sensitive layer in the image is a candidate for encryption, creating a single layer archive file that includes the sensitive layer, encrypting the single layer archive file to create an encrypted layer, constructing a new image that includes the encrypted layer, inserting, in the new image, a decryptor layer that is operable to decrypt the encrypted layer, and designating the decryptor layer as an entry point of the new image.

Abstract: One example method includes inserting a signal layer in an image, the signal layer indicating that a sensitive layer in the image is a candidate for encryption, creating a single layer archive file that includes the sensitive layer, encrypting the single layer archive file to create an encrypted layer, constructing a new image that includes the encrypted layer, inserting, in the new image, a decryptor layer that is operable to decrypt the encrypted layer, and designating the decryptor layer as an entry point of the new image.

Abstract: Masking a data rate of transmitted data is disclosed. As data is transmitted from a production site to a secondary site, the data rate is masked. Masking the data rate can include transmitting at a fixed rate, a random rate, or an adaptive rate. Each mode of data transmission masks or obscures the actual data rate and thus prevents others from gaining information about the data or the data owner from the data transfer rate.

Abstract: One example method includes inserting a signal layer in an image, the signal layer indicating that a sensitive layer in the image is a candidate for encryption, creating a single layer archive file that includes the sensitive layer, encrypting the single layer archive file to create an encrypted layer, constructing a new image that includes the encrypted layer, inserting, in the new image, a decryptor layer that is operable to decrypt the encrypted layer, and designating the decryptor layer as an entry point of the new image.

Abstract: One example method includes bringing up a clone application in a validation environment, replaying recorded incoming network traffic to the clone application, obtaining a response of the clone application to the incoming network traffic, comparing the response of the clone application to recorded outgoing network traffic of the production application, and making a validation determination regarding the clone application, based on the comparison of the response of the clone application to recorded outgoing network traffic of the production application. When the clone application is not validated, the example method includes identifying and resolving a problem relating to the clone application.

Abstract: Masking a data rate of transmitted data is disclosed. As data is transmitted from a production site to a secondary site, the data rate is masked. Masking the data rate can include transmitting at a fixed rate, a random rate, or an adaptive rate. Each mode of data transmission masks or obscures the actual data rate and thus prevents others from gaining information about the data or the data owner from the data transfer rate.

Abstract: Embodiments for detecting malicious modification of data in a network, by: setting, by a first layer of network resources, a number of markers associated with input/output (I/O) operations of the network; saving the markers, location, and associated metadata in a marker database; reading, by a second layer of the network resources, the markers corresponding to relevant I/O operations; and verifying each scanned I/O operation against a corresponding marker to determine whether or not data for a scanned specific I/O operation has been improperly modified for the first and second layers and any intermediate layer resulting in a fault condition, and if so, taking remedial action to flag or abort the specific I/O operation.

Abstract: One example method includes packaging a containerized application into at least two images. The first image may include the main application and the second image includes a decryptor. Sensitive information associated with the application is encrypted and included in the second image. The decryptor operates separately from the main application. After the decryptor successfully completes, the main application is run. The main application may include a copier layer to copy any data decrypted by the decryptor into the main application.

Abstract: One example method includes inserting a signal layer in an image, the signal layer indicating that a sensitive layer in the image is a candidate for encryption, creating a single layer archive file that includes the sensitive layer, encrypting the single layer archive file to create an encrypted layer, constructing a new image that includes the encrypted layer, inserting, in the new image, a decryptor layer that is operable to decrypt the encrypted layer, and designating the decryptor layer as an entry point of the new image.

Abstract: Masking a data rate of transmitted data is disclosed. As data is transmitted from a production site to a secondary site, the data rate is masked. Masking the data rate can include transmitting at a fixed rate, a random rate, or an adaptive rate. Each mode of data transmission masks or obscures the actual data rate and thus prevents others from gaining information about the data or the data owner from the data transfer rate.

Abstract: Network level Moving Target Defense techniques are provided with substantially continuous access to protected applications. An exemplary method comprises identifying a first application listening to a first port or a first network address; notifying the first application to listen to a second port or a second network address; notifying at least one additional application that the first application is listening to the second port or the second network address; and notifying the first application to unlisten to the first port or the first network address, wherein the first application operates in a substantially continuous manner during a change from listening to one or more of the first port and the first network address and listening to one or more of the second port and the second network address. The first application can be a stateful application having persistent storage.

Abstract: A plurality of containers related to one or more containerized applications are managed by monitoring an execution of the one or more containers; determining that a given one of the one or more containers exhibits anomalous behavior; and in response to the determining, adjusting a retention time of the given container, wherein the retention time of the given container determines when the given container is one or more of terminated and changes role to a honeypot container. The anomalous behavior comprises, for example, the given container exhibiting behavior that is different than a learned baseline model of the given container or including program code consistent with malicious activity. An alert notification of the anomalous behavior is optionally generated. The retention time of the given container can be adjusted for example, to an interval between deployment of the given container and the time the anomalous behavior is detected.

Abstract: Systems and methods for protecting data including user data. A recommendation service is disclosed that receives verifiable claims from a user. A verifiable output is generated from the verifiable claims. The verifiable output can be provided to service providers and allows the service providers to personalize their services to the user. The user's data is protected and exposure of the user's data is controlled by the user.

Abstract: A tracing mechanism is provided for analyzing session-based attacks. An exemplary method comprises: detecting a potential attack associated with a session from a potential attacker based on predefined anomaly detection criteria; adding a tracing flag identifier to a response packet; sending a notification to a cloud provider of the potential attack, wherein the notification comprises the tracing flag identifier; and sending the response packet to the potential attacker, wherein, in response to receiving the response packet with the tracing flag identifier, the cloud provider: determines a source of the potential attack based on a destination of the response packet; forwards the response packet to the potential attacker based on the destination of the response packet; and monitors the determined source to evaluate the potential attack. The response packet is optionally delayed by a predefined time duration and/or until the cloud provider has acknowledged receipt of the notification.

Abstract: Embodiments for detecting malicious modification of data in a network, by: setting, by a first layer of network resources, a number of markers associated with input/output (I/O) operations of the network; saving the markers, location, and associated metadata in a marker database; reading, by a second layer of the network resources, the markers corresponding to relevant I/O operations; and verifying each scanned I/O operation against a corresponding marker to determine whether or not data for a scanned specific I/O operation has been improperly modified for the first and second layers and any intermediate layer resulting in a fault condition, and if so, taking remedial action to flag or abort the specific I/O operation.

Abstract: The life cycle of one or more containers related to one or more containerized applications is managed by determining that a predefined retention time for a first container of the plurality of containers has elapsed; in response to the determining, performing the following honeypot container creation steps: suspending new session traffic to the first container; maintaining the first container as a honeypot container; and identifying communications sent to the honeypot container as an anomalous communication. Alert notifications are optionally generated for the anomalous communication.

Abstract: Existing policies enforced at or above an operating system (OS) layer of a device are obtained. Translation rules are stored that include data structure descriptions of conditions, corresponding actions performed when the conditions are satisfied, and attributes specified in the existing policies, and attributes of one or more layers below the OS layer that are relevant to policy enforcement in the one or more layers below the OS layer. The existing policies are parsed using the data structure descriptions to identify the conditions, corresponding actions, and attributes specified in the existing policies. New policies are generated that are consistent with the existing policies. The new policies include the identified attributes specified in the existing policies and the attributes relevant to policy enforcement in the one or more layers below the OS layer. The new policies are enforced in the one or more layers below the OS layer.

Abstract: Network level Moving Target Defense techniques are provided with substantially continuous access to protected applications. An exemplary method comprises identifying a first application listening to a first port or a first network address; notifying the first application to listen to a second port or a second network address; notifying at least one additional application that the first application is listening to the second port or the second network address; and notifying the first application to unlisten to the first port or the first network address, wherein the first application operates in a substantially continuous manner during a change from listening to one or more of the first port and the first network address and listening to one or more of the second port and the second network address. The first application can be a stateful application having persistent storage.