Patents by Inventor Richard Lee Barnes, II

Richard Lee Barnes, II has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11907236
    Abstract: Systems, methods, and computer-readable media for fuzzy-searches on encrypted messages include maintaining, in an indexer, a dictionary of words appearing in a message history. Upon receiving a query including at least one search term, a fuzzy search of the dictionary using the at least one search term is performed to determine one or more fuzzy-matching words in the dictionary, and one or more search tokens are generated from the one or more fuzzy-matching words, the one or more search tokens including encrypted versions of the one or more fuzzy-matching words. The one or more search tokens are provided to a search service for searching a database of encrypted messages of the message history, where the at least one search term may not have an exact match with any of the words in the dictionary.
    Type: Grant
    Filed: July 8, 2022
    Date of Patent: February 20, 2024
    Assignee: Cisco Technology, Inc.
    Inventor: Richard Lee Barnes, II
  • Patent number: 11570213
    Abstract: A non-transitory computer readable medium comprising instructions stored thereon, the instructions effective to cause at least one processor to: establish trustworthiness of an application installed on an endpoint, the established trustworthiness is sufficient for an enterprise security infrastructure to treat the application installed on the endpoint and the endpoint as a trusted application and a trusted endpoint; negotiate with the trusted endpoint to determine a traffic inspection method for traffic flows originating at the trusted application that is destined for a service, the traffic inspection method is determined based on at least the trusted application, and the service; and instruct the trusted application of the determined traffic inspection method.
    Type: Grant
    Filed: February 12, 2020
    Date of Patent: January 31, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Jianxin Wang, Nancy Cam-Winget, Donovan O'Hara, Richard Lee Barnes, II
  • Patent number: 11539517
    Abstract: Methods are provided for discovering related attributes with respect to an element in a customer data record, based on provided associations and for generating new associations between various elements of the customer data record. In these methods, the context service system obtains, from a subscriber, a lookup request including a first blinded attribute. The first blinded attribute is obtained by applying an oblivious pseudo random function (OPRF) to a first element of a data record. The method further includes the context service system identifying at least one second blinded attribute associated with the first blinded attribute in a shared data partition of the context service system and providing, to the subscriber, at least one second element of the data record associated with the at least one second blinded attribute.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: December 27, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Richard Lee Barnes, II, Michael P. Lepore
  • Publication number: 20220342883
    Abstract: Systems, methods, and computer-readable media for fuzzy-searches on encrypted messages include maintaining, in an indexer, a dictionary of words appearing in a message history. Upon receiving a query including at least one search term, a fuzzy search of the dictionary using the at least one search term is performed to determine one or more fuzzy-matching words in the dictionary, and one or more search tokens are generated from the one or more fuzzy-matching words, the one or more search tokens including encrypted versions of the one or more fuzzy-matching words. The one or more search tokens are provided to a search service for searching a database of encrypted messages of the message history, where the at least one search term may not have an exact match with any of the words in the dictionary.
    Type: Application
    Filed: July 8, 2022
    Publication date: October 27, 2022
    Inventor: Richard Lee Barnes, II
  • Patent number: 11386101
    Abstract: Systems, methods, and computer-readable media for fuzzy-searches on encrypted messages include maintaining, in an indexer, a dictionary of words appearing in a message history. Upon receiving a query including at least one search term, a fuzzy search of the dictionary using the at least one search term is performed to determine one or more fuzzy-matching words in the dictionary, and one or more search tokens are generated from the one or more fuzzy-matching words, the one or more search tokens including encrypted versions of the one or more fuzzy-matching words. The one or more search tokens are provided to a search service for searching a database of encrypted messages of the message history, where the at least one search term may not have an exact match with any of the words in the dictionary.
    Type: Grant
    Filed: August 8, 2019
    Date of Patent: July 12, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Richard Lee Barnes, II
  • Patent number: 11368487
    Abstract: A computer system applies security policies to web traffic while maintaining privacy. A network security agent is authenticated by a client application to dynamically obtain one or more security policies, wherein the client application and the network security agent are configured to execute on a device and the network security agent is capable of communicating with a source of security policies. Connection information is obtained that includes a request to initiate an encrypted connection with a destination entity. The client application determines whether the encrypted connection between the client application and the destination entity is permitted according to the security policy and based on the connection information. The encrypted connection between the client and the destination entity is established in response to determining that the encrypted connection is permitted. Embodiments may further include a method and computer program product for applying security policies to web traffic.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: June 21, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Panagiotis Theodorou Kampanakis, David Arthur McGrew, Richard Lee Barnes, II
  • Publication number: 20220123950
    Abstract: This disclosure describes techniques for authenticating one or more devices of a user in association with cloud computing services. The techniques include generating credential portions. The credential portions may be used in a signing protocol between one of the user devices and a cloud authenticator. The signing protocol may generate a signature that may be used in authentication with a cloud computing service. Furthermore, the user may be able to use any one of the user devices to log in to an online service after enrolling only a single user device with the online service. As such, the cloud authenticator may assist multiple user devices to authenticate with the cloud computing service.
    Type: Application
    Filed: October 15, 2020
    Publication date: April 21, 2022
    Inventors: Jeremy Erickson, Nicholas James Mooney, Jordan Matthew Wright, Nicholas Hamilton Steele, Mikhail Davidov, Richard Lee Barnes, II
  • Patent number: 11025608
    Abstract: A method includes establishing an application layer transport layer security (ATLS) connection between a network device and a cloud server by sending, from the network device, TLS records in transport protocol (e.g., HTTP) message bodies to the cloud server, the ATLS connection transiting at least one transport layer security (TLS) proxy device, receiving, from the cloud server via the ATLS connection, an identifier for a certificate authority, establishing a connection with the certificate authority associated with the identifier and, in turn, receiving from the certificate authority credentials to access an application service different from the cloud server and the certificate authority, and connecting to the application service using the credentials received from the certificate authority.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: June 1, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Owen Brendan Friel, Max Pritikin, Cullen Jennings, Richard Lee Barnes, II
  • Publication number: 20210075605
    Abstract: Methods are provided for discovering related attributes with respect to an element in a customer data record, based on provided associations and for generating new associations between various elements of the customer data record. In these methods, the context service system obtains, from a subscriber, a lookup request including a first blinded attribute. The first blinded attribute is obtained by applying an oblivious pseudo random function (OPRF) to a first element of a data record. The method further includes the context service system identifying at least one second blinded attribute associated with the first blinded attribute in a shared data partition of the context service system and providing, to the subscriber, at least one second element of the data record associated with the at least one second blinded attribute.
    Type: Application
    Filed: September 9, 2019
    Publication date: March 11, 2021
    Inventors: Richard Lee Barnes, II, Michael P. Lepore
  • Publication number: 20210042305
    Abstract: Systems, methods, and computer-readable media for fuzzy-searches on encrypted messages include maintaining, in an indexer, a dictionary of words appearing in a message history. Upon receiving a query including at least one search term, a fuzzy search of the dictionary using the at least one search term is performed to determine one or more fuzzy-matching words in the dictionary, and one or more search tokens are generated from the one or more fuzzy-matching words, the one or more search tokens including encrypted versions of the one or more fuzzy-matching words. The one or more search tokens are provided to a search service for searching a database of encrypted messages of the message history, where the at least one search term may not have an exact match with any of the words in the dictionary.
    Type: Application
    Filed: August 8, 2019
    Publication date: February 11, 2021
    Inventor: Richard Lee Barnes, II
  • Publication number: 20200374314
    Abstract: A computer system applies security policies to web traffic while maintaining privacy. A network security agent is authenticated by a client application to dynamically obtain one or more security policies, wherein the client application and the network security agent are configured to execute on a device and the network security agent is capable of communicating with a source of security policies. Connection information is obtained that includes a request to initiate an encrypted connection with a destination entity. The client application determines whether the encrypted connection between the client application and the destination entity is permitted according to the security policy and based on the connection information. The encrypted connection between the client and the destination entity is established in response to determining that the encrypted connection is permitted. Embodiments may further include a method and computer program product for applying security policies to web traffic.
    Type: Application
    Filed: May 20, 2019
    Publication date: November 26, 2020
    Inventors: Panagiotis Theodorou Kampanakis, David Arthur McGrew, Richard Lee Barnes, II
  • Publication number: 20200322382
    Abstract: A non-transitory computer readable medium comprising instructions stored thereon, the instructions effective to cause at least one processor to: establish trustworthiness of an application installed on an endpoint, the established trustworthiness is sufficient for an enterprise security infrastructure to treat the application installed on the endpoint and the endpoint as a trusted application and a trusted endpoint; negotiate with the trusted endpoint to determine a traffic inspection method for traffic flows originating at the trusted application that is destined for a service, the traffic inspection method is determined based on at least the trusted application, and the service; and instruct the trusted application of the determined traffic inspection method.
    Type: Application
    Filed: February 12, 2020
    Publication date: October 8, 2020
    Inventors: Jianxin Wang, Nancy Cam-Winget, Donovan O'Hara, Richard Lee Barnes, II
  • Patent number: 10595320
    Abstract: A process for implementing temporary rules for network devices is described. In one embodiment, the process includes a controller receiving a manufacturer usage description (MUD) identifier from a first device. The controller retrieves a MUD file associated with the MUD identifier. The controller registers a device identifier associated with the first device with a delegated controller determined based on the MUD file. The delegated controller is configured to generate a dynamic policy for the first device. The controller receives a dynamic policy from the delegated controller for the first device. The dynamic policy may be configured to permit a communication session between the first device and a second device. The controller forwards the dynamic policy to an access control device in communication with the first device to enable the access control device to permit the communication session between the first device and the second device.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: March 17, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Eliot Lear, Brian Weis, Richard Lee Barnes, II
  • Publication number: 20190149538
    Abstract: A method includes establishing an application layer transport layer security (ATLS) connection between a network device and a cloud server by sending, from the network device, TLS records in transport protocol (e.g., HTTP) message bodies to the cloud server, the ATLS connection transiting at least one transport layer security (TLS) proxy device, receiving, from the cloud server via the ATLS connection, an identifier for a certificate authority, establishing a connection with the certificate authority associated with the identifier and, in turn, receiving from the certificate authority credentials to access an application service different from the cloud server and the certificate authority, and connecting to the application service using the credentials received from the certificate authority.
    Type: Application
    Filed: April 5, 2018
    Publication date: May 16, 2019
    Inventors: Owen Brendan Friel, Max Pritikin, Cullen Jennings, Richard Lee Barnes, II
  • Patent number: 9069963
    Abstract: Embodiments of an inspection system and method for a collection of information objects, for example, a collection of executable software applications may be inspected for computer viruses, or a collection of genomes may be inspected for common or unique gene sequences. Information objects may contain identified sequences of instructions, each of which may be labeled with a symbol. In the software context, programming languages may include symbols that indicate functionality. In some embodiments, an inspection of the statistical properties of the information objects and their included symbols may allow for the symbols (and thus instruction sequences) to be grouped into logical components. In some embodiments, objects that include individual logical components may be grouped together. These groupings and their dependencies may be used to determine the structure of each object by detailing its constituent components, how they relate or depend on one another, and how the information object may function.
    Type: Grant
    Filed: July 5, 2012
    Date of Patent: June 30, 2015
    Assignee: Raytheon BBN Technologies Corp.
    Inventor: Richard Lee Barnes, II
  • Publication number: 20140012847
    Abstract: Embodiments of an inspection system and method for a collection of information objects, for example, a collection of executable software applications may be inspected for computer viruses, or a collection of genomes may be inspected for common or unique gene sequences. Information objects may contain identified sequences of instructions, each of which may be labeled with a symbol. In the software context, programming languages may include symbols that indicate functionality. In some embodiments, an inspection of the statistical properties of the information objects and their included symbols may allow for the symbols (and thus instruction sequences) to be grouped into logical components. In some embodiments, objects that include individual logical components may be grouped together. These groupings and their dependencies may be used to determine the structure of each object by detailing its constituent components, how they relate or depend on one another, and how the information object may function.
    Type: Application
    Filed: July 5, 2012
    Publication date: January 9, 2014
    Applicant: Raytheon BBN Technologies Corp.
    Inventor: Richard Lee Barnes, II