Patents Issued in August 24, 2017
-
Publication number: 20170244706
Abstract: An authenticating device assigns an application identifier and an application secret value to a customer application, receives a first resource authorization request from a first instance of multiple replicated instances of a customer application, where the first instance is installed in a first machine, and receives a second resource authorization request from a second instance of the multiple replicated instances of the customer application, where the second instance is installed in a second machine. The authenticating device generates, responsive to the first resource authorization request, a first token using a first network address associated with the first machine, the application identifier and the application secret value, and returns, to the first instance of the customer application, the generated first token for use in requesting access to a resource server.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Inventors: Dahai Ren, Hector Saint-Hilaire, Anil Kadiga, Shuai Wu
-
Publication number: 20170244707
Abstract: Systems, computer program products, and methods are described herein for a system for establishing secure access for users in a process data network. The present invention is configured to create a block chain of resource information based on at least aggregated information associated with past transfer of resources executed by an entity; analyze the block chain of resource information to determine a pattern associated with the past transfer of resources executed by the entity; receive an indication that the entity has executed a transfer of resources; receive information associated with the transfer of resources; compare the information associated with the transfer of resources with the pattern associated with the past transfer of resources executed by the entity to determine a match; and allow the execution of the transfer of resources.
Type: Application
Filed: February 22, 2016
Publication date: August 24, 2017
Inventors: Darrell Johnsrud, Manu Jacob Kurian, Michael Wuehler
-
Publication number: 20170244708
Abstract: A token-based routing system that includes an out-of-network transfer processor configured to receive a transfer request, a sender token, and a receiver token and to identify an institution associated with a sender based on the sender token. The out-of-network transfer processor is configured to determine a membership for an institution associated with a receiver based on the receiver token. The out-of-network transfer processor is configured to facilitate a transfer from the institution associated with the sender to the receiver using service network resources in response to determining that the membership for the institution associated with the receiver indicates an in-network institution.
Type: Application
Filed: May 11, 2016
Publication date: August 24, 2017
Inventors: Richard H. Thomas, Joseph B. Castinado
-
Publication number: 20170244709
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for controlling access to APIs. One of the methods includes receiving a request from a client for a computer authorization challenge to access an application programming interface; determining a computer authorization challenge with a difficulty of completion that satisfies a target computational cost for the application programming interface; and providing the computer authorization challenge to the client for access to the application programming interface.
Type: Application
Filed: February 14, 2017
Publication date: August 24, 2017
Inventors: Anant Deep Jhingran, Mukundha Madhavan Gnana Sekaran, Sridhar Rajagopalan
-
Publication number: 20170244710
Abstract: Systems and techniques are provided for controlling requests for resources from remote computers. A remote computer's ability to access a resource is determined based upon the computer's operating environment. The computer or computers responsible for controlling access to a resource will interrogate the remote computer to ascertain its operating environment. The computer or computers responsible for controlling access to a resource may, for example, download one or more interrogator agents onto the remote computer to determine its operating environment. Based upon the interrogation results, the computer or computers responsible for controlling access to a resource will control the remote computer's access to the requested resource.
Type: Application
Filed: March 31, 2017
Publication date: August 24, 2017
Inventors: Chris Hopen, Gary Tomlinson, Parvez Anandam, Brian Young, Alan Flagg, Jude Michael Dylan O'Reilley
-
Publication number: 20170244711
Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vii) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.
Type: Application
Filed: May 8, 2017
Publication date: August 24, 2017
Applicant: AXIOMATICS AB
Inventors: Erik RISSANEN, Pablo GIAMBIAGI
-
Publication number: 20170244712
Abstract: A method includes, after expiration of a first passcode, receiving, at an access point, a first access request from a first device. The first access request may be encrypted based on the first passcode. The method further includes determining whether an identifier of the first device is included in a device list associated with the first passcode. The device list includes identifiers of devices that accessed the access point using encryption based on the first passcode before the expiration of the first passcode. The method also includes, in response to a determination that the identifier of the first device is included in the device list, generating, at the access point, data representing a second passcode by encrypting the second passcode using the first passcode. The method further includes sending the data representing the second passcode to the first device from the access point.
Type: Application
Filed: February 22, 2016
Publication date: August 24, 2017
Inventors: SHELDON KENT MEREDITH, WILLIAM COTTRILL, BRANDON B. HILLIARD
-
Publication number: 20170244713
Abstract: A proxy that requests, and then analyzes, some test characteristics of a client to generate a client signature profile. When the test characteristics change in a manner to suggest that the client has been spoofed or infected, the proxy could trigger appropriate security measures to adjust communication protocols with the client. The test characteristics could also be randomly selected, and if the wrong test characteristics are sent to the server by the client in response to a request for test characteristics, another security alert could be triggered.
Type: Application
Filed: May 12, 2016
Publication date: August 24, 2017
Inventor: Chig Jong SUN
-
Publication number: 20170244714
Abstract: A method for providing a browser using browser processes separated based on access privileges and an apparatus using the method. The method includes acquiring a first address corresponding to a first webpage; acquiring a first set of terminal access privileges based on the first address from a privilege control list and executing a first browser process corresponding to the first set of terminal access privileges; determining whether to allow rendering by comparing the first set of terminal access privileges with a second set of terminal access privileges corresponding to a second webpage when the first browser process attempts to render the second webpage; and if the rendering is not allowed, blocking the first browser process from rendering and rendering the second webpage by executing a second browser process corresponding to the second set of terminal access privileges.
Type: Application
Filed: July 19, 2016
Publication date: August 24, 2017
Inventors: Taeho NAM, Seung-hun HAN, Jung-hwan KANG, Wook SHIN, HyoungChun KIM, ByungJoon KIM, Sung-Jin KIM
-
Publication number: 20170244715
Abstract: A system and method is disclosed for establishing authenticated Bluetooth Low Energy communication session between a slave device and a master device. The slave device lacks ability to control which master device can connect to it; however, the after connection authentication process enables a slave device to terminate connection with unauthenticated master device.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Applicant: Texas Instruments Incorporated
Inventors: Arun C Menon, Sreeharsha Srinivas H Iyengar, Sandeep Kamath
-
Publication number: 20170244716
Abstract: Apparatuses, methods, and program products are disclosed for accessing a network. One method includes receiving, at a second information handling device, a request from a first information handling device for access to a network accessible via the second information handling device. The method also includes determining, based on the request, whether the first information handling device is trusted by the second information handling device. The method includes determining network credentials including a username and a password for accessing the network in response to the first information handling device being trusted. The method also includes transmitting the network credentials from the second information handling device to the first information handling device.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Inventors: Sudhir C. Vissa, Vivek K. Tyagi
-
Publication number: 20170244717
Abstract: An apparatus including an in-network transfer processor configured to receive a transfer request, a sender token, and a receiver token, to identify an institution associated with a sender based on the sender token, and to identify an institution associated with a receiver based on the receiver token. The in-network transfer processor is configured to facilitate an internal transfer to the sender when the sender and the receiver are the same user and to facilitate an internal transfer to the receiver when the sender and the receiver are different users. The in-network transfer processor is configured to facilitate a transfer to the receiver using service network resources when the membership for the institution associated with the receiver indicates an in-network institution and to facilitate a transfer to the institution associated with the receiver using secondary network resources when the membership for the institution associated with the receiver indicates an out-of-network institution.
Type: Application
Filed: May 11, 2016
Publication date: August 24, 2017
Inventors: Richard H. Thomas, Joseph B. Castinado
-
Publication number: 20170244718
Abstract: There is provided a method of authenticating a user in a network. The method can be executed on a server. The method comprises: acquiring a non-authorized user-behavior model associated with a non-authorized access to a network resource by an unauthorized entity, the non-authorized user-behavior model having been generated during blocking the non-authorized access to the network resource by the unauthorized entity; retrieving from a log stored on the network server, an indication of a plurality of users, each respective user associated with a respective user-behavior model; responsive to one of the respective user-behavior model matching the non-authorized user-behavior model, associating a user account associated with the respective user associated with the one of the respective user-behavior model with a security-violation parameter; responsive to the security-violation parameter, restricting user activity within the user account.
Type: Application
Filed: February 11, 2015
Publication date: August 24, 2017
Inventors: Ekaterina Aleksandrovna ANDREEVA, Yury Alekseyevich LEONYCHEV, Egor Vladimirovich GANIN, Sergey Aleksandrovich LAVRINENKO
-
Publication number: 20170244719
Abstract: The present disclosure includes a method of maintaining rating groups and receiving, from a first user, a selection of a first rating group, from among the rating groups, to be applied to a set of users associated with the first user. Next, the method includes receiving, from a user, a request for a piece of content from the content and determining that the user from which the request was received belongs to the set of users associated with the first user. The method also includes accessing information associated with the first rating group and determining whether the first rating group includes a rating for the requested piece of content. The method also includes determining whether or not to provide information to the requesting user conditioned on the indication or absence of a rating for the requested piece of content within the first rating group.
Type: Application
Filed: May 8, 2017
Publication date: August 24, 2017
Inventors: Jeffrey Joseph Damick, Sean Cunningham
-
Publication number: 20170244720
Abstract: Embodiments of the invention are directed to a system, method, or computer program product for generating and using a block chain distributed network for tracking and validating protocols and other operations associated with the transition of one or more resources from being arranged in a consolidated, privately-held structure to being arranged and/or distributed in a publicly available structure. In example implementations, the block chain database is used and updated to reflect the status degree of completion of protocols associated with the identification, characterization, and dissemination of resource characteristics and resource shares, including the fractional distribution of resource portions to effectuate the efficient transition of a resource.
Type: Application
Filed: February 22, 2016
Publication date: August 24, 2017
Inventors: Manu Jacob Kurian, Darrell Johnsrud
-
Publication number: 20170244721
Abstract: Embodiments enable a system to determine, authorize, and adjust access, writing, retrieval, and validation rights of users and entities associated with one or more distributed block chain networks. The system is capable of receiving an authorization request from a user to conduct an action associated with the block chain distributed network, determine a security level associated with the user, and either authorize or screen the user from conducting the action based on the determined security level. The system may adjust the security level of the user by requesting and receiving additional authorization credentials from the user. Furthermore, the system may adjust the security level of one or more users based on security or functionality needs of the block chain distributed network.
Type: Application
Filed: February 22, 2016
Publication date: August 24, 2017
Inventors: Manu Jacob Kurian, Joseph Benjamin Castinado
-
Publication number: 20170244722
Abstract: A method for providing guest access to a guest user for a network resource device based on proximity includes provisioning a plurality of network resource devices with a set of guest on-boarding information, receiving a request for guest access from a guest user for the network resource devices, determining if the guest user is within a certain distance of at least one of the network resource devices, and if the guest user is within the certain distance of at least one of the network resource devices identify each such network resource device as a proximate device. The method also includes providing a first set of guest on-boarding information to the guest user, via one of the proximate devices. The first set of guest on-boarding information includes a first unique identifier, and guest access credentials are provided to the guest user upon receipt of the first unique identifier.
Type: Application
Filed: February 24, 2016
Publication date: August 24, 2017
Inventors: Peter J. Zehler, Emil Macarie
-
Publication number: 20170244723
Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the DevOps device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.
Type: Application
Filed: May 8, 2017
Publication date: August 24, 2017
Inventors: RAMNATH PRASAD, PRADEEP AYYAPPAN NAIR, VEENA RAMACHANDRAN, SANDEEP KALARICKAL, THOMAS KNUDSON, PAVAN GOPAL BANDLA, CHETAN SHANKAR, RANAJOY SANYAL, QINGSU WU, CHI ZHOU, THOMAS KEANE
-
Publication number: 20170244724
Abstract: A virtual business mobile device can be provisioned on a personal mobile device, by binding a mobile application for provisioning the business mobile device to a privileged component of a host operating system of the personal mobile device, wherein the binding enables a software virtualization layer and a management service component of the mobile application to execute in a privileged mode. The mobile application is then able to download a virtual phone image for the business mobile device and security-related policy settings relating to use of the business mobile device from a mobile management server, wherein the software virtualization layer is able to launch a virtual machine for the business mobile device based on the virtual phone image. Once the virtual phone image has been downloaded, the management service component initiates a periodic attempt to establish a connection with the mobile management server to comply with the downloaded security-related policy settings.
Type: Application
Filed: January 9, 2017
Publication date: August 24, 2017
Inventors: Stephen Deasy, Craig Newell, Emil Sit, Paul Wisner, David Furodet, Viktor Gyuris, Robert Meyer, Fanny Strudel
-
Publication number: 20170244725
Abstract: In accordance with one or more embodiments, aspects of the disclosure provide efficient, effective, and convenient ways of uploading and authenticating content. In particular, a user device may receive validating information from a wireless networking device. The user or client device may record a content item, and may insert a validation tag based on the validating information. The user or client device may then send the content item to the wireless networking device. The wireless networking device may receive the content item at a first location and may determine the validity of the content item based on the validating information. The user device may continually interact with wireless networking devices as it travels to continually upload content items while establishing the validity of the time and location of the content items.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Inventors: Joseph Badro, Yasser F. Syed, Donald J. Wester
-
Publication number: 20170244726
Abstract: The present disclosure generally relates to an interface system and method of interfacing to generate data compatible with an external system in an oil and gas asset supply chain, and in particular to an interface and interface method for generating secure and verifiable data to prevent tampering, injection of unwanted data resulting from an unauthorized access along a supply chain. An interface generates and transforms data in an oil and gas supply chain for compatibility with external systems. Collected data is captured by an industrial control system sensor or data collector, and transferred to a secure intermediary hardware platform to interface with a software component. The collected data is then modified using a business rules engine to create enhanced data and events created from the enhanced data.
Type: Application
Filed: September 24, 2015
Publication date: August 24, 2017
Applicant: SICPA HOLDING SA
Inventors: Charles FINKEL, Mark CAMPBELL, Christophe VAN NGOC TY, Giorgio CASET, Friedrich KOBLER
-
Publication number: 20170244727
Abstract: A tokenization system that includes a tokenizer, a token and alias directory, and a network node. The tokenizer is configured to generate tokens. The token and alias directory is configured to store tokens. The network node is configured to receive user information for a user and to determine a membership for an institution associated with the user based on the user information. The network node is configured to send an authorization request to an authorization processor in response to determining that the membership for the institution associated with the receiver indicates an in-network institution and to receive an authorization approval in response to sending the authorization request. The network node is further configured to send a token request to the tokenizer, to receive a token in response to the token request, and to store the token in the token and alias directory.
Type: Application
Filed: May 11, 2016
Publication date: August 24, 2017
Inventors: Richard H. Thomas, Joseph B. Castinado
-
Publication number: 20170244728
Abstract: Methods and systems for verifying the identity and trustworthiness of a user of an online system are disclosed. In one embodiment, the method comprises receiving online and offline identity information for a user and comparing them to a user profile information provided by the user. Furthermore, the user's online activity in a third party online system and the user's offline activity are received. Based on the online activity and the offline activity a trustworthiness score may be calculated.
Type: Application
Filed: May 8, 2017
Publication date: August 24, 2017
Inventors: Stephen Kirkham, Michael Lewis
-
Publication number: 20170244729
Abstract: Methods and apparatus for real-time security monitoring on a computing device are presented. A system may define privileges to access hardware interfaces for each process of a plurality of processes executing on a computing device. The privileges may be defined in a privileged operating system level that controls root access to an operating system. In response to a determination that a process is attempting to access a hardware interface, the system may determine whether the process is privileged to access the hardware interface by checking the privileges. In response to determining that the process is not privileged to access the hardware interface, the intrusion detection agent may terminate the process.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Inventors: James Fahrny, Kyong Park
-
Publication number: 20170244730
Abstract: The instant disclosure is directed to an attack/unwanted activity detecting firewall for use in protecting authentication-based network resources. The instant system is adapted for installation inline or in sniffer mode. In various embodiments, defined rules are applied to network traffic to determine whether certain types of attacks are occurring on the network resources. If one such attack is detected, the system provides for several potential responses, including for example disconnecting the attacking remote machine, requiring the user at that machine to re-authenticate, and/or requiring a second factor of authentication from the user at that machine. In some example embodiments, regardless of any activity required of a user at the remote machine suspected of malicious behavior, the disclosed system generates an alarm or other alert for presentation as appropriate, such as via a graphical user interface or a third-party system using an API.
Type: Application
Filed: May 10, 2016
Publication date: August 24, 2017
Inventors: Ajit Sancheti, Roman Blachman, Amir Jakoby, Eyal Karni
-
Publication number: 20170244731
Abstract: A method (and structure) includes receiving, as input data into a computer-implemented processing procedure, at least one listing of at least one of time series data and potential candidate periods of potential beaconing activity. The input data is processed, using a processor on a computer, to evaluate the input data as if the input data represents data points of an input analog signal subject to principles of communication theory and having determinable statistical characteristics.
Type: Application
Filed: May 27, 2016
Publication date: August 24, 2017
Inventors: Xin HU, Jiyong JANG, Douglas SCHALES, Marc STOECKLIN, Ting WANG
-
Publication number: 20170244732
Abstract: The present disclosure relates to a network device that detects a deauthentication and/or disassociation attack in a wireless local area network (WLAN). In example implementations, the network device selects a random Media Access Control (MAC) address that is unused in the WLAN. The network device then transmits a request using the selected MAC address over a shared wireless communication channel. Next, the network device transmits a response using a MAC address corresponding to the network device over the shared wireless communication channel. Subsequently, the network device receives a disconnection request using the selected MAC address over the shared wireless communication channel. In response to receiving the disconnection request, the network device can detect an attacker device in the WLAN.
Type: Application
Filed: August 12, 2016
Publication date: August 24, 2017
Inventors: Naveen Manjunath, Santashil PalChaudhuri, Deepakparasar Avalur
-
Publication number: 20170244733
Abstract: Methods and systems for intrusion detection include determining a causality trace for a flagged event. Determining the causality trace includes identifying a hot process that generates bursts of events with interleaved dependencies, aggregating events related to the hot process according to a process-centric dependency approximation that ignores dependencies between the events related to the hot process, and tracking causality in a reduced event stream that comprises the aggregated events. It is determined whether an intrusion has occurred based on the causality trace. One or more mitigation actions is performed if it is determined that an intrusion has occurred.
Type: Application
Filed: January 26, 2017
Publication date: August 24, 2017
Inventors: Zhenyu Wu, Zhichun Li, Jungwhan Rhee, Fengyuan Xu, Guofei Jiang, Kangkook Jee, Xusheng Xiao, Zhang Xu
-
Publication number: 20170244734
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
Type: Application
Filed: February 17, 2017
Publication date: August 24, 2017
Inventors: Ross R. Kinder, Aaron Hackworth, Matthew K. Geiger, Kevin R. Moore, Timothy M. Vidas
-
Publication number: 20170244735
Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, automatically tag and group those clustered data structures, and provide results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria or rules so as to generate a tiled display of the groups of related data clusters such that the analyst may quickly and efficiently evaluate the groups of data clusters. In particular, the groups of data clusters may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various groups of data clusters and efficiently evaluate those data clusters in the context of, for example, a fraud investigation.
Type: Application
Filed: March 3, 2017
Publication date: August 24, 2017
Inventors: Alexander Visbal, James Thompson, Marvin Sum, Jason Ma, Bing Jie Fu, Ilya Nepomnyashchiy, Devin Witherspoon, Victoria Lai, Steven Berler, Alexei Smaliy, Suchan Lee
-
Publication number: 20170244736
Abstract: The present invention relates to a method of providing an automated reaction to malicious polymorphic messages, comprising the steps of: a) applying a handling process on non-reported messages for detecting existing polymorphic messages that are maliciously similar to one or more messages that are classified as suspicious, thereby enabling to define the detected non-reported polymorphic messages as suspicious; and b) applying mitigating actions to neutralize said suspicious non-reported detected messages.
Type: Application
Filed: April 28, 2017
Publication date: August 24, 2017
Applicant: Ironscales Ltd.
Inventor: Eyal Benishti
-
Publication number: 20170244737
Abstract: A system is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests. Example embodiments described herein include a proxy configured to handle network traffic between a host and clients. The proxy includes two request classification mechanisms, first a list of known clients, malicious and non-malicious, for identifying known malicious and known non-malicious requests and second a web application firewall for determining a classification for unknown requests (e.g., not originating from a known client). The classification itself may be distributed. The proxy determines whether a request is known non-malicious, known malicious, or unknown. The proxy collects request attributes for the known malicious and known non-malicious requests for the generation of a model based on the attributes of the known requests. The proxy passes the unknown requests to the WAF for determining a classification based on their attributes using the model.
Type: Application
Filed: February 23, 2017
Publication date: August 24, 2017
Inventors: Leon Kuperman, Kipras Mancevicius
-
Publication number: 20170244738
Abstract: Examples relate to distributed detection of malicious cloud actors. In some examples, outgoing cloud packets from the cloud server are intercepted and processed to determine if a preliminary threshold is exceeded, where the outgoing cloud packets are used to identify a customer. At this stage, a potential outgoing intrusion event of a number of potential outgoing intrusion events is generated when the preliminary threshold is exceeded. The potential outgoing intrusion events are used to update an aggregate log, where the aggregate log tracks a customer subset of the cloud servers that is associated with the customer. In response to analyzing the aggregate log to determine that cloud traffic by the customer to the destination address exceeds an intrusion threshold, a notification of malicious activity by the customer is provided, wherein the intrusion threshold is satisfied at a higher cloud activity level than the preliminary threshold.
Type: Application
Filed: August 28, 2014
Publication date: August 24, 2017
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Robert Graham CLARK
-
Publication number: 20170244739
Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.
Type: Application
Filed: May 10, 2017
Publication date: August 24, 2017
Inventors: Maarten Van Horenbeeck, Christopher Michael Anderson, Katharine Nicole Harrison, Matthew Ryan Jezorek, Jon Arron McClintock, Tushaar Sethi
-
Publication number: 20170244740
Abstract: Network security risk assessment systems and methods are provided. The system has a remote subscriber computer, a risk assessment viewer application, and a risk assessment server that receives a list of software applications operating within the subscriber organization network and a plurality of properties for each of the software applications, and receives a list of organizational nodes within the subscriber organization and a plurality of properties for each of the organizational nodes, determines one or more risk assessment scores and transmits a notification to the remote subscriber computer when a predefined reporting threshold is exceeded.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Inventors: Roger Mahabir, Jason Doel, Mesbah Abdulrahem, Peter Grys, Loren Hicks
-
Publication number: 20170244741
Abstract: A system analyzes various qualitative data to identify security threats to computing devices. Qualitative data refers to data that may describe a security threat, such as user sentiment or intent data, user online comments, discussions on Web sites, offers for sale on electronic commerce (e-commerce) Web sites, blogs, news articles, and so forth. The qualitative data is analyzed, and data that is classified by the system as indicating malware is identified and acted upon (e.g., notifications provided to the appropriate users and/or devices). The use of qualitative data allows the system to be proactive in protecting against security threats. By analyzing the qualitative data, expected or future security threats to computing devices can be identified and mitigated (possibly even prevented) before any computing devices are attacked.
Type: Application
Filed: February 19, 2016
Publication date: August 24, 2017
Inventors: Methusela Cebrian Ferrer, Dolcita M. Montemayor, Gilda Cruz Lodahl, Barry R. Golden
-
Publication number: 20170244742
Abstract: Apparatus and methods described herein relate to a global workspace management compute device that can generate a workspace hierarchy tree representing a hierarchy of a set of workspaces in a network. A local workspace management compute device operatively coupled to the global workspace management compute device can, when operative, calculate workspace cyber-threat data for a local workspace in the set of workspaces based on data from a global workspace, and can provide the calculated workspace cyber-threat data to a local workspace interface so that the local workspace interface displays a representation of the set of workspaces in the network. After receiving modifications of portions of the local workspace cyber-threat data, the local workspace management compute device can define a child node of the local workspace based on the modifications. The local workspace interface can modify the representation of the set of workspaces in the network based on the child node.
Type: Application
Filed: February 22, 2016
Publication date: August 24, 2017
Applicant: Lookingglass Cyber Solutions, Inc.
Inventors: John Joseph Helmsen, Bryan Wesley Brown, Christopher Paul Pinney Wood, Allan Thomson
-
Publication number: 20170244743
Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.
Type: Application
Filed: February 24, 2017
Publication date: August 24, 2017
Inventors: Christopher B. Key, Paul E. Holzberger, JR.
-
Publication number: 20170244744
Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.
Type: Application
Filed: February 24, 2017
Publication date: August 24, 2017
Inventors: Christopher B. Key, Paul E. Holzberger, JR.
-
Publication number: 20170244745
Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.
Type: Application
Filed: February 24, 2017
Publication date: August 24, 2017
Inventors: Christopher B. Key, Paul E. Holzberger, Jr.
-
Publication number: 20170244746
Abstract: Various embodiments assess security risks of users in computing networks. In some embodiments, an interaction item is sent to an end user electronic device. When the end user interacts with the interaction item, the system collects feedback data that includes information about the user's interaction with the interaction item, as well as technical information about the electronic device. The feedback is compared to a plurality of security risk scoring metrics. Based on this comparison, a security risk score for the user with respect to a computing network.
Type: Application
Filed: April 20, 2017
Publication date: August 24, 2017
Inventors: Trevor T. Hawthorn, Norman Sadeh-Koniecpol, Nathan Miller, Jeff Losapio, Kurt Wescoe, Jason Brubaker, Jason Hong
-
Publication number: 20170244747
Abstract: A list of electronic mail (e-mail) accounts is extracted from an electronic mail system. A list of electronic mail accounts, with forwarding enabled, are identified as a set of collection accounts. A dropbox account is identified, from the collection accounts, as a destination e-mail account for the forwarded collection accounts. The collection accounts that forward to the dropbox account that has in excess of a threshold number of collection accounts forwarding to it, are identified as malicious e-mail collection accounts and are forwarded to a resolution system, for resolution.
Type: Application
Filed: February 24, 2016
Publication date: August 24, 2017
Inventors: Aaron J. Moreau-Cook, Samuel Terrence Trim, Yuxiang Xu, Aby John
-
Publication number: 20170244748
Abstract: Methods and systems for providing secure computing environments. Features of the present invention use a plurality of integrated security controls to ensure security of a computing environment. More specifically, features of the present invention detect discrepancies between a node's behavior and a defined policy to identify and remedy malicious behavior.
Type: Application
Filed: June 8, 2016
Publication date: August 24, 2017
Inventors: Lee Krause, Steve Hamby, Jacob Staples, Attila Ondi
-
Publication number: 20170244749
Abstract: Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity patterns. In response, the TMM can cause an alert to be generated.
Type: Application
Filed: November 7, 2016
Publication date: August 24, 2017
Inventors: Amichai SHULMAN, Sagie DULCE
-
Publication number: 20170244750
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
Type: Application
Filed: February 17, 2017
Publication date: August 24, 2017
Inventors: Ross R. Kinder, Aaron Hackworth, Matthew K. Geiger, Kevin R. Moore, Timothy M. Vidas, Oliver J. Palmer, Jon Ramsey, Matt J. McCormack
-
Publication number: 20170244751
Abstract: A system for the categorization of interlinked information items, the system comprising: a trust flow module which is configured to receive a seed trust list of one or more first information items, the seed trust list associating the one or more first information items with one or more categories; and a trust flow module configured to: associate a respective trust value with each of the one or more categories for the one or more first information items; and iteratively pass at least part of the or each trust value to one or more further information items to generate, for each of the one or more further information items, at least one accumulated trust value associated with a category of the one or more categories, such that the one or more further information items can be categorized based on the at least one accumulated trust value and associated category.
Type: Application
Filed: May 10, 2017
Publication date: August 24, 2017
Inventor: Alexey CHUDNOVSKIY
-
Publication number: 20170244752
Abstract: Disclosed are systems and methods for protection of a technological system (TS) from cyber attacks. An exemplary method comprises: obtaining a real state of the TS; initializing a cybernetic control system (CCS) by synchronizing the CCS with the TS; comparing, by the CCS, the real state of the TS with an ideal state of the TS; based on the comparison, identifying a deviation of the real state of the TS from the ideal state of the TS; when the deviation is identified, checking an integrity of at least functional interconnections of the states of one or more elements of the TS; determining whether the ideal state of the TS is a modeling error based on one or more confirmed sustained functional interconnections between elements of the TS; and identifying anomalies in the TS based on one or more disturbed functional interconnections between elements of the TS.
Type: Application
Filed: September 2, 2016
Publication date: August 24, 2017
Inventors: SERGEY V. GORDEYCHIK, ANDREY B. LAVRENTYEV, ANDREY P. DOUKHVALOV
-
Publication number: 20170244753
Abstract: A method is provided for verifying a data exchange channel between a first client, a second client, and a server that is communicatively coupled to the first client and the second client, respectively. The first client exchanges a sequence of updates to an information item with the second client through the data exchange channel and each of the first client, the second client, and the server maintains a respective copy of update sequence history of the information item. First, the first client sends a security audit query to the server from the first client, the security audit query including an audit identifier that is shared by the first client and the second client. After receiving a query response from the server, the query response including a copy of the update sequence history maintained by the server, the first client compares the update sequence history in the query response with a copy of corresponding update sequence history maintained by the first client.
Type: Application
Filed: February 19, 2016
Publication date: August 24, 2017
Inventor: Xuesong HU
-
Publication number: 20170244754
Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
Type: Application
Filed: February 17, 2017
Publication date: August 24, 2017
Inventors: Ross R. Kinder, Aaron Hackworth, Matthew K. Geiger, Kevin R. Moore, Timothy M. Vidas
-
Publication number: 20170244755
Abstract: A login page of an online service is received in a user computer. False credentials, such as a false user identifier (ID) and a false password, are entered into the login page to login to the online service. The login page is classified as phishing when the online service does not serve a legitimate login-fail page in response to the entry of the false credentials in the login page.
Type: Application
Filed: February 18, 2016
Publication date: August 24, 2017
Applicant: Trend Micro Incorporated
Inventors: Wen-Kwang TSAO, Che-Fu YEH, Hong-Che LIN