Abstract: The present invention relates to methods, processes, and systems for monitoring security policy violations in a computer network. Details of such monitoring include creating a rule according to a security policy, determining if the rule is violated by a value of a variable, and recording security events and comparing the number of events to a threshold.

Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: A computing system may include a server, and a client computing device in communication with the server and operating a local mobile OS. One of the client computing device and the server may be configured to compare a notification message with a database of flagged terms to determine whether the notification message includes a flagged term. If the notification message includes the flagged term and the local mobile OS is in a locked state, the notification message is revised by replacing the flagged term with a placeholder term, and the revised notification message is displayed on a display.

Abstract: A content model data base stores past target information, which includes past first video information acquired in advance, reference IDs, which are linked with the past target information, and which correspond to contents, and three or more levels of degrees of content association between the past target information and the reference IDs. A first acquiring unit acquires the target information from a user terminal, a first evaluation unit looks up the content model database and acquires ID information, which includes the degrees of content association between the target information and the reference IDs, and a judging unit judges the ID information. Contents that correspond to the ID information are output to the user terminal based on the result of judgment by the judging unit.

Abstract: A content model data base stores past target information, which includes past first video information acquired in advance, reference IDs, which are linked with the past target information, and which correspond to contents, and three or more levels of degrees of content association between the past target information and the reference IDs. A first acquiring unit acquires the target information from a user terminal, a first evaluation unit looks up the content model database and acquires ID information, which includes the degrees of content association between the target information and the reference IDs, and an output unit outputs the contents corresponding to the ID information. After the output from the output unit, the ID information, acquired by the first evaluation unit, is stored in an ID history unit.

Abstract: A method for wrapped keys with access control predicates includes obtaining a cryptographic key for content. The method also includes encrypting the content using the cryptographic key and generating an encryption request. The encryption request requests that a third party cryptography service encrypts an encapsulation of the cryptographic key and an access control condition governing access to the content. The method also includes communicating the encryption request to the third party cryptography service. The encryption request includes the cryptographic key.

Abstract: A system, a method, and a computer program for protecting data traffic from a communication device against fingerprinting or privacy leakage. The method can include receiving data traffic from a communication device connected to a network, analyzing the received data traffic to determine network activity or operational characteristics of the communication device, generating forged data traffic for the network based on the determined network activity or operational characteristic of the communication device, and transmitting the forged data traffic to an external communication device that is located outside the network. The forged data traffic can add an entropy factor to the data traffic from said communication device connected to the network.

Abstract: A method for execution by one or more storage units of a dispersed storage network (DSN). The method begins by receiving, at a first storage unit, a request for a partial task. The method continues by generating a slice request, to one or more additional storage units, when the first storage unit does not contain all encoded data slices required to execute the partial task. The method continues by receiving the at least one additional encoded data slice from the one or more additional storage units and performing the partial task on the first encoded data slice and the at least one additional encoded data slice to produce at least partial results.

Abstract: A system and method for real-time attestation which attests to the untouchability of processors from external influences. The system and method comprise a security mechanism that extracts information about a program's full-control execution path and then validates that information with a highly isolated guard process during runtime, which is running in a trusted environment. This trusted guard application also acts as a remote attester client and sends the currently running control flow graph to a remote attestator server on demand.

Abstract: Systems and methods for a machine-learning driven fine-grained file access control approach are provided. According to one embodiment, a server associated with an enterprise network can obtain and store information regarding historical user behavior of users of the enterprise network by observing file access requests initiated by the users. The server receives a file access request initiated by a user, which relates to a file stored within the enterprise network in encrypted form. In response to receipt of the file access request, the server determines a risk score for the user based on multiple factors, including information regarding historical user behavior, the file access request and observed data determined based on the file access request so that based on the risk score, access to the file is permitted by returning a decryption key for the file or denied by withholding the decryption key.

Abstract: To commission an industrial automation control system, IACS, a computing device generates commands to automatically set or verify a security configuration of the IACS. The commands are generated by the computing device based on a machine-readable security baseline, and, optionally, based on a machine-readable configuration file of the IACS.

Abstract: A method performed by a computer system including: accessing a specification that specifies a plurality of modules to be implemented by the computer program for processing the one or more values of the one or more fields in the structured data item; transforming the specification into the computer program that implements the plurality of modules, wherein the transforming includes: for each of one or more first modules of the plurality of modules: identifying one or more second modules of the plurality of modules that each receive input that is at least partly based on an output of the first module; and formatting an output data format of the first module such that the first module outputs only one or more values of one or more fields of the structured data item.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving the cryptographic key from the wrapped key.

Abstract: A system and method of providing security for an application. A request to use an application to perform an operation using information is received from an operator by a computer system. In response to receiving the request, an operator identity assurance level of the operator and characteristics of the operation using the information are determined. An operation assurance level for the operation is determined based on the characteristics of the operation using the information. It is determined whether the operator identity assurance level of the operator satisfies the operation assurance level for the operation. The operator is allowed to use the application to perform the operation using the information in response to a determination that the operator identity assurance level of the operator satisfies the operation assurance level for the operation.

Abstract: The present disclosure is directed to systems and methods of detecting a side-channel attack detecting a translation lookaside buffer (TLB) miss on a virtual address lookup caused by the speculative execution of an instruction and determining that the physical memory address associated with the virtual address lookup contains a privileged object or a secret object. Range register circuitry determines whether the physical memory address is located in an address range containing privileged objects or secret objects. Performance monitoring counter (PMC) circuitry generates an interrupt in response to receipt of information indicative of the TLB miss and information indicative that the physical memory address contains a privileged object or a secret object. The PMC circuitry causes the storage of information associated with the speculatively executed instruction causing the virtual address lookup.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

Abstract: Described embodiments provide systems and methods for learning across multiple application delivery controllers and updating settings across the application delivery controllers. A profile can be generated based on selection of a set of intermediary devices managed by a device. The set of intermediary devices configured to load balance data of an application hosted in different computing environments. Activity can be identified at the intermediary devices with use of a firewall. The activity having an appearance of a malicious attack on at least one intermediary device of the set. The device can determine if the activity is permissible or a violation based on a comparison of an aggregation of data records for the identified activity and a threshold. The device can provide a notification to at least one intermediary device of the set to configure the at least one intermediary device to allow the activity or prevent the activity.

Abstract: Techniques are disclosed relating to authenticating communications. A computer system may generate a master private key usable to derive user-specific private keys for a plurality of users hosted by a particular application. The computer system may generate master public configuration information usable to derive user-specific public keys for the plurality of users. The computer system may send that configuration information to a directory service accessible to applications that communicate with the particular application. The computer system may receive, from the particular application, a request for a user-specific private key for one of the plurality of users. The request may include an identifier of the user. The computer system may perform a key derivation function to generate a particular user-specific private key based on the master private key and the identifier of the user. The computer system may send the particular user-specific private key to the particular application.

Abstract: A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.

Abstract: Methods and systems are provided for preventing unauthorized communication with an end device on a network, the system comprising an external device and a communication device.

Abstract: Embodiments for providing automated selection of optimal disk types for virtualized storage by defining a minimum number of backup samples, selecting, if the minimum number of backup samples is not met for a backup operation, a solid state drive (SSD) for a virtual machine (VM) storage for a disaster recovery operation, otherwise selecting a hard disk drive (HDD) for the VM storage. The method further defines a cold HDD threshold (CHT) value and a minimal percentage of backups (PPT) value, and obtains a cold backup count based on the CHT value. It compares a ratio of the cold backup count to an amount of backups (AB) for the disaster recovery operation to the defined PPT value, and if the ratio is greater than the PPT value, it selects the SSD rather than HDD for the VM storage.

Abstract: The present disclosure relates to systems, methods, and computer-readable media for implementing an efficient and flexible policy-driven approach to securing a computing device. For example, systems disclosed herein can identify any number of security policies including configuration states associated with configuration settings of a client device. The systems disclosed herein can further enforce the security policies by performing an enforcement operation including an idempotent operation that enables a computing device to both diagnose as well as remedy security issues identified by an agent on a computing device. The systems disclosed herein further include features and functionality that enable a computing device to be compliant with multiple security standards without performing redundant enforcement operations.

Abstract: An embodiment of the present invention is directed to a Channel Dynamic Multifactor Authentication. This solution provides the capability to select a multifactor authentication channel (e.g., email, SMS, etc.) dynamically based on multiple sources of risk scoring input data. The risk decision engine may determine an optimal lowest risk delivery channel for delivery of a one-time passcode and/or implement an additional or alternative mechanism for user authentication or verification.

Abstract: A tool uses a graph-based approach to analyze scripts to determine whether the scripts pose security threats when executed. The tool breaks down scripts into component steps and generates a graph based on those steps. The tool then converts the graph into a vector and compares that vector with clusters of other vectors. Based on that comparison, the tool determines whether the script will cause a security vulnerability. If the script causes a security threat when executed, the script may be prevented from executing.

Abstract: Embodiments of the present disclosure relate to managing admin-controlled access of external resources to group-based communication interfaces associated with an organization, via a group-based communication system including APIs for improved external resource permissioning, provisioning, and access handling. Embodiments include methods, computer program products, apparatuses, and systems configured to receive an external resource access request, determine an organization identifier, obtain an admin response indication, set an external resource permission status for the external resource based on the admin response indication, and cause rendering of the requested group-based communication interface based on the admin response indication. Embodiments further relate to provisioning and handling requests for services associated with an external resource by managing one or more single-interface access tokens linked to a multi-interface access token.

Abstract: A computing device is configured to retrieve network security configuration information from a computer network and generate a security configuration map which readily enables a user to detect defects in the security configuration with respect to a security policy. The computing device retrieves firewall configurations from security appliances in the network which operate firewalls, and processes the firewall configurations to generate a set of corresponding standardized firewall configurations. These are processed to identify enclaves containing network nodes which are associated with respective security sensitivity values based on the security policy. The computing device monitors and detects inter-node network traffic.

Abstract: A method for converting data on a computer from an original encrypted format to a new encrypted format without exposing the data in a decrypted state during the conversion process. The computer(s) is locked during the conversion process. The computer data is now re-encrypted to the new format, the original encryption is then removed, and the new encryption software is applied. Finally, the computer with its newly-encrypted data is unlocked for normal usage.

Abstract: A method for controlling a device includes: sending a command signed by an operator's signature to a server; verifying, in the server, that the operator is authenticated to transmit the command; assigning, in the server, a criticality level and an authorization level to the command; depending on the criticality level and the authorization level, sending an approval request relating to the command to at least one control user; approving or denying the approval request by at least a subset of the at least one control user; sending the denied or approved approval request back to the server; determining, in the server, whether the command was approved by sufficiently many control users based on the criticality level and the authorization level; and sending the command to the device for being carried out by the device in case the command was approved by sufficiently many control users, wherein at last one of the at least one control user and the operator is remote from each other.

Abstract: In a public cloud that stores data in a database system for a plurality of entities as primary data and as one or more secondary backup copies of the primary data, the data being stored in predefined data fields of data records, personal private data of each entity is stored encrypted using an encryption/decryption key that is unique to each different entity. The encryption/decryption keys are stored in the cloud in a key store of a key management system. To delete the personal private data of a particular entity, as to comply with the right to be forgotten pursuant to GDPR regulations, or otherwise, the encryption/decryption key for that particular entity is deleted from the key store to render permanently inaccessible all copies of that entity's personal private data.

Abstract: A system with an interactive user interface for a plurality of users to author an electronic document simultaneously is described. The system displays visual feedback on the interface to prevent the users from interfering with one another. The system displays data from a remote database linked into the document based on unique identifiers. The data is displayed as an “artifact.” The system monitors and tracks each user's access category level, as well as the access category level of each piece of data pulled from the remote database. The system compares a user's category level to the data from the database to make visible only the portions of the document the user has the appropriate access category level to view and/or modify. The portions of the document that have a higher category level than the user will be hidden from the user either in part or completely. Also, there may be an indicator to the user of such redacted or hidden content from the user's viewer.

Abstract: Methods, systems and computer-program products are directed to a Privacy Engine for evaluating initial electronic documents to identify document content categories for portions of content within the electronic documents, with respect to extracted document structures and document positions, that may include privacy information for possible redaction via visual modification. The Privacy Engine builds a content profile based on detecting information at respective portions of electronic document content that indicate one or more pre-defined categories and/or sub-categories. For each respective portion of electronic document content, the Privacy Engine applies a machine learning model that corresponds with the indicated category (or categories and sub-categories) to determine a probability value of whether the respective portion of content includes data considered likely to be privacy information.

Abstract: A security unit for an industrial control system comprises an interface adapted to communicate with a plurality of components of an industrial control system via a data network, a security assignor adapted to access a first component among the plurality of components via the interface, and further adapted to assign a first security level pertaining to the first component to the first component. The security assignor is further adapted to access a second component among the plurality of components via the interface, and to assign a second security level pertaining to the second component to the second component. The security assignor is adapted to assign the first security level and the second security level to the first component and the second component, respectively, in accordance with a system security level pertaining to the industrial control system.

Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely be deleting the transform key—no elimination of the encrypted data, regardless of its storage location, is needed.

Abstract: Embodiments disclosed herein provide systems and methods for digital identity management and permission controls within distributed network nodes. A network node may receive a request to generate a new digital identity record for an entity. The network node may retrieve a template based on an entity type; and receive information, reference documents, and biometric information for the new digital identity record. The network node may associate and store the received information to the data fields in the new digital identity record, generate respective one directional cryptographic hashes of the reference documents and the biometric information, and store the hashes in the new digital identity record while storing the reference documents and biometric information in a non-blockchain repository. The network node may generate a digital identity record block for the new digital identity record, encrypt the digital identity record block, and append the encrypted block to the latest valid blockchain.

Abstract: An access control system includes a processor configured to provide a trusted execution environment isolated from a rich execution environment. A rich OS operates in the rich execution environment while a trusted OS operates in the trusted execution environment. A plurality of protected data files are stored in non-volatile memory. When a process requests access to a protected data file, the computer system can permit the requesting process to access the requested data file only if a validated application token is present that corresponds to the requesting process. An application token is generated for the associated application by: detecting initiation of a first process associated with the associated application; determining that a valid user code is available within the trusted execution environment; and generating the application token using the valid user code upon determining that the valid user code is available within the trusted execution environment.

Abstract: A server includes a memory and a message processor. The memory stores a data record that includes a credential stored in association with an access restriction indicator, and further includes a cryptographic key. The processor is configured to receive from a network device an access request that includes the credential and a token. The token includes a first data layer and a second data layer that incorporates the first data layer and is encrypted with the cryptographic key. The processor is configured to determine that, prior to the access request, the credential was stored in the data record in association with the access restriction indicator; recover the first data layer from the token by (i) locating the cryptographic key in the data record, and (ii) decrypting the second encrypted data layer with the cryptographic key. The processor is configured to provide the network device with the first data layer.

Abstract: Programmatic mechanisms that enable the automatic assignment of categories to network entities based on observed evidence. Agents gather observation data that identifies observations made by agents about the network and a plurality of nodes of the network. The agents provide the observation data to a classification module, which assigns a device category to the nodes of the network based on the observation data and a probabilistic node model. The probabilistic node model considers several probabilities to ascertain a recommended device category for a particular node, such as probabilities based on a manufacturer of a node, an operating system executing on a node, information about other nodes in the local vicinity of a node, and an administrator web page associated with a node. The classification module may also assign a particular network category to the network based on the observation data and a probabilistic network model.

Abstract: A method and apparatus for improving security of a Java sandbox is provided. The method includes performing a permission check on a to-be-checked code, determining whether a method bypassing the permission check exists in a call stack of the code, and if a method bypassing the permission check exists, determining whether methods in the call stack have a signature. The method also includes determining that the to-be-checked code has a security problem if the methods have no signature.

Abstract: The present invention provides a system, method and apparatus for increasing relevance of a content provided to a visitor by a content provider by providing one or more server computers and at least one data storage communicably coupled to the one or more server computers, receiving at least a portion of a visitor token and at least a portion of a content provider token at the one or more server computers from a content provider device, determining whether a release of an anonymous unfilled demand for the visitor is authorized based on the visitor token, the content provider token and one or more preferences stored in the at least one data storage, and sending at least a portion of the anonymous unfilled demand for the visitor to the content provider device when the release is authorized.

Abstract: Systems and methods for assigning scores to objects based on evaluating triggering conditions applied to datasets produced by search queries in data aggregation and analysis systems. An example method may comprise: executing, by one or more processing devices, a search query to produce a dataset comprising one or more data items derived from source data; and responsive to determining that at least a portion of the dataset satisfies a triggering condition, modifying a score assigned to an object to which the portion of the dataset pertains.

Abstract: Disaster recovery resource provisioning is provided. Infrastructure resource objects are grouped into a plurality of resource pools based on resource characteristics of each respective infrastructure resource object. A set of resource capabilities is provided for seamless resource provisioning for each resource pool in the plurality of resource pools. A class of service is mapped to a resource pool corresponding to a workload spread across multiple environments considering primary workload production and secondary disaster recovery requirements. Resources are automatically provisioned from the class of service required in providing disaster recovery for the workload based on characteristics of the workload, cost, business needs, and service level agreement metrics corresponding to the disaster recovery.

Abstract: Methods, systems, and computer-readable media for optimizing web pages using a rendering engine are presented. In some embodiments, a cloud service computing platform may receive, via a communication interface and from a user device, a request for a web page. Subsequently, the cloud service computing platform may retrieve, via the communication interface, and from a server, the web page. Further, the cloud service computing platform may render, using a headless browser, the web page to identify a plurality of content parts associated with the web page. Next, the cloud service computing platform may optimize the plurality of content parts associated with the web page. Additionally, the cloud service computing platform may transmit, via the communication interface and to the user device, the plurality of optimized content parts associated with the web page. Subsequently, the user device may render the plurality of optimized content parts associated with the web page.

Abstract: A method for identifying and/or authenticating a user on a device, the method comprising: requesting identification or authentication of the user for a first task; determining a first threshold in dependence on the first task; selecting a first authentication process from a plurality of authentication processes; determining a confidence score in dependence on a performance of the selected first authentication process, wherein the confidence score indicates a level of confidence in the user's identity; determining whether the confidence score is above or below the first threshold; and if the confidence score is below the first threshold, selecting a second authentication process from the plurality of authentication processes, otherwise identifying or authenticating the user for the first task.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: A method of a digital identity system generating a sharing token for authenticating a bearer to a validator, wherein a data store of the digital identity system holds a plurality of attributes of the bearer, the method comprising implementing by the digital identity system the following steps: receiving at the digital identity system from a bearer an electronic sharing token request, wherein the token request identifies at least one of the bearer's attributes in the data store selected for sharing with a validator; in response to the electronic token request, generating a sharing token, which is unique to that request, for presentation by the bearer to a validator; associating with the unique sharing token at the digital identity system the identified at least one bearer attribute; and issuing to the bearer the unique sharing token; and wherein later presentation of the unique sharing token to the digital identify system by a validator causes the at least one bearer attribute associated with the sharing token

Abstract: In a managed system controlled by multiple policy managers, conflicts between the policies of the managers are resolved by generating a satisfaction measure to be transmitted to policy managers together with sensor data, indicative of how closely the sensor data satisfies the policy which caused it. This satisfaction measure is used to determine whether actuators controlled by the other policy managers should be triggered by the sensor data. This allows policies to co-operate to prevent conflict between the conflicting requirements of different policies.

Abstract: Described herein is a method of processing location and level changes for managed devices, which includes a child device sensing a move to a new location and level in a tree structure including levels having different permissions and policies, and the child device receiving permissions and policies for the new location and level via a master clone file. Also described is a method of updating policies in a device in a fleet of image forming devices that includes identifying a setting in the device that should not be updated automatically, setting a respective flag associated with the identified setting, thereby indicating that the setting is not to be updated automatically, receiving a file with updated policy values, and updating settings of the device according to the updated policy values except for the identified setting. Also described is a method for processing exemption requests in a fleet of image forming devices.

Abstract: A system includes a memory, a survey engine, and a reporting engine. The memory stores identifying information of a plurality of users. The survey engine determines a question to present to each user of the plurality of users and determines an interval for each user of the plurality of users. The determined interval for a first user of the plurality of users is different from the determined interval for a second user of the plurality of users. For each user, the survey engine communicates to that user, based on the stored identifying information, the determined question for that user according to the determined interval for that user and receives a response from each user of the plurality of users. The reporting engine generates a report based on the received response from the plurality of users.

Abstract: Exemplary embodiments relate to techniques for improving startup times of a cloud-based virtual servers in response to a spike in service usage (although other applications are contemplated and described). According to some embodiments, in response to a request to provision a new virtual server in a cluster, high-priority services (e.g., those that enable the server to respond to system health checks or that support an application providing the service) are started while lower-priority services are delayed. In some embodiments, prior to receiving such a request, a new server may be started and then hibernated to create a “hot spare.” When the request is received, the hot spare may be taken out of hibernation to quickly bring the hot spare online. It is contemplated that the delayed-startup and hot spare embodiments may be used together to further improve performance.