Abstract: A method for controlling a device includes: sending a command signed by an operator's signature to a server; verifying, in the server, that the operator is authenticated to transmit the command; assigning, in the server, a criticality level and an authorization level to the command; depending on the criticality level and the authorization level, sending an approval request relating to the command to at least one control user; approving or denying the approval request by at least a subset of the at least one control user; sending the denied or approved approval request back to the server; determining, in the server, whether the command was approved by sufficiently many control users based on the criticality level and the authorization level; and sending the command to the device for being carried out by the device in case the command was approved by sufficiently many control users, wherein at last one of the at least one control user and the operator is remote from each other.

Abstract: A method for converting data on a computer from an original encrypted format to a new encrypted format without exposing the data in a decrypted state during the conversion process. The computer(s) is locked during the conversion process. The computer data is now re-encrypted to the new format, the original encryption is then removed, and the new encryption software is applied. Finally, the computer with its newly-encrypted data is unlocked for normal usage.

Abstract: In a public cloud that stores data in a database system for a plurality of entities as primary data and as one or more secondary backup copies of the primary data, the data being stored in predefined data fields of data records, personal private data of each entity is stored encrypted using an encryption/decryption key that is unique to each different entity. The encryption/decryption keys are stored in the cloud in a key store of a key management system. To delete the personal private data of a particular entity, as to comply with the right to be forgotten pursuant to GDPR regulations, or otherwise, the encryption/decryption key for that particular entity is deleted from the key store to render permanently inaccessible all copies of that entity's personal private data.

Abstract: A system with an interactive user interface for a plurality of users to author an electronic document simultaneously is described. The system displays visual feedback on the interface to prevent the users from interfering with one another. The system displays data from a remote database linked into the document based on unique identifiers. The data is displayed as an “artifact.” The system monitors and tracks each user's access category level, as well as the access category level of each piece of data pulled from the remote database. The system compares a user's category level to the data from the database to make visible only the portions of the document the user has the appropriate access category level to view and/or modify. The portions of the document that have a higher category level than the user will be hidden from the user either in part or completely. Also, there may be an indicator to the user of such redacted or hidden content from the user's viewer.

Abstract: A security unit for an industrial control system comprises an interface adapted to communicate with a plurality of components of an industrial control system via a data network, a security assignor adapted to access a first component among the plurality of components via the interface, and further adapted to assign a first security level pertaining to the first component to the first component. The security assignor is further adapted to access a second component among the plurality of components via the interface, and to assign a second security level pertaining to the second component to the second component. The security assignor is adapted to assign the first security level and the second security level to the first component and the second component, respectively, in accordance with a system security level pertaining to the industrial control system.

Abstract: Methods, systems and computer-program products are directed to a Privacy Engine for evaluating initial electronic documents to identify document content categories for portions of content within the electronic documents, with respect to extracted document structures and document positions, that may include privacy information for possible redaction via visual modification. The Privacy Engine builds a content profile based on detecting information at respective portions of electronic document content that indicate one or more pre-defined categories and/or sub-categories. For each respective portion of electronic document content, the Privacy Engine applies a machine learning model that corresponds with the indicated category (or categories and sub-categories) to determine a probability value of whether the respective portion of content includes data considered likely to be privacy information.

Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely be deleting the transform key—no elimination of the encrypted data, regardless of its storage location, is needed.

Abstract: Embodiments disclosed herein provide systems and methods for digital identity management and permission controls within distributed network nodes. A network node may receive a request to generate a new digital identity record for an entity. The network node may retrieve a template based on an entity type; and receive information, reference documents, and biometric information for the new digital identity record. The network node may associate and store the received information to the data fields in the new digital identity record, generate respective one directional cryptographic hashes of the reference documents and the biometric information, and store the hashes in the new digital identity record while storing the reference documents and biometric information in a non-blockchain repository. The network node may generate a digital identity record block for the new digital identity record, encrypt the digital identity record block, and append the encrypted block to the latest valid blockchain.

Abstract: An access control system includes a processor configured to provide a trusted execution environment isolated from a rich execution environment. A rich OS operates in the rich execution environment while a trusted OS operates in the trusted execution environment. A plurality of protected data files are stored in non-volatile memory. When a process requests access to a protected data file, the computer system can permit the requesting process to access the requested data file only if a validated application token is present that corresponds to the requesting process. An application token is generated for the associated application by: detecting initiation of a first process associated with the associated application; determining that a valid user code is available within the trusted execution environment; and generating the application token using the valid user code upon determining that the valid user code is available within the trusted execution environment.

Abstract: A server includes a memory and a message processor. The memory stores a data record that includes a credential stored in association with an access restriction indicator, and further includes a cryptographic key. The processor is configured to receive from a network device an access request that includes the credential and a token. The token includes a first data layer and a second data layer that incorporates the first data layer and is encrypted with the cryptographic key. The processor is configured to determine that, prior to the access request, the credential was stored in the data record in association with the access restriction indicator; recover the first data layer from the token by (i) locating the cryptographic key in the data record, and (ii) decrypting the second encrypted data layer with the cryptographic key. The processor is configured to provide the network device with the first data layer.

Abstract: Programmatic mechanisms that enable the automatic assignment of categories to network entities based on observed evidence. Agents gather observation data that identifies observations made by agents about the network and a plurality of nodes of the network. The agents provide the observation data to a classification module, which assigns a device category to the nodes of the network based on the observation data and a probabilistic node model. The probabilistic node model considers several probabilities to ascertain a recommended device category for a particular node, such as probabilities based on a manufacturer of a node, an operating system executing on a node, information about other nodes in the local vicinity of a node, and an administrator web page associated with a node. The classification module may also assign a particular network category to the network based on the observation data and a probabilistic network model.

Abstract: A method and apparatus for improving security of a Java sandbox is provided. The method includes performing a permission check on a to-be-checked code, determining whether a method bypassing the permission check exists in a call stack of the code, and if a method bypassing the permission check exists, determining whether methods in the call stack have a signature. The method also includes determining that the to-be-checked code has a security problem if the methods have no signature.

Abstract: The present invention provides a system, method and apparatus for increasing relevance of a content provided to a visitor by a content provider by providing one or more server computers and at least one data storage communicably coupled to the one or more server computers, receiving at least a portion of a visitor token and at least a portion of a content provider token at the one or more server computers from a content provider device, determining whether a release of an anonymous unfilled demand for the visitor is authorized based on the visitor token, the content provider token and one or more preferences stored in the at least one data storage, and sending at least a portion of the anonymous unfilled demand for the visitor to the content provider device when the release is authorized.

Abstract: Systems and methods for assigning scores to objects based on evaluating triggering conditions applied to datasets produced by search queries in data aggregation and analysis systems. An example method may comprise: executing, by one or more processing devices, a search query to produce a dataset comprising one or more data items derived from source data; and responsive to determining that at least a portion of the dataset satisfies a triggering condition, modifying a score assigned to an object to which the portion of the dataset pertains.

Abstract: Disaster recovery resource provisioning is provided. Infrastructure resource objects are grouped into a plurality of resource pools based on resource characteristics of each respective infrastructure resource object. A set of resource capabilities is provided for seamless resource provisioning for each resource pool in the plurality of resource pools. A class of service is mapped to a resource pool corresponding to a workload spread across multiple environments considering primary workload production and secondary disaster recovery requirements. Resources are automatically provisioned from the class of service required in providing disaster recovery for the workload based on characteristics of the workload, cost, business needs, and service level agreement metrics corresponding to the disaster recovery.

Abstract: Methods, systems, and computer-readable media for optimizing web pages using a rendering engine are presented. In some embodiments, a cloud service computing platform may receive, via a communication interface and from a user device, a request for a web page. Subsequently, the cloud service computing platform may retrieve, via the communication interface, and from a server, the web page. Further, the cloud service computing platform may render, using a headless browser, the web page to identify a plurality of content parts associated with the web page. Next, the cloud service computing platform may optimize the plurality of content parts associated with the web page. Additionally, the cloud service computing platform may transmit, via the communication interface and to the user device, the plurality of optimized content parts associated with the web page. Subsequently, the user device may render the plurality of optimized content parts associated with the web page.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: A method for identifying and/or authenticating a user on a device, the method comprising: requesting identification or authentication of the user for a first task; determining a first threshold in dependence on the first task; selecting a first authentication process from a plurality of authentication processes; determining a confidence score in dependence on a performance of the selected first authentication process, wherein the confidence score indicates a level of confidence in the user's identity; determining whether the confidence score is above or below the first threshold; and if the confidence score is below the first threshold, selecting a second authentication process from the plurality of authentication processes, otherwise identifying or authenticating the user for the first task.

Abstract: A method of a digital identity system generating a sharing token for authenticating a bearer to a validator, wherein a data store of the digital identity system holds a plurality of attributes of the bearer, the method comprising implementing by the digital identity system the following steps: receiving at the digital identity system from a bearer an electronic sharing token request, wherein the token request identifies at least one of the bearer's attributes in the data store selected for sharing with a validator; in response to the electronic token request, generating a sharing token, which is unique to that request, for presentation by the bearer to a validator; associating with the unique sharing token at the digital identity system the identified at least one bearer attribute; and issuing to the bearer the unique sharing token; and wherein later presentation of the unique sharing token to the digital identify system by a validator causes the at least one bearer attribute associated with the sharing token

Abstract: In a managed system controlled by multiple policy managers, conflicts between the policies of the managers are resolved by generating a satisfaction measure to be transmitted to policy managers together with sensor data, indicative of how closely the sensor data satisfies the policy which caused it. This satisfaction measure is used to determine whether actuators controlled by the other policy managers should be triggered by the sensor data. This allows policies to co-operate to prevent conflict between the conflicting requirements of different policies.

Abstract: Described herein is a method of processing location and level changes for managed devices, which includes a child device sensing a move to a new location and level in a tree structure including levels having different permissions and policies, and the child device receiving permissions and policies for the new location and level via a master clone file. Also described is a method of updating policies in a device in a fleet of image forming devices that includes identifying a setting in the device that should not be updated automatically, setting a respective flag associated with the identified setting, thereby indicating that the setting is not to be updated automatically, receiving a file with updated policy values, and updating settings of the device according to the updated policy values except for the identified setting. Also described is a method for processing exemption requests in a fleet of image forming devices.

Abstract: A system includes a memory, a survey engine, and a reporting engine. The memory stores identifying information of a plurality of users. The survey engine determines a question to present to each user of the plurality of users and determines an interval for each user of the plurality of users. The determined interval for a first user of the plurality of users is different from the determined interval for a second user of the plurality of users. For each user, the survey engine communicates to that user, based on the stored identifying information, the determined question for that user according to the determined interval for that user and receives a response from each user of the plurality of users. The reporting engine generates a report based on the received response from the plurality of users.

Abstract: Exemplary embodiments relate to techniques for improving startup times of a cloud-based virtual servers in response to a spike in service usage (although other applications are contemplated and described). According to some embodiments, in response to a request to provision a new virtual server in a cluster, high-priority services (e.g., those that enable the server to respond to system health checks or that support an application providing the service) are started while lower-priority services are delayed. In some embodiments, prior to receiving such a request, a new server may be started and then hibernated to create a “hot spare.” When the request is received, the hot spare may be taken out of hibernation to quickly bring the hot spare online. It is contemplated that the delayed-startup and hot spare embodiments may be used together to further improve performance.

Abstract: There are provided systems and methods for tracking data flow through data services using a processing request identifier in callstack data. During processing requests with a service provider, each request is assigned a particular identifier, called a correlation identifier. The correlation identifier is stored in callstack data and may be used to map these individual data processing flows for the requests to the data processing services of the service provider used during the flows. Once the data flows are determined the actual used services may be identified. The mapping system may also provide for removal of erroneous callstack and reassembly of callstack data during asynchronous service calls. Additionally, the data flows may be used to see where multiple callstacks have divergent data flows. A service provider may utilize the data flows for determination of service usage rates.

Abstract: Methods for machine-learned detection and removal of malicious software within a network are provided. Methods may record environment behavior of an application and a plurality of components. The plurality of components may touch the application. Methods may generate a baseline dataset based on the recorded environment behavior. Methods may schedule snapshots of the application. Methods may take snapshots of the application and the components based on the scheduling. Methods may store the snapshots in a repository. Methods may monitor the application and the components, using the stored snapshots, for any deviation in the environment behavior. Methods may detect a deviation in the behavior of the application or components. Methods may take a snapshot, outside of the scheduling, of the application and components upon detection of the deviation. Methods may determine that the deviation is unwarranted. Methods may revert the application and components back to a previous version.

Abstract: The disclosed embodiments provide a system for processing a query of profile data. During operation, the system obtains a set of profile fields requested in a query of profile data and one or more profile view settings associated with the query. Next, the system determines, based on the set of profile fields and the profile view setting(s), one or more downstream calls to omit from a set of downstream calls available to generate a result of the query. The system then generates one or more additional downstream calls in the set of downstream calls to resolve a parameter used to generate a result of the query. Finally, the system uses the parameter to generate the result of the query without making the downstream call(s).

Abstract: A system and method of correcting an anomaly in a split computer network, where the split computer network includes a first subnet, connecting one or more requestor nodes to a first intermediary node, and a second subnet, connecting the first intermediary node to one or more approver nodes may include performing, by at least one processor associated with the first intermediary node: monitoring transactions between the one or more requestor nodes and the one or more approver nodes, via the first intermediary node; analyzing the monitored transactions, to obtain a transaction pattern; probing communication between an examined requestor node and at least one approver node; analyzing the probed communication, in view of the transaction pattern, to identify a suspected transaction anomaly; and producing a suggestion of at least one corrective action, based on the suspected transaction anomaly.

Abstract: A method for machine learning based document editing is provided. The method may include receiving, from a client, one or more inputs associated with a document. A recommendation to include and/or exclude a clause, a term, and/or a line item from the document may be generated by at least processing the one or more inputs with a machine learning model. The recommendation to include and/or exclude the clause, the term, and/or the line item from the document may be provided to the client. Related systems and articles of manufacture, including computer program products, are also provided.

Abstract: Systems and methods are provided for monitoring and logging all activity occurring in a system. The logged activity may include keystroke entries input into the system, user and/or application interactions with the system, access restriction conflicts, and the like. The logged activity may be stored in at least two datastores, at least one of which is an immutable, append-only datastore. Storage of the logged activity in the immutable, append-only datastore is performed using hash algorithms. Attempts at manipulating or at hiding malicious or unauthorized activity can be recognized due to all activity being captured in the immutable, append-only datastore.

Abstract: Aspects of the subject disclosure may include, for example, generating a digital certificate responsive to an authentication of a user according to a dynamic biometric process, associating the digital certificate with a transaction record for the transaction, storing information associated with authentication conditions of the dynamic biometric process, receiving an access request associated with the transaction, and providing access to the transaction record, the information associated with the authentication conditions of the dynamic biometric process or a combination thereof responsive to the access request, where granting of the access is according to transmitting an access acknowledgement to equipment of the user, or obtaining another authentication to allow permission to access or a combination thereof. Other embodiments are disclosed.

Abstract: Generally described, one or more aspects of the present application correspond to machine learning techniques for generating realistic question-answer (QA) pairs for populating an initial community ask feature of electronic store item detail pages. The machine learning model can use a shared encoder to generate an embedding of a seed sentence from existing description of an item, and then pass that embedding to a question decoder to generate a question. The embedding of the seed sentence can be combined with a state representation of the question and provided to an answer decoder, which can generate an answer to the generated question. This can help overcome the cold start problem, where customers are less likely to ask questions about items that have no existing QA set. This can also help surface relevant information about items in a concise QA format that is easy for customers to find and read.

Abstract: A device comprising: a physical unclonable function (PUF) device configured to generate an output value based on hardware characteristics of the PUF device; and a processor connected to the PUF device, the processor configured to: execute a cryptographic operation in a sequence of ordered stages including a first stage and a second stage, the executing comprising: in the first stage: recovering a first secret value based on a first output value obtained from the PUF device; executing a first sub-operation using the first secret value; and removing unobscured values from memory prior to execution of a subsequent stage; in the second stage: recovering a second secret value based on a second output value obtained from the PUF device; and executing a second sub-operation using the second secret value to enable execution of a cryptographic operation encoded with at least the first secret value and the second secret value.

Abstract: A method and system for handling sensitive data required by an application in a secure computer system. An external computer system that is external to the secure computer system receives a transformed request message that includes one or more data aspects having tokenized data that has replaced transformed sensitive data after sensitive data in the one or more aspects had been transformed from a data format required by a service in the external computer system into a data format required by the application. The external computer system generates a response message from the transformed request message by including, in the response message, annotations with transform instructions for transforming the transformed sensitive data, from the data format required by the service into the data format required by the application, after the tokenized data has been replaced by the transformed sensitive data in the one or more data aspects.

Abstract: A system for implementing header enrichment or header injections in proprietary networks for authenticating users, conducting user risk assessments, and obtaining user information.

Abstract: A first hash value is calculated by using a first input value that is stored in a first set of registers. The first hash value is then stored in a second set of registers. A second input value is stored in the first set of registers after calculating the first hash value. The second hash value is calculated based on the first hash value and the second input value. During the calculating of the second hash value, the first hash value is shifted from the second set of registers to a portion of the first set of registers when the calculating of the second hash value has reached a state where the portion of the first set of registers is no longer used to store the second input value.

Abstract: A method for implementing zone-restricted behavior of a computing device includes identifying wireless access points using the computing device, determining a number of authorized wireless access points from the wireless access points identified by the computing device, determining that the computing device is located within a restricted access zone when the number of authorized wireless access points identified by the computing device exceeds a predetermined threshold of authorized wireless access points identified, and enabling a zone mode of the computing device when the computing device is determined to be located within the restricted access zone.

Abstract: There is described a method for mitigating a power-denial of service attack on a first device by a second device, the method comprising: transmitting, from the first device to the second device, a first communication comprising a first task to be solved by the second device; receiving, at the first device from the second device, a second communication comprising one of a proposed solution to the first task and at least one trust credential; verifying, at the first device, the second communication; responsive to an unsuccessful verification of the second communication, transmitting, from the first device to the second device a third communication comprising a second task to be solved by the second device.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving, from a client device of a user, an ad request for an ad space of a seller, the ad space being for presentation in a user interface of an application executing on the client device, creating a bid request for bidding on the ad space, sending the bid request to one or more bidders, the bidders representing one or more buyers, receiving one or more bids from one or more of the bidders, each bid corresponding to a respective buyer and a creative, selecting, from the received bids, a winning bid corresponding to a particular buyer and a particular creative, and identifying a visibility profile for the particular buyer and, based thereon, providing data associated with the user to the particular buyer.

Abstract: Systems and methods are disclosed for activating a personalized user profile on a device based on the detection of an outlying user input. A media guidance application detects a user input that is inconsistent with an active user profile. In response, the media guidance application identifies a candidate user that both shares a location with the device and has a user profile consistent with the user input. The media guidance application activates the user profile of the candidate user as a temporary active user profile on the device.

Abstract: Techniques for computer security, and more specifically timestamp-abased authentication, are described. Some implementations provide an authentication method that utilizes an authentication process that is shared as a secret between a first and second computing system. The process provides as output a number that is based on a timestamp. The first computing system executes the authentication process using a timestamp obtained from its clock. The resulting number is transmitted to the second computing system, possibly along with other authentication data, such as a username and/or password. In response, the second computing system executes the authentication process using a timestamp obtained from its clock. If the numbers generated by the first and second computing systems match, the first computing system is authenticated.

Abstract: A system and method for encrypting portions of data for storage in a remote network have been provided. The system comprises a memory with instructions executable by a processor to receive data for forwarding to a server device, wherein the received data comprises an indication of one or more portions of the received data to be encrypted; identify a portion comprising the one or more portions of the received data based at least in part on the indication; encrypt the identified portion of the data; generate a payload that comprises the encrypted portion and one or more unencrypted portions of the received data; and transmit, to the server device, the payload.

Abstract: Disclosed are examples of decentralized systems and related apparatus, devices, computer program products, and methods for secure access of digital content. In some implementations, a first request from a client to access encrypted digital content includes a call on a digital contract. The call passes an ephemeral key set encrypted with a public key of a consumer. A transaction identifying the first request in association with the encrypted ephemeral key set is recorded in the digital contract. The transaction is identified by a transaction identifier (ID), which is sent to the client. A second request from the client includes: an authorization token including the transaction ID, and a signature of the consumer. Authorization of the consumer is verified based on the authorization token. A transaction identifying one or more keys is recorded in the digital contract. The digital content can be re-encrypted and sent to the client.

Abstract: In one implementation, a computer-implemented method includes receiving, at a computing device and from a computer server system, digital content that is for sale and that is received without having yet been purchased by a user of the computing device; storing the digital content locally on the computing device in a manner that prohibits user access to the digital content; after storing the digital content: receiving user input that indicates the user is purchasing at least a portion of the stored digital content; and in response to the received user input, storing information that indicates the user purchased the portion of the digital content and providing the user with access to the purchased portion of the digital content; and in response to detecting that the computing device is communicatively connected to the computer server system over a network, providing the stored information to the computer server system.

Abstract: A method for managing security settings of a print device using a lockdown mode includes receiving a request for enabling a lockdown mode. The lockdown mode prevents modifications to configurations of one or more components of the print device. The method further includes activating the lockdown mode. Activating the lockdown mode includes modifying a plurality of security settings corresponding to lockdown configurations of the one or more components of the print device, and disabling one or more modes that a user may use to modify the plurality of security settings. The method includes storing the plurality of security settings and the associated lockdown values in a security module, performing a compliance check to detect if current values associated with the plurality of security settings have changed by comparing to the lockdown values, and performing a remediation action in response to detecting that the one or more security settings have changed.

Abstract: The present disclosure relates to systems and methods for communicating over a IoT network, including encrypting and decrypting communications of data over the network for providing enhanced security. The following also discloses systems for IoT device initialization, automation, data capture, security, providing alerts, personalization of settings, and other objectives described in the disclosure. Methods of establishing and monitoring IoT network communications is also disclosed.

Abstract: Techniques are disclosed for implementing scalable port range policies across a plurality of categories that support application workloads. In one example, a policy agent receives, from a centralized controller for a computer network, a plurality of policies. Each policy of the plurality of policies includes one or more policy rules, and each of the one or more policy rules specifies one or more tags specifying one or more dimensions for application workloads executed by the one or more computing devices and a corresponding port range. The policy agent assigns, based on a policy rule, a port range specified by the policy rule to objects of the one or more computing devices that belong to categories described by the one or more dimensions of the one or more tags of the policy rule. The categories support the application workloads and are assigned to the tags by a centralized controller.

Abstract: Systems and methods are described for receiving an input binary file, extracting character string information from the input binary file, defining search parameters to include a software name and associated software version as a name-version pair, applying the search parameters to the extracted character string information to detect instances of the name-version pair, and querying a vulnerability database based on the name-version pair to identify a vulnerability in the input binary file.

Abstract: Access between a plurality of nodes of the computing environment is controlled by a key server. The key server receives from one node of the plurality of nodes, a request for a shared key, in which the shared key is created for a selected node pair. A determination is made by the key server as to whether the one node is a node of the selected node pair. In one example, the determining checks an alternate name of the one node to determine whether it matches an alternate name associated with the shared key. Based on determining the one node is a node of the selected node pair, the key server provides the shared key to the one node.

Abstract: A computer device for effecting an authentication procedure associated with a service provider or an application, including a plurality of sensors; and one or more processors in communication with the sensors and non-transitory data storage including, stored thereon, a plurality of instructions which, when executed, cause the one or more processors to perform the steps of (a) receiving an authentication procedure request; (b) determining a hierarchy of authentication processes for the authentication procedure; (c) selecting an authentication process from the hierarchy of authentication processes; and (d) executing the authentication process.

Abstract: A method, a system, and a computer readable medium for determining a readiness of a computerized network against distributed denial of service (DDoS) attacks are provided herein. The system may include: an interface configured to obtain properties characterizing the computerized network; a knowledge base containing a plurality of rules taking into account DDoS risks and best practice related thereto; and a computer processor configured to: analyze the properties using the knowledge base to yield an analysis; and determine a readiness of the computerized network against DDoS attacks, based on the analysis. In some embodiments, the properties are obtained by analyzing a filled-in questionnaire relating to the computerized network under test. In other embodiments, these properties are automatically derived from databases containing data pertaining to the computerized network.