Policy Patents (Class 726/1)
-
Patent number: 11689523
Abstract: Techniques are described with respect to facilitating password creation via a secure device in a defined corporate environment. An associated method includes receiving an authentication request associated with an authorized client of a client system in the defined corporate environment and initializing the secure device with respect to the client system responsive to validating the authentication request. The method further includes creating a password for the client system in compliance with policy criteria associated with the defined corporate environment, encrypting the password, and distributing the password via at least one predetermined technique. In an embodiment, the method further includes creating access control credentials for the client system in compliance with the policy criteria associated with the defined corporate environment.
Type: Grant
Filed: March 13, 2020
Date of Patent: June 27, 2023
Assignee: Kyndryl, Inc.
Inventors: Cesar Augusto Rodriguez Bravo, Kevin Jimenez Mendez, Ramamohan Chennamsetty, Mauro Marzorati
-
Patent number: 11689502
Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
Type: Grant
Filed: June 30, 2020
Date of Patent: June 27, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Leonid Burakovsky, Sachin Verma, Fengliang Hu, I-Chun Chen, How Tung Lim
-
Patent number: 11689501
Abstract: A data transfer method and a virtual switch, where when receiving a data packet, the virtual switch extracts characteristic information of the data packet, and determines, based on the extracted characteristic information of the data packet, whether an expedited forwarding rule is configured for a data stream to which the data packet belongs. If the expedited forwarding rule is configured for the data stream to which the data packet belongs, the virtual switch bypasses a LINUX bridge to directly send the data packet to a receive end, thereby reducing times of data packet switching between a kernel mode and a user mode, and improving data packet forwarding efficiency.
Type: Grant
Filed: June 24, 2020
Date of Patent: June 27, 2023
Assignee: HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.
Inventors: Jing Huang, Cong Xu, Shuai Chen, Yuefei Xu
-
Patent number: 11687673
Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
Type: Grant
Filed: July 28, 2020
Date of Patent: June 27, 2023
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets
-
Patent number: 11689934
Abstract: This application provides a key configuration method. A session management network element receives a request for end-to-end communication and obtains a security policy, where the security policy is determined based on at least one of: a user security requirement that is of the user equipment and that is preconfigured on a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from a carrier network, and a security requirement of a device on the other end of the end-to-end communication. The session management network element obtains a protection key used for protecting the end-to-end communication. The session management network element sends the security policy to the devices on two ends of the end-to-end communication.
Type: Grant
Filed: June 2, 2021
Date of Patent: June 27, 2023
Assignee: Huawei Technologies Co., Ltd.
Inventors: Bo Zhang, Rong Wu, Lu Gan
-
Patent number: 11690061
Abstract: Methods and systems establish a traffic policy for a personal electronic device based on one or more physical characteristics of the device. In some aspects, a database of traffic policies is maintained. The traffic policies are for accessing a network via a wireless communications link. A network access unit receives a request from a personal electronic device to access the network. The request is analyzed to determine a physical characteristic of the device. A traffic policy is established from the database for the device based, at least in part, on the determined physical characteristic of the device. Transmission of network traffic for the device is then scheduled based at least in part, on the established traffic policy.
Type: Grant
Filed: December 9, 2021
Date of Patent: June 27, 2023
Assignee: Viasat, Inc.
Inventors: Christopher J. Demange, Shameem Hashmi, Navneeth Pusapati
-
Patent number: 11683335
Abstract: Artificial Intelligence (“AI”) apparatus and method are provided that correlate and consolidate operation of discrete vendor tools for detecting cyberthreats on a network. An AI engine may filter false positives and eliminate duplicates within cyberthreats detected by multiple vendor tools. The AI engine provides machine learning solutions to complexities associated with translating vendor-specific cyberthreats to known cyberthreats. The AI engine may ingest data generated by the multiple vendor tools. The AI engine may classify hardware devices or software applications scanned by each vendor tool. The AI engine may decommission vendor tools that provide redundant cyberthreat detection. The AI engine may display operational results on a dashboard directing cyberthreat defense teams to corroborated cyberthreats and away from false positives.
Type: Grant
Filed: January 15, 2021
Date of Patent: June 20, 2023
Assignee: Bank of America Corporation
Inventors: Ghada I. Khashab, Lori Mammoser, Anthony R. Bandos, Peggy J. Qualls, Sidy Diop, Ajay Jose Paul
-
Patent number: 11683214
Abstract: Systems and methods for managing a network are described. A view of current state of the network is maintained where the current state of the network characterizes network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby are automatically configured. Routing may be performed using ACL and packets can be intercepted to permit host to continue in sleep mode. The methods are applicable to virtual environments.
Type: Grant
Filed: August 2, 2020
Date of Patent: June 20, 2023
Assignee: NICIRA, INC.
Inventors: Martin Casado, Keith E. Amidon, Peter J. Balland, III, Natasha Gude, Justin Pettit, Benjamin L. Pfaff, Scott J. Shenker, Daniel J. Wendlandt
-
Patent number: 11683345
Abstract: Systems and methods include obtaining telemetry from a plurality of security agents each operating on a device in a network, wherein the telemetry is collected locally related to datagram protocol packets; analyzing the telemetry to determine applications associated with the datagram protocol packets flowing in the network and virtual circuits between each of the applications; determining enforcement policies for each application that communicates with other applications over a datagram protocol; and providing the enforcement policies to the plurality of security agents for allowing and blocking communications associated with the datagram protocol.
Type: Grant
Filed: July 9, 2021
Date of Patent: June 20, 2023
Assignee: Zscaler, Inc.
Inventor: Thomas E. Keiser, Jr.
-
Patent number: 11683692
Abstract: Protecting against potentially harmful app (PHA) installation on a mobile device. In some embodiments, a method may include identifying apps already installed on multiple mobile devices, identifying PHAs in the apps already installed on the multiple mobile devices, training a machine learning classifier, based on the apps already installed on multiple mobile devices, to predict a likelihood that each of the PHAs will be installed on any mobile device, identifying one or more apps already installed on a particular mobile device, predicting, using the machine learning classifier, a likelihood that a target PHA of the PHAs will be installed on the particular mobile device based on the one or more apps already installed on the particular mobile device, and in response to the likelihood being higher than a threshold, performing a remedial action to protect the particular mobile device from the target PHA.
Type: Grant
Filed: August 17, 2020
Date of Patent: June 20, 2023
Assignee: NORTONLIFELOCK INC.
Inventors: Yun Shen, Pierre-Antoine Vervier
-
Patent number: 11683291
Abstract: Described embodiments provide systems and methods for generating firewall configuration profiles for firewalls. An intermediary device may modify a request from a client to access the server to include a payload provided by the device. The payload may include an action type selected from a plurality of action types used to probe the server for a corresponding security vulnerability of a plurality of security vulnerabilities. The device may transmit, to the server, the request including the payload to cause the server to provide a response to the device. The device may determine that the server is susceptible to a security vulnerability of the plurality of security vulnerabilities corresponding to the action type based at least on the response. The device may generate a configuration profile for the firewall to restrict requests of the action type to access the server from clients.
Type: Grant
Filed: May 4, 2021
Date of Patent: June 20, 2023
Inventors: Kasirao Velugu, Priya Bagaria, Ganesh Kathiresan, Thirumoorthi Thangamani
-
Patent number: 11676045
Abstract: A network node comprising: a message handling module configured to control the sending of messages to one or more output ports of the network node based on a rule set stored at the network node, the rule set comprising one or more rules; a communication module configured to receive at least one update to the rule set from a controller node, separate from the network node, for changing the rule set; a supervisor module configured to verify that the changes to the rule set instructed by the update comply with at least a first set of rule-compliance-criteria and, if so, the network node is configured to modify the rule set to implement the changes of the update and, if not, the network node is configured not to implement the changes to the rule set.
Type: Grant
Filed: April 8, 2020
Date of Patent: June 13, 2023
Assignee: NXP B.V.
Inventors: Christian Herber, Thierry G. C. Walrant
-
Patent number: 11675918
Abstract: A collaboration system manages a plurality of content objects that are shared by multiple users at corresponding user devices in corresponding computing environments. Policies that govern interactions over the plurality of content objects are established. A content object upload request from a first user belonging to a first enterprise is processed by the collaboration system and then the content object is shared with a second user of a second enterprise. Security characteristics pertaining to the second user, and/or the second enterprise, and/or the second user's devices are initially unknown or unverified. As such, upon receiving interaction events raised by a user device of the second user, a set of interaction attributes associated with the interaction events are gathered. One or more trust policies are applied to the interaction attributes to evaluate security conditions that correspond to the interaction events. A response is generated based on the evaluated security conditions.
Type: Grant
Filed: August 27, 2019
Date of Patent: June 13, 2023
Assignee: Box, Inc.
Inventor: Alok Ojha
-
Patent number: 11675934
Abstract: Disclosed embodiments relate to a system having a processor adapted to activate multiple security levels for the system and a monitoring device coupled to the processor and employing security rules pertaining to the multiple security levels. The monitoring device restricts usage of the system if the processor activates the security levels in a sequence contrary to the security rules.
Type: Grant
Filed: February 23, 2021
Date of Patent: June 13, 2023
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventor: Gregory R. Conti
-
Patent number: 11677780
Abstract: Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set.
Type: Grant
Filed: November 25, 2020
Date of Patent: June 13, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11677756
Abstract: A method, system and computer-usable medium for generating a user behavior profile, comprising: monitoring user interactions between a user and an information handling system; converting the user interactions and the information about the user into electronic information representing the user interactions; generating a unique user behavior profile based upon the electronic information representing the user interactions and the information about the user; storing information relating to the unique user behavior profile within a user behavior profile repository; and, storing information referencing the unique user behavior profile in a user behavior blockchain.
Type: Grant
Filed: May 26, 2021
Date of Patent: June 13, 2023
Assignee: Forcepoint LLC
Inventor: Richard A. Ford
-
Patent number: 11678178
Abstract: This disclosure describes techniques that enable a security monitoring application to detect the use of plaintext sensitive data by a user application on a user device. The security monitoring application may reside on a user device or may reside on a standalone device, such as a security monitoring controller, within an enterprise network. The security monitoring application may be configured to intercept a computing operation executed by a user application that includes user-plane data. In doing so, the security monitoring application may determine whether the user-plane data includes plaintext sensitive data and if so, quarantine the user-plane data.
Type: Grant
Filed: December 14, 2020
Date of Patent: June 13, 2023
Assignee: T-Mobile USA, Inc.
Inventor: Ahmad Arash Obaidi
-
Patent number: 11671513
Abstract: A device determines that a policy is to be executed. The device retrieves rules, resource identifiers, and data provider identifiers associated with the policy. The device asynchronously retrieves resources from data providers that are called for by the rules, and executes each of the rules as their corresponding resources are retrieved. The device identifies a group of rules that have failed. The device calculates a risk score for each rule of the group and generates an alert for each rule of the group. The device outputs a report including each alert, each of the alerts being prioritized in the report based on the risk score of their corresponding rule.
Type: Grant
Filed: March 31, 2021
Date of Patent: June 6, 2023
Assignee: Secberus, Inc.
Inventors: Jason Scott Hensley, Oldrin Bataku, Everett Winfield Young, III, Callahan Carson Ciriacks
-
Patent number: 11671445
Abstract: In some implementations, a method includes receiving, for each of multiple users, user activity data describing actions taken by the user by use of a user device over a period of time, determining, for each user and based on the actions taken by the user over the period of time and user responsibility data that describe responsibilities of the user, a risk assessment representative of a security risk resulting from the actions taken by the user by use of the user device, and determining, by the data processing apparatus, for each user and based on the risk assessment determined for the user, whether to implement a user-specific remedial action directed to risk mitigation.
Type: Grant
Filed: January 18, 2022
Date of Patent: June 6, 2023
Assignee: Chronicle LLC
Inventors: Carey Stover Nachenberg, Maxime Lamothe-Brassard, Svetla Yankova Yankova
-
Patent number: 11671462
Abstract: A system is provided including a database and a server. The database stores a plurality of cloud computing service accounts created on a cloud computing platform, a plurality of roles associated with each cloud computing service account, and a plurality of policies associated with each role. The server is in data communication with the database and containing a role risk rating engine. The role risk rating engine is configured to: select a first role of the plurality of roles from the database; retrieve the plurality of policies associated with the first role; determine a risk rating for the first role based on the plurality of policies associated with the first role; store the risk rating of the first role in the database; receive a query requesting the risk rating of the first role; and in response to the query, transmit the risk rating of the first role.
Type: Grant
Filed: July 23, 2020
Date of Patent: June 6, 2023
Assignee: CAPITAL ONE SERVICES, LLC
Inventors: Stephen Cirelli, Daniel Girard, Ellis Hammer
-
Patent number: 11671463
Abstract: A device for processing data, including at least two data interfaces, a first data interface of the at least two data interfaces being designed to at least temporarily exchange first data with at least one first external unit according to a first communication protocol, in particular CAN and/or FlexRay and/or LIN and/or MOST and/or Ethernet, a second data interface of the at least two data interfaces being designed to at least temporarily exchange data with a second external unit and/or the first external unit according to a second communication protocol, which is different than the first communication protocol, the device including a security unit, which is designed to at least temporarily carry out at least one security function with regard to at least one of the at least two data interfaces.
Type: Grant
Filed: February 8, 2021
Date of Patent: June 6, 2023
Assignee: ROBERT BOSCH GMBH
Inventors: Herbert Leuwer, Janin Wolfinger, Michael Buchalik, Thomas Wollenhaupt, Timo Lothspeich
-
Patent number: 11663477
Abstract: Systems, methods, and non-transitory computer-readable media can be configured to determine a video embedding for a video content item based at least in part on a first machine learning model. A set of music embeddings can be determined for a set of music content items based at least in part on a second machine learning model. The set of music content items can be ranked based at least in part on the video embedding and the set of music embeddings.
Type: Grant
Filed: November 19, 2021
Date of Patent: May 30, 2023
Assignee: Meta Platforms, Inc.
Inventors: Parth Popatlal Detroja, Bokai Cao, Amit Kumar Singh
-
Patent number: 11663354
Abstract: Methods, systems, devices, and tangible non-transitory computer readable media facilitating assignment and/or dynamic application of a permission rule to a group of entities. In an example embodiment, the disclosed technology can: define a group of entities having a common attribute; assign a permission rule to the group of entities based at least in part on the common attribute; project the permission rule onto one or more entities in the group of entities based at least in part on assignment of the permission rule to the group of entities; obtain data indicative of a change in group membership status of an entity in the group of entities; and/or update a projection of the permission rule onto the entity to modify an association of the entity with the group of entities and/or the permission rule based at least in part on receipt of the data.
Type: Grant
Filed: January 28, 2022
Date of Patent: May 30, 2023
Assignee: PEOPLE CENTER, INC.
Inventors: Himanshu Nanda, Steven Luis Cipolla, Siddhartha Gunda, Kyle Michael Boston, Yu Dong, Alexander Giordano Biz
-
Patent number: 11665138
Abstract: A method and system for continuously configuring a web application firewall (WAF) are provided. The method includes receiving a request directed at a protected web application, wherein the request is received from a client device associated with a trusted user account, and wherein the protected web application is protected by the WAF; validating the received request based on at least a signature included in a header of the received request; when the received request is validated, generating an authorization rule based on the received request, wherein the authorization rule allows access to a resource of the protected web application designated in the received request, wherein the generated authorization rule is included in at least one whitelist the WAF is configured with; and configuring the WAF with the generated authorization rule to allow the received request and subsequent request to be directed to the resource of the protected web application.
Type: Grant
Filed: December 30, 2019
Date of Patent: May 30, 2023
Assignee: RADWARE LTD.
Inventors: Vladimir Shalikashvili, Dekel Cohen, Ayelet Shomer
-
Patent number: 11663361
Abstract: Embodiments for enabling or disabling application features according to application-specific security settings are described. The application-specific security settings can control when particular security levels, corresponding to authentication procedures, are required. The security levels can correspond to authentication procedures such as requiring no password, only requiring a PIN, allowing authentication by biometrics, or requiring a password. The application-specific security settings can control security levels based on a variety of circumstances such as setting particular security levels for particular locations, setting different security levels based on time since last device use, etc. In various implementations, the security levels can be mapped to application features to enable or disable.
Type: Grant
Filed: May 11, 2020
Date of Patent: May 30, 2023
Assignee: Micron Technology, Inc.
Inventors: Claudia A. Delaney, Elsie de la Garza Villarreal, Madison E. Wale, Bhumika Chhabra
-
Patent number: 11663323
Abstract: Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
Type: Grant
Filed: February 22, 2021
Date of Patent: May 30, 2023
Assignee: Palo Alto Networks, Inc.
Inventors: Yaron Lavi, Eldar Aharoni, Elad Wexler
-
Patent number: 11662910
Abstract: A data storage system has multiple tiers of data storage including an upper tier having a lower access latency and a lower tier having a higher access latency. A storage controller of the data storage system receives, via an interface, an access request of a workload for a target file system object, where the target file system object has an associated temperature. In response to the access request for the target file system object, the storage controller accesses the target file system object in the data storage and conditions update of the associated temperature of the target file system object based on at least one of a set including the interface and the workload. The storage controller distributes a collection of file system objects including the target file system object among the multiple tiers based on respective heats of file system objects in the collection.
Type: Grant
Filed: February 2, 2018
Date of Patent: May 30, 2023
Assignee: International Business Machines Corporation
Inventors: Smita J. Raut, Sandeep R. Patil, Sachin C. Punadikar, Sasikanth Eda
-
Patent number: 11665176
Abstract: Systems and methods of performing identity verification across different geographical or jurisdictional regions are provided. In one exemplary embodiment, a method by a first network node comprises sending, by the first network node located in a first geographical or jurisdictional region, to a second network node located in a second geographical or jurisdictional region, an indication of an identity verification associated with a certain identity based on personally identifiable information of that identity received by the first network node from the second network node. Further, the identity verification is determined based on whether the PII data of the certain identity corresponds to PII data of at least one of a plurality of identities associated with the first region and stored in one or more databases located in the first region and on identity verification rule(s) associated with the first region.
Type: Grant
Filed: May 17, 2021
Date of Patent: May 30, 2023
Assignee: Global Data Consortium, Inc.
Inventors: Charles Whitley Gaddy, Job Crowder
-
Patent number: 11665003
Abstract: A method includes receiving an event, the event associated with a digital signature in a first time-based message comprising a first trusted time stamp token generated using a first hash of digitally signed content from a trusted timing authority; generating a first block on a distributed ledger; generating a second hash of the first trusted time stamp token; receiving a second trusted time stamp token from the trusted timing authority in response to transmitting the second hash to the trusted timing authority; and generating a second block on the distributed ledger; wherein verification of data integrity of the digitally signed content is provided via the first hash of the digitally signed content and second hash of the first trusted time stamp token and via the hash of the first block and a hash of the second block.
Type: Grant
Filed: January 29, 2021
Date of Patent: May 30, 2023
Assignee: Wells Fargo Bank, N.A.
Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
-
Patent number: 11658998
Abstract: Systems, methods, and software described herein enhance how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets.
Type: Grant
Filed: May 3, 2021
Date of Patent: May 23, 2023
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 11657174
Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.
Type: Grant
Filed: June 24, 2021
Date of Patent: May 23, 2023
Assignee: Sophos Limited
Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
-
Patent number: 11659392
Abstract: Provided is a process for mobile-initiated authentications to web services. Credential values of the user are established within a trusted execution environment of the mobile device and representations are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may convey access to a web-based service from a relying device. The server may pass credentials corresponding to the web-service received from the mobile device and verified to permit user access to the web-service to the relying device. The relying device presents credentials to the web-service to login, authenticate, or otherwise obtain user-level permission for the user on the relying device. The user of the mobile device may authenticate with the mobile device to the server, and may initiate the authentication process from the mobile device, without inputting credentials corresponding to the web-service on the relying device.
Type: Grant
Filed: January 26, 2021
Date of Patent: May 23, 2023
Assignee: HYPR Corp.
Inventors: George Avetisov, Roman Kadinsky, Bojan Simic
-
Patent number: 11657182
Abstract: A highly secure networked system and methods for storage, processing, and transmission of sensitive information are described. Sensitive, e.g. personal/private, information is cleansed, salted, and hashed by data contributor computing environments. Cleansing, salting, and hashing by multiple data contributor computing environments occurs using the same processes to ensure output hashed values are consistent across multiple sources. The hashed sensitive information is hashed a second time by a secure facility computing environment. The second hashing of the data involves a private salt inaccessible to third parties. The second hashed data is linked to previously hashed data (when possible) and assigned a unique ID. Prior to a data dictionary being accessible by a researcher computing device, the data dictionary undergoes compliance and statistical analyses regarding potential re-identification of the source unhashed data. The data dictionaries are viewable by researchers as certified views via a secure VPN.
Type: Grant
Filed: July 18, 2022
Date of Patent: May 23, 2023
Assignee: Optum, Inc.
Inventor: Robin Edison
-
Patent number: 11656596
Abstract: A PLC includes a program storing section which stores a user program, a program executing section which repeatedly executes the user program, a device storing section having a plurality of devices which are memory regions referred to by the program executing section, a device recording section which records a device value stored in any one of the plurality of devices in time series, and a saving section which saves, when a predetermined saving condition is satisfied, the device value recorded by the device recording section and the user program or identification information of the user program stored in the program storing section in correspondence with each other in a memory.
Type: Grant
Filed: September 6, 2019
Date of Patent: May 23, 2023
Assignee: KEYENCE CORPORATION
Inventor: Masato Fujimura
-
Patent number: 11657811
Abstract: Provided is a method, computer program product, and system for modifying an input command by a virtual assistant. A processor may receive an input command from a user. The processor may determine a contextual environment surrounding a virtual assistant. The processor may detect, based on the contextual environment, sensitive information in the input command. The processor may replace the sensitive information with generic information. The processor may respond to the input command with an output response based, in part, on the generic information.
Type: Grant
Filed: September 21, 2020
Date of Patent: May 23, 2023
Assignee: International Business Machines Corporation
Inventors: Shikhar Kwatra, Zachary A. Silverstein, Sarbajit K. Rakshit, Jeremy R. Fox
-
Patent number: 11652844
Abstract: Methods and systems are provided for identifying suspect Internet Protocol (IP) addresses, in accordance with embodiments described herein. In particular, embodiments described herein include obtaining a set of login pairs comprising login identifiers (e.g., user identifiers) and IP addresses used in attempts to login to a source. A set of IP clusters is generated using the set of login pairs. Each IP cluster can include one or more IP addresses identified as related based on a login identifier being used to attempt to login to the source via multiple IP addresses or an IP address being used to attempt to login to the source via multiple login identifiers. Thereafter, it is determined that a particular IP cluster exceeds a threshold amount of IP addresses. Each of the IP addresses within the particular IP cluster is designated as a suspect IP address.
Type: Grant
Filed: May 1, 2020
Date of Patent: May 16, 2023
Assignee: ADOBE INC.
Inventors: Portase Nicuşor-Sorin, Cristian-Aurel Opincaru, Manole Catalin-Teodor
-
Patent number: 11652796
Abstract: A method and edge device for controlling data exchange of an industrial edge device with an industrial automation arrangement and a data cloud, wherein the edge device includes a first communication connection to the industrial automation arrangement and a second communication connection to a network of the data cloud, where the edge device includes applications exchanging data, and where the edge device includes a control device to control the data to be exchanged, wherein whether data exchange of an application is controlled via the first communication connection and the data exchange is implemented directly via the second communication connection or vice versa is defined for each application, where a data flow control device ensures simultaneous direct data exchange by an application via both communication connections does not occur, such that rigorous checking of applications or containers within the applications with respect to data security is not required.
Type: Grant
Filed: September 23, 2020
Date of Patent: May 16, 2023
Assignee: SIEMENS AKTIENGESELLSCHAFT
Inventors: Gunther Birk, Markus Höfele, Peter Kob, Rolf Schrey, Armin Zeltner
-
Patent number: 11652827
Abstract: Various approaches are disclosed to virtualizing intrusion detection and prevention. Disclosed approaches provide for an embedded system having a hypervisor that provides a virtualized environment supporting any number of guest OSes. The virtualized environment may include a security engine on an internal communication channel between the guest OS and a virtualized hardware interface (e.g., an Ethernet or CAN interface) to analyze network traffic to protect the guest OS from other guest OSes or other network components, and to protect those network components from the guest OS. The security engine may be on a different partition than the guest OS and the virtualized hardware interface providing the components with isolated execution environments that protect against malicious code execution. Each guest OS may have its own security engine customized for the guest OS to account for what is typical or expected traffic for the guest OS.
Type: Grant
Filed: June 7, 2019
Date of Patent: May 16, 2023
Assignee: NVIDIA Corporation
Inventors: Mark Overby, Rick Dingle, Nicola Di Miscio, Varadharajan Kannan, Yong Zhang, Francesco Saracino
-
Patent number: 11653206
Abstract: Techniques for trusted roaming between identity federation based networks. A first wireless access point (AP) receives a roaming request from a wireless station (STA), to roam from the first AP to a second AP. The first AP is associated with a first access network provider (ANP), the second AP is associated with a second ANP, and the first ANP is different from the second ANP. Authentication information relating to the STA is transmitted from the first ANP to the second ANP using a trusted connection. The trusted connection was previously established between the first ANP and the second ANP based on a query to an identity federation to which both the first and second ANP belong. The STA is de-associated from the first AP. The STA is re-associated at the second AP using the transmitted authentication information.
Type: Grant
Filed: April 20, 2021
Date of Patent: May 16, 2023
Assignee: Cisco Technology, Inc.
Inventors: Jerome Henry, Robert E. Barton, Bart A. Brinckman
-
Patent number: 11645382
Abstract: A Sentinel System For an Online Device (“SOD”) is disclosed that is capable of protecting a computing device from mining and tracking.
Type: Grant
Filed: March 15, 2013
Date of Patent: May 9, 2023
Inventors: Mark Krietzman, Damon L Cusato
-
Patent number: 11647452
Abstract: An application service provider (ASP) subscribes to a slice of the network of the mobile operator to offer its users on mobile devices a better-quality transport service. For example, the ASP subscribes to and pays for, say, a premium network slice dedicated for the use of its premium users that are on mobile devices. When a premium user accesses the application (and gets authorized by it), the application sends identifiers of the application/user to the Slice Identifier Function (SIF) of the mobile operator, which in turn directs the configuration of the core network components as well as the RAN attached to said user's mobile device according to the application's slice policies. As another example, the ASP subscribes to and pays for the default network slice for a differentiated treatment. When SIF identifies the application, it gives its users a higher QoS/priority than other users within the same slice.
Type: Grant
Filed: December 15, 2020
Date of Patent: May 9, 2023
Assignee: NETSIA, INC.
Inventors: Can Altay, Beytullah Yigit, Seyhan Civanlar
-
Patent number: 11645412
Abstract: A method includes receiving a data capture event affecting personal data of a user stored in at least one storage device of a computing system and mapped in a privacy graph database. Personal data of the user may be identified in the data capture event and classified into the data categories. In response to the data capture event, a mapping of user-centric nodes associated with the at least one user associated with other users in the privacy graph database is automatically updated using the classified personal data in the data capture event. A request by a requester for personal data of at least one specific user stored in the at least one storage device is received. The privacy graph database is queried to provide the requested personal data and locations of the requested personal data of the at least one specific user in the request stored in the computing system.
Type: Grant
Filed: November 4, 2021
Date of Patent: May 9, 2023
Assignee: Capital One Services, LLC
Inventors: Anindya Misra, Eckow Fred Ayison, Sripal Togaru
-
Patent number: 11646875
Abstract: Systems and methods for managing data stream identity are provided. Ownership information regarding a data stream may be analyzed to identify at least one owner. The data stream may be filtered to identify at least one portion that is associated with the identified owner. A unique identifier may be assigned to the identified portion. The identified portion may be stored in memory in association with the assigned unique identifier and information regarding the identified owner. Access to the identified portion may be controlled based on settings set by the identified owner.
Type: Grant
Filed: March 24, 2021
Date of Patent: May 9, 2023
Assignee: Cloudentity, Inc.
Inventor: Nathanael Coffing
-
Patent number: 11646975
Abstract: Systems and methods described herein support compartment quotas in a cloud infrastructure environment. Cloud administrators do not generally have the ability to restrict resource usage in existing clouds. Granting a user permission to create resources allows them to create any number of resources up to a predefined account limit. Compartment quotas allow admins to restrict a user's resource usage to the appropriate level allowing fine-tuned cost control.
Type: Grant
Filed: August 5, 2020
Date of Patent: May 9, 2023
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Matthew Rushton, Rajesh Basa, Hunt Graham, Marek Czajka, Philip Newman
-
Patent number: 11646938
Abstract: In an example embodiment, a communication type registry is introduced that stores information about various versions of various communication types permitted within a system. A communication type owner defines a new communication type with a name, version number, and version details, and registers this information with the communication type registry. All source applications and target applications that have registered with the communication type registry then get notified when there is a new communication type or new version of an existing communication type available. Optionally a central repository can be used to store updates for all the source applications and target applications, where those applications can know to look for those updates.
Type: Grant
Filed: August 23, 2022
Date of Patent: May 9, 2023
Assignee: SAP SE
Inventor: Anbusivam S
-
Patent number: 11645423
Abstract: Some embodiments provide API (Application Programming Interface) authorization platform that allows API-authorization policy stacks to be created and enforced. Policy stacks (called “stacks”) define API-authorization policies across different sets of managed resources in a workspace. A stack in some embodiments defines a uniform set of one or more API-authorization policies for multiple different sets of resources so that the set of policies do not have to be specified independently for each set of resources. By instituting common policies across multiple managed resource sets (also called managed systems), stacks can be used to guarantee uniform baseline policies for the workspace.
Type: Grant
Filed: June 26, 2020
Date of Patent: May 9, 2023
Assignee: STYRA, INC.
Inventors: Andrew Curtis, Mikol Graves, Teemu Koponen, Timothy L. Hinrichs, Torin Sandall
-
Patent number: 11640147
Abstract: A building management system including one or more circuits configured to receive a selection of an object associated with one of a building system, a piece of equipment, or a space of one or more building systems, one or more pieces of equipment, and/or one or more spaces of a building; determine the one or more pieces of equipment related to the object and/or the one or more spaces related to the object; and generate a graphical user interface illustrating (i) a relationship of the object with (a) the one or more pieces of equipment related to the object and/or (b) the one or more spaces related to the object and/or (ii) a control path between the object and (a) the one or more pieces of equipment related to the object and/or (b) the one or more spaces related to the object.
Type: Grant
Filed: July 12, 2021
Date of Patent: May 2, 2023
Assignee: Johnson Controls Technology Company
Inventors: Ryan A. Piaskowski, Prashant P. Taralkar
-
Patent number: 11641377
Abstract: Systems, computer program products, and methods are described herein for mapping information security configurations across technology platforms. The present invention is configured to electronically receive, from a computing device associated with a technology infrastructure, one or more responses to one or more queries; extract one or more security information and event management (SIEM) fields from the one or more responses; map the one or more SIEM fields to a generic content schema of a common information security model; generate a unique SIEM map for the technology infrastructure based on at least mapping the one or more SIEM fields to the generic content schema of the common information security model; generate a use case for the technology infrastructure using the common information security model; and transform the use case generated using the common information security model using the unique SIEM map.
Type: Grant
Filed: May 28, 2021
Date of Patent: May 2, 2023
Assignee: CYBORG SECURITY, INC.
Inventors: Brandon Denker, Austin Jackson, Mike Mitchell, Nick Allen
-
Patent number: 11638195
Abstract: Systems and methods for dynamic communication routing based on consistency weighting and routing rules are disclosed. A computing device can receive a communication including content data. The communication can be stored in a queue position of a primary queue. For example, the primary queue can include a plurality of queue positions for storing communications. The communication can be retrieved from the queue position of the primary queue and analyzed. In some instances, analyzing can include parsing the content data for a keyword. A keyword can correspond to a secondary queue. When the keyword is identified in the communication, the communication can be stored in the secondary queue that corresponds to the keyword. A terminal device associated with the secondary queue can be identified. A retrieval request to access the communication from the secondary queue can be received, and the communication can be routed to the terminal device.
Type: Grant
Filed: November 11, 2020
Date of Patent: April 25, 2023
Assignee: LIVEPERSON, INC.
Inventors: Matan Barak, Efim Dimenstein, Shlomo Lahav
-
Patent number: 11637687
Abstract: Methods, apparatus, systems and articles of manufacture to determine provenance for data supply chains are disclosed. Example instructions cause a machine to at least, in response to data being generated, generate a local data object and object metadata corresponding to the data; hash the local data object; generate a hash of a label of the local data object; generate a hierarchical data structure for the data including the hash of the local data object and the hash of the label of the local data object; generate a data supply chain object including the hierarchical data structure; and transmit the data and the data supply chain object to a device that requested access to the data.
Type: Grant
Filed: December 20, 2019
Date of Patent: April 25, 2023
Assignee: Intel Corporation
Inventors: Ned Smith, Francesc Guim Bernat, Sanjay Bakshi, Paul O'Neill, Ben McCahill, Brian A. Keating, Adrian Hoban, Kapil Sood, Mona Vij, Nilesh Jain, Rajesh Poornachandran, Trevor Cooper, Kshitij A. Doshi, Marcin Spoczynski