Policy Patents (Class 726/1)
  • Patent number: 12255911
    Abstract: The technical solution relates to technologies for detecting fraudulent serial user verification requests.
    Type: Grant
    Filed: June 4, 2024
    Date of Patent: March 18, 2025
    Assignee: Raritex Trade Ltd
    Inventors: Nikita Evgenievich Marshalkin, Dmitrii Sergeevich Iurasov
  • Patent number: 12254069
    Abstract: The present invention extends to methods, systems, and computer program products for identifying and consenting to permissions for workflow and code execution. Aspects of the invention can be used to automatically scan a workflow or code definition to identify (potentially all) the actions/triggers a workflow or program intends to perform on behalf of a user. The user is shown the actions/triggers the workflow or program intends to perform (e.g., at a user interface) before consent to perform the actions/triggers is granted. As such, a user is aware of intended actions/triggers of a workflow or program before granting consent. Further, since actions/triggers are identified from the workflow or code definition (and not formulated by an author), permission requests better align with permissions that workflow or program functionality actually uses during execution.
    Type: Grant
    Filed: December 26, 2023
    Date of Patent: March 18, 2025
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Sunay Vaishnav, Merwan Vishnu Hade, Stephen Christopher Siciliano, David Nissimoff, Fnu Anubhav
  • Patent number: 12255874
    Abstract: Techniques for securing control and user plane separation in mobile networks (e.g., service provider networks for mobile subscribers, such as for 4G/5G networks) are disclosed. In some embodiments, a system/process/computer program product for securing control and user plane separation in mobile networks in accordance with some embodiments includes monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, in which the mobile network includes a 4G network or a 5G network; extracting a plurality of parameters from the PFCP message at the security platform; and enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network.
    Type: Grant
    Filed: May 8, 2023
    Date of Patent: March 18, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Leonid Burakovsky, Sachin Verma, Fengliang Hu, I-Chun Chen, How Tung Lim
  • Patent number: 12255882
    Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for invocation of a secure web container which may display data representative of a requesting party's application at a user's machine. The secure web container is invoked upon receipt of an API call from the requesting party. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable web container), insulating the user and requesting parties from the threats associated with being online for the purposes of providing secure, policy-based interaction with a requesting party's online services.
    Type: Grant
    Filed: December 4, 2023
    Date of Patent: March 18, 2025
    Assignee: Authentic8, Inc.
    Inventors: Ramesh Rajagopal, Scott M. Petry, James K. Tosh, Peter K. Lund, Fredric L. Cox, Adam P. Moore
  • Patent number: 12254519
    Abstract: A specialized service engine receives data from an entity located in one domain about transactions performed by the entity with other entities from another domain. The service engine determines if the entity must follow the rules regarding selected resources in the other domain. The service engine then determines which of the rules established by the other domain the entity must follow. The service engine then determines and communicates to another computer of the entity the burden of complying with the rules of the other domain. The service engine then further computes the cost of the burden, and communicates the computed cost to the other computer.
    Type: Grant
    Filed: April 29, 2020
    Date of Patent: March 18, 2025
    Assignee: Avalara, Inc.
    Inventors: Stefan Kim, Nikki Nash
  • Patent number: 12255923
    Abstract: Systems and methods include receiving messages from local security agents each on a host in a network, wherein the messages include network topology of the network in terms of addresses and sockets; incrementally creating a network topology of the network based on the messages; determining security policies for one or more microsegments in the network based on flow data and the network topology; and providing the security policies to respective hosts for local implementation of the one or more microsegments.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: March 18, 2025
    Assignee: Zscaler, Inc.
    Inventors: Michael J. Melson, Scott Laplante
  • Patent number: 12255895
    Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for authorizing publishing of a message and/or a subscription from an Internet of Things (IoT) device. In an example system, a message broker receives a list of attributes from a claims provider. The message broker determines whether publishing of the message is authorized based at least on the list of attributes, and publishes the message if it is determined that the publishing is authorized. The message broker may also receive a subscription specifying a topic filter. The message broker determines whether the subscription is authorized for the IoT device based at least on the list of attributes, and transmits a subscription message to the IoT device if it is determined that the subscription is authorized.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: March 18, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kevin Thomas Damour, David Michael Sauntry, Peter Gregg Miller, Jeroen Vanturennout, Murli Dharan Satagopan, William Alexander Stevenson, Michael Richard Yagley
  • Patent number: 12254192
    Abstract: Communications service programs (e.g., packet-switched phone and conferencing software with recordings and voicemail) are enabled to process user data files using custom encryption methods, where the existing service programs should migrate to work with the encrypted data files. A framework is introduced between application and system layer for replacing the major file routines to apply user file encryption routines in a manner that is transparent for existing service programs without requiring re-compiling.
    Type: Grant
    Filed: January 30, 2022
    Date of Patent: March 18, 2025
    Assignee: Zoom Communications, Inc.
    Inventors: Yongxiang Dai, Shaohua Li, Lin Sun
  • Patent number: 12250146
    Abstract: What is disclosed is tagging a first flow of a multi-tenant virtual private network (VPN) with a first tag. Continuously tracking, based on the first tag, the first flow of the multi-tenant VPN. Capturing one or more characteristics of the first flow of the multi-tenant VPN. Categorizing the first flow of the multi-tenant VPN based on the one or more characteristics of the first flow. Providing the categorization of the first flow to a first tenant of the multi-tenant VPN. Receiving, based on input from the first tenant and the categorization of the first flow, a first policy. Enforcing the first policy on the first flow based on the first tag of the first flow and the continuous tracking of the first flow.
    Type: Grant
    Filed: December 29, 2023
    Date of Patent: March 11, 2025
    Assignee: ALKIRA, INC.
    Inventors: Shreyas Heranjal, Robin James
  • Patent number: 12248614
    Abstract: Computer-implemented methods, apparatuses, and computer program products are provided for frequency based operations. An example computer-implemented method includes receiving a request for data transfer of a plurality of data elements of a production data environment to a non-production data environment. The method includes determining an access frequency associated with each data element and grouping each data element into a first set of data elements or a second set of data elements based upon the determined access frequency. The method further includes refreshing the first set of data elements according to a first refresh protocol defining a first refresh rate and refreshing the second set of data elements according to a second refresh protocol defining a second refresh rate less than the first refresh rate. The method also includes outputting the plurality of data elements to the non-production data environment.
    Type: Grant
    Filed: January 12, 2024
    Date of Patent: March 11, 2025
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ananya Bandyopadhyay, Shalini Jha
  • Patent number: 12248616
    Abstract: Systems and methods of dynamic management of private data during communication between a remote server and a user's device, including receipt of a request for retrieval of at least one data packet from the user's device, wherein the user's device is configured to provide a response corresponding to the received request, determination of at least one communication data type of the at least one data packet corresponding to the received request, receipt of a privacy preference for the user's device, wherein the privacy preference comprises a list of allowed data packet communication types for sharing during communication, modification of data packets corresponding to requests for sharing of responses that are not compatible with the received privacy preference and maintenance of communication between the remote server and the user's device, with sharing of the modified data packet.
    Type: Grant
    Filed: June 17, 2024
    Date of Patent: March 11, 2025
    Assignee: QPrivacy USA LLC
    Inventors: Yoseph Koren, Yehonatan Wasserman
  • Patent number: 12250555
    Abstract: A wireless network system configured to secure a wireless service provided to at least one wireless device from a wireless network, the wireless network system includes a secure network server implemented in at least one of a network operator cloud and a mobile network operator implementing the wireless network. The secure network server being configured to implement at least one of the following: a unique Access Point Name (APN), an International Mobile Equipment Identity (IMEI) whitelist, a virtual private network (VPN) over encrypted network, a dedicated firewall, a whitelist of IP addresses, and a unique SIM.
    Type: Grant
    Filed: August 2, 2022
    Date of Patent: March 11, 2025
    Assignee: Tracfone Wireless, Inc.
    Inventor: Theodore Vagelos
  • Patent number: 12250263
    Abstract: The present disclosure relates to computer-implemented methods, software, and systems for managing cloud application in a transparent multiple availability zone cloud platform. A request to access a cloud application running on the multiple availability zone cloud platform is received. The request can include an application location for accessing the cloud application. A network address corresponding to the application location is determined. In response to determining the network address, a first availability zone of the multiple availability zone cloud platform that is currently active to process the request is determined. A plurality of network locations corresponding to a host component of the application location is determined by a first load balancer. A network location of the plurality of network locations for processing the request is identified based on load balancing criteria.
    Type: Grant
    Filed: September 29, 2022
    Date of Patent: March 11, 2025
    Assignee: SAP SE
    Inventors: Stoyan Zhivkov Boshev, Diyan Asparuhov Yordanov
  • Patent number: 12250218
    Abstract: Systems and methods for controlling access to a blockchain are disclosed. The systems and methods are comprised of a security agent, a controller, an authenticator, a rules engine, and a policy engine. In certain embodiments, the security agent receives a message from an application, parses the message, and transmits the message to the controller if the message comprises one or more predetermined applicable rules or policies. The controller receives the message with its rules and policies, queries the rules engine and the policy engine to apply the rules and policies, and transmits an authentication request to the authenticator. The authenticator then requests an authentication signal from a user and transmits the results to the controller. The controller applies the results and forwards them to the security agent, which may or may not release the message to the blockchain depending on the results.
    Type: Grant
    Filed: August 25, 2023
    Date of Patent: March 11, 2025
    Assignee: BlockSafe Technologies, Inc.
    Inventor: Ram Pemmaraju
  • Patent number: 12242627
    Abstract: Provided is a retention-replacement probability generation device that is capable of generating retention-replacement probability that realizes retention-replacement perturbation of a suitable level. Included are: a global optimal solution determining unit that outputs a global optimal solution in a case where a global optimal solution exists that is a replacement probability of the attribute values in which the transition matrix P and histogram vector expression v of the attribute values yield ‖Pv − v‖ = 0; a region generating unit that, in a case where the global optimal solution does not exist, generates a region that is defined by an inequality equivalent to conditions for both replacement probabilities corresponding to i'th and j'th attribute values satisfying ε-differential privacy, and an inequality equivalent to conditions for the replacement probability of one and the retention probability of the other corresponding to the i'th and the j'th attribute values satisfying ε-differential privacy.
    Type: Grant
    Filed: October 11, 2019
    Date of Patent: March 4, 2025
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Takayuki Miura, Satoshi Hasegawa
  • Patent number: 12244602
    Abstract: A system of automatically managing assignments of users to user groups comprises a processor to implement instructions for an automatic user group manager (AUGM) to access two or more users and the assignments of the users to the user groups, observe activity of the users, calculate user behavior signatures for one of at least two users of the users, at least one user of the users and one group of the user groups, or at least two groups of the user groups, calculate a numeric degree of variance between at least two of the user behavior signatures, compare the calculated degree of variance to at least one threshold, and determine if a behavior of one of the at least two users, the at least one user and the one group, or the at least two groups are similar or different.
    Type: Grant
    Filed: May 31, 2022
    Date of Patent: March 4, 2025
    Assignee: Acronis International GmbH
    Inventors: Nickolay Berko, Serg Bell, Stanislav Protasov
  • Patent number: 12245040
    Abstract: According to an example aspect of the present invention, there is provided a method, comprising: receiving user information provided by a user equipment, associating spatiotemporal information with the user information on the basis of location of at least one wireless access network device in communication with the user equipment, generating a proof of location indication transaction associated with the user information on the basis of the spatiotemporal information, and providing the proof of location indication transaction to a distributed ledger.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: March 4, 2025
    Assignee: Nokia Technologies Oy
    Inventors: Karina Palyutina, Troels Roennow, Enrique Martin-Lopez, Edward FitzGerald
  • Patent number: 12242877
    Abstract: The present invention relates to a container-oriented Linux kernel virtualizing system, at least comprising: a virtual kernel constructing module, being configured to provide a virtual kernel customization template for a user to edit and customize a virtual kernel of a container, and generate the virtual kernel taking a form of a loadable kernel module based on the edited virtual kernel customization template; and a virtual kernel instance module, being configured to reconstruct and isolate a Linux kernel, and operate a virtual kernel instance in a separate address space in response to a kernel request from a corresponding container. The container-oriented Linux kernel virtualizing system of the present invention is based on the use of a loadable module.
    Type: Grant
    Filed: May 4, 2022
    Date of Patent: March 4, 2025
    Inventors: Song Wu, Hang Huang, Kun Wang, Honglei Wang, Hai Jin
  • Patent number: 12244601
    Abstract: A system includes an orchestrator to receive a first request for resources for a workload of a tenant and to select a first node cluster in a first compute domain to be provisioned for the workload. The system also includes a first security manager to run in a trusted execution environment of one or more processors to receive attestation results for a second node cluster from a second security manager in a second compute domain, and to establish the first node cluster and the second node cluster as a trusted group of node clusters for the workload based, at least in part, on determining that a first compute node in the first node cluster meets one or more security requirements of a workload execution policy associated with the workload and that the attestation results indicate that a second compute node in the second node cluster meets the one or more security requirements.
    Type: Grant
    Filed: December 2, 2021
    Date of Patent: March 4, 2025
    Assignee: Intel Corporation
    Inventors: Anahit Tarkhanyan, Reshma Lal, Jianping Xu, Christine E. Severns-Williams
  • Patent number: 12244641
    Abstract: A firewall uses information about an application that originates a network request to determine whether and how to forward the request over a network. The firewall may more generally rely on the identity of the originating application, the security state of the originating application, the security state of the endpoint, and any other information that might provide an indication of malicious activity, to make routing and forwarding decisions for endpoint-originated network traffic.
    Type: Grant
    Filed: August 3, 2023
    Date of Patent: March 4, 2025
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Karl Ackerman, James Douglas Bean, Kenneth D. Ray, Daniel Stutz
  • Patent number: 12244646
    Abstract: A cloud node in a cloud-based system includes one or more processors and memory storing instructions that, when executed, cause the one or more processors to: communicate with a user associated with a tenant of a plurality of tenants; obtain policy and configuration for the user based on the tenant, from a central authority in the cloud-based system; provide the one or more cloud services to the user, based on the policy and configuration; and crawl one or more cloud providers having a plurality of files for the user, based on the policy and configuration. The cloud node is inline between a user device of the user and the Internet, as well as connected to the one or more cloud providers.
    Type: Grant
    Filed: January 18, 2023
    Date of Patent: March 4, 2025
    Assignee: Zscaler, Inc.
    Inventors: Shankar Vivekanandan, Narinder Paul, Parth Shah, Pratibha Nayak, Sonal Choudhary, Huan Chen
  • Patent number: 12244730
    Abstract: A method includes receiving, by a processing device of a content sharing platform, a request for desired content from a client device, the content being stored in a content delivery network (CDN). The method further includes generating, based on data available to the content sharing platform, a partial trust metric associated with the client device, wherein the partial trust metric is to be used by a CDN server to make a decision regarding access to the desired content by the client device. The method further includes generating a response to the content request, wherein the response comprises one or more resource locators for accessing the desired content in the CDN, and the partial trust metric. The method further includes sending the response to the client device to enable the client device to request the desired content from the CDN server using the resource locator(s) and the partial trust metric.
    Type: Grant
    Filed: March 3, 2021
    Date of Patent: March 4, 2025
    Assignee: Google LLC
    Inventors: John Draper, Colin Whittaker, Haidong Shao, David Lee, Adrian Isles, Maxim Kovalkov
  • Patent number: 12238091
    Abstract: An authentication method includes registering in an authentication service associated with an application, an ID of a wearable device, disposing the wearable device proximate to a smart device that does not have the application, to provide the ID and an identifier for the application, wherein the smart device stores a document, receiving in the authentication service from the smart device, a communication including the ID, the identifier, and the document, wherein the smart device receives the application in response to the identifier, determining in the authentication service, whether an authentication service is approved in response to the ID, digitally signing in the authentication service, the document to form a digitally signed document, in response to the document and to determining that the authentication service is approved, outputting with the authentication service, the digitally signed document to the smart device.
    Type: Grant
    Filed: March 25, 2022
    Date of Patent: February 25, 2025
    Assignee: Oura Health Oy
    Inventors: Denis Mars, Simon Ratner
  • Patent number: 12238145
    Abstract: A security protection method and device based on industrial Internet is provided. The disclosure relates to the technical field of network security and realizes the isolation between the Internet and the industrial Internet platform intranet by deploying the exit firewall, and there is no restriction from the industrial Internet platform intranet to the Internet, and only necessary ports are opened from the Internet to the industrial Internet platform intranet. By deploying a regional firewall, isolation between the intranet core server and each of the secondary nodes is realized. The regional firewall is deployed on the wide area network router, and the second access policy of secondary nodes and intranet core servers is preset. After the second access policy is formulated, only the IP and service ports of specific hosts are opened, and all other accesses are prohibited.
    Type: Grant
    Filed: July 9, 2024
    Date of Patent: February 25, 2025
    Assignee: HUANENG INFORMATION TECHNOLOGY CO., LTD.
    Inventors: Lei Cui, Ziqiang Wen, Dongliang Li, Jiaxin Zhu, Xiaoyu Liu, Pengfei Xie, Chongwu Sun
  • Patent number: 12235997
    Abstract: A computing device includes a display, and a browser to access applications for display in a browser window. Each application is associated with a respective browser tab within the browser window. A processor is coupled to the display to display content from an application associated with a selected browser tab, and to classify the selected browser tab. The processor enables app protection to selectively block screenshots of the displayed content based on the classification of the selected browser tab.
    Type: Grant
    Filed: June 24, 2021
    Date of Patent: February 25, 2025
    Inventors: Manbinder Pal Singh, Santosh Gummunur Chiranjeevi Sampath
  • Patent number: 12238557
    Abstract: The disclosure provides a method for wireless communication performed by a gateway device, a gateway device and a computer-readable storage medium. The method for wireless communication performed by a gateway device includes: performing network state detection; determining a network state based on a result of network state detection; receiving a network request of application layer; and transmitting a network response of the application layer based on the network state.
    Type: Grant
    Filed: February 7, 2024
    Date of Patent: February 25, 2025
    Assignee: TP-LINK CORPORATION PTE. LTD.
    Inventor: Xuxiang Yang
  • Patent number: 12238065
    Abstract: Systems, methods, and software described herein manage traffic rules in association with fully qualified domain names (FQDNs). In one implementation, a domain name system (DNS) security service obtains a FQDN associated with a DNS request by a computing device. The DNS security service determines a first score for the FQDN based on trust factors associated with the FQDN and determines whether the first score satisfies one or more criteria. When the first score satisfies the one or more criteria, the DNS security service evaluates host posture information associated with an IP address in the DNS response for the FQDN, updates the first score to a second score based on the host posture information, and determines a traffic rule for the FQDN based on the second score.
    Type: Grant
    Filed: March 1, 2022
    Date of Patent: February 25, 2025
    Assignee: HYAS Infosec Inc.
    Inventors: David James Mitchell, Paul Cornelius van Gool
  • Patent number: 12231449
    Abstract: Systems and methods are provided for learning normal behavior for user roles of an application running within a cluster of a container orchestration platform and based thereon proactively taking action responsive to suspicious events. According to one embodiment, an event data stream is created by an API server of the cluster. The data for each event includes information regarding a request made to an API exposed by the API server with which the event is associated and a user of the application by which the event was initiated. The data is augmented with a role associated with the user and an anomaly threshold for the role. Normal behavior is learned by an ML algorithm of respective user roles by processing the augmented data. When an anomaly score associated with a particular event is output by the ML algorithm that exceeds the anomaly threshold, a predefined or configurable action is triggered.
    Type: Grant
    Filed: April 22, 2022
    Date of Patent: February 18, 2025
    Assignee: NetApp, Inc.
    Inventor: Tyler W. Cady
  • Patent number: 12231412
    Abstract: Systems and methods for local encryption are provided. According to one implementation, a microservice system is configured to operate according to an open standard schema and having a distributed microservice framework. The microservice system includes a processing device and a memory device, where the memory device is configured to store a computer program having instructions that, when executed, enable the processing device to perform certain steps. For example, the processing device may be configured to automatically create an encrypted version of sensitive data. Next, the processing device may be configured to incorporate the encrypted version of the sensitive data within a model associated with the microservice system.
    Type: Grant
    Filed: January 2, 2023
    Date of Patent: February 18, 2025
    Assignee: Ciena Corporation
    Inventor: David Miedema
  • Patent number: 12230377
    Abstract: Various aspects described herein relate to presenting electronic patient data accessing information. Data related to a plurality of access events, by one or more employees, of electronic patient data can be received. A set of access events of the plurality of access events can be determined as constituting, by the one or more employees, possible breach of the electronic patient data. An alert related to the set of access events can be provided based on determining that the set of access events constitute possible breach of the electronic patient data.
    Type: Grant
    Filed: November 16, 2023
    Date of Patent: February 18, 2025
    Assignee: Protenus, Inc.
    Inventors: Nicholas T. Culbertson, Robert K. Lord
  • Patent number: 12231894
    Abstract: Disclosed herein are a communication technique for merging, with an IoT technology, a 5G communication system for supporting a data transmission rate higher than that of a 4G system; and a system therefor. Embodiments herein disclose a method of protecting sensitive user plane traffic in a User Equipment (UE) (100), the method comprising: transmitting, to a network (200), by the UE (100) a first NAS message comprising an indicator indicating that the UE (200) supports a secure channel for domain name system (DNS); receiving, from the network (200), by the UE (100) a second NAS message including DNS server security information in response to transmitting the first NAS message; and transmitting, to the network (200), by the UE (100) the DNS over the secure channel based on the DNS server security information.
    Type: Grant
    Filed: December 14, 2023
    Date of Patent: February 18, 2025
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Rajavelsamy Rajadurai, Kundan Tiwari, Varini Gupta, Anikethan Ramakrishna Vijaya Kumar
  • Patent number: 12231396
    Abstract: Methods and systems for providing multiple techniques to a customer premises equipment to acquire network connectivity. A method for acquiring an Internet Protocol (IP) lease includes sending, by a network device at a customer premises to a service provider system, a request for a preferred acquisition posture, where the network device is provisioned with multiple acquisition postures including the preferred acquisition posture, receiving, by the network device from the service provider system, a selected acquisition posture, attempting, by the network device, to acquire the IP lease using the selected acquisition posture, and operating, by the network device, using the acquired IP lease.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: February 18, 2025
    Assignee: Charter Communications Operating, LLC
    Inventors: Anthony Adams, Erez Jordan Gottlieb, Tyson Reid Vinson
  • Patent number: 12225140
    Abstract: A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: submitting a request for a workload instance to a cloud service provider; establishing a secure communication channel between the cloud service provider and a data center monitoring and management console; exchanging information between the cloud service provider and the data center monitoring and management console via the secure communication channel, the information including a verifiable workload instance identity; and, using the verifiable workload instance identity to authenticate a workload instance provided by the cloud service provider.
    Type: Grant
    Filed: June 26, 2023
    Date of Patent: February 11, 2025
    Assignee: Dell Products L.P.
    Inventors: Michal Davidson, Dominique Prunier, Alan White
  • Patent number: 12225054
    Abstract: An application isolation method, system and device, and a computer-readable storage medium. The method includes: determining a target application to be isolated in Kubernetes; acquiring isolation policies of components in the target application, creating an initial network security policy corresponding to the target application; on the basis of the isolation policies, modifying a pushing rule, a popping rule and a matching label of the initial network security policy, so as to obtain a target network security policy; converting the target network security policy into an Iptables rule that matches the Kubernetes; and isolating the target application on the basis of the Iptables rule.
    Type: Grant
    Filed: January 23, 2021
    Date of Patent: February 11, 2025
    Assignee: INSPUR ELECTRONIC INFORMATION INDUSTRY CO., LTD.
    Inventors: Qiang Zhang, Zhengwei Liu
  • Patent number: 12225555
    Abstract: A method disclosed includes receiving data from a plurality of data sources in a broadcast core network for transmission over a radio access network (RAN). The method includes assigning radio spectrum resources for transmitting the data over the RAN according to a policy guidance set by a plurality of network operators for sharing the radio spectrum resources and generating a baseband packet corresponding to the data at a distributed unit (DU) in the RAN. The method includes collecting transmission data from a plurality of user equipments (UEs) in the RAN for training a machine learning algorithm and scheduling transmission of the generated baseband packet to a remote unit (RU) over a fronthaul in a radio topology of a plurality of radio topologies under control of the machine learning algorithm according to the policy guidance. The generated baseband packet is compatible for transmission in the plurality of radio technologies.
    Type: Grant
    Filed: February 11, 2022
    Date of Patent: February 11, 2025
    Assignee: SINCLAIR BROADCAST GROUP, INC.
    Inventors: Michael J. Simon, Mark A. Aitken, Ebenezer K. Kofi, Louis Herbert Libin
  • Patent number: 12223073
    Abstract: Methods, systems, and computer storage media provide a privacy compliance notification indicating a database's level of compliance with a privacy policy after restoring the database to the database's backup copy. The database is associated with a database management engine. The database supports privacy-based first-class data entities. The privacy-based first-class data entities are database entities having privacy system-level metadata properties associated with data operations in a database language syntax. The privacy compliance notification may be generated based on determining whether a privacy database operation associated with a database journal and a privacy journal has been executed on a database since the database was restored to a backup copy of the database.
    Type: Grant
    Filed: December 31, 2021
    Date of Patent: February 11, 2025
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Oron Golan, Aviram Fireberger, Aviad Pines, Adir Atias, Evgeny Lutsky
  • Patent number: 12225019
    Abstract: A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: generating a request for a client identifier or an access token for access to a target application programming interface (API); obtaining an access policy associated with the target API; determining a least privileged API access permission based upon the access policy associated with the target API; and, using the client identifier or access token to access the target API when the least privileged API access permission allows access to the target API.
    Type: Grant
    Filed: July 11, 2023
    Date of Patent: February 11, 2025
    Assignee: Dell Products L.P.
    Inventors: Sumedh Wasudeo Sathaye, Yi Fang, Yidong Wang, Ranjit Kollu, Murali Kadala Keloth, David Scott Thompson, Ching-Yun Chao
  • Patent number: 12216769
    Abstract: Techniques for implementing and enforcing a security policy in a secure element are disclosed. The secure element enforces the security policy to grant and/or deny access, such as from an application processor, to configuration of the device peripheral components and access to data of the device peripheral components across one or more bus architectures, such as an I3C bus. Implementing an access control policy in a secure element allows execution of code within the isolated secure element hardware processor, preventing software attacks that may emanate from code running in the application processor. This design also benefits from hardware protections against physical attacks.
    Type: Grant
    Filed: April 29, 2022
    Date of Patent: February 4, 2025
    Assignee: Oracle International Corporation
    Inventors: Nicholas Michel Raphaël Ponsini, Patrick Van Haver
  • Patent number: 12218952
    Abstract: Disclosed are various embodiments for enabling an enrolled client device of a user to access an enterprise resource via a second enrolled client device of the user. One such method comprises launching, by the first client device, a peer-to-peer communication channel between the first client device and a second client device of the user that is online with the management server; transmitting, by the first client device, a peer-to-peer offline access mode request over the peer-to-peer communication channel for the first client device to be given access to an enterprise resource that is being managed by the management server, wherein the request includes instructions for the second client device to forward the request to the management server, wherein the request further includes enterprise resource identification and verification data showing that the first client device is in compliance with a compliancy policy of the management service.
    Type: Grant
    Filed: February 10, 2023
    Date of Patent: February 4, 2025
    Assignee: Omnissa, LLC
    Inventors: Ramanandan Nambannor Kunnath, Rohit Pradeep Shetty
  • Patent number: 12218949
    Abstract: A risk-aware access control system and related methods are provided. In accordance with one aspect of the present disclosure, there is provided a method of risk-aware access control, comprising: detecting a request to perform an action with respect to two factors, the factors being of a factor type selecting people, devices, documents, and location, wherein the factors are of a different factor type; determining a coupling associated with the requested action based on the factors of the requested action; determining a risk level associated with the coupling; denying the requested action in response to a determination that the risk level does not match a security policy; and allowing the requested action in response to a determination that the risk level matches the security policy.
    Type: Grant
    Filed: December 6, 2023
    Date of Patent: February 4, 2025
    Assignee: BlackBerry Limited
    Inventors: Andrew James Malton, Andrew Eric Walenstein, Jinxin Liu, Burak Kantarci, Melike Erol Kantarci, Murat Simsek
  • Patent number: 12218980
    Abstract: Techniques for using an end-to-end policy controller to utilize an inventory of enforcement points to generate a chain of enforcement points having capabilities to enforce individual operations of an intent-based security policy associated with an entity accessing a resource. A network controller may intelligently split an intent-based security policy and send portions thereof to enforcement points along a path configured for an entity to access a resource. For example, a portion of a security policy corresponding to an operation may be mapped to and implemented by an enforcement point having a capability to perform the operation. Once each operation of a security policy has been mapped to an enforcement point, a chain of enforcement points may be generated.
    Type: Grant
    Filed: December 27, 2022
    Date of Patent: February 4, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Andrew E. Ossipov, Robert Tappenden, Janardhanan Radhakrishnan, Chandrodaya Prasad
  • Patent number: 12216774
    Abstract: Methods and systems are presented for providing a data control framework that enables storing, sharing, and transferring of data in a secure manner. Data files stored in data repositories are scanned. Content associated with different sections of each data file is analyzed, and each section is tagged with a sensitivity level based on the content and a subject matter derived for the data file. Each data file is also assigned to a clearance classification based on an expected viewer of the data file. When sections from a first data file are being transferred to a second data file, a data control mechanism is triggered. If a particular section from the first data file is incompatible with the second data file, the data control mechanism may prevent the particular section from being transferred to the second data file, while allowing the remaining sections being transferred to the second data file.
    Type: Grant
    Filed: January 11, 2023
    Date of Patent: February 4, 2025
    Assignee: PAYPAL, INC.
    Inventors: George Chen Kaidi, Li Hua Lim, Rajasekaran Radhakrishnan, Sreeram Vasudevan
  • Patent number: 12217064
    Abstract: A correlation engine and policy manager (CPE) system includes: a persistent database, a cache database, an event gate, an event enricher, an event transformer, and an event dispatcher. The event gate obtains event data from at least one event source, and forwards the event data to the event enricher. The event enricher enriches the event data with additional data in the cached business layer data of the cache database, and forwards the enriched event data to the event transformer. The event transformer applies one or more policies in a cached business layer data of the cache database to the enriched event data to obtain transformed event data, and outputs the transformed event data to be stored in the persistent database. The event dispatcher dispatches output data to cause or prompt an action responsive to the transformed event data satisfying the at least one policy.
    Type: Grant
    Filed: January 14, 2022
    Date of Patent: February 4, 2025
    Assignee: RAKUTEN MOBILE, INC.
    Inventors: Jyoti Bose, Mihirraj Narendra Dixit, Surender Singh Lamba, Abhishek Sharma
  • Patent number: 12217008
    Abstract: Methods and systems are described for generating dynamic conversational responses sensitive to different emotional contexts using machine learning models. The dynamic conversational responses may be generated in real time and reflect the likely emotional context by detecting socially close entities and events in user input.
    Type: Grant
    Filed: February 22, 2022
    Date of Patent: February 4, 2025
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Alexandra Coman, Chihyen Yang, Rui Zhang, Jihoon Jay Song
  • Patent number: 12217271
    Abstract: Various embodiments leverage artificial intelligence in identifying and potentially resolving compliance issues (e.g., with regulatory requirements, client-specified requirements, certification conditions, etc.), or preventing violations of law, rules and regulations. The AI can be configured to automatically generate requests for information. For example, a system analysis component can be configured to identify a specific compliance target (e.g., a branch location) and select or automatically generate questions to collect responsive information to ensure compliance, identify potential violations, and define any evidence required to identify or resolve issues (e.g., prove compliance, support potential violations, flagged issues, etc.). According to one example, the system can use trained AI models to analyze a set of rules and/or requirements to efficiently build questionnaires to address or demonstrate compliance.
    Type: Grant
    Filed: May 24, 2024
    Date of Patent: February 4, 2025
    Assignee: Regulatory Intelligence Compliance Solutions, Inc.
    Inventor: Donna Sardanopoli
  • Patent number: 12218923
    Abstract: Contents of client-initiated handshake messages of a security protocol are obtained at a handshake processing offloader configured for an application. The offloader uses a first security artifact (which is inaccessible from a front-end request processor of the application) and the contents of the handshake messages to generate a second security artifact. The second security artifact is transmitted to the front-end request processor, which uses it to perform cryptographic operations for client-server interactions of the application.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: February 4, 2025
    Assignee: Amazon Technologies, Inc.
    Inventors: Neha Shetty, Steven Collison, Andrew Hourselt, James Christopher Sorenson, III, Douglas Stewart Laurence, Colm MacCárthaigh
  • Patent number: 12219459
    Abstract: Methods, apparatus, and systems for enabling an application function to influence access traffic steering, switching, splitting control are described. In one example aspect, a wireless communication method includes transmitting a request from an application function to a network function to enable a creation or an update of a policy or a rule for traffic routing. The request includes one or more parameters indicating traffic routing information for one or more user devices. The one or more parameters comprise at least an access type preference for the one or more user devices. The method also includes receiving a response from the network function indicating the creation or the update of the policy or the rule for traffic routing.
    Type: Grant
    Filed: July 14, 2022
    Date of Patent: February 4, 2025
    Assignee: ZTE Corporation
    Inventors: Xingyue Zhou, Jinguo Zhu, Shuang Liang
  • Patent number: 12218843
    Abstract: Examples described herein relate to a network device apparatus that includes a network interface card to process a received packet. In some examples, based on the received packet only including one or more frames for which acknowledgement of receipt is offloaded to the network interface card, generate an acknowledgement (ACK) message to acknowledge receipt of the received packet. In some examples, a frame for which acknowledgement of receipt is offloaded to the network interface card comprises a STREAM frame compatible with quick User Datagram Protocol (UDP) Internet Connections (QUIC). In some examples, a computing platform is coupled to the network interface card. In some examples, based on the received packet only including any frame for which acknowledgement of receipt is not offloaded to the network interface, the computing platform is to generate an ACK message for the received packet.
    Type: Grant
    Filed: January 5, 2024
    Date of Patent: February 4, 2025
    Assignee: Intel Corporation
    Inventors: Bo Cui, Stephen Doyle
  • Patent number: 12210868
    Abstract: Disclosed are various approaches for determining a version of an application for a user to access based at least in part on an overall posture of the user and the device launching the application. An application can support multiple delivery mechanisms to allow a user different ways to access the service provided by the application. A posture level (e.g., level of risk, level of compliance) associated with the overall posture of a device and user accessing an application is determined. The posture level can be used to select which version of the application should be launched by the device in order to provide the best experience for the user while ensuring that security is considered.
    Type: Grant
    Filed: November 1, 2022
    Date of Patent: January 28, 2025
    Assignee: Omnissa, LLC
    Inventors: Steven DeJarnett, Peter Björk, Martin Kniffin, Frank Stephen Taylor
  • Patent number: 12212605
    Abstract: Disclosed herein are system, method, and computer program product embodiments for managing and tracking the deployment of a cloud control within a cloud network where creation of the cloud control may be distributed between different user devices in the cloud network. A cloud control is implemented using a control policy which is composed of one or more components that provide functions for executing a functionality of the cloud control. A component workflow manager delegates control of the one or more components to different user devices and tracks the development workflow of the components as they progress through workflow states until they are ready for deployment within the cloud network.
    Type: Grant
    Filed: May 11, 2022
    Date of Patent: January 28, 2025
    Assignee: Capital One Services, LLC
    Inventors: Scott Russo, Anthony Nelson, Shashi Chappidi