Policy Patents (Class 726/1)
  • Patent number: 11906322
    Abstract: Provided are an environment map management device, an environment map management system, an environment map management method, and a program that are capable of generating a common environment map that takes into consideration privacy of each of the users simultaneously with securing a space covered by an environment map available to each of the users. A processing data transmitting section accesses an individual environment map available to a user of interest. The processing data transmitting section accesses a common environment map available to a plurality of users including the user of interest. A SLAM processing execution section adds, to the individual environment map, environment information generated on the basis of sensing data acquired by a tracker used by the user of interest. A transmitting control section controls whether or not to add the environment information to the common environment map, according to a privacy attribute corresponding to the environment information.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: February 20, 2024
    Assignee: Sony Interactive Entertainment Inc.
    Inventor: Yoshinori Ohashi
  • Patent number: 11909773
    Abstract: Systems and methods disclosed can evaluate security detection rules in a network security computing environment. Results for a processed log of security events can be retrieved. The results can identify determined outcomes for instances triggering security detection rules. The security detection rules can detect specific behavior on a network by being processed against a log of security events. Scores for the security detection rules can be determined based on the results of the processed log of security events and the determined outcomes. The security detection rules can be ranked based on the scores, from highest to lowest score. The highest score can indicate that a corresponding rule is performing worst among the security detection rules and the lowest score can indicate that a corresponding rule is performing best among the security detection rules. A rules score report can be generated based on the ranked rules.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: February 20, 2024
    Assignee: Target Brands, Inc.
    Inventors: Paul Hutelmyer, Adam Blake
  • Patent number: 11907366
    Abstract: The technology disclosed teaches incident-driven and user-targeted data loss prevention that includes a CASB controlling infiltration via cloud-based services storing documents in use by organization users, by monitoring manipulation of the documents. The CASB identifies the cloud-based services that the particular user has access to and at least one document location on the cloud-based services to inspect for sensitive documents, in response to receiving an indication that user credentials have been compromised. The CASB performs deep inspection of documents identified as stored at the location and detects at least some sensitive documents. Based on the detected sensitive documents, the CASB determines an exposure for the organization due to the particular user.
    Type: Grant
    Filed: July 22, 2022
    Date of Patent: February 20, 2024
    Assignee: Netskope, Inc.
    Inventor: Krishna Narayanaswamy
  • Patent number: 11907399
    Abstract: A highly secure networked system and methods for storage, processing, and transmission of sensitive information are described. Sensitive, e.g. personal/private, information is cleansed, salted, and hashed by data contributor computing environments. Cleansing, salting, and hashing by multiple data contributor computing environments occurs using the same processes to ensure output hashed values are consistent across multiple sources. The hashed sensitive information is hashed a second time by a secure facility computing environment. The second hashing of the data involves a private salt inaccessible to third parties. The second hashed data is linked to previously hashed data (when possible) and assigned a unique ID. Data dictionaries are created for particular individuals provided access to the highly secure information, e.g. researchers.
    Type: Grant
    Filed: April 13, 2023
    Date of Patent: February 20, 2024
    Assignee: Optum, Inc.
    Inventor: Robin Edison
  • Patent number: 11907943
    Abstract: Embodiments disclosed are directed to ensuring resource compliance within a cloud-based environment using a compliance system. The embodiments include steps for performing pre-provisioning checks of resources, such as network protocols, prior to their deployment within the cloud-based environment. The compliance system may include a number of components for performing the pre-provisioning check including a maintenance module, a collection module, and an evaluation module, which are used to evaluate the resource prior to deployment in the cloud-based environment.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: February 20, 2024
    Assignee: Capital One Services, LLC
    Inventors: Brian Lee Wong, Virendra K. Abelak, Steven Lott, Philip Austin Kedy
  • Patent number: 11909723
    Abstract: Techniques for auto-starting a VPN in a MAM environment are disclosed. A MAM-controlled application is launched on a computer system. Policy is queried and a determination is made as to whether to auto-start a VPN application based on the policy. Based on the policy, the VPN application is auto-started, and the VPN application initiates a VPN tunnel that is usable by at least the MAM-controlled application. Network communications transmitted to or from the MAM-controlled application then pass through the VPN tunnel.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: February 20, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: James Matthew Hamilton Oakley, Neil Adam Jacobson
  • Patent number: 11909765
    Abstract: Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: February 20, 2024
    Assignee: Imprivata, Inc.
    Inventors: David M. T. Ting, Alain Slak, Kyle Vernest
  • Patent number: 11907314
    Abstract: Methods and systems for generating an integrated structure for the data from disparate data domains that may be used to aggregate, compare, and/or provide recommendations based on the data available from the disparate domains. The integrated structure may further be accessible to users to perform functions (e.g., searches, filtering operations, etc.) in real-time and receive outputs (e.g., in a user interface).
    Type: Grant
    Filed: September 21, 2021
    Date of Patent: February 20, 2024
    Assignee: Snagajob.com, Inc.
    Inventors: John Moon, Keith Forshew, Ruhollah Farchtchi, Fabio Rosati
  • Patent number: 11909771
    Abstract: A Domain Name System (DNS) device stores data indicative of a user device and data indicative of a policy setting a level of access of the user device to a responding device. The DNS device receives, from the user device, a request for an Internet Protocol address of the responding device. The DNS device determines, based upon the request and the data indicative of the user device, that the policy applies to the request. The DNS device applies the policy in response to the determining.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: February 20, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Darrin Joseph Miller, Kevin Patrick Regan, Einar Nilsen-Nygaard
  • Patent number: 11907396
    Abstract: Described are methods and systems for using policies to comply with a person's request for data pertaining to the person, pursuant to applicable data privacy laws. A policy is retrieved responsive to receiving a query that includes data to identify records that store data pertaining to the person. The policy indicates first and second database objects, and respective first and second sets of fields, which store data that pertains to persons. The policy is applied. Applying the policy includes retrieving, as first values, data stored in the first set of fields of a first record associated with the data in the query, and retrieving, as second values, data stored in the second set of fields of a second record associated with the first record. The first and second values, and the names of the fields from which they were retrieved, are stored in a document.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: February 20, 2024
    Assignee: Salesforce, Inc.
    Inventors: Shivan Kaul Sahib, Marla Hay, Yvonne Zhou, Yu Chen
  • Patent number: 11902329
    Abstract: A system for managing security on a cloud management platform portal (CMPP (1)), the system comprising a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS (4)) so as to provision services to a customer, and a ServiceNow (2) (SNOW) application comprising at least one of a set of routines comprising at least one of certain specified network Standard Service Requests and/or network activity Standard Service Requests.
    Type: Grant
    Filed: December 16, 2020
    Date of Patent: February 13, 2024
    Assignee: AGARIK SAS
    Inventors: Konrad Clapa, Olena Zhuk
  • Patent number: 11899719
    Abstract: The system determines whether content such as an image is suitable for content modification based on one or more criteria. The system includes decision engines or modules configured to evaluate one or more suitability metrics based on corresponding criteria such as publication status, restriction status, context, compatibility, and classification. If content is unsuitable for content modification because of entities or context depicted therein, privacy status, incompatibility with content modification, properties of the content file itself, or other aspects, the system generates a tag indicating the content is unsuitable for content modification. If content is suitable for content modification because of entities or context depicted therein, publication status, compatibility with content modification, properties of the content file itself, or other aspects, the system generates a content modification tag indicating the content is suitable for content modification.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: February 13, 2024
    Assignee: Rovi Guides, Inc.
    Inventor: Alejandro Sanchez Pulido
  • Patent number: 11902233
    Abstract: Disclosed herein is an example communication apparatus that includes processor circuitry to execute instructions to: determine a context of a message; perform a comparison of the context of the message with a target recipient emotional state; apply a rule to select an action for the message based on the comparison; cause performance of the action; determine an effect of the action on an emotional state of a user; and update the rule based on the effect.
    Type: Grant
    Filed: August 23, 2022
    Date of Patent: February 13, 2024
    Assignee: Intel Corporation
    Inventors: Daria A. Loi, Ramune Nagisetty, Glen J. Anderson, Pete A. Denman
  • Patent number: 11899761
    Abstract: The present invention extends to methods, systems, and computer program products for identifying and consenting to permissions for workflow and code execution. Aspects of the invention can be used to automatically scan a workflow or code definition to identify (potentially all) the actions/triggers a workflow or program intends to perform on behalf of a user. The user is shown the actions/triggers the workflow or program intends to perform (e.g., at a user interface) before consent to perform the actions/triggers is granted. As such, a user is aware of intended actions/triggers of a workflow or program before granting consent. Further, since actions/triggers are identified from the workflow or code definition (and not formulated by an author), permission requests better align with permissions that workflow or program functionality actually uses during execution.
    Type: Grant
    Filed: May 26, 2022
    Date of Patent: February 13, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Sunay Vaishnav, Merwan Vishnu Hade, Stephen Christopher Siciliano, David Nissimoff, Fnu Anubhav
  • Patent number: 11899760
    Abstract: An automated system tracks digital service providers (DSP) data management agreements, and user behavior, individually and in aggregate, to determine potential changes for a personal/corporate privacy charter. The personal/corporate privacy charter is thus dynamically adaptable to permit users to continue to engage seamlessly in accordance with user/corporate target goals with digital service providers (DSPs) and similar entities.
    Type: Grant
    Filed: December 19, 2020
    Date of Patent: February 13, 2024
    Assignee: CAMBRIAN DESIGNS, INC.
    Inventors: Olaf Jonny Groth, Mark Jay Nitzberg, Manu Kalia, Tobias Christopher Straube, Daniel A Zehr
  • Patent number: 11895579
    Abstract: A system and method for automatic offload in multi SIM devices. The system comprises a learning module [108] to learn the SIM slot ID of the inserted desired operator, the structure alignment and field information, wherein feedback of the learnt information is provided to the network server [114]. A method selection module [110] analyzes the structure alignment and field information for mapping unique connection methods to different devices. A WiFi configuration and connection module [112] uses appropriate WiFi configuration and attempts connection to desired Service Providers enterprise Wi-Fi AP using the determined connection method.
    Type: Grant
    Filed: December 31, 2021
    Date of Patent: February 6, 2024
    Assignee: JIO PLATFORMS LIMITED
    Inventors: Devesh Chauhan, Vinita Kaushik, Hiren Patel, Abhilash Shrivastava
  • Patent number: 11895125
    Abstract: The present invention relates to a method and system for tracking the movement of data elements as they are shared and moved between authorized and unauthorized devices and among authorized and unauthorized users.
    Type: Grant
    Filed: April 24, 2023
    Date of Patent: February 6, 2024
    Assignee: QUICKVAULT, INC.
    Inventors: Steven V. Bacastow, Michael Royd Heuss
  • Patent number: 11893456
    Abstract: In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: February 6, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Tedaldi, Pierre-Andre Savalle, Sharon Shoshana Wulff, Jean-Philippe Vasseur, Grégory Mermoud
  • Patent number: 11895130
    Abstract: Various embodiments of the present invention provide methods, apparatuses, systems, computing devices, and/or the like that are configured to enable effective and efficient monitoring of software application frameworks. For example, certain embodiments of the present invention provide methods, apparatuses, systems, computing devices, and/or the like that are configured to perform software application framework monitoring using an interactive software application platform monitoring dashboard comprises a set of user interfaces (e.g.
    Type: Grant
    Filed: September 16, 2022
    Date of Patent: February 6, 2024
    Assignees: ATLASSIAN PTY LTD., ATLASSIAN US, INC.
    Inventors: Benjamin Walther, Brianna Malcolmson
  • Patent number: 11895158
    Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having security policy visualization. At least one embodiment is directed to a computer-implemented method for implementing security policies in a secured network, including: retrieving a set of rules of a security policy; analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy; and generating a visual presentation on a user interface using results of the SMT operations, where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions. In at least one embodiment, two or more security policies are presented with visual indicia representing differences between the security policies, including representations of one or more targeted policy dimensions with respect to one or more fixed policy dimensions.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: February 6, 2024
    Assignee: Forcepoint LLC
    Inventors: Lawrence Bruce Huston, III, David Coffey, Andrew Mortensen
  • Patent number: 11893131
    Abstract: A system, method, and computer-readable media for providing contextual data loss prevention (DLP) within a group-based communication system. At least a portion of a DLP policy may be suspended within a DLP engine based on a context for which a user input is to be displayed. Accordingly, the user input may be displayed without interference from the DLP engine.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: February 6, 2024
    Assignee: Salesforce, Inc.
    Inventor: Felipe Ryan
  • Patent number: 11895121
    Abstract: A method includes executing a configuration engine on one or more data processing device(s) of a computing system. In accordance with the execution, the method also includes discovering at least a subset of a number of resources associated with a target environment of the computing system, generating an environment definition associated with the target environment, building baseline configurations, policies, and metadata for at least the subset of the number of resources, and versioning the aforementioned data.
    Type: Grant
    Filed: March 20, 2023
    Date of Patent: February 6, 2024
    Assignee: CAPITIS SOLUTIONS INC.
    Inventors: Samiul Karim, Vikas K. Gupta, Eric C. Hein, Sanjay K. Kunchakarra, Prasad V. Kunchakarra
  • Patent number: 11895151
    Abstract: A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: February 6, 2024
    Assignee: CLOUDFLARE, INC.
    Inventor: Javier Castro
  • Patent number: 11893123
    Abstract: In some aspects, a method for mediation of a screenshot capture by a client application based on policy includes identifying, by a client application on a client device, a policy for mediating one or more screenshots of content displayed via the client application. An embedded browser within the client application accesses a network application of one or more servers. The method further includes intercepting, by the client application, a request to capture a screenshot of at least a portion of the network application being displayed, determining, by the client application, one or more mediation actions to perform on the screenshot responsive to the policy, performing, by the client application, the one or more mediation actions on the screenshot, and providing, by the client responsive to the request, the screenshot resulting from the one or more mediation actions.
    Type: Grant
    Filed: March 4, 2021
    Date of Patent: February 6, 2024
    Inventor: Abhishek Chauhan
  • Patent number: 11888900
    Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: January 30, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Matthew Scott Robertson, David McGrew, Timothy David Keanini, Sunil Amin, Ellie Marie Daw
  • Patent number: 11888804
    Abstract: Methods and systems are disclosed for enhancements in email communication. In some embodiments, address-context information of an email message is rendered to aid the user in various user interface scenarios. These scenarios include user interfaces for a Reply All command and a Send command. The activation of the Reply All command in some embodiments is enabled with a predefined gesture on the user interface that is different from a gesture or gestures used for other commands such as the Reply command. The gesture required for the activation of the Send command can be changed based on the command that was activated to create the email message to be sent.
    Type: Grant
    Filed: November 29, 2021
    Date of Patent: January 30, 2024
    Assignee: Zoho Corporation Private Limited
    Inventor: Sudheer A Grandhi
  • Patent number: 11888968
    Abstract: A signature device (30) acquires a signature key SK(x⃗) in which an attribute vector x⃗ is set over a basis B* of a basis B and the basis B*, which are dual bases in dual vector spaces. The signature device (30) generates a signature sig for a message MSG by setting predicate information of arithmetic branching programs (ABP) for the signature key SK(x⃗). The signature device (30) outputs the signature sig and the message MSG to a verification device (40).
    Type: Grant
    Filed: July 22, 2021
    Date of Patent: January 30, 2024
    Assignees: MITSUBISHI ELECTRIC CORPORATION, NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Katsuyuki Takashima, Tatsuaki Okamoto, Pratish Datta
  • Patent number: 11888857
    Abstract: A risk-aware access control system and related methods are provided. In accordance with one aspect of the present disclosure, there is provided a method of risk-aware access control, comprising: detecting a request to perform an action with respect to two factors, the factors being of a factor type selecting people, devices, documents, and location, wherein the factors are of a different factor type; determining a coupling associated with the requested action based on the factors of the requested action; determining a risk level associated with the coupling; denying the requested action in response to a determination that the risk level does not match a security policy; and allowing the requested action in response to a determination that the risk level matches the security policy.
    Type: Grant
    Filed: December 21, 2020
    Date of Patent: January 30, 2024
    Assignee: BlackBerry Limited
    Inventors: Andrew James Malton, Andrew Eric Walenstein, Jinxin Liu, Burak Kantarci, Melike Erol Kantarci, Murat Simsek
  • Patent number: 11886310
    Abstract: Systems, computer program products, and methods are described herein for implementing an intelligent validation protocol within a cloud infrastructure. The present invention is configured to receive a request to invoke the intelligent validation protocol on one or more cloud service component clusters; determine one or more operating systems associated with the one or more cloud service component clusters; determine one or more validation requirements for the one or more operating systems; dynamically invoke, using the intelligent validation protocol, a multi-checkpoint validation subroutine on the one or more operating systems; determine whether the one or more operating systems meet the one or more validation requirements; initiate a dashboard script configured to generate an analysis interface indicating whether the one or more operating systems meet the one or more validation requirements; and transmit control signals configured to cause the computing device of the user to display the analysis interface.
    Type: Grant
    Filed: August 3, 2021
    Date of Patent: January 30, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Syed Kareemuddin, Mohammed Abdul Azam
  • Patent number: 11886577
    Abstract: Disclosed herein are systems and methods for protecting a user's devices based on types of anomalies. In one aspect, an exemplary method comprises, determining, by a feature determiner, one or more values of features of a user's activity performed using at least one of the user's devices, detecting, by an anomaly detector, anomalies indicative of at least one threat to information security of the user's devices based on the one or more values of the features, for each detected anomaly, identifying, by the anomaly detector, a type of the anomaly and at least one device that is a source of the anomaly, wherein the type of anomaly is identified using an anomaly classifier and one or more values of features, and for each user's device, modifying, by a device protector, one or more information security settings of the user's device based on the identified type of the anomaly.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: January 30, 2024
    Assignee: AO Kaspersky Lab
    Inventors: Anton V. Tikhomirov, Evgenii Shchetinin
  • Patent number: 11886558
    Abstract: Methods and systems for authenticating users based on contextual data in a privacy preserving way are disclosed.
    Type: Grant
    Filed: November 22, 2021
    Date of Patent: January 30, 2024
    Assignee: OneSpan North America Inc.
    Inventor: Pradip Mainali
  • Patent number: 11888748
    Abstract: Techniques are directed to controlling access to resources on a message bus of a network communication device. The techniques may include, by the network communication device, processing a message bus access policy file uniquely corresponding to a process. The message bus access policy file may include a certificate securely associating the message bus access policy file with the process. The techniques may further include, by the network communication device, based at least in part on the processing the message bus access policy file, exposing one or more resources of the network communication device to the process on the message bus, in a manner corresponding to at least one resource access permission indication contained within the message bus access policy file.
    Type: Grant
    Filed: December 30, 2022
    Date of Patent: January 30, 2024
    Assignee: ITRON, INC.
    Inventors: Scott Dale Brown, Andrew Keats, Matthew Rockey, Jason Estes
  • Patent number: 11882157
    Abstract: A method includes: generating a manifest of assets during the target time interval; labeling each asset in the manifest of assets with a set of attributes exhibited by the asset during the target time interval; defining a first attribute category exhibiting a first combination of attributes; assigning a first action to the first attribute category; identifying a subset of assets in the manifest of assets matching the first attribute category, each asset in the subset of assets exhibiting a set of attributes including the first combination of attributes; and executing the first action on the first subset of assets.
    Type: Grant
    Filed: January 25, 2023
    Date of Patent: January 23, 2024
    Assignee: Sevco Security, Inc.
    Inventors: Jeffrey J. Guy, Dean Mekkawy, Jeremiah Clark, Nevins Bartolemeo, Aaron Griffin, Michael Alfonse, Jacob Hackett, Nick Murdock, Jim LoRusso, Jason McFarland, Luis Diego Cabezas
  • Patent number: 11881939
    Abstract: A system provides for authorization of data access and processing functions within a distributed server network using a delegated proof-of-stake consensus mechanism. In particular, the system may assign authorization levels to each node within the network environment. Certain actions or processes performed within the network (e.g., potentially damaging actions) may require that the node proposing the action meets a threshold authorization level before authorizing the action. The system may further increase or decrease authorization levels for each node depending on the outcomes of the proposed actions. In this way, the system may provide a secure way to authorize certain actions or processes taken within a computing environment.
    Type: Grant
    Filed: October 5, 2021
    Date of Patent: January 23, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Lydia Lambright
  • Patent number: 11882055
    Abstract: A transactional method and system of managing access to API services based on the performance of computational tasks by an end-user is disclosed. The system and method are configured to identify requests from an end-user to an API for services that are associated with a transactional cost. This cost is passed on to the end-user by generation of a computational task assignment to be completed by the client computing system. Once the assignment has been performed, the end-user may be granted access to the requested service.
    Type: Grant
    Filed: July 12, 2022
    Date of Patent: January 23, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Yevgeniy Viatcheslavovich Khmelev, Christopher Russell, Deborah Janette Schulz, David Morley, Gregory Brian Meyer, Ryan Thomas Russell
  • Patent number: 11881957
    Abstract: The method comprises the steps of: the Policy and Charging Rules Function (PCRF) receiving (Step 1) user's subscription information, in order to determine an initial policy; the Policy and Charging Enforcement Function (PCEF) applying (Step 2) the initial rules; the Policy and Charging Enforcement Function (PCEF) triggering (Step 3) the Extended Online Charging System (EOCS) for the user's service/network resource usage; the Extended Online Charging System (EOCS) rating and charging (step 4) the user, in real time; the Extended Online Charging System (EOCS) triggering (Step 5) a change of policy in the Policy and Charging Rules Function (PCRF); the Policy and Charging Rules Function (PCRF) determining (Step 6) new rules for the new policy; the Policy and Charging Enforcement Function (PCEF) receiving (Step 7) the new rules and applying them.
    Type: Grant
    Filed: July 7, 2021
    Date of Patent: January 23, 2024
    Assignees: ALCATEL LUCENT, NOKIA OF AMERICA CORPORATION
    Inventors: Kim Brouard, Thomas Levy, Yigang Cai
  • Patent number: 11881938
    Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.
    Type: Grant
    Filed: August 24, 2022
    Date of Patent: January 23, 2024
    Assignee: McAfee, LLC
    Inventors: Tirumaleswar Reddy Konda, Shashank Jain, Himanshu Srivastava, Naveen Kumar Reddy Kandadi, Piyush Pramod Joshi
  • Patent number: 11880360
    Abstract: The present invention extends to methods, systems, and computer program products for deriving unified insights and logs from DevOps CI/CD tools and pipeline data. In general, a data transformer facilitates data normalization and serialization converting raw data across multiple DevOps tools and stores the data into a Data Lake in accordance with a customized schema. A continuous orchestrator sequences, aggregates and contextualizes the logs, providing an intuitive way of troubleshooting issues across a DevOps environment, historical data for compliance and audit purposes, and a build manifest for root cause analysis. The continuous orchestrator also processes the logs and leverages a KPI framework, providing intelligent dashboards across 90+ KPIs and a plurality of different dimensions (Planning, Development/pipelines, security, quality, operations, productivity and source code) to help customers make smart decisions and do more with less.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: January 23, 2024
    Assignee: Opsera Inc.
    Inventors: Ravi Kumar Chivukula, Chandra Ranganathan, Vasanthavishnu Vasudevan, Sundar Rajan Renganathan, Tejas Bharadwaj, Shrey Malhotra, Venkat Yuvraj, Phani Sree Harsha Pullabhatlapogada, Kishore Rajan
  • Patent number: 11876836
    Abstract: A system and computerized method for generating an improved cyber-security rule ordering for cyber-security threat detection or post-processing activities conducted by a rules-based cyber-security engine deployed within a network device is described. Herein, historical metadata associated with analytics conducted on incoming data by a rule-based cyber-security engine and in accordance with a plurality of rules is described. These rules are arranged in a first ordered rule sequence. The historical metadata is analyzed to determine one or more salient rules from the plurality of rules. The plurality of rules are reprioritized by at least rearranging an order to a second ordered rule sequence with the one or more salient rules being positioned toward a start of the second ordered rule sequence. Thereafter, the rule-based cyber-security engine operates in accordance with the reprioritized rule set that is arranged in the second ordered rule sequence to achieve improved performance.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: January 16, 2024
    Assignee: Musarubra US LLC
    Inventors: Paul Schottland, Chinmoy Dey, Christopher Glyer
  • Patent number: 11868478
    Abstract: Configuration monitoring is performed using a computer-based system and method by identifying misconfigured settings through the collection of large amounts of configuration data from diverse sources. The configuration data is then analyzed to identify misconfigured items. Automation of such configurations is implemented using machine learning to analyze existing configurations as well as new configurations. By using machine learning, the computer-based system and method can predict a pass state or a fail state of the configuration of a newly connected system in an organization. A logistic regression classifier is trained using old complying configuration data and data reflecting industry standards. The trained classifier can predict and classify whether a new configuration passes or fails the industry standards based on the training data of old configuration data.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: January 9, 2024
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventors: Johara Abdulrahman Al Jarri, Aasim Ajaz
  • Patent number: 11870818
    Abstract: A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.
    Type: Grant
    Filed: February 28, 2023
    Date of Patent: January 9, 2024
    Assignee: CLOUDFLARE, INC.
    Inventors: Edwin Donald Sutherland, Sheril Nagoormeera
  • Patent number: 11868798
    Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.
    Type: Grant
    Filed: August 22, 2022
    Date of Patent: January 9, 2024
    Assignee: Orca Security Ltd.
    Inventor: Avi Shua
  • Patent number: 11861405
    Abstract: Methods, computer program products, and systems are presented. The methods, computer program products, and systems can include, for instance: receiving, by a manager node, from a plurality of compute nodes metrics data, the manager node and the plurality of compute nodes defining a first local cluster of a first computing environment, wherein nodes of the compute nodes defining the first local cluster have running thereon container based applications, wherein a first container based application runs on a first compute node of the plurality of compute nodes defining the first local cluster, and wherein a second compute node of the plurality of compute nodes defining the first local cluster runs a second container based application; wherein the manager node has received from an orchestrator availability data specifying a set of compute nodes available for hosting the first application.
    Type: Grant
    Filed: April 29, 2020
    Date of Patent: January 2, 2024
    Assignee: Kyndryl, Inc.
    Inventor: Vishal Anand
  • Patent number: 11853110
    Abstract: Disclosed is a system to optimize rule weights for classifying access requests so as to manage rates of false positive and false negative classifications. A rules suggestion engine may suggest a profile of classification rules to a merchant for access requests. The system can optimize weights for the profile of rules using a cost function based on a training set of historical access requests, for example using stepwise regression or machine learning (ML). The system can compute a profile score based on the optimized weights, for example by summing the weights. The system statistically analyzes the profile score using classification thresholds and the historical access requests. The system can perform receiver operating characteristic (ROC) analysis for various threshold values, enabling a user to select a suitable threshold. The system can further optimize by adding or removing rules from the profile of rules.
    Type: Grant
    Filed: December 21, 2022
    Date of Patent: December 26, 2023
    Assignee: Visa International Service Association
    Inventors: Benjamin Scott Boding, Ge Wen
  • Patent number: 11853420
    Abstract: The innovation disclosed and claimed herein, in one or more aspects thereof, illustrates systems and methods for providing a technical control to a technically pervasive problem of inadvertent capture of items in a computing environment, returning control of what happens to such items in technical environments that have become widespread and intrusive. The innovation provides a system for users to control the types of items that pervasive computing environment elements may process without their express control and with technical countermeasures in a relatively unobtrusive manner.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: December 26, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Nilotpol Bhattacharya, Priyankant Singh, Satish Babu S N
  • Patent number: 11856002
    Abstract: The technology disclosed herein enables a consumer to verify the integrity of services running in trusted execution environments. An example method may include: receiving, by a broker device, a request to verify that a service is executing in a trusted execution environment, wherein the request comprises data identifying the service; determining, by the broker device, a computing device that is executing the service; initiating, by the broker device, a remote integrity check of the computing device executing the service; receiving, by the broker device, integrity data of the trusted execution environment of the computing device; and providing, by the broker device, the integrity data to a consumer device associated with the service.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: December 26, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Lilian Sturmann
  • Patent number: 11853455
    Abstract: Systems, methods and non-transitory computer readable media for controlling access in privacy firewalls are provided. A request to access a content of an element may be received, the content of the element may include a first portion and a second portion, the first portion may include identifiable information and the second portion may include no identifiable information. A permission record corresponding to the element may be accessed. In response to a first value in the permission record, access may be provided to the content of the element, including access to the first and second portions, and in response to a second value in the permission record, partial access may be provided to the content of the element, the partial access may include access to the second portion and may exclude access to the first portion.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: December 26, 2023
    Assignee: LYNX MD LTD
    Inventors: Omer Dror, Ofir Farchy
  • Patent number: 11855974
    Abstract: Described herein are techniques for providing one or more users with access to content obtained from a plurality of content providers. In some embodiments, such techniques may comprise maintaining a number of access credentials associated with a plurality of different content providers, obtaining access to a plurality of media content libraries, each of the plurality of media content libraries managed by a content provider of the plurality of different content providers, and providing the plurality of media content libraries to at least one user device as a single library of media content. Such techniques may further comprise receiving, from the user device, a selection of a media content from the single library of media content and providing, to the user device, access to the selected media content within a corresponding media content library of the plurality of media content libraries using an access credential.
    Type: Grant
    Filed: February 4, 2021
    Date of Patent: December 26, 2023
    Assignee: T-Mobile USA, Inc.
    Inventors: Michael Burbo, Nicholas Seitz
  • Patent number: 11856072
    Abstract: A terminal receiving a push message is provided. The terminal sets a service control condition which specifies an application identifier (app ID) corresponding to a service that the terminal is allowed to receive, wherein the service control condition is contained in a push message control policy. The terminal then receives a push message, matching the push message control policy, sent by a server.
    Type: Grant
    Filed: November 14, 2022
    Date of Patent: December 26, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Shunan Fan, Guoqiao Chen, Lei Wang, Ting Dong, Huiping Zhang, Jian Yang
  • Patent number: 11856003
    Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
    Type: Grant
    Filed: May 26, 2021
    Date of Patent: December 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II