Abstract: A communication control apparatus according to one aspect of the present invention determines whether a message to be transmitted from an information processing apparatus include at least one attached file, when the message is transmitted from the information processing apparatus to one or more destinations via a network. When the communication control apparatus has determined that the message to be transmitted includes said at least one attached file, the communication control apparatus acquires approval of transmission of said at least one attached file from an approver, and transmits the message including said at least one attached file to said one or more destinations, on condition that approval of transmission of said at least one attached file has been received from the approver.

Abstract: Systems and methods for securing data transmissions using distance measurements are disclosed. A mobile device (such as a smart phone) and a base station can use ultra-wideband technology to determine the distance between the two devices. The distance measurements produced by the mobile device and the base station can be compared, directly or indirectly by the mobile device, the base station, and/or an access device to determine whether the mobile device is present at an access device or if the mobile device is not present at the access device (as expected during a relay attack). If the mobile device is not present at the access device, the access device can prevent or cancel an interaction based on the data transfer (e.g., opening a locked door of a secure building in response to receiving an access credential from the mobile device).

Abstract: Various embodiments of an apparatus, method(s), system(s) and computer program product(s) described herein are directed to a Geographic Archiving Engine. The Geographic Archiving Engine identifies a geographical region associated with a regulated user account requesting access to a virtual meeting. The Geographic Archiving Engine instantiates a regional virtual meeting participant instance for the identified geographical region. The Geographic Archiving Engine captures, via the regional virtual meeting participant instance, a communication channel(s) of the virtual meeting. The Geographic Archiving Engine generates an archival file(s) based on the communication channel data captured by the regional virtual meeting participant instance. The Geographic Archiving Engine generates a translated file(s) by applying a compliance policy, associated with a regulated user account(s), to the one or more archival files.

Abstract: Systems and methods for dynamic, hyper context-based microsegmentation are described. In one aspect, a computing device is detected on a network. A network hyper context is assigned to the computing device based on network properties and computing device properties associated with the computing device. A policy defining a segment identifier identifying a network segment and corresponding to the network hyper context is accessed. The segment identifier is assigned to the computing device. The computing device is segmented onto the network responsive to detecting the computing device.

Abstract: The present disclosure includes, responsive to a request from a user device, performing a security check based on policy associated with the user device, wherein the policy includes setting related to content filtering and security; responsive to the security check, performing one of: directly allowing the request to the Internet based on the security check determining the request is allowed by the settings; directly blocking the request based on the security check determining the request is disallowed by the settings; and forwarding the request to a system for inline inspection based on the security check determining the request includes suspicious content, wherein responsive to the inline inspection, the request is one of allowed and blocked.

Abstract: A computer implemented method of remote access computer security, the method comprising steps a computer processor is programmed to perform, the steps comprising: by a computer, receiving and combing data on a client device, data on a user of the client device, data on a network, and data on an information technology service, determining a policy for controlling remote access to the information technology service based on the combined data, and controlling remote access of the user to the information technology service using the remote client device over the network, based on the determined policy.

Abstract: A process for establishing a future 2-way authentication between a client application and an application server. In operation, an OIDC server receives a request from the client application to establish a secure connection from the client application. The request includes a certificate generated using a public-private key pair associated with the client application or a user, and authentication credentials associated with the client application or the user. The OIDC server establishes that the authentication credentials are valid, and provisions a cryptographic identifier of the certificate associated with the request to a list of trusted certificates. The OIDC server then provides one or more application servers with access to the list of trusted certificates to enable the application servers to authenticate the client application based on verifying that cryptographic identifier of the certificate presented by the client application is provisioned into the list of trusted certificates.

Abstract: A service for providing messaging extension apps can be an online store that can be browsed and searched for the apps. The store uses extension app identifiers which are related to app identifiers that are sent between devices in a conversation of messages so that a receiving device can, when it does not have the extension app installed to interact with received content, use the extension app identifier to download and install the required extension app. In one embodiment, the download and install can occur while the messaging app remains the foreground app, and the messaging app adds an icon of the newly installed extension app into a browsable tray in the UI of the messaging app.

Abstract: The method for automatically generating a playbook performed by a computing apparatus according to the present disclosure comprises periodically collecting asset information and CTI (Cyber Threat Intelligence) information of a target network, extracting TTP (Tactics, Techniques, Procedure) information using the collected asset information and the collected CTI information, retrieving a data source of the extracted TTP information, generating a temporary playbook including a data component matching a detection method of the extracted TTP information among a plurality of data components of the retrieved data source, verifying validity of the temporary playbook based on data component order information of the temporary playbook and determining whether rearrangement of data components included in the temporary playbook is needed, and rearranging data components included in the temporary playbook, and storing it as a final playbook.

Abstract: A node, that includes a processor executing a first operating system, a peripheral port connected to a peripheral device, where the peripheral port is configured to block access to the peripheral device, a system control processor executing a second operating system, where the system control processor is configured to perform a method for providing access of the peripheral device to the first operating system, the method that includes receiving a peripheral access message from a remote authentication server, where the peripheral access message includes a peripheral device identifier associated with the peripheral device, and in response to receiving the peripheral access message, unblocking the access to the peripheral device.

Abstract: Disclosed are various approaches to automate vulnerability assessment implement policy-based mitigation. A plurality of vulnerability records from respective ones of a plurality of vulnerability feeds are aggregated. Each of the plurality of vulnerability records are stored in a standardized format. A plurality of enterprise-specific severity scores are generated by calculating an enterprise-specific severity score for each of the plurality of vulnerability records. Then, a web page can be created that includes at least a subset of the plurality of enterprise-specific severity scores and respective ones of the plurality of vulnerability records.

Abstract: Described herein are techniques for providing one or more users with access to content obtained from a plurality of content providers. In some embodiments, such techniques may comprise maintaining a number of access credentials associated with a plurality of different content providers, obtaining access to a plurality of media content libraries, each of the plurality of media content libraries managed by a content provider of the plurality of different content providers, and providing the plurality of media content libraries to at least one user device as a single library of media content. Such techniques may further comprise receiving, from the user device, a selection of a media content from the single library of media content and providing, to the user device, access to the selected media content within a corresponding media content library of the plurality of media content libraries using an access credential.

Abstract: Systems, devices and processes are provided to facilitate the authentication of media player devices for media streaming. Specifically, the various embodiments provide a media player device authentication technique that monitors the locations of media player devices to determine a pattern of device co-location with a primary device. The media player devices can then be selectively designated as confirmed devices based on their determined pattern of device co-location with a primary media player device. Those media player devices that are designated as confirmed devices can then be selectively enabled for media streaming. Conversely, media player devices that are not designated as confirmed devices based on a pattern of co-location can be prevented from receiving media streams even when they have the correct login information and password.

Abstract: A method scalably authorizes requests. A request to authorize access to a resource is received. A plurality of policies controlling the request is identified. The plurality of policies are concurrently processed. A decision for a policy is received. The decision is of a plurality of decisions corresponding to the plurality of policies. The policy is of the plurality of policies. The decision is determined using a machine learning model and the request. An aggregate decision is generated from the plurality of decisions. A token to access the resource is transmitted in response to the aggregate decision.

Abstract: Systems and methods are described for improving the utilization of an extended display system. Some aspects relate to an extended display generator having an input stream module to generate or receive input streams. Input streams may be generated locally (e.g., by a game engine) or remotely (e.g., from the internet). A function module of the generator provides functions that modify or extract information from the input streams. Then extended display generator applies a template to the input streams and function outputs, defining how such display content is presented to a user. A graphical user interface is used to specify which input streams, functions, and visual template should be used. The extended display shows the selected input stream(s) and the functional output(s) in a format defined by the visual template.

Abstract: Aspects of the present disclosure are directed to controlling access to resources in a network. In an embodiment, a gateway system receives a packet requesting access to a resource in the network, and identifies access control policies to be applied in determining whether or not to permit access to said first resource. The gateway system applies a higher-layer policy and then a lower-layer policy on the packet to determine whether or not to forward the packet to the network and forwards the packet to the network only if it is determined to forward the packet. The higher-layer policy and lower-layer policies are according to respective layers of a networking model.

Abstract: A stream of events is received at a local security agent running on an endpoint at an enterprise network. The local security agent may detect an event of a first event type and may generate an aggregate event with subsequent events of the first event type in the stream. The local security agent may then transmit the aggregate event to a security resource for detecting security threats.

Abstract: Systems and methods include identifying a cloud application; performing one or more automated scripts to determine a first set of attributes of the cloud application; obtaining a second set of attributes of the cloud application based on a manual analysis; obtaining weighting factors for the first set of attributes and the second set of attributes; determining a risk score of the cloud application based on the first set of attributes and the second set of attributes and the associated weighting factors; and displaying the risk score of the cloud application. The steps can further include enforcing security policies for the cloud application based on the risk score, such as via one of a cloud-based system and a Cloud Access Security Broker (CASB) system.

Abstract: Various example embodiments for supporting security for containerized applications may be configured to support security for containerized applications deployed to customer devices. Various example embodiments for supporting security for containerized applications that are deployed to customer devices may be configured to properly secure and validate containerized applications that are deployed to customer devices.

Abstract: The present technology discloses storing data in a peer-to-peer network. A first computing device identifies other computing devices in the peer-to-peer network. Each of the computing devices have an established social relationship with at least another one of the computing devices. A degree of connection between the first computing device and each of the other computing devices is detected. A group of the other of computing devices is selected based on the degree of connection for storing the data, and a storage trust level is assigned to each of the other computing devices in the group. The storage trust level of each of the other computing devices is based on the established social relationship. The data is then transmitted to each of the other computing devices in the group for storage.

Abstract: An asynchronous stream of security events is added to a data lake for enterprise security by identifying groups of related events related to a security threat, and creating rules to fold these related events into a single security event along with metadata. The folding rules may then be applied to security events in the event stream to compress data in the data lake and improve detection efficiency.

Abstract: A software mechanism for controlling data use in compliance with applicable legal standards and directives via a symbolic instruction set that additionally creates a mathematical net-sum to provide a data compliance validation key for use of that data in software, firmware and hardware. In some embodiments, the software mechanism identifies and tags via a symbolic instruction set the standards and directives applicable to data elements as a result of laws, technical and industry standards, contractual obligations, and other sources of norms, in order to streamline data compliance in forthcoming uses of that data. In other embodiments, a symbolic instruction set creates compliance-validation keys utilizing a net-sum method across applicable data norms to provide cryptographic zero-knowledge proof of the compliance of such data for software, firmware and hardware uses.

Abstract: A computer-implemented method of generating in a display a dynamic accessibility diagram representing a firewall configuration of a firewall in a computer network. A computer generates in the display a pair of concentric rings representing the firewall, including outer and inner concentric rings each having segments respectively representing remote address ranges and local address ranges of the ACL rules. Selection of a segment causes generation of an accessibility curve between the selected segment and a pairing segment, thereby graphically representing accessibility between the corresponding remote and local address ranges.

Abstract: A method for monitoring endpoint devices affiliated with a computer network includes: for each security technology, accessing a set of objects generated by the security technology during a time interval and representing characteristics endpoint devices configured with the security technology, partitioning object groups representing individual endpoint devices, and aggregating characteristics represented in each object group into an endpoint device container associated with the security technology and containing identifying data and status data representing one endpoint device; identifying a first subset of endpoint devices configured with first and second security technologies based on correspondence between data contained endpoint device containers associated with the first and second security technologies; and identifying a second subset of endpoint devices configured with the first security technology and excluding the second security technology based on absence of correspondence between data contained in

Abstract: A constrained decoding technique incorporates token constraints into a beam search at each time step of a decoding process in order to generate viable candidate sequences that are syntactically and semantically correct. The token constraints identify source code tokens or sequences of tokens that should appear in a candidate sequence. The token constraints are generated from checking whether a token predicted at each decoding step is feasible for a partial solution based on the production rules of the grammar of the programming language, the syntactic correctness of a partial sequence, and/or static type correctness.

Abstract: There is provided a data processing apparatus that includes an input policy filter that receives input data and an input provenance that relates to the input data. The filter forwards some or all of the input data and the input provenance according to at least one input policy. A processing environment receives the input data forwarded by the input policy filter and processes the input data to generate output data. A management environment produces an attestation of the processing environment and produces an output provenance based on the input provenance and the attestation. An output policy filter receives the output data and the output provenance and forwards the output data and the output provenance according to at least one output policy.

Abstract: In some implementations, a scheduling system may receive a scheduling tag to define a custom schedule that includes one or more downtime windows for a cloud resource over a scheduling period. The scheduling system may determine a regular continuous schedule for the cloud resource that recurs over multiple scheduling periods based on the one or more downtime windows defined in the scheduling tag. The scheduling system may determine at a current scan time, whether a target state for the cloud resource is a running state or a suspended state based on the one or more uptime windows and the one or more downtime windows included in the regular continuous schedule. The scheduling system may align a current state of the cloud resource with the target state.

Abstract: Symbolic link based placeholders are used for cloud stored data synchronization. To synchronize cloud stored data, placeholders may be implemented as bidirectional symbolic links to a location that has a custom virtual file system (VFS) mounted. When a symbolic link is opened, the operating system may be directed to the custom VFS. The custom VFS may hydrate the file through a synchronization engine, and place the hydrated file at the location of the original symbolic link. The custom VFS may then redirect back to the primary file system of the operating system to allow the operation on the file to complete. Complexity and resource consumption may be reduced by passing placeholder requests instead of all requests through the custom VFS.

Abstract: A method is provided for performing selective inspection of network traffic associated with a plurality of network-connected smart devices using a Man-In-The-Middle (MITM) gateway. The MITM gateway operate in a first mode or a second mode for each of the network-connected smart devices. The first mode configures the MITM gateway to perform inspection of network traffic associated with the respective network-connected smart device, and the second mode configures the MITM gateway to not perform any inspection of network traffic associated with the respective network-connected smart device. The MITM gateway is changed to operate in the second mode for a respective network-connected smart device when it is detected that the MITM gateway operating in the first mode is adversely affecting the operation of the respective network-connected smart device.

Abstract: A technique to provide early detection of ransomware is disclosed. Message traffic from secure gateways is monitored. Statistical anomaly detection and behavioral anomaly detection is performed. Visualization and alerts may be generated to aid operators to identify ransomware attacks and take proactive measures. In one implementation, the early detection of ransomware is performed in the cloud.

Abstract: A dynamic API security policy is enforced at runtime. This can be done without having access to the API specification or code. A flow of execution initiated by the API is tracked at runtime, and a data object used by the API is identified. Specific data labels are assigned to specific fields of the data object used by the API. The specific data labels consistently identify data fields of specific types. The API security policy that is enforced prohibits specific actions concerning data fields of specific types, which are also consistently identified in the security policy. Actions in the tracked flow of execution that violate the API security policy are detected at runtime, and security actions are taken in response. In some implementations, these dynamic API security techniques are supplemented with static API security analysis of an API specification and a set of rules concerning API risk assessment.

Abstract: Disclosed are various embodiments for configurable security policies in radio-based networks. In one embodiment, a security event detection rule or a security event mitigation rule for a radio-based network is accessed. The radio-based network includes a radio access network and an associated core network. At least a portion of the radio-based network is operated by a cloud provider on behalf of an organization. A security event is detected based at least in part on the security event detection rule. At least one action is performed in response to the security event based at least in part on the security event mitigation rule.

Abstract: Presented is a network security system (NSS) that reliably detects malleable C2 traffic. The NSS intercepts outgoing transactions from user devices associated with user accounts. The NSS filters out transactions to known benign servers and analyzes remaining transactions for indicators of malleable command and control (C2) including heuristic, anomalous, and pattern-based detections. The NSS lowers the user confidence score associated with the user account or the user device based on the severity and number of detected indicators for each impacted outgoing transaction. When the user confidence score decreases below a threshold, the NSS implements a restricted security protocol for future outgoing transactions. Based on the detected indications, the NSS can identify malleable C2 attacker servers and add them to a blacklist of destination servers to further identify infected user accounts and devices.

Abstract: Disclosed are approaches for a launcher application with connectivity detection for shared mobile devices. In some examples, among others, a management service component, a client device component, an enterprise environment component, or other connectivity endpoints associated with a plurality of applications can be identified. At least one response to requests transmitted to the connectivity endpoints can be received. A mode of connectivity can be determined based on the response. An application which is launchable in the mode of connectivity can be launched in an instance in which a selectable representation for the application is selected in a user interface.

Abstract: Data storage techniques for services in a network are described herein. In an example, a computer system determines a mapping between a first data schema associated with first data storage by a first service in a first data store and a second data schema associated with second data storage by a second service in a second data store. The computer system receives an event associated with an element and determines, based on the mapping and the event, an operation to be performed on a first attribute of the element that is stored in the first data store the second data store. The computer system generates, based on the mapping, notifications indicating a time for the operation associated with the first attribute to be performed by the first service and the second service. The computer system sends the notifications to the first service and to the second service.

Abstract: Systems and methods for enforcement of secure data communications between nodes of a Controller Area Network (CAN) bus implemented in a vehicle are provided. According to one embodiment, a node coupled with the CAN bus receives a data frame broadcast from a source node and extracts information from the data frame. The node analyzes coherence between the extracted information and historical information observed by the node. When a result of the analyzing coherence indicates that the data frame is valid (i.e., the extracted information is coherent with the historical information), the node updates the historical information based on the data frame; otherwise the node drops the data frame to discontinue processing of the data frame.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for training a policy neural network having a plurality of policy parameters and used to select actions to be performed by an agent to control the agent to perform a particular task while interacting with one or more other agents in an environment. In one aspect, the method includes: maintaining data specifying a pool of candidate action selection policies; maintaining data specifying respective matchmaking policy; and training the policy neural network using a reinforcement learning technique to update the policy parameters. The policy parameters define policies to be used in controlling the agent to perform the particular task.

Abstract: A method includes determining that access permissions associated with a service of a computing system have been revoked, identifying one or more access policy sets including access policy rules associated with the service, removing the access policy rules associated with the service from the one or more access policy sets, and marking one or more decision execution paths of a policy decision point associated with the service with a feature flag.

Abstract: Systems and methods for generating min-increment counting bloom filters to determine count and frequency of device identifiers and attributes in a networking environment are disclosed. The system can maintain a set of data records including device identifiers and attributes associated with device in a network. The system can generate a vector comprising coordinates corresponding to counter registers. The system can identify hash functions to update a counting bloom filter. The system can hash the data records to extract index values pointing to a set of counter registers. The system can increment the positions in the min-increment counting bloom filter corresponding to the minimum values of the counter registers. The system can obtain an aggregated public key comprising a public key. The system can encrypt the counter registers using the aggregated shared key to generate an encrypted vector. The system can transmit the encrypted vector to a networked worker computing device.

Abstract: In some aspects, the disclosure is directed to methods and systems for graph-based analysis, filtering, and access control. A knowledge graph may be generated for a resource and/or group of resources, with connections from nodes representing entities (e.g. devices, users, user groups, etc.) into nodes associated with the resource identifying access policies and authorization levels. Access controls may be applied in real time, and data may be dynamically filtered or cleaned to prevent exfiltration and protect privacy. Rules need not be explicitly or manually encoded, but rather may be implicit through the connections between resource nodes and entity nodes, allowing for high scalability.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to determine a code fingerprint of a document containing a macro, in which the code fingerprint corresponds to a functionality of the macro. The processor may also determine whether the code fingerprint of the document matches a cluster code fingerprint associated with a cluster of documents. Based on a determination that the code fingerprint matches the cluster code fingerprint associated with the cluster of documents, the processor may determine whether the cluster of documents has been identified as being malicious or benign. In addition, based on a determination that the cluster of documents has been identified as being malicious or benign, the processor may handle the document as being malicious or benign while preventing the document from being sent to a sandbox environment for detonation of the document.

Abstract: There are provided systems and methods for iframe injection in mobile web browser applications for web browser extension opt-in. A service provider may provide a mobile application web browser extension, which may operate in conjunction with a mobile application web browser. The extension may interface with the web browser in order to determine data for browsed websites and user interactions and provide offers and savings to users during electronic transaction processing. In order to use the extension with the web browser, an opt-in preference and permission may be required. To provide this opt-in, the extension may cause the web browser to navigate to and load a webpage of the service provider. The extension may then inject an iframe that calls another domain, and a script of the extension executes in the iframe. The script may then infer that a permission has been granted.

Abstract: A computer-implemented method for configuring an access protection system which is suitable for regulating a data communication link of a computer-implemented application between a first computer network and a second computer network is provided. For this purpose, the computer-implemented application is run in the first computer network in a production environment or in an image of the first computer network in a test system. A data communication link of the computer-implemented application to the second computer network is determined by a sensor and a configuration rule is derived therefrom for the access protection system for permitting the data communication link of the computer implemented application between the first computer network and the second computer network in the production system. Also provided are a device, a test system, an access protection system, a computer program product and a computer-readable data carrier.

Abstract: A dynamic environment (e.g., an automated industrial process) has multiple conditions in response to which corresponding actions are required, and comprises various equipment, control device(s) to control the equipment, and one or more sensors to generate input signal(s) representing a monitored condition of the environment. A control system for the environment comprises a master processor and one or more co-processors, wherein the master processor configures a given co-processor to evaluate only a first subset of conditions expected to occur in the environment within a specified time period (e.g., less than a response time of the master processor), and to provide first control information representing an action to be taken if a particular condition of the first subset is satisfied.

Abstract: Techniques for providing deep learning for malicious URL classification (URLC) using the innocent until proven guilty (IUPG) learning framework are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of one or more URLs associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the one or more URLs associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: A method at a computing system is described. The method comprises receiving on behalf of a user a request for information, determining access credentials of the user, and based at least on the access credentials, identifying a first portion of the information that the user has permission to access, and a second portion of the information that the user does not have permission to access. The method further comprises obtaining synthesized data configured to replace at least part of the second portion of the information, the synthesized data being different than the second portion of information, relevant to the request, and not including any information that the user does not have permission to access, and providing a data set for access by the user, the data set including the first portion of the information and the synthesized data.

Abstract: Examples disclosed herein relate to systems and methods for generating and implementing a security profile. Disclosed methods may include the steps of generating a customer intent interface configured to receive input comprising a value associated with an intent parameter; receiving, via the customer intent interface, security intent information comprising the value and the intent parameter; generating a configuration file based on the security intent information; based on the configuration file, generating a security profile for a target device; and generating, by code generator framework, one or more scripts based on the security profile.

Abstract: Examples described herein relate to deferred authentication in secure boot systems. An untrusted component is identified in a boot sequence in a trusted execution environment. A secure boot authentication of the untrusted component is deferred for a predetermined period and access to hardware resources is restricted. An image digest and privilege rights including access to hardware resources associated with the untrusted component is obtained in an untrusted execution environment. A request including the image digest and the privilege rights is sent to a central node over a secure connection. A response including a signature based on image digest and approved privileges is received from the central node. The untrusted component is authenticated in the trusted execution environment using the signature before expiry of the predetermined period. Access to the hardware resources is provided to the untrusted component in the trusted execution environment based on the approved privileges.

Abstract: Methods, systems, and apparatus are described providing social networking engines. Specifically, the present specification relates to a method for implementing software containers implementing social network engines that may be configured to act in a zero-knowledge environment. In such implementations, all information pertaining to the social network engine associated with a user that is stored in the container is solely that of a user unless explicitly shared by the user. In some implementations, the containers may be configured to participate in a publish-and-subscribe network in order to share information. In addition, the containers may be provisioned with controls so that global operators may comply with local privacy rules.

Abstract: The present disclosure involves systems, software, and computer implemented methods for integrated data privacy services. An example method includes determining to initiate an integrated end of purpose protocol for an object of an object type. Target applications are determined that are allowed to process objects of the object type for at least one purpose, based on identified purpose information. An end-of-purpose query is provided to the target applications and an end-of-purpose status is received from each target application that indicates whether the application is able to block the object. The received statuses are evaluated to determine whether an aligned end of purpose has been reached for the object. In response to determining that the aligned end of purpose has been reached for the object, a block command is provided to each of the multiple applications that instructs a respective application to locally block the object.