Abstract: Presented herein are techniques to manage a wireless local area network. A method includes defining a plurality of geographical zones corresponding to a geographical area that is serviced by a common service set identifier for a wireless local area network, assigning a pre-shared key to a mobile station based on the plurality of geographical zones, wherein the pre-shared key is associated with predetermined policies for a user of the mobile station, associating a media access control address of the mobile station with the pre-shared key, and controlling access of the mobile station to the wireless local area network based on the predetermined policies.

Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that client device to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.

Abstract: An improved method in a computing environment for establishing access for individuals in at least one enterprise with one or more services provided by a plurality of service providers through the use of a Common Authorization Management (CAM) service is described herein. Through the CAM service, an enterprise administrator can group together one or more individuals at one enterprise, identify access rights to one or more services in the plurality of service providers for each group of individuals based on security data defined by a service provider administrator, and associate individuals from the subset of the plurality of groups at each enterprise with access rights to one or more services provided by the plurality of service providers.

Abstract: Data theft protection for a computing device is provided by flagging a suspicious user within the pre-boot environment by systematic evaluation to determine suspicious location and/or anomalous user behavior. Depending on a suspicion score and a risk evaluation, the system automatically triggers one or more actions with respect to the data on the computing device.

Abstract: An illustrative fraud deterrent method includes presenting an identity verification option for a first website displayed in a web-browser, the option including offering a login to a third-party website, unrelated to the first website. The method further includes receiving login information for a first user account on the third-party website and verifying the login information through a verification service associated with the third-party website, to verify that the login information is valid for the first user account, identified by the login information. The method additionally includes verifying an identity at the first website, responsive to the verification.

Abstract: A security and IT “essentials” application (or “app”) for a data intake and query system are described, where the essentials apps provide functionality that generally make security and IT easier for users. Four categories of functionality are provided by the essentials apps including: (1) finding content, (2) learning how a data intake and query system security app works, (3) improving production and deploying the security tools successfully, and (4) measuring users' success. The described security and IT essentials apps help users better understand where to begin with using a data intake and query system, enable users to see a data intake and query system in action, and provides in-product help and guidance, thereby enabling users to more readily obtain insights into their own IT environments and to enable operational and security improvements in those environments.

Abstract: A data anonymization pipeline system for managing holding and pooling data is disclosed. The data anonymization pipeline system transforms personal data at a source and then stores the transformed data in a safe environment. Furthermore, a re-identification risk assessment is performed before providing access to a user to fetch the de-identified data for secondary purposes.

Abstract: A method, a system, and a non-transitory computer readable medium are disclosed for a voice based application blocker. The method includes receiving, on a gateway, a text message from a mobile device; tokenizing, on a processor of the gateway, the text message into at least a user and a purpose, the purpose being denying or granting access of the user to one or more applications from the gateway; and creating, on a firewall of the gateway, blocking rules for the user to the one or more applications from the gateway.

Abstract: A system and method for an adaptive network of network access nodes comprises a global network operations center (GNOC) receiving operator inputs and generating a global policy according to the operator inputs. The GNOC and/or a distributed network gateway (GW) generate configuration commands for configurations for at least one of the network access nodes based on the global policy, transmit the configuration commands to at least one of the network access nodes, and receive telemetry from at least one of the network access nodes. The distributed network GW transmits a summary of key performance indicators (KPIs) to the GNOC and the GNOC revises the global policy according to the summary of KPIs.

Abstract: Embodiments of the present specification disclose identity registration methods, apparatuses, and devices. One method comprising: identifying description information from a user for a secure application configured to obtain trusted data to be installed; retrieving installation package data corresponding to the secure application based on the description information; installing the secure application in a trusted execution environment (TEE) based on the installation package data; and adding the description information to a digital identity document of the user recorded on a blockchain.

Abstract: System and method of detecting malicious interactions in a computer network, the method including generating, by a processor, at least one decoy segment, broadcasting, by the processor, the generated at least one decoy segment in a public database, monitoring, by the processor, communication within the computer network to identify interactions associated with the generated at least one decoy segment, determining, by the processor, at least one indicator of compromise (IOC) for the identified interactions, and blocking communication between the computer network and any computer associated with the determined at least one IOC.

Abstract: A method including receiving, from a user device, a transmission packet for communication to a destination device; determining, based on an IP address of the destination device, whether the user device is permitted to transmit to the IP address; determining, based on determining that the user device is permitted to transmit to the IP address, whether the user device is permitted to transmit to a port associated with the IP address; determining, based on determining that the user device is permitted to transmit to the port, whether the user device is permitted to utilize a protocol utilized by the user device to transmit the transmission packet; and determining, based on determining that the user device is permitted to utilize the protocol, whether the user device is permitted to utilize a web application utilized by the user device to transmit the transmission packet is disclosed. Various other aspects are contemplated.

Abstract: Systems and methods are provided for performing operations including: receiving, via a messaging application of a user device, a request to recover access to an account of a user of the messaging application; accessing a first object corresponding to a first key; receiving, from a first friend of the user on the messaging application, a second object corresponding to a first portion of a second key; receiving, from a second friend of the user on the messaging application, a third object corresponding to a second portion of the second key; deriving the second key based on the second and third objects; and recovering access to the account of the user based on the first key and the second key.

Abstract: In one aspect, a computerized method for implementing dual-layer computer-system security in a private enterprise computer network includes the step of generating a user profile, wherein the user has access to the private enterprise computer network, wherein the user profile comprises an information comprises a specified user usage of the private enterprise computer network. The computerized method includes the step of setting a specified trigger value with respect to the specified user usage of the private enterprise computer network. The computerized method includes the step of detecting that the user usage exceeds the trigger value. The computerized method includes the step of modifying an access privilege of the user to the private enterprise computer network.

Abstract: A system for providing an interactive presentation to an audience device is provided. The system interfaces with a database storing presentation content and a workspace. The workspace stores the presentation content and additional content and storing one or more access policies and being associated with a first user. The system comprises a processor for executing one or more modules comprising a content creation and updating module configured to enable an updating of the presentation content and the additional content according to the one or more access policies; and a content access interface module configured to determine one or more portions of the presentation content and the additional content for accessing at the audience device according to the one or more access policies. A method for providing an interactive media presentation is also provided.

Abstract: Data privacy information pertaining to particular data hosted by a first workload provisioned to a first location can be received. The first workload can be monitored to determine whether the first workload is accessed by a second workload, determine whether the second workload is indicated as being authorized, in the data privacy information, to access the particular data hosted by first workload, and determine whether the second workload has access to the particular data hosted by the first workload. If so, the first workload can be automatically provisioned to a second location to which provisioning of the first workload is allowed based on the data privacy information.

Abstract: Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory; booting, by a hypervisor of the host computer system, the virtual machine; and responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.

Abstract: According to some embodiments, a method performed by a classification scanner comprises receiving an electronic message and determining whether the electronic message includes an express indication from the user indicating that a classification applies to the electronic message. In response to determining that the electronic message does not include the express indication that the classification applies to the electronic message, the message further comprises sending the electronic message to a machine learning scanner. The machine learning scanner is adapted to use a machine learning policy to determine whether the classification applies to the electronic message.

Abstract: A data privacy protection system is disclosed that comprises listener(s) that receive and store data including non-personal identifiable information (PII) and PII in data sets in a database and agent(s) that access each data set from the database, obtain the non-PII data and exclude the PII data to create non-PII data sets, and transmit the non-PII data sets to a third-party server. The system further comprises an anonymization framework that obtains the PII data from the data sets and stores some of the PII data in a raw PII data set. The anonymization framework distributes anonymization work on the stored PII data to queues based on hashed device identifiers associated with the stored PII data, performs the anonymization work on the stored PII data according to the queues to create an anonymized PII data set, and transmits the anonymized PII data set to the third-party server.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: The disclosed subject matter relates to systems, methods, and media for media session concurrency management with recurring license renewals. More particularly, the disclosed subject matter relates to using recurring license renewals for concurrent playback detection and concurrency limit enforcement for video delivery services and managing server resources for handling such recurring license renewals.

Abstract: The present disclosure relates to techniques for enforcing control policies on one more software as a service (SaaS) platforms from a centralized security control platform. An integration component is configured to integrate SaaS accounts with the security enforcement platform. The security enforcement platform executes functions that facilitate the creation of control policies on SaaS accounts. Exemplary control polices can be created to manage or control file sharing activities, user authentication, plugin usage, and/or other functions and features that may impact the security of the files or content included on the SaaS accounts. Activity events generated by the integrated SaaS accounts can be monitored by the security control platform. The activity events monitored by the security enforcement platform can be utilized to enforce the control policies and facilitate verification of file sharing activities.

Abstract: Systems and methods for facilitating an analysis of software vulnerabilities are described. The system receives a first request to present software vulnerabilities of a virtual machine on a production machine. The system receives a first request to present software vulnerabilities of a virtual machine on a production machine. The first request includes a first selection including a virtual machine identifier identifying the virtual machine on the production machine. The software vulnerabilities include a first software vulnerability. The system presents a first electronic user interface including software vulnerabilities for the virtual machine. The system receives a second request including a second selection identifying a first software vulnerability. The system presents a second electronic user interface including presenting recovery point identifiers corresponding to snapshot images stored on a database.

Abstract: This Application sets forth techniques for cellular wireless service management for a secondary mobile wireless device assisted by a primary mobile wireless device, including delayed delivery of an electronic subscriber identity module (eSIM) to the secondary mobile wireless device for subscription to cellular wireless service of a mobile network operator (MNO).

Abstract: Systems and methods for adjusting the behavior of an endpoint security agent based on a network location are provided. According to an embodiment, an agent of an endpoint device identifies whether a security service of a cloud-based security service is not reachable or is unresponsive. The security service is associated with a particular security function implemented by the agent. When the security service is not reachable or is unresponsive, the agent further determines whether the endpoint device is within a trusted network of multiple trusted networks that have been previously registered with the cloud-based security service by querying a trusted network determination service associated with the cloud-based security service. When the determination is affirmative, the particular security feature is configured for operating inside a trusted network. When the determination is negative, the particular security feature is configured for operating outside a trusted network.

Abstract: Some embodiments provide a method for network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.

Abstract: An automated system tracks digital service providers (DSP) data management agreements, DSP behavior, and user behavior, individually and in aggregate, to determine recommended alternatives for content/service sites/providers than those used by a user. The alternatives are selected based on their scoring and congruency or compliance with a user's target privacy data treatment parameters.

Abstract: Methods and devices for determining whether a mobile device has been compromised. The mobile device has a managed portion of memory and an unmanaged portion of memory, a managed profile and an unmanaged profile, and the managed profile includes files stored in the managed portion of memory and the unmanaged profile includes files stored in the unmanaged portion of memory. The managed profile is governed by a device policy set by a remote administrator. File tree structure information for the unmanaged profile of the mobile device is obtained that details at least a portion of a tree-based structure of folders and files in the unmanaged portion of memory. It is determined from the file tree structure information that the mobile device has been compromised and, based on that determination, an action is taken.

Abstract: According to some implementations, a data policy compliance service causes the display of a dashboard, wherein the dashboard identifies a first geographic region in which there is a datacenter hosting an organization instance of a customer of a cloud-based software provider. Responsive to user interaction, the data policy compliance service causes the display of the dashboard to reflect information regarding a possible migration of the organization instance from the first geographic region to a second geographic region of the plurality of geographic regions. The information includes a set of one or more compliance assessment metrics reflecting a level of compliance of the organization instance with data privacy and/or data security laws, regulations, and/or policy.

Abstract: An indication of a set of premises between which network traffic is to be routed via a private fiber backbone of a provider network is obtained. Respective virtual routers are configured for a first premise and a second premise, and connectivity is established between the virtual routers and routing information sources at the premises. Contents of at least one network packet originating at the first premise are transmitted to the second premise via the private fiber backbone using routing information obtained at the virtual routers from the routing information source at the second premise.

Abstract: In some examples, an access control policy controller in a computer network may receive a request to create an access control policy that permits a role to perform one or more functions in the computer network. The access control policy controller may determine one or more operations performed on one or more objects in the computer network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the computer network. The access control policy controller may create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the computer network.

Abstract: Systems and methods to identify a software vulnerability are described. The system receives a message identifying a software vulnerability. The system identifies snapshot images taken of a production machine and stored in a database. The snapshot images include a snapshot image including a virtual machine. The snapshot images are identified being based on the message. The system identifies whether the snapshot images include the software vulnerability. The system registers the software vulnerability in association with a snapshot image in the database responsive to the identification of the snapshot image of the virtual machine including the software vulnerability.

Abstract: Techniques for data source driven expected network policy control are described. A policy enforcement service receives, from a compute instance in a virtual network implemented within a service provider system, a request to access data. The policy enforcement service determines that a virtual network security condition of a policy statement is not satisfied. The policy statement was configured by a user for use in controlling access to the data. The virtual network security condition defines a condition of the virtual network that is to be met. The policy enforcement service performs one or more security actions in response to the determination that the virtual network security condition of the policy statement is not satisfied.

Abstract: Some embodiments of the invention provide a method for defining code-based policies. The method generates a policy-builder first view of a policy for display in a graphical user interface (GUI) by processing a syntax tree that is generated from a code second view of the policy. The method receives, through the policy-builder first view, a modification to a portion of the policy. To reflect the modification, the method updates a portion of the syntax tree that corresponds to the portion of the policy that is affected by the modification. Based on the updating of the syntax tree, the method updates the code second view by modifying a portion of the code second view that corresponds to the updated portion of the syntax tree.

Abstract: Various examples for discovering policy bindings between group policy rules in a legacy management framework and unified endpoint management rules that are utilized in a modern mobile device management (MDM) device management framework. A configuration state view can allow an administrator to understand inconsistencies or conflicts between group policy rules and UEM rules.

Abstract: A computer-implemented method, implemented by one or more computers including hardware and software. The method includes determining whether a computer system contains data subject to a protection policy; in response to a determination that the computer system contains data or information subject to said protection policy, determining whether the data is already subject to protection according to said protection policy; and in response to said determining, that the computer system contains data or information that is not already subject to protection according to said protection policy, applying or implementing the protection policy on the data or information.

Abstract: Disclosed are various embodiments for automatically creating device campaigns. A computing device first determines that a second version of a software package assigned to an existing device campaign has been uploaded to a data store. The existing device campaign can include an existing compliance policy applicable to individual IoT endpoints assigned to the existing device campaign. The compliance policy may specify that a first version of the software package be installed on the individual IoT endpoints. In response, to the change, the computing device can create a new device campaign that includes a new compliance policy applicable to the individual IoT endpoints assigned to the new device campaign. The new compliance policy may specify that the second version of the software package be assigned to the individual IoT endpoints.

Abstract: Techniques for storage management involve: receiving, at a storage server, an access request for target data from a client, wherein the access request occurs in a session between the storage server and the client; determining, based on attribute information of the client, security information of the session, wherein the security information indicates whether the session is subjected to antivirus protection; and executing, based on the security information, an access operation specified by the access request on the target data. Therefore, the performance of the storage server can be improved while the security of the storage server is ensured.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to detect drift in a hybrid cloud environment. An example apparatus to detect drift in a hybrid cloud environment includes a configuration model determiner to, after deployment of a blueprint in the hybrid cloud environment, generate a first model including first relationships of a first plurality of resources corresponding to the blueprint, the blueprint including a plurality of properties in which at least one of the plurality of properties is agnostic of type of cloud, an inventor model determiner to generate a second model including second relationships of a second plurality of resources as deployed in the hybrid cloud environment based on the blueprint, and a drift determiner to determine a drift value based on the first relationships and the second relationships, the drift value representative of a difference between the first relationships and the second relationships.

Abstract: Some embodiments provide a method for visualizing a realization status of configuration changes for a set of logical entities of a logical network. The method generates a first presentation of a list of logical entities and a realization status for each logical entity in the list, where the realization status indicates whether all configuration changes for the logical entity have been realized. In response to a selection of a particular logical entity in the displayed list for which at least one configuration change has not been realized, the method generates a second presentation comprising a view of pending configuration changes for the selected particular logical entity.

Abstract: In one embodiment, a secure object transfer system is described. The system features a virtual private cloud network (VPC) and a controller. The VPC includes a plurality of gateways and a network load balancer, which configured to conduct a load balancing scheme on access messages from computing devices deployed within an on-premises network to direct the access memory to one of the plurality of gateways for storage or retrieval of an object from a cloud-based storage element. Each gateway includes Fully Qualified Domain Name (FQDN) filtering logic to restrict access of the computing devices to certain cloud-based storage elements in accordance with a security policy. The controller is configured to maintain and update the security policy utilized by each gateway of the plurality of gateways.

Abstract: Systems and methods include implementing dynamic runtime code manipulation to modify application code associated with calls related to networking, with the calls implemented by application software executed as a serverless workload; intercepting the calls from the application software based on the modified application code; determining whether to permit the calls based on a set of policies; responsive to permitting a call, making the call to an operating system interface on behalf of the application software; and, responsive to not permitting the call, providing a failure notification to the application software.

Abstract: A computer security system includes a test management system and associated communication architecture that enables creation of customized tests of computer security application features. A server stores a test script in a custom scripting language. The test script includes a set of control statements that may be organized in a decision tree to control facilitation of the test. Clients poll the server to independently obtain and execute the control statements. Execution of the control statements control which clients participate in a test, which feature will be tested in the test, and what telemetry data will be collected from the clients to evaluate the test. The server evaluates the telemetry data to determine an outcome of the test and determines whether to further distribute or roll back the tested feature based on the test outcome. The testing can be utilized to rapidly and robustly deploy features that will enhance computer security.

Abstract: Disclosed are various examples for client device migration to utilize management platform features. In some examples, the client device is identified as compatible with a management platform. A migration of the client device to utilize a management platform feature is accepted through a user interface. A management platform account is created with a management platform service. A management profile is installed on the client device. The profile is compatible with the management platform. The management platform feature is enabled on the client device.

Abstract: A data management computing system for tracking data protection compliance of a plurality of entities using a data management (“DM”) server is provided. The DM server includes at least one processor programmed to: (i) receive, from a requesting entity, a personally identifying information (“PII”) consent request for access to a requested PII set of a user, (ii) determine at least one PII item associated with a reason code, (iii) compare the at least one PII item to the requested PII set, (iv) generate a consent recommendation, (v) transmit the consent recommendation to the user, (vi) receive a response indicating user consent, (vii) transmit, to the requesting entity, a notification indicating the user consent for the requesting entity to retrieve the at least one PII item from a third-party PII storage entity, and (viii) update a user profile to track the requesting entity with the at least one PII item.

Abstract: In some implementations, a user device (e.g., a computing device) can perform client-side personalization of search results. For example, a computing device can obtain search results matching user specified search parameters from a server device and/or from various services on the user device. The user device can score the search results based on various search result item attributes. After scoring, the user device can promote or demote search results items based on whether the search results item is relevant to recent user behavior. The promotion and/or demotion of search results items can cause search results items scores to be adjusted to generate a personalized score for each search result. The search results can then be ordered and/or presented based on the personalized score for each search results item. When presenting search results items, the user device can present information indicative of the source of the search results items.

Abstract: A computer-implemented method, a computer program product, and a computer system for using a mobile device to authenticate a user to access a secure facility. An authentication service determines whether the mobile device of the user is locked. The authentication service requests the user to unlock the mobile device and determines whether the user has unlocked the mobile device. The authentication service retrieves, from the mobile device, a first token and a MAC address. The authentication service retrieves, from a database, a token identifier of the mobile device and a personal identifier of the user. The authentication service generates a second token, based on the token identifier, the personal identifier, and the MAC address. The authentication service determines whether the first and the second tokens match. The authentication service grants the user access to the secure facility, in response to the first and the second tokens matching.

Abstract: Techniques and arrangements for performing data analysis in order to generate connections between merchants. For instance, a payment service may determine, based at least in part on transaction information, that a first customer conducted a first transaction at a first merchant followed a subsequent transaction at a second merchant. The payment service may further determine that a second customer conducted a second transaction at the first merchant followed by a subsequent transaction at a third merchant, Based on transaction information associated with the first transaction and the second transaction, the payment service may create a buyer profile including the first customer and second customer. Upon the payment service receiving a request to process a third transaction between the first merchant and the second customer, the payment service can generate a recommendation that the second customer conduct a subsequent transaction to the third transaction at the second merchant rather than the third merchant.

Abstract: Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Abstract: Embodiments of the disclosure relate to verifying a watermark of an artificial intelligence (AI) model for a data processing (DP) accelerator. In one embodiment, a system receives an inference request from an application. The system extracts the watermark from an AI model having the watermark. The system verifies the extracted watermark based on a policy. The system applies the AI model having a watermark to a set of inference inputs to generate inference results. The system sends a verification proof and the inference results to the application.