Abstract: A computerized method for restricting communications between virtual private cloud networks comprises creating a plurality of security domains. Each of the plurality of security domains identifies gateways associated with one or more virtual private cloud networks. Also, the method features generating transit routing data stores in accordance with each of the plurality of security domains; determining whether a connection policy exists between at least a first security domain and a second security domain of the plurality of security domains; and precluding communications between gateways associated with the first security domain and gateways associated with the second security domain in response to determining that no connection policy exists between the first security domain and the second security domain.

Abstract: An example operation may include one or more of monitoring, by a blockchain node, a delivery of a service to a first node from a second node based on a service contract and an order retrieved from a blockchain, determining, by the blockchain node, an incremental charge for a partial delivery of the service based on the monitoring, and executing, by the blockchain node, a smart contract to issue the incremental charge for the partial delivery of the service, and responsive to a resolution of a dispute raised for the incremental charge, add the incremental charge to an incremental invoice.

Abstract: A device may include a processor configured to establish a data traffic flow for a user equipment (UE) device and determine per flow descriptor attributes associated with the data traffic flow, wherein the per flow descriptor attributes identify at least a source, a destination, and a protocol associated with the data traffic flow. The processor may be further configured to determine at least one additional per flow descriptor attribute for the data traffic flow and send the per flow descriptor attributes and the at least one additional per flow descriptor attribute to a network exposure device of a core network, wherein the network exposure device is configured to communicate with servers outside the core network.

Abstract: The present invention relates to a system method of provisioning mobile device security settings to provide authorized users with secure access. The system and method uses a generated, computer-readable authentication code that is read by a mobile device. The authentication code enables an unprovisional mobile device to request security credentials to enable a user of the mobile device to connect to a secured system.

Abstract: Methods and apparatus for allowing an individual to preserve his/her privacy and control the use of the individual's images and/or personal information by other, without disclosing the identity of the individual to others, are described. In various embodiments the individual seeking privacy provides his/her identifying information, images, and sharing preferences indicating desired level of privacy to a control device which is then stored in a customer record. The control device can be queried to determine if an image or other information corresponds to a user who has restricted use of his/her image or other information in a public manner. Upon receiving a query the control device determines using the stored customer record whether an individual has authorized use of his or her image. Based upon the determination a response is sent to the querying device indicating whether the use of the image and/or individual's information is authorized.

Abstract: A solution is proposed for reviewing a control of access in an information technology system. A corresponding method comprises retrieving an indication of granted accesses to objects, being granted to subjects according to policies based on attributes. Virtual roles (each defined by one or more of the attributes) are determined according to a correlation among access types of the granted accesses and the attributes of the subjects being granted them. A computer program and a computer program product for performing the method are also proposed. Moreover, a system for implementing the method is proposed.

Abstract: An authentication model dynamically adjusts authentication factors required for access to a remote resource based on changes to a risk score for a user, a device, or some combination of these. For example, the authentication model may conditionally specify the number and type of authentication factors required by a user/device pair, and may dynamically alter authentication requirements based on changes to a current risk assessment for the user/device while the remote resource is in use.

Abstract: A node provides a service to a client node in a network. The node is configured to execute a code for providing the service to the client node in an enclave of a trusted execution environment (TEE) and to execute a code library in the enclave to attest to the client node the identity of the service provided. The service provided to the client node may be a distributed service including a result of a cooperation of a plurality of neighbor nodes, which are connected to the node either directly or through other intermediate nodes. The code library is configured to attest to the client node the identity of the distributed service.

Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.

Abstract: A device that is configured to receive user activity information that includes information about user interactions with a network device for a plurality of users. The device is further configured to input the user activity information into a first machine learning model that is configured to receive user activity information and to output a set of bad actor candidates based on the user activity information. The device is further configured to filter the user activity information based on the set of bad actor candidates. The device is further configured to input the filtered user activity information into a second machine learning model that is configured to receive the filtered user activity information and to output system exposure information that identifies network security threats. The device is further configured to identify network security actions based on the network security threats and to execute the network security actions.

Abstract: A system, method, and computer program product are provided for consent management. A method may include receiving a first data request for user data associated with a user, the user data stored in a user data database; communicating a consent request to the requester system; receiving a consent response from the requester system; storing consent data associated with the consent response for the user data requested in the first data request in an immutable ledger; receiving a consent verification request from the user data database, the consent verification request based on a second data request for the user data from the requester system to the user data database; verifying the consent verification request based on the consent data; and communicating a consent verification response to the user data database, the consent verification response indicating consent from the user to share the user data with the requester system.

Abstract: A vehicle computer system includes one or more sensors configured to receive input regarding a vehicle's environment, and a controller in communication with the one or more sensors of the vehicle. The controller is configured to identify a cyber-attack on one or more vehicle controllers in the vehicle, and respond to the cyber-attack based upon at least the vehicle environment.

Abstract: Provided in some embodiments are systems and methods for determining a data flow path including a plurality of network devices for routing data from a first network device to a second network device; determining for the network devices one or more flow rules that specify an input for receiving data, an output for outputting data, and a role tag indicative of a role of a network device, where the role tag for one or more flow rules for a first network device of the network devices indicates a source role; distributing, to the network devices, the one or more flow rules; determining malicious activity on the data flow path; determining that the first network device is a source based at least in part on the role tag for the first network device; and sending, to the first network device, a blocking flow rule to inhibit routing of malicious data.

Abstract: A control plane system for providing data exchange between a plurality of gateway endpoints using a secure tunnel between the gateway endpoints. The system includes an end-user device, a cloud control plane, and a cloud provider. The end-user device includes a client endpoint providing a request for accessing data using a gateway device by sending data packets. The cloud control plane uses a data plane and a control plane for provisioning the request. The control plane is isolated from the data plane. Routing information of network traffic is received, a tenant associated with the request is identified and isolated. A network policy associated with the access to the data is identified based on the network patterns. The network policy specifies routing for access to the data and the secure tunnel. The access to the data is provided from the cloud provider to the client endpoint on the gateway device.

Abstract: A method for controlling a robot is provided. The method includes the steps of: acquiring information on status of communication connections between a plurality of robots located in a serving place, wherein the status of communication connections between the plurality of robots is specified with respect to at least one relay robot among the plurality of robots; and determining a communication scheme to be used between the plurality of robots, with reference to the information on the status of communication connections between the plurality of robots.

Abstract: Embodiments are directed to managing and monitoring endpoint activity in secured networks. In response to a client request being provided to an agent associated with the resource server. A driver associated with the resource server may be determined based on the client request. The client request may be provided to the resource server via a second network connection. Responses from the resource server may be provided to a server-tee module such that the server-tee module provides a copy of the responses to the server-handler module; employing the server-handler module to generate log information based on the copied responses; employing the server-tee module to modify the responses from the resource server such that the responses are forwarded to the client via the first network connection over the overlay network; or the like.

Abstract: Specification covers new algorithms, methods, and systems for: Artificial Intelligence; the first application of General-AI (versus Specific, Vertical, or Narrow-AI) (as humans can do) (which also includes Explainable-AI or XAI); addition of reasoning, inference, and cognitive layers/engines to learning module/engine/layer; soft computing; Information Principle; Stratification; Incremental Enlargement Principle; deep-level/detailed recognition, e.g., image recognition (e.g., for action, gesture, emotion, expression, biometrics, fingerprint, tilted or partial-face, OCR, relationship, position, pattern, and object); Big Data analytics; machine learning; crowd-sourcing; classification; clustering; SVM; similarity measures; Enhanced Boltzmann Machines; Enhanced Convolutional Neural Networks; optimization; search engine; ranking; semantic web; context analysis; question-answering system; soft, fuzzy, or un-sharp boundaries/impreciseness/ambiguities/fuzziness in class or set, e.g.

Abstract: Techniques for automated identification of false positives in DNS tunneling detectors are disclosed. In some embodiments, a system, process, and/or computer program product for automated identification of false positives in DNS tunneling detectors includes receiving a set of passive DNS data, wherein the set of passive DNS data includes a DNS query and a DNS response for resolution of the DNS query for each of a plurality of DNS queries; extracting a plurality of features associated with each domain in the set of passive DNS data; and classifying DNS tunneling activities and performing false positive reduction using the plurality of features associated with each domain in the set of passive DNS data to reduce false positive detections.

Abstract: Disclosed are examples related to data driven interfaces for decoupling management system components from a manufacturer or a platform of client devices managed by the management system. In some examples, among others, a system can generate a data driven interface template that can be used to cause rendering of a data driven user interface for configuring a profile payload of a device profile for the client device. The system can generate, based on values associated with the data driven user interface, a profile document in an instance in which values are obtained from the data driven user interface. In some aspects, the profile document is a generic representation of the profile payloads for the platform, the manufacturer or the type of the client device.

Abstract: A computer-implemented method of monitoring activity of devices in a network is provided. The method comprises passively collecting data regarding how the devices access the network, and for each device on the network, identifying all other devices on the network with which the device communicates. All communication traffic from the devices to outside the network is identified. A determination is made if there are any required updates and if patches for the devices execute in a fashion defined as safe. A number of risk indicators for privacy risks are determined according to device communication within the network, device communication to outside the network, and update and patch execution. A visualization of any identified risk factors is displayed to a user through a user interface.

Abstract: There is disclosed in one example a network gateway device, including: a hardware platform including a processor and a memory; a network interface, including network interface hardware; and instructions encoded within the memory to instruct the processor to: receive from an endpoint device, via the network interface, a signed security posture data structure, the signed security posture data structure including information about a security posture of the endpoint device; cryptographically verify the signed security posture data structure; and according to the signed security posture data structure, assign a network security policy to the endpoint device.

Abstract: Systems and methods disclosed can evaluate security detection rules in a network security computing environment. Results for a processed log of security events can be retrieved. The results can identify determined outcomes for instances triggering security detection rules. The security detection rules can detect specific behavior on a network by being processed against a log of security events. Scores for the security detection rules can be determined based on the results of the processed log of security events and the determined outcomes. The security detection rules can be ranked based on the scores, from highest to lowest score. The highest score can indicate that a corresponding rule is performing worst among the security detection rules and the lowest score can indicate that a corresponding rule is performing best among the security detection rules. A rules score report can be generated based on the ranked rules.

Abstract: Provided are an environment map management device, an environment map management system, an environment map management method, and a program that are capable of generating a common environment map that takes into consideration privacy of each of users simultaneously with securing a space covered by an environment map available to the each of users. A processing data transmitting section accesses an individual environment map available to a user of interest. The processing data transmitting section accesses a common environment map available to a plurality of users including the user of interest. A SLAM processing execution section adds, to the individual environment map, environment information generated on the basis of sensing data acquired by a tracker used by the user of interest. A transmitting control section controls whether or not to add the environment information to the common environment map, according to a privacy attribute corresponding to the environment information.

Abstract: Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.

Abstract: A highly secure networked system and methods for storage, processing, and transmission of sensitive information are described. Sensitive, e.g. personal/private, information is cleansed, salted, and hashed by data contributor computing environments. Cleansing, salting, and hashing by multiple data contributor computing environments occurs using the same processes to ensure output hashed values are consistent across multiple sources. The hashed sensitive information is hashed a second time by a secure facility computing environment. The second hashing of the data involves a private salt inaccessible to third parties. The second hashed data is linked to previously hashed data (when possible) and assigned a unique ID. Data dictionaries are created for particular individuals provided access to the highly secure information, e.g. researchers.

Abstract: The technology disclosed teaches incident-driven and user-targeted data loss prevention that includes a CASB controlling infiltration via cloud-based services storing documents in use by organization users, by monitoring manipulation of the documents. The CASB identifies the cloud-based services that the particular user has access to and at least one document location on the cloud-based services to inspect for sensitive documents, in response to receiving an indication that user credentials have been compromised. The CASB performs deep inspection of documents identified as stored at the location and detects at least some sensitive documents. Based on the detected sensitive documents, the CASB determines an exposure for the organization due to the particular user.

Abstract: Described are methods and systems for using policies to comply with a person's request for data pertaining to the person, pursuant to applicable data privacy laws. A policy is retrieved responsive to receiving a query that includes data to identify records that store data pertaining to the person. The policy indicates first and second database objects, and respective first and second sets of fields, which store data that pertains to persons. The policy is applied. Applying the policy includes retrieving, as first values, data stored in the first set of fields of a first record associated with the data in the query, and retrieving, as second values, data stored in the second set of fields of a second record associated with the first record. The first and second values, and the names of the fields from which they were retrieved, are stored in a document.

Abstract: Embodiments disclosed are directed to ensuring resource compliance within a cloud-based environment using a compliance system. The embodiments include steps for performing pre-provisioning checks of resources, such as network protocols, prior to their deployment within the cloud-based environment. The compliance system may include a number of components for performing the pre-provisioning check including a maintenance module, a collection module, and an evaluation module, which are used to evaluate the resource prior to deployment in the cloud-based environment.

Abstract: Methods and systems for generating an integrated structure for the data from disparate data domains that may be used to aggregate, compare, and/or provide recommendations based on the data available from the disparate domains. The integrated structure may further be accessible to users to perform functions (e.g., searches, filtering operations, etc.) in real-time and receive outputs (e.g., in a user interface).

Abstract: Implementations of the present disclosure include providing a graph representative of a network, a set of nodes representing respective assets, each edge representing one or more lateral paths between assets, the graph data including configurations affecting at least one impact that has an effect on an asset, determining multiple sets of fixes for configurations, each fix having a cost associated therewith, incorporating fix data of the sets of fixes into the graph, defining a set of fixes including one or more fixes from the multiple sets of fixes by defining an optimization problem that identifies one or more impacts that are to be nullified and executing resolving the optimization problem to define the set of fixes, each fix in the set of fixes being associated with a respective configuration in the graph, and scheduling performance of each fix in the set of fixes based on one or more operational constraints.

Abstract: Techniques for auto-starting a VPN in a MAM environment are disclosed. A MAM-controlled application is launched on a computer system. Policy is queried and a determination is made as to whether to auto-start a VPN application based on the policy. Based on the policy, the VPN application is auto-started, and the VPN application initiates a VPN tunnel that is usable by at least the MAM-controlled application. Network communications transmitted to or from the MAM-controlled application then pass through the VPN tunnel.

Abstract: Computer-implemented methods, apparatuses, and computer program products are provided for frequency based operations. An example computer-implemented method includes receiving a request for data transfer of a plurality of data elements of a production data environment to a non-production data environment. The method includes determining an access frequency associated with each data element and grouping each data element into a first set of data elements or a second set of data elements based upon the determined access frequency. The method further includes refreshing the first set of data elements according to a first refresh protocol defining a first refresh rate and refreshing the second set of data elements according to a second refresh protocol defining a second refresh rate less than the first refresh rate. The method also includes outputting the plurality of data elements to the non-production data environment.

Abstract: A Domain Name System (DNS) device stores data indicative of a user device and data indicative of a policy setting a level of access of the user device to a responding device. The DNS device receives, from the user device, a request for an Internet Protocol address of the responding device. The DNS device determines, based upon the request and the data indicative of the user device, that the policy applies to the request. The DNS device applies the policy in response to the determining.

Abstract: Provided herein are systems and methods for configuring trace events. A system includes at least one hardware processor coupled to a memory and configured to instantiate a user code runtime to execute user-defined function (UDF) code. The user code runtime is instantiated within a sandbox process of an execution node. An application programming interface (API) call is detected during execution of the UDF code. The API call includes one or more configurations of a trace event. Telemetry information is collected based on the one or more configurations. The telemetry information is associated with the trace event using a telemetry API. The telemetry API corresponds to the API call. The telemetry information is formatted using the telemetry API, to generate structured telemetry information. The at least one hardware processor causes ingestion of the structured telemetry information into an event table.

Abstract: An automated system tracks digital service providers (DSP) data management agreements, and user behavior, individually and in aggregate, to determine potential changes for a personal/corporate privacy charter. The personal/corporate privacy charter is thus dynamically adaptable to permit users to continue to engage seamlessly in accordance with user/corporate target goals with digital service providers (DSPs) and similar entities.

Abstract: Disclosed herein is an example communication apparatus that includes processor circuitry to execute instructions to: determine a context of a message; perform a comparison of the context of the message with a target recipient emotional state; apply a rule to select an action for the message based on the comparison; cause performance of the action; determine an effect of the action on an emotional state of a user; and update the rule based on the effect.

Abstract: The present invention extends to methods, systems, and computer program products for identifying and consenting to permissions for workflow and code execution. Aspects of the invention can be used to automatically scan a workflow or code definition to identify (potentially all) the actions/triggers a workflow or program intends to perform on behalf of a user. The user is shown the actions/triggers the workflow or program intends to perform (e.g., at a user interface) before consent to perform the actions/triggers is granted. As such, a user is aware of intended actions/triggers of a workflow or program before granting consent. Further, since actions/triggers are identified from the workflow or code definition (and not formulated by an author), permission requests better align with permissions that workflow or program functionality actually uses during execution.

Abstract: The system determines whether content such as an image is suitable for content modification based on one or more criteria. The system includes decision engines or modules configured to evaluate one or more suitability metrics based on corresponding criteria such as publication status, restriction status, context, compatibility, and classification. If content is unsuitable for content modification because of entities or context depicted therein, privacy status, incompatibility with content modification, properties of the content file itself, or other aspects, the system generates a tag indicating the content is unsuitable for content modification. If content is suitable for content modification because of entities or context depicted therein, publication status, compatibility with content modification, properties of the content file itself, or other aspects, the system generates a content modification tag indicating the content is suitable for content modification.

Abstract: A system for managing security on a cloud management platform portal (CMPP (1)), the system comprising a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS (4)) so as to provision services to a customer, and a ServiceNow (2) (SNOW) application comprising at least one of a set of routines comprising at least one of certain specified network Standard Service Requests and/or network activity Standard Service Requests.

Abstract: A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.

Abstract: Various embodiments of the present invention provide methods, apparatuses, systems, computing devices, and/or the like that are configured to enable effective and efficient monitoring of software application frameworks. For example, certain embodiments of the present invention provide methods, apparatuses, systems, computing devices, and/or the like that are configured to perform software application framework monitoring using an interactive software application platform monitoring dashboard comprises a set of user interfaces (e.g.

Abstract: In some aspects, a method for mediation of a screenshot capture by a client application based on policy includes identifying, by a client application on a client device, a policy for mediating one or more screenshots of content displayed via the client application. An embedded browser within the client application accesses a network application of one or more servers. The method further includes intercepting, by the client application, a request to capture a screenshot of at least a portion of the network application being displayed, determining, by the client application, one or more mediation actions to perform on the screenshot responsive to the policy, performing, by the client application, the one or more mediation actions on the screenshot, and providing, by the client responsive to the request, the screenshot resulting from the one or more mediation actions.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having security policy visualization. At least one embodiment is directed to a computer-implemented method for implementing security policies in a secured network, including: retrieving a set of rules of a security policy; analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy; and generating a visual presentation on a user interface using results of the SMT operations, where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions. In at least one embodiment, two or more security policies are presented with visual indicia representing differences between the security policies, including representations of one or more targeted policy dimensions with respect to one or more fixed policy dimensions.

Abstract: A method includes executing a configuration engine on one or more data processing device(s) of a computing system. In accordance with the execution, the method also includes discovering at least a subset of a number of resources associated with a target environment of the computing system, generating an environment definition associated with the target environment, building baseline configurations, policies, and metadata for at least the subset of the number of resources, and versioning the aforementioned data.

Abstract: A system and method for automatic offload in multi SIM devices. The system comprises a learning module [108] to learn the SIM slot ID of the inserted desired operator, the structure alignment and field information, wherein feedback of the learnt information is provided to the network server [114]. A method selection module [110] analyzes the structure alignment and field information for mapping unique connection methods to different devices. A WiFi configuration and connection module [112] uses appropriate WiFi configuration and attempts connection to desired Service Providers enterprise Wi-Fi AP using the determined connection method.

Abstract: A system, method, and computer-readable media for providing contextual data loss prevention (DLP) within a group-based communication system. At least a portion of a DLP policy may be suspended within a DLP engine based on a context for which a user input is to be displayed. Accordingly, the user input may be displayed without interference from the DLP engine.

Abstract: The present invention relates to a method and system for tracking the movement of data elements as they are shared and moved between authorized and unauthorized devices and among authorized and unauthorized users.

Abstract: In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.

Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.

Abstract: A system for controlling an electricity supply to a load comprises at least one battery for storing energy. The system also comprises a controller for determining when to switch between a first mode wherein electricity is supplied to the load from a mains electricity circuit; and a discharging mode wherein electricity is supplied from the battery to the load via the mains electricity circuit. The determining is based on information associated with the electricity supply.