Abstract: Disclosed are various examples for client device migration to utilize management platform features. In some examples, the client device is identified as compatible with a management platform. A migration of the client device to utilize a management platform feature is accepted through a user interface. A management platform account is created with a management platform service. A management profile is installed on the client device. The profile is compatible with the management platform. The management platform feature is enabled on the client device.

Abstract: In some implementations, a user device (e.g., a computing device) can perform client-side personalization of search results. For example, a computing device can obtain search results matching user specified search parameters from a server device and/or from various services on the user device. The user device can score the search results based on various search result item attributes. After scoring, the user device can promote or demote search results items based on whether the search results item is relevant to recent user behavior. The promotion and/or demotion of search results items can cause search results items scores to be adjusted to generate a personalized score for each search result. The search results can then be ordered and/or presented based on the personalized score for each search results item. When presenting search results items, the user device can present information indicative of the source of the search results items.

Abstract: A computer security system includes a test management system and associated communication architecture that enables creation of customized tests of computer security application features. A server stores a test script in a custom scripting language. The test script includes a set of control statements that may be organized in a decision tree to control facilitation of the test. Clients poll the server to independently obtain and execute the control statements. Execution of the control statements control which clients participate in a test, which feature will be tested in the test, and what telemetry data will be collected from the clients to evaluate the test. The server evaluates the telemetry data to determine an outcome of the test and determines whether to further distribute or roll back the tested feature based on the test outcome. The testing can be utilized to rapidly and robustly deploy features that will enhance computer security.

Abstract: A data management computing system for tracking data protection compliance of a plurality of entities using a data management (“DM”) server is provided. The DM server includes at least one processor programmed to: (i) receive, from a requesting entity, a personally identifying information (“PII”) consent request for access to a requested PII set of a user, (ii) determine at least one PII item associated with a reason code, (iii) compare the at least one PII item to the requested PII set, (iv) generate a consent recommendation, (v) transmit the consent recommendation to the user, (vi) receive a response indicating user consent, (vii) transmit, to the requesting entity, a notification indicating the user consent for the requesting entity to retrieve the at least one PII item from a third-party PII storage entity, and (viii) update a user profile to track the requesting entity with the at least one PII item.

Abstract: A computer-implemented method, a computer program product, and a computer system for using a mobile device to authenticate a user to access a secure facility. An authentication service determines whether the mobile device of the user is locked. The authentication service requests the user to unlock the mobile device and determines whether the user has unlocked the mobile device. The authentication service retrieves, from the mobile device, a first token and a MAC address. The authentication service retrieves, from a database, a token identifier of the mobile device and a personal identifier of the user. The authentication service generates a second token, based on the token identifier, the personal identifier, and the MAC address. The authentication service determines whether the first and the second tokens match. The authentication service grants the user access to the secure facility, in response to the first and the second tokens matching.

Abstract: Techniques and arrangements for performing data analysis in order to generate connections between merchants. For instance, a payment service may determine, based at least in part on transaction information, that a first customer conducted a first transaction at a first merchant followed a subsequent transaction at a second merchant. The payment service may further determine that a second customer conducted a second transaction at the first merchant followed by a subsequent transaction at a third merchant, Based on transaction information associated with the first transaction and the second transaction, the payment service may create a buyer profile including the first customer and second customer. Upon the payment service receiving a request to process a third transaction between the first merchant and the second customer, the payment service can generate a recommendation that the second customer conduct a subsequent transaction to the third transaction at the second merchant rather than the third merchant.

Abstract: Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Abstract: Embodiments of the disclosure relate to verifying a watermark of an artificial intelligence (AI) model for a data processing (DP) accelerator. In one embodiment, a system receives an inference request from an application. The system extracts the watermark from an AI model having the watermark. The system verifies the extracted watermark based on a policy. The system applies the AI model having a watermark to a set of inference inputs to generate inference results. The system sends a verification proof and the inference results to the application.

Abstract: Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.

Abstract: An application development assistance system in which optimal security measures can be taken at positions in need of security measures under an application development environment using a flow diagram analyzes an input application description file and outputs application data information and module information. A data importance level judgment unit decides importance levels of data exchanged between modules on the basis of the application data information.

Abstract: Disclosed is detecting identification documents in image-borne identification documents and protecting against loss of the image-borne identification documents. A trained deep learning (DL) stack is used to classify production images by inference as containing a sensitive image-borne identification document, with the trained stack configured with parameters determined using labelled ground truth data for the identification documents and examples of other image documents. The trained DL stack is configured to include a first set of layers closer to an input layer and a second set of layers further from the input layer, with the first set pre-trained to perform image recognition before exposing the second set of layers of the stack to the labelled ground truth data for the image-borne identification documents and examples of other image documents, and using the inferred classification of the sensitive image-borne identification document in a DLP system to protect against loss by image exfiltration.

Abstract: A computer system and method provides cloud-based network security software as a service in a distributed computing environment. A computer system executing on a portion of hardware computing resources associated with the distributed computing environment receives a security service request from a customer platform device external to the distributed computing environment, the request identifying a customer platform asset within the distributed computing environment and instructing that a security service selected by the customer platform device be provided to the identified customer platform asset. In response to receiving the security service request, a network security software component associated with the selected security service on one or more virtual machines within the distributed computing environment is executed to provide the selected security service to the identified customer platform asset.

Abstract: Example methods and systems disclosed herein facilitate the introduction and use of client-specified object encryption within a computing environment using remote third-party storage systems, where data objects stored on the remote third-party storage systems were previously either stored in unencrypted form or encrypted with a single key tied to an account that owns the data. In some embodiments, the encryption is introduced into the system in gradual stages, so as to minimize or entirely eliminate data availability downtime. In some embodiments, the introduction of client-specified object encryption involves registration of a user function on the third-party storage system, where the user function handles object decryption in response to requests of content consumers for data objects stored by the third-party storage system.

Abstract: A request for use of an application programming interface (API) is received. Context associated with the request is determined. Based on the context, a challenge is generated, which can be used for determining whether to permit the use of the API. A response to the challenge is received. Based on the response, the request can be facilitated for using the API.

Abstract: Techniques for providing a feedback mechanism to enforce a security policy are provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a security policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name based on a feedback mechanism that utilizes network logs (e.g., implemented using a learning process for FQDN to IP address mappings) to facilitate a more effective security policy enforcement.

Abstract: Methods and systems for deploying images to computing systems include predicting an environment for a plurality of processing nodes. Image deployment to the plurality of processing nodes is simulated to determine a subset of the plurality of processing nodes for deployment. One or more images is pre-loaded to the subset of the plurality of processing nodes in advance of a deployment time.

Abstract: Disclosed is a system to optimize rule weights for classifying access requests so as to manage rates of false positives and false negative classifications. A rules suggestion engine may suggest a profile of classification rules to a merchant for access requests. The system can optimize weights for the profile of rules using a cost function based on a training set of historical access requests, for example using stepwise regression or machine learning (ML). The system can compute a profile score based on the optimized weights, for example by summing the weights. The system statistically analyzes the profile score using classification thresholds and the historical access requests. The system can perform receiver operating characteristic (ROC) analysis for various threshold values, enabling a user to select a suitable threshold. The system can further optimize by adding or removing rules from the profile of rules.

Abstract: In a fraud-detection method for use in an in-vehicle network system including a plurality of electronic control units (ECUs) that exchange messages on a plurality of networks, a plurality of fraud-detection ECUs each connected to a different one of the networks, and a gateway device, a fraud-detection ECU determines whether a message transmitted on a network connected to the fraud-detection ECU is malicious by using rule information stored in a memory. The gateway device receives updated rule information transmitted to a first network among the networks, selects a second network different from the first network, and transfers the updated rule information only to the second network. A fraud-detection ECU connected to the second network acquires the updated rule information and updates the rule information stored therein by using the updated rule information.

Abstract: A network intrusion system for a protected network includes a ruleset module configured to receive metadata for rules. The metadata describes, for each of the rules, a set of associated network vulnerabilities. The ruleset module is configured to access vulnerability information describing a set of cumulative vulnerabilities that each is present in at least one network device within the protected network. The network intrusion system includes a rule management module configured to, for each rule of the plurality of rules: identify the set of associated network vulnerabilities described by the metadata for the rule, determine whether there is a match between any of the set of associated network vulnerabilities and the set of cumulative vulnerabilities, and, in response to determining that there is no match, transmit a first command signal to a network security module. The first command signal instructs the network security module to disable the rule.

Abstract: Systems, methods, and computer products are described herein for identifying data inconsistencies within database tables associated with an application. A master data inconsistency evaluator receives data including at least one selection parameter within at least one database table. By the master data inconsistency evaluator evaluates the at least one selection parameter by comparing the at least one selection parameter with other database tables associated with the application to identify data inconsistencies. The master data inconsistency evaluator repairs the data inconsistencies to further facilitate an error free transaction.

Abstract: Disclosed herein are methods, computer readable media, and devices for performing software updates. In one embodiment, a method is disclosed comprising initializing a storage space of a secure storage device into a plurality of portions; copying an update program to a first portion in the portions and copying update data to a second portion of the portions; generating a first golden measurement for the first portion and a second golden measurement for the second portion; measuring the first portion; updating or rolling back an update to the secure device in response to determining that the measuring of the first portion does not match the first golden measurement of the first portion; and verifying an update operation upon determining that the measuring of the first portion matches the first golden measurement of the first portion.

Abstract: Techniques for security management in communication systems are provided. For example, a method comprises maintaining a list of networks that support access for a set of restricted local operator services, checking whether a set of conditions for triggering access to the set of restricted local operator services is satisfied, receiving a request for access to the set of restricted local operator services, and initiating, upon satisfaction of the set of conditions, a search of the list of networks to find a network for access to the set of restricted local operator services.

Abstract: Systems and methods for securely pairing a transmitting device with a receiving device are described. The systems and methods may communicate with a first device via a first communication method over a wireless communication network. The systems and methods may transmit, to the first device via a second communication method, a first sensory pattern representing a first key. In addition, the system and methods may communicate with the first device via the first communication method using the first key.

Abstract: Systems and methods are disclosed for data protection in a cluster of data processing accelerators (DPAs) using a policy that partitions the DPAs into one or more group of DPAs in the cluster. A host device instructs the DPAs to organize themselves into non-overlapping groups according to a policy for each DPA in the cluster. The policy indicates, for each DPA, one or more other DPAs the DPA is to establish a communication link with, to implement the grouping. Once grouped, the host device and a DPA can access all resources of the DPA. DPAs in the same group as a first DPA can access non-secure resources, but not secure resources, of the first DPA. DPAs in a different group from the first DPA cannot access any resources of the first DPA. A scheduler in the host device can allocate processing tasks to any group in the cluster.

Abstract: The invention discloses a dual-modes switching method for blocking a network connection, comprising: a data packet collecting step of collecting data packets transmitting from all network nodes in a network segment, a data packet analyzing step of analyzing the data packets collected to obtain network node identification data, a list comparing step of comparing the network node identification data with identification data registered in an information device list to determine an illegal network node, an illegal-network-node-type determining step of determining what kind of type the illegal network node is, and a network connection blocking step of switching a first network connection blocking mode and a second network connection blocking mode according to the type of the illegal network node, thereby blocking the network connection of the illegal network.

Abstract: The present disclosure relates to computer-implemented methods, software, and systems for managing cloud application in a transparent multiple availability zone cloud platform. A request to access a cloud application running on the multiple availability zone cloud platform is received. The request can include an application location for accessing the cloud application. A network address corresponding to the application location is determined. In response to determining the network address, a first availability zone of the multiple availability zone cloud platform that is currently active to process the request is determined. A plurality of network locations corresponding to a host component of the application location is determined by a first load balancer. A network location of the plurality of network locations for processing the request is identified based on load balancing criteria.

Abstract: Various embodiments provide an approach to controlled access of websites based on website content, and profile for the person consuming the data. In operation, machine learning techniques are used to classify the websites based on community and social media inputs, crowdsourced data, as well as access rules implemented by parents or system administrators. Feedback from users/admins of the system, including the instances of allowed or denied access to websites, in conjunction with other relevant parameters, is used for iterative machine learning techniques.

Abstract: A system, computer program product and method for providing high delivery performance in a value chain network utilizing a finite capacity planning and scheduling model.

Abstract: Example methods and systems for logical network health check. One example may comprise obtaining network configuration information and network realization information associated with a logical network; processing the network configuration information and the network realization information to determine the following: (a) network configuration health information specifying a network configuration issue and a first remediation action; and (b) network realization health information specifying a network realization issue and a second remediation action; and providing, to a user device, multiple user interfaces (UIs) specifying the first health information and the second health information along with a visualization of the logical network. In response to detecting an instruction initiated by the user device using at least one of the multiple UIs, the first remediation action or the second remediation action may be performed.

Abstract: A predetermined access control policy is generated with reference to a lineage table and a metadata table to be stored in a policy table, and an access control policy which should be applied or recommended to treated data is provided with reference to the policy table.

Abstract: An image capturing device may capture image data for processing to form an image. The image capturing device may perform a hashing procedure on the image data, wherein performing the hashing procedure generates a hash value of the image data. The image capturing device may provide, to an image authentication device, the hash value of the image data, wherein the hash value of the image data is to be used by the image authentication device to validate the image based on a request to authenticate the image received from a receiving device. The image capturing device may process the image data to form the image for display to a user. The image capturing device may provide, after providing the hash value of the image data to the image authentication device, the image for display to the user.

Abstract: A computer-readable medium contains cybersecurity configuration settings (CCS) generating file(s) including instructions when executed cause a processor of a computer located at a node in a networked system having computers including at least one computer system class to generate CCS. The CCS generating file includes group policy objects (GPOs) applicable to all computers, policy setting scripts that are applicable to <all the computer s, and group policy definition files which provide a policy setting library for the computer class. Execution of the CCS generating file at the node automatically generates the CCS for cybersecurity protection of the node. The computer class can include computer classes that include ?2 different operating systems, and there can be a CCS generating file for each computer class. The CCS generating file can be a single multi-class CCS generating file that includes a plurality of CCS generating files.

Abstract: A system for determining a software package for deployment based on a user request receives a request from the user to access software packages to perform a particular task. The system determines particular software packages for the user, based on an experience level of the user in performing the particular task. The system determines whether a security vulnerability is associated with the determined software packages by scanning the source code of the determined software package and searching for instances where a code portion includes open ports vulnerable to unauthorized access. If it is determined that no security vulnerability is associated with the determined software packages, the system deploys the determined software packages to a computing device from which the user sent the request.

Abstract: A multi-endpoint event graph is used to detect malware based on malicious software moving through a network.

Abstract: One embodiment provides a method, including: receiving a target unstructured document for determining whether the target unstructured document comprises biased information; identifying an objective of the target unstructured document by extracting, from the target unstructured document, (i) entities and (ii) relationships between the entities; creating a structured knowledge base, wherein the creating comprises (i) creating an entry in the structured knowledge base corresponding to the target unstructured document, (ii) identifying other unstructured documents having a similarity to the target unstructured document, and (iii) generating an entry in the structured knowledge base corresponding to each of the other unstructured documents; applying a bias detection technique on the structured knowledge base; and providing an indication of whether the target unstructured document comprises bias.

Abstract: A method may include obtaining, from a user device, a request to access a control system among various control systems. The method may further include determining whether a user associated with the user device is authorized to access the control system based on user information associated with the user in a database. The method may further include generating, in response to determining that the user is authorized, a user code associated with a predetermined time period for accessing the control system. The method may further include transmitting the user code to the user device and the control system. The user code may authenticate a user session between the user device and the control system. The method further includes transmitting, in response to the predetermined time period expiring, a command that terminates the user session between the control system by the user device.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for efficiently processing data to allow for the streamlined assessment of risk ratings for one or more vendors. In various embodiments, the systems/methods may use one or more particular vendor attributes (e.g., as determined from scanning one or more webpages associated with the particular vendor) and the contents of one or more completed privacy templates for the vendor to determine a vendor risk rating for the particular vendor. As a particular example, the system may scan a website associated with the vendor to automatically determine one or more security certifications associated with the vendor and use that information, along with information from a completed privacy template for the vendor, to calculate a vendor risk rating that indicates the risk of doing business with the vendor.

Abstract: The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.

Abstract: The invention relates to a computer-implemented system for security monitoring of Member accounts in a cloud environment. The Member accounts are provided as instances of cloud services in one or more monitored clouds by one or more cloud service providers. The system is programmed to automatically deploy software agents to the Member accounts. The software agents are configured to monitor activities in the Member accounts and to push security and operations data to a SIEM platform. The security and operations data may comprise alerts and activity logs for the Member accounts, public internet protocol (IP) addresses used by the Member accounts, and identifying information for individuals and information technology (IT) assets associated with the Member accounts. The system includes a user interface to define customized alerts based on the security and operations data, and the system generates and sends the customized alerts to a system administrator or security analyst.

Abstract: Management of IoT devices through a private cloud. An IoT device is coupled to a gateway. A request from the IoT device to connect to a private cloud, wherein the private cloud is used to manage IoT devices, is received at a private cloud control center agent. An identification of the IoT device is determined. The IoT device is onboarded, using the identification, for management through the private cloud. A device profile of the IoT device is generated. The flow of data to and from the IoT device is regulated through application of IoT rules according to the device profile of the IoT device.

Abstract: Methods, systems, and computer storage media for providing resource policy management based on a pre-commit verification engine are provided. Pre-commit verification operations are executed to simulate committing a policy, in a distributed computing environment, for test request instances, without actually committing the policy. In operation, a policy author communicates a policy and one or more test request instances. Based on the policy and the test request instances, an access control manager simulates committing the policy for the test request instances to the computing environment. Simulating committing the policy for test request instances is based on an existing set of policies including a live version of the policy and contextual information corresponding to the policy and the test request instances for the computing environment in which the policy will be applied.

Abstract: In a device including a processor and a memory, the memory includes executable instructions that, when executed by the processor, cause the processor to control the device to perform functions of receiving an access control setting for granting access to an access-controlled resource and a dynamic tag characterizing a member group subject to the access control setting; accessing a data source storing member data including an attribute associated with each member, the attribute including a parameter related to a time or time period. The dynamic tag is mapped to the member data based on (1) the parameter of the attribute and (2) a time or time period associated with the dynamic tag, to identify mapped members forming the member group, wherein the mapped members identified based on a same dynamic tag vary depending on the time or time period associated with the dynamic tag, to identify the member group.

Abstract: Systems and methods are described for improving assessment of security risk based on a user's personal information. Registration of personal information of a user of an organization is received at a security awareness system. Post receiving the registration of the personal information, at least one of an exposure check or a security audit of the personal information of the user is performed by the security awareness system. A personal risk score of the user is then generated or adjusted based at least on a result of one of the exposure check or the security audit.

Abstract: A method may include receiving an event from an event source. The event may correspond to event data. The event source may be a container executing an image. The image may correspond to image metadata including attributes describing the image. The method may further include combining the event data with the image metadata to obtain enriched data, detecting, using the enriched data, a deviation from a policy, and in response to detecting the deviation from the policy, performing an action to enforce the policy.

Abstract: A policy-based printing system is implemented to allow access to a private domain to print using a public domain. The private domain includes private servers that store documents. The public domain includes servers and a printing device. A public policy server uses a domain list and a protocol connection with a private authentication server to validate a user and identify which private domain to access. The public policy server receives requests from the printing device to process a print job of a document in the private domain. If the private server is off-line, then the printing device prints the document and a cost reimbursement request is submitted to account for the printed document.

Abstract: A method for managing a consent receipt under an electronic transaction, comprising: receiving a request to initiate a transaction between the entity and the data subject; providing a privacy policy associated with the entity and based at least in part on the request to initiate the transaction between the entity and the data subject; accessing the privacy policy associated with the entity; storing one or more provisions of the privacy policy associated with the entity; providing a user interface for consenting to the privacy policy associated with the entity; receiving a selection to consent to the privacy policy associated with the entity and based at least in part on the request to initiate the transaction between the entity and the data subject; generating, by a third-party consent receipt management system, a consent receipt to the data subject; and storing the generated consent receipt.

Abstract: A communication method includes receiving, by an access network (AN) node, indication information from a mobility management device. The indication information is indicative of a security policy of a quality of service (QoS) flow. The method also includes obtaining, by the access network node based on the indication information, security information of a radio bearer corresponding to the QoS flow. The security information is indicative of a security policy of the radio bearer. The method further includes sending, by the access network node, an identifier of the radio bearer and the security information of the radio bearer to a terminal.

Abstract: Systems, methods, and other embodiments associated with a framework for compliance report generation are described. In one embodiment, a method includes receiving a data source definition of a set of data sources comprising data for populating compliance reports. The example method may also include retrieving a compliance report definition for a compliance report for a reporting entity. The example method may also include constructing and rendering a user interface populated with a set of user interface elements generated based upon the set of data sources and the compliance report definition. The example method may also include generating the compliance report according to the compliance report definition. The compliance report is populated with data from the set of data sources. The compliance report is sent over a computing network to a remote computing device of the reporting entity.

Abstract: In some examples, a system associates, with a plurality of virtual resources deployed in a cloud environment, properties representative of characteristics of the virtual resources, the properties comprising a performance level of a virtual resource. The system receives a request to create a virtual resource in the cloud environment, and, in response to determining that properties of the virtual resource to be created for the request satisfy a criterion with respect to properties of a given virtual resource of the plurality of virtual resources, selects the given virtual resource as a candidate virtual resource for the request.

Abstract: In one embodiment, a system for managing a virtualization environment includes host machines implementing a virtualization environment, a plurality of clusters of the host machines, a virtualized file server (VFS) comprising a plurality of file server virtual machines (FSVMs), and a VFS cluster manager (CM) configured to distribute storage items among the clusters and receive cluster storage statistics for one or more shares of the VFS. The CM is further configured to, in response to a request from a first FSVM to identify a storage location for a storage item, identify a cluster at which the storage item is to be located based on the cluster storage statistics, identify a second FSVM at which the storage item is to be located based on compute usage statistics of one or more FSVMs in the identified cluster, and send an address of the second FSVM to the first FSVM.