Policy Patents (Class 726/1)
  • Patent number: 11997111
    Abstract: A cloud-based system is designed with multi-tenancy controls for conducting analytics performed on objects submitted by a subscriber. This system features an analysis monitoring service and an analysis selection service. The analysis monitoring service, operating as a first cloud service, includes logic that is configured to collect metadata associated with an operating state for each of a plurality of clusters and generate cluster selection information. The analysis selection service, operating as a second cloud service and communicatively coupled to the analysis monitoring service, is configured to select a cluster of the plurality of clusters to analyze the object for malware based, at least in part, on the cluster selection information provided from the analysis monitoring service.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: May 28, 2024
    Assignee: Musarubra US LLC
    Inventors: Mumtaz Siddiqui, Manju Radhakrishnan, Deepak Agarwal
  • Patent number: 11997084
    Abstract: The present disclosure provides systems and methods that perform structure-based access control. In particular, rather than relying upon a user-specific credential scheme, which can require manual sharing of user-specific credentials and/or switching between the multiple accounts to access the particular devices, applications, or services associated with such accounts, the systems and methods of the present disclosure facilitate user credentials to be inherited by or otherwise assigned to a structure identifier associated with a structure (e.g., a home in which the user resides), thereby generating a set of structure credentials. This enables other users in the structure, who may be part of a collaborative user group, to access devices, applications, and/or services using the structure credentials.
    Type: Grant
    Filed: June 26, 2023
    Date of Patent: May 28, 2024
    Assignee: GOOGLE LLC
    Inventors: Mark Spates, IV, Vincent Yanton Mo, Zhenguo Guan, David Roy Schairer
  • Patent number: 11997097
    Abstract: A method comprises monitoring, by a processing device, usage activity of one or more resource categories of a computing environment by a user of the computing environment in view of a security profile associated with the user, determining a first probability of selecting a particular resource from a resource category of the one or more resource categories in view of the usage activity of the resource category by the user, determining a second probability that the particular resource is associated with a security exploit in view of historical data for the computing environment, determining a resource vulnerability value for the resource category in view of the first probability and the second probability, and determining a security vulnerability value for the user in view of the resource vulnerability value.
    Type: Grant
    Filed: February 7, 2022
    Date of Patent: May 28, 2024
    Assignee: Red Hat, Inc.
    Inventor: Prasanth Anbalagan
  • Patent number: 11994905
    Abstract: The disclosure provides trusted user interface display methods. One example method applied to an electronic device having a foldable screen, includes: changing the foldable screen from a first display status to a second display status in response to a first operation performed by a user on the electronic device; displaying a user interface (UI) of a client application (CA) on a screen corresponding to the second display status; and triggering to display a trusted user interface (TUI) corresponding to the CA on the screen corresponding to the second display status in response to a second operation performed by the user on the UI of the CA, where the TUI is adapted to the screen corresponding to the second display status.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: May 28, 2024
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Peng Zhang, Chenguang Liu, Jianliang Tian, Lian Wang
  • Patent number: 11995450
    Abstract: Examples of cloud-based provisioning of a computing system are disclosed. In an example, a baseboard management controller (BMC) of the computing system may be configured to establish a secure cloud provisioning connection between a cloud manager and the BMC. UEFI configuration may be received from the cloud manager over the secure cloud provisioning connection. A UEFI shell may be executed during a startup of the computing system initiated by the cloud manager. Based on the UEFI configuration, a provisioning proxy server communicatively coupled to a cloud repository may be identified. A startup script may be requested from the cloud repository over a network connection using a UEFI network stack. The startup script may download an image file via the provisioning proxy server from the cloud repository over the network connection and provision the computing system from the image file.
    Type: Grant
    Filed: September 6, 2022
    Date of Patent: May 28, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Syama Sundararao Nadiminti, Sriram Subramanian, Sunil Malhotra
  • Patent number: 11997088
    Abstract: Systems and methods for establishing a secure communication network are provided. For example, a risk mitigation computing device determines a first set of devices on an enhanced security communication network and a second set of devices on a home communication network. The risk assessment computer system may enable a first network connection between the first set of devices and a cloud-based node via the enhanced security communication network and may enable a second network connection between the second set of devices and an internet. The enhanced security communication network and the home communication network may be separate. The risk mitigation computing device may receive headers of data packets transmitted through the enhanced security communication network and correlate the headers of data packets with risk assessment indicators. The risk mitigation computing device may provide a risk score based on the risk assessment indicators correlated with the headers of data packets.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: May 28, 2024
    Assignee: CYBERLUCENT INC.
    Inventors: Michael Trentini, Mahmoud Gad
  • Patent number: 11991043
    Abstract: An operator node is configured to enable the management of nodes communicatively coupled to the operator node via a network. A selection of node objects is received by the operator node, the selected node objects including software components for inclusion within a node configuration. A configuration policy is generated based on the selected objects, the configuration policy including a set of tests (such as scripts or executables) that, when run, test for the presence of one or more of the selected node objects. A target node is scanned to determine the configuration of the target node, and the set of tests are applied to identify a set of objects identified by the policy but not installed at the target node. The target node is then re-configured to install the identified set of objects at the target node.
    Type: Grant
    Filed: September 22, 2022
    Date of Patent: May 21, 2024
    Assignee: UPGUARD, INC.
    Inventors: Alan James Sharp-Paul, Michael Franz Baukes
  • Patent number: 11991181
    Abstract: A method of multi-factor authentication, the method comprising computer executed steps, the steps comprising: from a computer of a cloud service, receiving data identifying a user logged-in to the cloud service after being successfully authenticated using a first authentication factor, communicating with a client device of the logged-in user, for receiving a second authentication factor from the logged-in user, determining whether the second authentication factor received from the logged-in user is valid, based on a result of the determining, determining a first user-permission policy for the logged-in user, and communicating the determined first user-permission policy to the computer of the cloud service, for the cloud service to base a restriction of usage of the cloud service by the logged-in user on.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: May 21, 2024
    Assignee: CORONET CYBER SECURITY LTD.
    Inventor: Doron Milchtaich
  • Patent number: 11989283
    Abstract: A container escape detection method includes receiving information that is about a plurality of system calls triggered by a monitored container, and matching an occurrence order of the plurality of system calls with at least one group of preset system call orders in an escape detection rule, and determining, based on a matching result, whether the monitored container escapes.
    Type: Grant
    Filed: September 15, 2020
    Date of Patent: May 21, 2024
    Assignee: HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.
    Inventors: Yu Zhang, Dahu Kuang, Yue Yu, Yu Chen
  • Patent number: 11989318
    Abstract: Embodiments of the present invention provide a system for dynamic masking of data in a network. The system is configured for receiving, via a graphical user interface, a data access request for accessing data from a user associated with an entity, determining that the data comprises sensitive information, determining that the user is not authorized to access the data, dynamically performing non-scramble masking of the data based on determining that the data comprises sensitive information and that the user is not authorized to access the data, and displaying masked data to the user, via the graphical user interface.
    Type: Grant
    Filed: January 4, 2022
    Date of Patent: May 21, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Swetapadma Mohanty
  • Patent number: 11991152
    Abstract: Systems and methods are provided for effectuating overlay tunnels between software-defined wide area network (SD-WAN) end-point devices despite the use of IPSec passthrough in one or more network devices, such as modems or routers that exist between the end-point devices. In particular, the Internet Key Exchange (IKE) protocol can be allowed to progress until a modem/router is able to establish an IKE tunnel, after which overlay packets using cloud-managed keys can be allowed to pass through the modem/router. An overlay tunnel may then be established between the end-point devices, and the IKE tunnel can be taken down.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: May 21, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Shreekanth Chandranna, Bhagvan Cheeyandira, Gopalakrishnan Gunasekaran
  • Patent number: 11989661
    Abstract: Computer-implemented systems and methods update rules engines in a distributed computer system with new rules in a lightweight, non-intrusive, real-time manner. Rules engines are subscribed to a pub/sub service for new rules pertaining to a topic. A rules manager publishes a new rule to the pub/sub service with an associated topic. The rules engines download the new rule and store the new rule in-memory for execution without downtime.
    Type: Grant
    Filed: July 24, 2023
    Date of Patent: May 21, 2024
    Assignee: Morgan Stanley Services Group Inc.
    Inventors: Monil Shah, Sandeep Verma, Paul Cherian
  • Patent number: 11985127
    Abstract: Provided is a controller for configuring network devices at different network locations with rules that prevent different sets of clients from accessing specific network resources. The controller may receive a request with an identifier of a first resource from a particular network point of access. The controller may identify one or more network devices (e.g., wireless access point, router, switch, firewall, gateway, etc.) that are in the network path between the particular network point of access and the first resource. The controller may select a particular network device in the network path, may establish a connection to the particular network device, and may configure the particular network device with a rule that prevents access to the first resource from the particular network point of access, while permitting access to other resources from the particular network point of access.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: May 14, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Bryan Christopher Larish
  • Patent number: 11985382
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to validate reference media assets in media identification systems. Example apparatus disclosed herein are to identify respective instances of media represented by corresponding candidate media resources to be verified, and cause the respective instances of media to be presented and monitored by corresponding ones of a plurality of virtual machines. Disclosed example apparatus are also to perform a comparison of a first one of the candidate media resources to a corresponding test media resource generated by a first one of the virtual machines that played and monitored a first one of the instances of media represented by the first one of the candidate media resources. Disclosed example apparatus are further to validate the first one of the candidate media resources based on the comparison.
    Type: Grant
    Filed: December 5, 2022
    Date of Patent: May 14, 2024
    Assignee: The Nielsen Company (US), LLC
    Inventor: Sandeep Tapse
  • Patent number: 11983147
    Abstract: A computer-implemented method, according to one embodiment, includes: receiving, at a clustered filesystem from a formatted filesystem, a request to perform a data integrity check for a portion of data. A determination is made as to whether the request includes a filesystem type of the portion of data, and in response to determining that the request includes a filesystem type of the portion of data, another determination is made as to whether the clustered filesystem supports the data integrity check for the filesystem type. In response to determining the clustered filesystem supports the data integrity check, another determination is made as to whether the portion of data is currently available. Furthermore, the computer-implemented method includes causing the data integrity check to be performed in response to determining that the portion of data is currently available. Results of performing the data integrity check are also sent to the formatted filesystem.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: May 14, 2024
    Assignee: International Business Machines Corporation
    Inventors: Asmahan Ali, Christina Lara, Sasikanth Eda, Abhishek Jain, Sanjay Vipin Gandhi
  • Patent number: 11985110
    Abstract: Systems and methods are provided for receiving, at a network device, a first set of rules from a security controller of an enterprise network, the first set of rules being different from a second set of rules provided to a firewall by the security controller, implementing, at the network device, the first set of rules received from the security controller, generating, at the network device, a first log including metadata based on the first set of rules, the first log being generated on a per flow basis, notifying, at the network device, a NetFlow of the first log including the metadata of the first set of rules, and providing, from the network device, the first log to a cloud-log store by the NetFlow of the network device, the cloud-log store receiving the first log from the network device and a second log from the firewall.
    Type: Grant
    Filed: September 14, 2022
    Date of Patent: May 14, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Saravanan Radhakrishnan, Anand Oswal, Ashwin Kumar, Paul Wayne Bigbee, Darrin Joseph Miller
  • Patent number: 11985161
    Abstract: A method of collaboration between protecting services associated with one or more domains. Such a method includes: getting a first agent used by a first protecting service to identify an attack on at least one resource managed by a domain protected by the first protecting service; and transmitting, to at least one second agent used by a second protecting service having taken out a subscription to at least one information-sharing service offered by the first protecting service, at least one piece of information relating to the attack identified by the first agent.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: May 14, 2024
    Assignee: ORANGE
    Inventors: Mohamed Boucadair, Christian Jacquenet
  • Patent number: 11977476
    Abstract: In an example, an apparatus may include a validation module configured to identify a security policy update from a security as code repository, wherein the identified security policy update is a candidate for deployment to a production environment having a plurality of attributes defined by an infrastructure as code repository; identify, from the plurality of attributes and using the infrastructure as code repository, individual attributes that correspond to the identified security policy update, wherein the identified individual attributes are identical to a subset of the plurality of attributes; generate a test environment based on the identified individual attributes; following deployment of the identified security policy update to the test environment, check for security exceptions or availability exceptions using the test environment; and output validation results based on a result of the checking.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: May 7, 2024
    Assignee: salesforce.com, inc.
    Inventors: Kaushal Bansal, Prabhat Singh, Selim Ciraci
  • Patent number: 11977659
    Abstract: An IoT/M2M service layer may be provided with the capability to protect user privacy. This functionality may allow the IoT/M2M service layer to anonymize user data, particularly when user data is shared with third party consumers. A privacy policy service may enable the IoT service layer system to generate anonymization (e.g., privacy) policies based on inputs such as legal obligations, subscriber privacy preferences, and an authorization level of the data consumer. Data anonymization policies may be output from the privacy policy service and may be sent to a data anonymization service, where raw data may be anonymized based on the one or more data anonymization policies. The output from the data anonymization service function may be a privatized (e.g., anonymized) version of data that may prevent the data consumer from discovering one or more identifying characteristics of a user.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: May 7, 2024
    Assignee: Convida Wireless, LLC
    Inventors: Jiwan L Ninglekhu, Michael F. Starsinic, Dale N. Seed, Catalina Mihaela Mladin, William Robert Flynn, IV, Zhuo Chen, Quang Ly, Lu Liu
  • Patent number: 11979375
    Abstract: Techniques for a context-aware secure access service edge (SASE) engine for generating security profile(s) associated with endpoint device(s) accessing the network and using the security profile(s) to evaluate a traffic flow from the endpoint device(s). The SASE engine may execute on an edge device of a computing resource network and may be configured to maintain a security profile database including an endpoint security profile mapping. Endpoint device(s) accessing the network may share endpoint, application, and/or user specific information with the SASE engine so that the SASE engine may generate a security profile specific to the endpoint, application, and/or user. Additionally, an enterprise network, associated with endpoint device(s) accessing the network, may provide default SASE security profile templates to the SASE engine.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: May 7, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Sebastian Jeuk, David Hanes, Gonzalo Salgueiro
  • Patent number: 11977648
    Abstract: An information protection device includes a reception unit that receives an image of a screen displayed on a terminal connected to a certain network; an extraction unit that extracts input information for the screen from the image; a determination unit that determines whether or not the input information matches predetermined information; and a control unit that performs, when the input information is determined to be matched with the predetermined information, a control for preventing the input information from being transmitted from the network.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: May 7, 2024
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventor: Masaru Sanada
  • Patent number: 11979383
    Abstract: Transparent web browsing recording is disclosed. A request is received, at a browser isolation system, from a client browser executing on a client device, to connect with a remote resource. A surrogate browser is provided to facilitate communications between the client browser and the remote resource. A set of browsing activities associated with use of the surrogate browser by the client browser is recorded.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: May 7, 2024
    Assignee: Menlo Security, Inc.
    Inventors: Lionel Litty, Todd Ignasiak, Rodrigo Graf
  • Patent number: 11972028
    Abstract: Techniques described herein relate to a method for managing data protection feature compatibility. The method may include identifying a host data protection feature update event associated with a host; in response to identifying the host data protection feature update event, obtaining host data protection feature information from the host; updating a host data protection feature information repository using the host data protection feature information; updating data protection feature compatibility information using the host data protection feature information and data protection manager data protection feature information; and sending data protection feature compatibility information associated with the host to the host.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: April 30, 2024
    Assignee: EMC IP Holding Company LLC
    Inventors: Pravin Kumar Ashokkumar, Preeti Varma, Jayashree B. Radha
  • Patent number: 11972030
    Abstract: In described examples, a method of routing messages in a system on a chip (SoC) includes a secure message router receiving a message including a content, an identifier of the message's sending (origin) functional block and/or of a receiving (destination) functional block, a message secure value, a promote value, and a demote value. A context corresponding to the identifier is retrieved from a memory. The context includes an allow promote value and an allow demote value. The message secure value is increased if the promote value requests the increase and matches the allow promote value. The message secure value is decreased if the demote value requests the decrease and matches the allow demote value. Cleartext corresponding to the content is made accessible by the destination if the context secure value matches the message secure value. The message is then outputted from the secure message router to the destination.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: April 30, 2024
    Assignee: Texas Instruments Incorporated
    Inventors: Amritpal Singh Mundra, Eric Lasmana
  • Patent number: 11968211
    Abstract: Techniques are provided for controlling access entitlement for networking device data. In one example, a geographic location of a networking device is determined. A request to access data associated with the networking device is obtained from a user device. A user parameter of a user associated with the user device is determined. An access policy that controls access to the data based on the geographic location of the networking device and the user parameter is identified. The request to access the data is permitted or denied based on the geographic location of the networking device, the user parameter, and the access policy.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: April 23, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Vinay Saini, Robert E. Barton, Jerome Henry
  • Patent number: 11966478
    Abstract: The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
    Type: Grant
    Filed: November 23, 2022
    Date of Patent: April 23, 2024
    Assignee: Open Text Inc.
    Inventors: John R. Shaw, II, Andrew L. Sandoval
  • Patent number: 11968103
    Abstract: An example method according to some embodiments includes receiving flow data for a packet traversing a network. The method continues by determining a source endpoint group and a destination endpoint group for the packet. The method continues by determining that a policy was utilized, the policy being applicable to the endpoint group. Finally, the method includes updating utilization data for the policy based on the flow data.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: April 23, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Kumar Gupta, Navindra Yadav, Michael Standish Watts, Ali Parandehgheibi, Shashidhar Gandham, Ashutosh Kulshreshtha, Khawar Deen
  • Patent number: 11966498
    Abstract: This disclosure relates to a system and method for at-source data masking and discovery of a unique identifier for at-source masking. The method reads a table of a production database comprising a sensitive column from a source database for at-source data masking. A unique identifier column is identified, and a temporary table is created which has three or more columns. The columns of the temporary table comprise a sensitive column from the table of the production database, a column for masked data of the sensitive column, and a unique identifier column. The sensitive column of the temporary table is masked using a known masking technique, and the original data of the sensitive column and the masked data of the sensitive column are inserted into the temporary table. Finally, the production database is updated with the masked data of the sensitive column.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: April 23, 2024
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Nandita Babu, Ashim Roy, Shirish Damle, Rupali Kulkarni
  • Patent number: 11968188
    Abstract: Apparatus and methods disclosed herein provide technical solutions improving the security of email messages. An email message may be encrypted so that a predetermined passcode is not required to access the email message. Apparatus and methods may route email messages through a remote portal. The email message may only be transmitted to the recipient via the portal. In some instances, the contents of an email message may not be transmitted from the portal to the recipient. Rather, the recipient may only access the email message from within the portal. Such restricted access may be preferably less complex because the recipient's computer terminal may automatically connect to the portal.
    Type: Grant
    Filed: December 16, 2021
    Date of Patent: April 23, 2024
    Assignee: Bank of America Corporation
    Inventors: Linda Haddad, Katherine Jameson, Alex Y. Yang, Neha Joshi
  • Patent number: 11966957
    Abstract: The present disclosure provides a system for providing personalization for a target website. The system comprises: an artificial intelligence (AI) engine including one or more machine learning algorithm trained models for providing one or more personalization features; and a personalization module configured for integrating the one or more personalization features into the target website, wherein the one or more personalization features are rendered within a popup widget displayed over the target website.
    Type: Grant
    Filed: November 3, 2021
    Date of Patent: April 23, 2024
    Assignee: XGenesis Inc.
    Inventors: Francis Faricy, Jason Robert Clements
  • Patent number: 11966464
    Abstract: Security techniques for device assisted services are provided. In some embodiments, secure service measurement and/or control execution partition is provided. In some embodiments, implementing a service profile executed at least in part in a secure execution environment of a processor of a communications device for assisting control of the communications device use of a service on a wireless network, in which the service profile includes a plurality of service policy settings, and wherein the service profile is associated with a service plan that provides for access to the service on the wireless network; monitoring use of the service based on the service profile; and verifying the use of the service based on the monitored use of the service.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: April 23, 2024
    Assignee: Headwater Research LLC
    Inventor: Gregory G. Raleigh
  • Patent number: 11966474
    Abstract: Trusted execution of a workload payload is brokered among multiple trusted execution platforms. The workload payload is received from a source computing system and includes input data, trusted execution code, and one or more trusted execution policies. At least one of the multiple trusted execution platforms is selected based on the one or more trusted execution policies. A brokered payload is generated to include executable trusted execution code and the input data. The brokered payload is communicated to the selected at least one trusted execution platform. A brokered result generated from the brokered payload by the selected at least one trusted execution platform is received. A workload result based on the brokered result is returned to the source computing platform.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: April 23, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Brian Telfer, Deepu C. Thomas
  • Patent number: 11966379
    Abstract: A method for performing data transfer includes: obtaining source data; populating a staging table with the source data; making a first determination that the source data was successfully populated to the staging table; making a second determination that a target table is available, in which an application is directed to use data in the target table; and initiating, based on the first determination and the second determination, a data source switch of the application, in which the data source switch directs the application to use the source data in the staging table and not use the data in the target table, in which the application uses the source data in the staging table when the data source switch is successful.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: April 23, 2024
    Assignee: Dell Products L.P.
    Inventors: Grace Hongyan Zhang, Syed Mohammad Shams Kazmi
  • Patent number: 11962599
    Abstract: A computer system may receive one or more requests for access to one or more cloud services and may store the one or more requests in a request log. The computer system may receive one or more access rules applicable to cloud service access rights. The computer system may aggregate the one or more requests of the request log to determine access requirements for a container, the container being configured to store one or more applications. The computer system may generate and store container access policies that define access of a container and the one or more cloud services, the container access policies based at least in part on the aggregated one or more requests and the one or more access rules. The computer system may send the container access policies to a request forwarder of a compute instance in a production environment.
    Type: Grant
    Filed: May 9, 2023
    Date of Patent: April 16, 2024
    Assignee: Oracle International Corporation
    Inventors: Olgierd Stanislaw Pieczul, Hubert Alexander Foskett, Robert Graham Clark
  • Patent number: 11962609
    Abstract: Examples disclosed herein relate to source entities of security indicators. Some examples disclosed herein enable identifying, in a security information sharing platform, a security indicator that is originated from a source entity where the security indicator comprises an observable. Some examples further enable determining a reliability level of the source entity based on at least one of: security events, sightings of the observable, a first set of user feedback information that is submitted for the security indicator by users of the security information sharing platform, or a second set of user feedback information that is collected from external resources that are external to the security information sharing platform.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: April 16, 2024
    Assignee: Micro Focus LLC
    Inventors: Tomas Sander, Brian Frederik Hosea Che Hein, Nadav Cohen, Ted Ross
  • Patent number: 11956279
    Abstract: A method and a computer program product and an apparatus for securing communication in heterogeneous networks that include devices with different protection levels. The method comprises monitoring, by a security agent installed on a device, communication between the device and external devices. The method comprises determining a level of in-device protection for each device based on available protection thereof. The method further comprises employing, by the security agent, an associated security policy for communications originating from the device, based on the level of in-device protection; such that resources utilized for employing security policies for communications originating from devices are correlated with the protection levels thereof. The method may further comprise enabling sharing security workload between devices having trusted security agents to improve performance efficiency thereof.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: April 9, 2024
    Assignee: JFROG LTD
    Inventors: Omer Schory, Or Peles, Shmuel Ur
  • Patent number: 11956635
    Abstract: Examples described herein relate to techniques for authenticating a client device by obtaining device-type information during an initial phase of authentication process. According to some examples, identifying a client device intending to connect to a network and sending an identity-request thereto. Receiving an identity-response from the client device along with device-type information. Identifying a device category from a set of device categories corresponding to identified device-type information. Selecting a device policy applicable to the identified device-type information. Authenticating the client device to enable access to the network and applying the selected device policy to the client device.
    Type: Grant
    Filed: January 20, 2022
    Date of Patent: April 9, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Nimal Mahesh Varampetran
  • Patent number: 11956095
    Abstract: The present invention relates to a method for configuring a second home automation device (D2) by means of replacing a first home automation device (D1), the method comprising the following steps: recording (ERU1) at least one set of configuration data or instructions (cfg1) associated with a unique identifier of a first home automation device (D1); receiving (ERU9) a configuration request from a second home automation device (D2); determining (ERU10) an association between the second home automation device (D2) on the one hand and the first home automation device (D1) on the other hand; determining (ERU11) at least one set of configuration data or instructions (cfg2) associated with the second home automation device (D2); sending (ERU12) at least one configuration message (MCfg) comprising the at least one set of configuration data or instructions (cfg2) to the second home automation device (D2).
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: April 9, 2024
    Assignee: OVERKIZ
    Inventor: Sylvain Pognant
  • Patent number: 11949671
    Abstract: Systems and methods are disclosed for managing online advertising data secure sharing. One method includes receiving, at a server, a request for proprietary data from a data consumer, the request including a data consumer identifier; retrieving, from a database of proprietary data, proprietary data based on the request; determining, by the server, whether the retrieved proprietary data is at least one of: designated to be processed and designated to have privileges set; processing, by the server, the proprietary data when the server determines the proprietary data is designated to be processed; setting one or more privileges to the proprietary data using the certificate associated with the data consumer identifier when the server determines the proprietary data is designated to have privileges set; encrypting the proprietary data using the certificate associated with the data consumer identifier; and transmitting the encrypted proprietary data to the data consumer.
    Type: Grant
    Filed: October 6, 2022
    Date of Patent: April 2, 2024
    Assignee: Yahoo Ad Tech LLC
    Inventors: Matthew M. Patton, Seth Mitchell Demsey
  • Patent number: 11949786
    Abstract: Embodiments decrypt or partially decrypt an encoded message or a private key, the encoded message or private key encoded by a public-key cryptography algorithm. Embodiments encode the public-key cryptography algorithm using a language of a program synthesizer and construct a grammar for the program synthesizer. Embodiments train the program synthesizer with training data comprising input-output pairs and execute the trained program synthesizer to generate a mathematical formula. Embodiments validate the generated mathematical formula and then perform the decrypting using the trained and validated program synthesizer.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: April 2, 2024
    Assignee: Oracle International Corporation
    Inventors: Dharmalingam Ganesan, David M. Clifton
  • Patent number: 11949719
    Abstract: An information security monitoring system can import indicators of compromise (IOC) definitions in disparate formats from third-party source systems, convert them into editable security definitions in an internal system format, and provide a user interface for composing or editing these security definitions with enhancements, including complex security definitions such as those having a nested Boolean structure and/or those that reference one or more security definitions, a behavioral rule, and/or a vulnerability description. One or more whitelists can be added to handle exceptions. Each composed or modified security definition is then compiled into an executable rule. The executable rule, when evaluated, produces a result indicative of an endpoint security action needed in view of an endpoint event that meets the composed or modified security definition.
    Type: Grant
    Filed: January 26, 2022
    Date of Patent: April 2, 2024
    Assignee: OPEN TEXT HOLDINGS, INC.
    Inventor: Michael James Bailey
  • Patent number: 11949717
    Abstract: In one embodiment, a method comprises: tracking, by a first security agent executed within a user network device, a plurality of wireless data networks that are available for connection by the user network device for secure communications with a second network device in a secure peer-to-peer data network, and maintaining a history of each of the wireless data networks; determining for each of the wireless data networks, by the first security agent, a corresponding risk assessment that identifies a corresponding risk in encountering a cyber threat on the corresponding wireless data network; and supplying, to a second security agent executed within the user network device, a recommendation for connecting to a wireless data link identified as avoiding the cyber threat during the secure communications, wherein the user network device has a two-way trusted relationship with the second network device in the secure peer-to-peer data network.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: April 2, 2024
    Assignee: WhiteStar Communications, Inc.
    Inventor: Billy Gayle Moon
  • Patent number: 11943223
    Abstract: A computerized method for restricting communications between virtual private cloud networks comprises creating a plurality of security domains. Each of the plurality of security domains identifies gateways associated with one or more virtual private cloud networks. Also, the method features generating transit routing data stores in accordance with each of the plurality of security domains; determining whether a connection policy exists between at least a first security domain and a second security domain of the plurality of security domains; and precluding communications between gateways associated with the first security domain and gateways associated with the second security domain in response to determining that no connection policy exists between the first security domain and the second security domain.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: March 26, 2024
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Shanshan Xu
  • Patent number: 11941673
    Abstract: An example operation may include one or more of monitoring, by a blockchain node, a delivery of a service to a first node from a second node based on a service contract and an order retrieved from a blockchain, determining, by the blockchain node, an incremental charge for a partial delivery of the service based on the monitoring, and executing, by the blockchain node, a smart contract to issue the incremental charge for the partial delivery of the service, and responsive to a resolution of a dispute raised for the incremental charge, add the incremental charge to an incremental invoice.
    Type: Grant
    Filed: September 2, 2022
    Date of Patent: March 26, 2024
    Assignee: International Business Machines Corporation
    Inventors: Yedendra Shrinivasan, Krishnasuri Narayanam, Seep Goel, Abhishek Singh, Vishnu Choudhary
  • Patent number: 11935633
    Abstract: The present invention relates to a system and method of provisioning mobile device security settings to provide authorized users with secure access. The system and method uses a generated, computer-readable authentication code that is read by a mobile device. The authentication code enables an unprovisioned mobile device to request security credentials to enable a user of the mobile device to connect to a secured system.
    Type: Grant
    Filed: October 24, 2014
    Date of Patent: March 19, 2024
    Assignee: Epic Systems Corporation
    Inventors: Janet L. Campbell, Michael R. Epley, Dustin Gage, Brian Weisberger
  • Patent number: 11936648
    Abstract: Methods and apparatus for allowing an individual to preserve his/her privacy and control the use of the individual's images and/or personal information by others, without disclosing the identity of the individual to others, are described. In various embodiments the individual seeking privacy provides his/her identifying information, images, and sharing preferences indicating desired level of privacy to a control device which is then stored in a customer record. The control device can be queried to determine if an image or other information corresponds to a user who has restricted use of his/her image or other information in a public manner. Upon receiving a query, the control device determines using the stored customer record whether an individual has authorized use of his or her image. Based upon the determination, a response is sent to the querying device indicating whether the use of the image and/or individual's information is authorized.
    Type: Grant
    Filed: August 8, 2021
    Date of Patent: March 19, 2024
    Assignee: Cecelumen, LLC
    Inventor: James S Buscemi
  • Patent number: 11937127
    Abstract: A device may include a processor configured to establish a data traffic flow for a user equipment (UE) device and determine per flow descriptor attributes associated with the data traffic flow, wherein the per flow descriptor attributes identify at least a source, a destination, and a protocol associated with the data traffic flow. The processor may be further configured to determine at least one additional per flow descriptor attribute for the data traffic flow and send the per flow descriptor attributes and the at least one additional per flow descriptor attribute to a network exposure device of a core network, wherein the network exposure device is configured to communicate with servers outside the core network.
    Type: Grant
    Filed: September 6, 2022
    Date of Patent: March 19, 2024
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: David Taft, Nicklous D. Morris, Parry Cornell Booker, Ye Huang, Jerry Steben, Maqbool Chauhan, Kalyani Bogineni
  • Patent number: 11936653
    Abstract: A solution is proposed for reviewing a control of access in an information technology system. A corresponding method comprises retrieving an indication of granted accesses to objects, being granted to subjects according to policies based on attributes. Virtual roles (each defined by one or more of the attributes) are determined according to a correlation among access types of the granted accesses and the attributes of the subjects being granted them. A computer program and a computer program product for performing the method are also proposed. Moreover, a system for implementing the method is proposed.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: March 19, 2024
    Assignee: International Business Machines Corporation
    Inventors: Leonardo Rosati, Alberto Novello, Fabrizio Petriconi, Anna Filomena Bufi
  • Patent number: 11929984
    Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: March 12, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Hanes, Gonzalo Salgueiro, Sebastian Jeuk, Robert Edgar Barton
  • Patent number: 11930025
    Abstract: A device that is configured to receive user activity information that includes information about user interactions with a network device for a plurality of users. The device is further configured to input the user activity information into a first machine learning model that is configured to receive user activity information and to output a set of bad actor candidates based on the user activity information. The device is further configured to filter the user activity information based on the set of bad actor candidates. The device is further configured to input the filtered user activity information into a second machine learning model that is configured to receive the filtered user activity information and to output system exposure information that identifies network security threats. The device is further configured to identify network security actions based on the network security threats and to execute the network security actions.
    Type: Grant
    Filed: April 15, 2021
    Date of Patent: March 12, 2024
    Assignee: Bank of America Corporation
    Inventors: Daniel Joseph Serna, Marcus Raphael Matos, Patrick N. Lawrence, Christopher Lee Danielson