Abstract: Provided is a method for transferring data in a topic-based publish-subscribe system, including a key distribution server and a number of local client systems that can be coupled to the key distribution server, including: providing a group key by the key distribution server for a group selected from the local client systems, locally deriving a first-order sub-group key for a first-order subgroup of the group by key derivation parameters at least comprising the provided group key and a certain topic of the publish-subscribe system by means of the particular client system of the first-order sub-group, and transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. Differentiation within group communication according to topic by specific cryptographic keys is thereby enabled.

Abstract: A method, system, and computer program product for detecting a network application security question is provided. The method includes receiving permission to access social media sources of a user. The social media sources and Internet based sources of the user are monitored in response to receiving the permission and associated data is generated and stored. A request for access to a secure account of the user is received and a list of security questions is presented to the user. The list of security questions is analyzed with respect to the data and each security question is ranked. An answer to a question of the list is received and analyzed and security attributes of the answer with respect to a potential malicious attempt to provide a predicted answer to for access to secure account are determined. A resulting security process with respect to enabling access to the secure account is executed.

Abstract: In accordance with the invention there may be provided a method and corresponding system for controlling the performance of a process conducted via a blockchain. The blockchain may or may not be the Bitcoin blockchain. The process may be a lending process. Advantageously, the invention provides a mechanism which enables the ultimate owner of a property or other asset to borrow funds against that asset, and sets out how this can be achieved in a manner which does not require the return to the investor(s) to be determined through the payment of interest. This makes it compliant with non-interest forms of lending. The invention provides a blockchain-implemented method (and corresponding system) of embedding data in a blockchain transaction (Tx). The method comprises the steps of deriving a public-key-private key cryptographic pair for the data; deriving a signature for the data using the public key-private key cryptographic pair; codifying the data to generate codified metadata for the data.

Abstract: Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack.

Abstract: A method for detecting anomalies in a computer network, in which a message transmitted over the computer network is received or recorded by a node of the computer network; based on at least the message, it is checked by a detection mechanism of the node whether the anomalies have occurred, and an occurrence of the anomalies is either confirmed or refuted according to a predefined detection rule of the detection mechanism.

Abstract: Various embodiments provide an approach to detect intrusion of connected IoT devices. In operation, features associated with behavioral attributes as well as volumetric attributes of network data patterns of different IoT devices is analyzed by means of statistical analysis to determine deviation from normal operation data traffic patterns to detect anomalous operations and possible intrusions. Data from multiple networks and devices is combined in the cloud to provide for improved base models for statistical analysis.

Abstract: A third-party server, delegated by organizations to manage application environment, may maintain a plurality of guided workflow plans. At least one of the guided workflow plans may include one or more steps associated with setting up an interaction control policy. The third-party server may receive an interaction report associated with the organization. The interaction report may include metadata of one or more devices that interacted with other devices. The third-party server may identify a particular device to which existing interaction control policies of the organization are inapplicable. The third-party server may search for additional out-of-band information of the particular device using the metadata in the interaction report. The third-party server may select an applicable guided workflow plan for setting up an applicable interaction control policy for the particular device. A guided workflow may be presented via a graphical user interface according to the applicable guided workflow plan.

Abstract: A system for exchanging authentication data between edge-nodes is provided. The system may include an edge-node network. The network may include a plurality of edge-nodes. Each edge-node may include a pairing module. Each pairing module may receive an instruction to pair with another edge-node. Each pairing module pair with another edge-node. The pairing module may continually transmit verification communications to other edge-nodes. The pairing module may continually discover responsive communications from other edge-nodes. The pairing module may continually receive responsive verification communications from other edge-nodes. Each edge-node may include an executable module. The executable module may determine occurrence of an event. Upon determination of the occurrence of an event, the executable module may analyze a stored event protocol. The protocol including an algorithm for implementing executables in response to an event.

Abstract: Provided are a system and a method for secure access to data, where the data comprises a number of data records each assigned to an entity, such as a user, and where the data records are stored in encrypted form in a database. A first decryption key assigned to a particular entity is used to decrypt the data records assigned to the particular entity. The first decryption keys are stored in a volatile memory, and the first decryption keys assigned to the particular entity are encrypted by an encryption key assigned to the particular entity, and the encrypted first decryption keys are stored in a permanent memory. After the volatile memory is cleared, the encrypted first decryption keys are copied from the permanent memory into the volatile memory, and in the volatile memory, the first decryption keys are decrypted by a second decryption key assigned to the particular entity.

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

Abstract: An analysis apparatus has a transfer path matching unit that is provided with a real browser log La and a browser emulator log Lb as input and identifies, as a specific transfer path, a transfer path that is not transferred to a malicious URL on a pseudo-browser where the transfer path is transferred to the malicious URL on a real browser, based on the malicious URL information in a malicious URL database, and an analysis avoidance code identification unit that identifies an analysis avoidance code that avoids analysis by utilizing a browser-specific function or an implementation difference between the real-browser and the pseudo-browser, among script codes that are executed on a website, based on the specific transfer path.

Abstract: Video content is processed for delivery using an automated process that allows for convenient packaging of encrypted or digital rights management (DRM) protected content in a manner such that the packaged content can be efficiently stored in a content delivery network (CDN) or other content source for subsequent re-use by other media clients without re-packaging, and without excessive storage of unused content data.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for handling data including images with privacy-sensitive data. In one aspect, a method may include recognizing privacy-sensitive sub-image(s) in an acquired or captured image. The sub-image(s) can be included in a second image that is encrypted. The acquired image can be changes by obscuring the privacy-sensitive sub-image(s) of the acquired image so as not to reveal any personal identifiable information.

Abstract: Scanning a virtual disk image for malware without fully extracting the virtual disk image is described herein. An embodiment operates by receiving a selection of a virtual disk image. Virtual storage is initialized based on the virtual disk image. An appliance is launched, and the appliance is configured to access the virtual disk image via the virtual storage. The virtual disk image is scanned for malware using an anti-virus program such that the virtual disk image does not have to be fully extracted. During scanning, on-the-fly decompression, de-deduplication, decryption, and other operations are performed to translate read requests for content on the virtual disk image into raw disk data for the antivirus program.

Abstract: A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores cryptographically protected data, an identity management contract and identity stewards specifying individuals to administer the identity management contract. The memory stores instructions executed by the processor to receive a request to identify a legal identity for a digital identity, collect from certain networked machines, via the network interface circuit, consent from the identity stewards, where the consent includes cryptographic identity packets. The cryptographic identity packets are combined to render the legal identity for the digital identity. Transaction data specifying the legal identity for the digital identity is supplied. The transaction data is recorded to a distributed ledger associated with at least a subset of the networked machines.

Abstract: An embodiment of a semiconductor apparatus may include technology to receive data with a unique identifier, and bypass encryption logic of a media controller based on the unique identifier. Other embodiments are disclosed and claimed.

Abstract: The present disclosure relates to systems and methods that provide a reconfigurable cryptographic coprocessor. An example system includes an instruction memory configured to provide ARX instructions and mode control instructions. The system also includes an adjustable-width arithmetic logic unit, an adjustable-width rotator, and a coefficient memory. A bit width of the adjustable-width arithmetic logic unit and a bit width of the adjustable-width rotator are adjusted according to the mode control instructions. The coefficient memory is configured to provide variable-width words to the arithmetic logic unit and the rotator. The arithmetic logic unit and the rotator are configured to carry out the ARX instructions on the provided variable-width words. The systems and methods described herein could accelerate various applications, such as deep learning, by assigning one or more of the disclosed reconfigurable coprocessors to work as a central computation unit in a neural network.

Abstract: A method for converting data on a computer from an original encrypted format to a new encrypted format without exposing the data in a decrypted state during the conversion process. The computer(s) is locked during the conversion process. The computer data is now re-encrypted to the new format, the original encryption is then removed, and the new encryption software is applied. Finally, the computer with its newly-encrypted data is unlocked for normal usage.

Abstract: A constrained device includes an exterior surface affixed with a public key associated with the constrained device. Alternatively, or in addition, the public key may be included in a container that stores the constrained device. The constrained device also includes memory, which stores a private key, wherein the private key corresponds to the public key that is affixed on the exterior surface of the constrained device. By displaying the public key on the constrained device, a system administrator may document the public key and related information about the device and its intended role in the network without requiring any human interface or any establishment of power or network at the installation site.

Abstract: A method for authorizing execution of a first action is disclosed. The method includes: receiving, from a first client server having access to a human resources database of an organization, a first employee structure indicating an employee status associated with each of one or more employees of the organization; receiving, from a requesting device, a first request to execute a first action; generating a second request to obtain approvals for executing the first action; and selectively transmitting the second request to one or more first employees of the organization, the one or more first employees being identified based on the first employee structure.