Patents Examined by Carl G. Colin
  • Patent number: 11411728
    Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic attributes for deriving at least one of the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: August 9, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Nathaniel Philip McCallum, Peter M. Jones, John David Strunk
  • Patent number: 11403411
    Abstract: In one embodiment, a traffic analysis service that monitors a network obtains file metadata regarding an electronic file. The traffic analysis service determines a sensitivity score for the electronic file based on the file metadata. The traffic analysis service detects the electronic file within traffic in the network. The traffic analysis service causes performance of a mitigation action regarding the detection of the electronic file within the traffic, based on the sensitivity score of the electronic file.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: August 2, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Chris Allen Shenefiel, Robert Waitman, David McGrew, Blake Harrell Anderson
  • Patent number: 11388192
    Abstract: A verification server comprising a memory and a processor programmed to execute instructions stored in the memory. The instructions include receiving a link registration request including a third-party link to a third-party server, validating the third-party server as a result of receiving the link registration request, generating a unique code as a result of validating the third-party server, and generating a custom link that includes the unique code.
    Type: Grant
    Filed: July 9, 2018
    Date of Patent: July 12, 2022
    Assignee: Blackberry Limited
    Inventor: Adam John Boulton
  • Patent number: 11372961
    Abstract: The present disclosure relates to a method and device for assigning application usage permission. The method includes: collecting a first image of a current first user, and when it is recognized that a target application is enabled, judging whether the first image matches a target image corresponding to the target application (S101); if yes, assigning all usage permissions of the target application to the current first user (S102); if not, judging whether there is a first stranger image matching the first image successfully (S103); if yes, assigning a corresponding usage permission of the target application to the current first user according to a collection count corresponding to the first stranger image and a usage permission corresponding to a collection count range threshold (S104); and if not, not assigning the usage permission of the target application to the current first user (S105).
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: June 28, 2022
    Assignee: Gree Electric Appliances (Wuhan) Co., Ltd
    Inventors: Pengfei Xu, Ping Yang
  • Patent number: 11372985
    Abstract: Systems and methods for intelligent display of content are disclosed herein. According to one illustrative method, a computing device camera captures an image of a face. The control circuitry determines, based on the captured image, whether at least a portion of the face is directed toward a computing device display. The control circuitry retrieves, from a memory, a rule specifying criteria for determining whether to block or permit presentation of content based on whether one or more faces are directed toward the display. The control circuitry determines, based on the rule and whether at least a portion of the face is directed toward the display, whether to block or permit the presentation of the content, and blocks or permits the presentation of the content via the computing device based on a result of the determining.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: June 28, 2022
    Assignee: Rovi Guides, Inc.
    Inventors: Jing Sun, Yunbo Tang
  • Patent number: 11374940
    Abstract: According to certain implementations, a permissions gateway receives an access request indicating multiple sets of secured data that include high-granularity data stored on multiple secured data repositories. The access request is compared to a permission set with multiple consent parameters, which indicate access types for the secured data. Based on a comparison of the access request to a permission set, the permissions gateway queries a first data repository for a high-granularity dataset that includes a portion of the high-granularity data, and queries a second data repository for a low-granularity dataset that includes a summary of part of the high-granularity data. The permissions gateway generates a multi-granularity response to the access request, based on a combination of the high-granularity dataset and the low-granularity dataset.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: June 28, 2022
    Assignee: EQUIFAX INC.
    Inventors: Rajkumar Bondugula, Christopher Yasko
  • Patent number: 11368496
    Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: June 21, 2022
    Assignee: Zscaler, Inc.
    Inventors: Peter Nahas, Peter Smith, Harry Sverdlove, John O'Neil, Scott Laplante, Andriy Kochura
  • Patent number: 11368474
    Abstract: Analyzing and reporting anomalous internet traffic data by accepting a request for a connection to a virtual security appliance, collecting attribute data about the connection, applying an alert module to the data, and automatically generating an alert concerning an identified incident. An alert system for analyzing and reporting the anomalous internet traffic data. A processor to analyze and report anomalous internet traffic data.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: June 21, 2022
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Wah-Kwan Lin, Vasudha Shivamoggi
  • Patent number: 11368311
    Abstract: Some embodiments are directed to a dealer device for batch-wise provisioning of preprocessing information for a multiparty computation and an evaluator device for batch-wise distributed verification with one or more other evaluator devices of the preprocessing information. The preprocessing information comprises multiple random values and multiple message authentication codes for blinding and integrity checking respectively in the multi-party computation. The multiple random values and a set of proof values together define a checking polynomial. The dealer device computes proof values wherein the checking polynomial is identical to zero. The evaluator device obtains secret-shares of the random values, proof values, and message authentication codes.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: June 21, 2022
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventor: Meilof Geert Veeningen
  • Patent number: 11341271
    Abstract: Disclosed are embodiments for information barriers that are conditional on the type of information being communicated. Information barrier policies provided by the disclosed embodiments selectively allow communication between accounts or groups based on characteristics of the content of the communication. For example, communication between a marketing department and an engineering department may be conditional on the communication not including any sensitive information. The determination of whether the communication includes sensitive information is further designed to provide good performance even in environments that maintain substantial portions of data in an offsite or cloud environment, where latencies associated with searching large datastores can be prohibitive.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: May 24, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jinghua Chen, Avinash G. Pillai, Jovin Vasanth Kumar Deva Sahayam Arul Raj, Dhanasekaran Raju, Apsara Karen Selvanayagam
  • Patent number: 11321382
    Abstract: A framework is provided in which a querying agency can request (via a query entity) encrypted data through a service provider from a data owning agency that stores encrypted data. The framework uses homomorphic encryption. The data may be gallery entities, and each of the elements in the framework operates on doubly-encrypted information. The service provider compares a representation of an encrypted query entity from the querying agency and representations of encrypted gallery entities from the data owning agency, resulting in doubly-encrypted values of a metric between corresponding compared representations. The querying agency gets result(s), based on the metric, which indicate whether it is probable the service provider has data similar to or the same as query data in the query entity. The elements have to perform communication in order for the querying agency or the data owning agency to get cleartext information corresponding to the query entity.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: May 3, 2022
    Assignee: International Business Machines Corporation
    Inventors: Sharathchandra Pankanti, Karthik Nandakumar, Nalini K. Ratha, Shai Halevi
  • Patent number: 11308237
    Abstract: A method, at a terminal in a digital communications network, comprising: establishing direct or indirect communication access and linkage between the user-operated terminal and at least one remote computer(s) on which are stored, or by which access is available to prevent legible display of, stored user account object data; displaying indicia, or broadcasting data, representative of or indicating one or more predetermined criteria for selecting a subset of the stored user account object data; collecting data, representative of, or indicating, only the subset of the stored user account object data; and transmitting instructions to prevent legible display of the subset of the stored user account object data, according to the collected data representative of, or indicating, the one or more predetermined criteria for selecting the subset of the stored user account object data, from the terminal to the at least one remote computer(s). A terminal, system, and computer readable medium are also disclosed.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: April 19, 2022
    Inventor: Benjamin Ashley Smyth
  • Patent number: 11310237
    Abstract: A system includes at least one processor to receive training data and generate at least one machine learning rule based on the training data to apply when a condition occurs, continually monitor at least one resource associated with a computing network for the condition in the computing network that may trigger an authorization control modification, the condition comprising one of an active project that uses the at least one resource, a security alert level change, a resource locality change, metadata associated with the condition, a skill assessment, and a business state analysis, determine that the condition has occurred in the computing network, and dynamically and automatically modify a user authorization control for at least one particular user responsive to the machine learning rule.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: April 19, 2022
    Assignee: Cobalt Iron, Inc.
    Inventors: Richard Raymond Spurlock, Robert Merrill Marett, Gregory John Tevis
  • Patent number: 11301588
    Abstract: A method, at a terminal in a digital communications network, comprising: establishing direct or indirect communication access and linkage between the user-operated terminal and at least one remote computer(s) on which are stored, or by which access is available to prevent legible display of, stored user account object data; displaying indicia, or broadcasting data, representative of or indicating one or more predetermined criteria for selecting a subset of the stored user account object data; collecting data, representative of, or indicating, only the subset of the stored user account object data; and transmitting instructions to prevent legible display of the subset of the stored user account object data, according to the collected data representative of, or indicating, the one or more predetermined criteria for selecting the subset of the stored user account object data, from the terminal to the at least one remote computer(s). A terminal, system, and computer readable medium are also disclosed.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: April 12, 2022
    Inventor: Benjamin Ashley Smyth
  • Patent number: 11297089
    Abstract: Systems, methods, and software can be used to provide secure sensor data. In some aspects, a computer-implemented method includes: receiving, at a sensor security evaluation application executing on a device, sensor data from a sensor on the device; determining, by the sensor security evaluation application, a security confidence score associated with the sensor data; and transmitting, from the sensor security evaluation application, the security confidence score and the sensor data to a smart machine processor on the device.
    Type: Grant
    Filed: May 2, 2018
    Date of Patent: April 5, 2022
    Assignee: BlackBerry Limited
    Inventor: Adam John Boulton
  • Patent number: 11283626
    Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: March 22, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Gang Lian, Sampo Sovio, Taisheng Deng, Xiaopu Wang, Zongbo Ye
  • Patent number: 11228563
    Abstract: Systems and methods for implementing a micro firewall in a mobile application are provided here. Firewall logic can be injected or provided to a mobile application. The firewall logic can provide one or more rules for processing network traffic from application programming interfaces (APIs) of the mobile application. The mobile application having the firewall logic can be made available for installation on a mobile device. The mobile application having the firewall logic can be provided or installed on to a mobile device. During execution of the mobile application, the firewall logic of the mobile application can hook a plurality of API calls of the mobile application relevant to network traffic. The firewall logic can apply one or more rules of the firewall logic to process network traffic corresponding to an API call of the plurality of API calls of the mobile application.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: January 18, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Jeffrey David Wisgo
  • Patent number: 11218384
    Abstract: A new interact procedure among a user equipment, an infrastructure provider, a virtual network operator and a corresponding access node and a corresponding access point is provided. Thus, the vWLAN can be created and deleted dynamically for the virtual network operator, such that the vWLAN of the virtual network operator can be utilized efficiently. Thereby, the virtual network operator can deploy its vWLANs in the hotspots dynamically according to the requirement. The flexibility is enhanced, while the requirement for the virtual network operator and actual subscription is met.
    Type: Grant
    Filed: May 30, 2016
    Date of Patent: January 4, 2022
    Assignee: Alcatel Lucent
    Inventors: Haibo Wen, Shuigen Yang, Kaibin Zhang
  • Patent number: 11218456
    Abstract: A vehicle-oriented service providing system includes an in-vehicle device configured to receive commands applied to a control device inside the vehicle, a vehicle information server configured to transmit the commands to the in-vehicle device, and a push information server configured to mediate the transmission of the commands from the vehicle information server to the in-vehicle device. In the commands, a security level prescribed in advance for each of the commands is set. The vehicle information server performs encryption corresponding to the security level on the commands, and requests the push information server for transmission. The in-vehicle device is configured to wait for commands from the push information server. The in-vehicle device is configured to decrypt the received encrypted commands, and solely when encryption corresponding to a security level equal to or higher than the security level set in advance in the commands is performed, execute the commands.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: January 4, 2022
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventor: Masashi Nakagawa
  • Patent number: 11190515
    Abstract: A system that includes a threat management server configured to store a device log identifying device information for endpoint devices that have passed authentication. The threat management server is configured to determine that first device information for an endpoint device obtained from a switch and second device information for the endpoint device from the device log file do not match, and, in response, block the endpoint device from accessing a network. The switch is operably coupled to the threat management server and configured to collect the first device information for the endpoint device and send it to the threat management engine.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: November 30, 2021
    Assignee: Bank of America Corporation
    Inventors: Rahul Isola, Jeremiah S. Nicholson