Abstract: A comprehensive system for chain-of-custody for hardware devices and their components. Specifically, as the components, assemblies and the hardware device are manufactured and/or assembled, non-fungible tokens (NFTs) are generated for each component, assembly and the overall hardware device that indicate that the component, assembly or hardware device is in a certified/verified good state (i.e., have not been tampered with). The NFTs are generated using measured authenticity characteristics (e.g., electro-magnetic, heat, weight, dimensions and the like) of a corresponding component, assembly or hardware device as at least a portion of the input to the hash algorithm. The NFTs are subsequently communicated to a distributed trust computing network at which the nodes converge to verify an authenticity and certifiable state of the NFT, and blocks of data are generated within distributed ledgers that store the verified NFT.

Abstract: According to various embodiments, a method for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and Internet of Things (IoT) devices is disclosed. The method includes constructing an attack directed acyclic graph (DAG) from a plurality of regular expressions, where each regular expression corresponds to control-data flow for a known CPS/IoT attack. The method further includes performing a linear search on the attack DAG to determine unexploited CPS/IoT attack vectors, where a path in the attack DAG that does not represent a known CPS/IoT attack vector represents an unexploited CPS/IoT attack vector. The method also includes applying a trained machine learning module to the attack DAG to predict new CPS/IoT vulnerability exploits. The method further includes constructing a defense DAG configured to protect against the known CPS/IoT attacks, the unexploited CPS/IoT attacks, and the new CPS/IoT vulnerability exploits.

Abstract: A Data Leakage Prevention (DLP) device and a method for processing a packet are disclosed. The DLP device receives an IP packet sent by a user device, wherein the IP packet includes TCP port information; and detects whether a first TCP connection is established between the DLP device and the user device. If the first TCP connection is not established, when the IP packet is a data packet, an application layer protocol for transmitting the IP packet is determined by comparing a packet feature of the IP packet with packet features corresponding to respective application layer protocols. When the application layer protocol for transmitting the IP packet is listened to, a pair of TCP connections is established according to the TCP port information, wherein the pair of TCP connections includes the first TCP connection and a second TCP connection between the DLP device and a server.

Abstract: Aspects of the present disclosure describe a method and a system to support execution of the method to perform a cryptographic operation involving identifying an N-word number, X=XN?1 . . . X1Xo, to be squared, performing a first loop comprising M first loop iterations, wherein M is a largest integer not exceeding (N+1)/2, each of the M first loop iterations comprising a second loop that comprises a plurality of second loop iterations, wherein an iteration m of the second loop that is within an iteration j of the first loop comprises computing a product Xa*Xb of a word Xa and a word Xb, wherein a+b=2j+m, j?0 and m?0, and wherein all second loops have an equal number of second loop iterations.

Abstract: A password-less authentication system and method include registering a contactless card of a client with an application service and binding the contactless card to one or more client devices. The contactless card advantageously stores a username and a dynamic password. Accesses by the client to the application service may be made using any client device, and authentication of the accesses may be performed by any client device that includes a contactless card interface and can retrieve the username and dynamic password pair from the contactless card. By storing the username on the card, rather than requiring user input, application security improved because access to and knowledge of login credentials is limited. In addition, the use of a dynamic password reduces the potential of malicious access.

Abstract: A screen unlocking method and apparatus, and a computer device and a storage medium. The method comprises: obtaining interactive information generated when a user performs a predetermined operation; dynamically updating the generated interactive information to a pre-built interactive information database; upon receiving a screen unlocking request, invoking first interactive information in the database according to a first predetermined mode; generating an unlock tag according to said first interactive information; generating, according to the unlock tag, multiple interference tags that are different from the unlock tag; and sending the unlock tag and the multiple interference tags to a terminal device for display, receiving a user's operation for triggering the unlock tag, and unlocking a screen.

Abstract: Some examples of the present disclosure relate to infusing custom qualities into an artificially intelligent entity. In one example, a system can initiate execution of a smart contract that is configured to generate a correlation between a second non-fungible token (NFT) and a first NFT. The first NFT can include personality fields with default values defining default personality characteristics for an artificially intelligent entity. The second NFT can include a personality field with a customized value defining a customized personality characteristic assignable to the artificially intelligent entity. The correlation can be configured to impart the customized personality characteristic to the artificially intelligent entity.

Abstract: Embodiments provide techniques for managing access to files on a computing system. An example method generally includes receiving, from an application, a request by a user to access a specified file on a file system through the application. A permission record is retrieved from a permission repository based on information about the application, the user, and the specified file. A determination is made of whether the user has permission to access a directory in the file system in which the specified file is located, and a determination is made of whether the application is allowed to access the specified file. Based on determining that the user has permission to access the directory in which the specified file is located and determining that the application has permission to access the specified file, the specified file is retrieved from the directory, and the application is granted access to the specified file.

Abstract: Disclosed herein are systems and methods for processing personal data by application of policies. In one aspect, an exemplary method comprises, by the network infrastructure component, analyzing communication protocols between an IoT device and the network infrastructure component, identifying at least one field that contains personal data, for each identified field, analyzing the identified field using personal data processing policies uploaded to the network infrastructure component, and applying the personal data policies for enforcement.

Abstract: One example method, includes checking, by an intelligent time detector service running on a computing system, a trial period duration of software on the computing system, starting, by the intelligent time detector service, a counter for the software, and the counter is operable to generate a counter value based on a clock of the computing system, storing, by the intelligent time detector service, a counter value of the counter, and decommissioning, by the intelligent time detector service, the software after the trial period has expired.

Abstract: The performance of quantum key distribution by systems and methods that use wavelength division multiplexing and encode information using both wavelength and polarization of photons of two or more wavelengths. Multi-wavelength polarization state encoding schemes allow ternary-coded digits, quaternary-coded digits and higher-radix digits to be represented by single photons. Information expressed in a first radix can be encoded in a higher radix and combined with a string of key values to produce a datastream having all allowed digit values of that radix in a manner that allows eavesdropping to be detected without requiring the sender and receiver to exchange additional information after transmission of the information.

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

Abstract: A method of detecting anomalous user behavior in a cloud environment includes calculating a first vector that is representative of actions taken during a plurality of previous time intervals; calculating a similarity between the first vector and a second vector that comprises counts of actions taken by the user during a current time interval; comparing the similarity to a baseline threshold to determine whether one or more anomalous actions have occurred; and generating an alert based at least in part on a determination that the one or more anomalous actions have occurred in the cloud environment.

Abstract: This present disclosure generally relates to managing encrypted network traffic using Domain Name System (DNS) responses. One example includes requesting an address; receiving a response from the resolution server including one or more addresses associated with the domain name; associating with the domain name a particular address selected from the received one or more addresses; receiving a request to resolve the domain name; sending a response to the request to resolve the domain name, the sent response including the particular address associated with the domain name; receiving a secure request for a resource, the secure request directed to the particular address associated with the domain name; and determining that the secure request is directed to the domain name based on the association between the particular address and the domain name.

Abstract: This disclosure describes a group-based communication system comprising a group-based communication server and a group-based communication repository. The group-based communication server manages access control parameter discrepancies between a group-based communication channel and a requested resource that is disposed in communication with the group-based communication channel.

Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.

Abstract: A system for generating a symmetric key to allow the sharing of information between two entities, wherein the shared information is used to start a server and the symmetric key is established from the private key of a first client and the public key of a second client and for use in a symmetric encryption methodology to encrypt information for transport to the second entity, allowing the second entity to form the same symmetric key to decrypt information with no key transport required.

Abstract: A technique to protect a cloud database located at a database server and accessible from a database client. In this approach, a communication associated with a database session is intercepted. A hostname or network address associated with the communication is then evaluated to determine whether such information can be found in or otherwise derived from data in a database protocol packet associated with the database session. The information typically is placed there unavoidably by the cloud database client and normally cannot be spoofed by a process that does not understand or speak the proper database protocol semantics. Upon a mismatch, the database session is flagged as being potentially associated with a man-in-the-middle (MITM), in which case a given action may then be taken with respect to the database session that is then active. The technique provides for a MITM checkpoint in a cloud database service environment.

Abstract: A scheduler is used to control a target data processing unit among a plurality of data processing units in order to receive a target data block that is to be encrypted. Each of the plurality of data processing units is able to independently complete an encryption operation associated with Advanced Encryption Standard (AES) for a data block. A ciphertext data block corresponding to the target data block is generated, including by performing the encryption operation associated with AES on the target data block using the target data processing unit.

Abstract: A method in one embodiment creates a model of an authentic IC for use in comparisons with counterfeit ICs. The model can be created by determining a first or initial set of points of interest (POIs) on the simulated physical (e.g., gate level) layout and simulating side channel leakage from each POI and then expanding the size of the POI and repeating the simulation and comparing successive simulation results (between successive sizes of POIs for a given POI) to determine if a solution for the size of the POI has converged. The final POIs are then processed in a simulation that can use multiple payloads (e.g., cryptographic data) over the entire set of final POIs, and the resulting data set can be used to create the model.