Patents Examined by Hee K Song
  • Patent number: 11977654
    Abstract: Embodiments relate to data storage systems and data processing systems using a data hub, connector grid, and channel services. The systems can extract raw data from a plurality of source systems, and load and store the raw data at a data hub implemented by a non-transient data store. The systems can receive a request to generate data for consumption and, in response, transmit generated data sets to channel services. The system can implement event detection and logging. The system can implement policy enforcement and identity management with access controls.
    Type: Grant
    Filed: June 10, 2022
    Date of Patent: May 7, 2024
    Assignee: BANK OF MONTREAL
    Inventors: Iouri Mikhailov, Ching Leong Wan
  • Patent number: 11972030
    Abstract: In described examples, a method of routing messages in a system on a chip (SoC) includes a secure message router receiving a message including a content, an identifier of the message's sending (origin) functional block and/or of a receiving (destination) functional block, a message secure value, a promote value, and a demote value. A context corresponding to the identifier is retrieved from a memory. The context includes an allow promote value and an allow demote value. The message secure value is increased if the promote value requests the increase and matches the allow promote value. The message secure value is decreased if the demote value requests the decrease and matches the allow demote value. Cleartext corresponding to the content is made accessible by the destination if the context secure value matches the message secure value. The message is then outputted from the secure message router to the destination.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: April 30, 2024
    Assignee: Texas Instruments Incorporated
    Inventors: Amritpal Singh Mundra, Eric Lasmana
  • Patent number: 11972035
    Abstract: Aspects of a storage device including a memory and a controller are provided. The controller can receive a data stream from a host device, the data stream indicating a plurality of encryption keys associated with the data stream, and segregate the data stream into a plurality of data stream portions based on the plurality of encryption keys. The controller can encode the plurality of data stream portions into a plurality of encoded data stream portions with the plurality of encryption keys. The controller also can generate a mapping indicating an association between each of the plurality of encryption keys with a respective one of the plurality of encoded data stream portions. Thus, the controller may store the plurality of encoded data stream portions and the plurality of encryption keys in the memory based on the mapping, thereby improving security access to data stored in the storage device.
    Type: Grant
    Filed: March 24, 2021
    Date of Patent: April 30, 2024
    Assignee: WESTERN DIGITAL TECHNOLOGIES, INC.
    Inventor: Ramanathan Muthiah
  • Patent number: 11971964
    Abstract: The system and methods described allow a content delivery application to provide temporary access to a content item for display on a content access device based on a user obtaining access to the content item initially on another system. The content delivery application receives a content accessed confirmation that a user accessed a content item and then monitors whether that access was interrupted. If the access was interrupted, the content delivery application generates a content access bookmark based on a content timeline and stores a content access authorization comprising the content access bookmark and an identifier from the profile. When the user requests the content item, the content delivery application transmits access information corresponding to segments of the content item, based on the content access bookmark, to a user's device.
    Type: Grant
    Filed: July 23, 2021
    Date of Patent: April 30, 2024
    Assignee: Rovi Guides, Inc.
    Inventors: Jose Eduardo del Valle Diharce, Benjamin Harden
  • Patent number: 11968300
    Abstract: A data extraction system includes a registration apparatus, a data storage apparatus, and a query apparatus. The registration apparatus generates registration data including first information obtained by encrypting secret information, which is information that a user wishes to keep secret, by using a secret key and second information obtained by encrypting the secret key by using at least biological information of the user. The data storage apparatus holds the registration data. The query apparatus acquires the registration data by generating a query for acquiring the registration data from the data storage apparatus, extracts the secret key from the registration data by using biological information of the user, and extracts the secret information from the registration data by using the extracted secret key.
    Type: Grant
    Filed: August 23, 2022
    Date of Patent: April 23, 2024
    Assignee: NEC CORPORATION
    Inventors: Toshiyuki Isshiki, Haruna Higo, Kengo Mori
  • Patent number: 11947638
    Abstract: This application relates to apparatus and methods for automatically determining and enforcing user permissions for applications and application features. In some embodiments, a system includes a server and a user device. The server may determine a user of the user device based on receiving login credential data. The server may further obtain user attributes for the user including, in some examples, a location of the user. The server may further obtain an attribute-based control policy that identifies relationships between a plurality of possible user attributes. For example, the control policy may identify attribute requirements that must be met for enablement of a particular application feature. Additionally, the server may determine user permissions for the user based on the control policy and the user attributes. The server may transmit the user permissions to the user device, and the user device configures the corresponding application according to the user permissions.
    Type: Grant
    Filed: January 19, 2023
    Date of Patent: April 2, 2024
    Assignee: Walmart Apollo, LLC
    Inventors: Danika Alleen Goecke, Amanda Lamberti Ragone, David Chen, Bradley Wayne Norman
  • Patent number: 11943348
    Abstract: Cryptographic techniques are disclosed which employ at least a five-pass protocol (5PP) for a cryptographic exchange of a secret data matrix between two computer systems. This 5PP approach improves the functioning of the computer systems by making their encrypted communications more resistant to potential quantum computing-based attacks while still resisting brute-force attacks by eavesdroppers. For example, the 5PP approach can be used to improve public-key cryptography. The system may comprise a first computer system and a second computer system, where a secret data matrix is known by the first computer system but is not shared with the second computer system in unobscured form.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: March 26, 2024
    Assignee: Q-Net Security, Inc.
    Inventors: Jeremiah Cox O'Driscoll, Jerome R. Cox, Jr.
  • Patent number: 11924170
    Abstract: The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: March 5, 2024
    Assignee: Ping Identity Corporation
    Inventors: Udayakumar Subbarayan, Bernard Harguindeguy, Anoop Krishnan Gopalakrishnan, Nagabhushana Angadi, Ashwani Kumar, Santosh Sahu, Abdu Raheem Poonthiruthi, Avinash Kumar Sahu, Yasar Kundottil
  • Patent number: 11924172
    Abstract: Methods for establishing a stateless extranet in a secure communication network include transmitting a consumer NHOP to a provider CPE from a consumer CPE in a control plane. The consumer NHOP is associated with at least one attribute of an NHOP, including an encryption key available with the consumer CPE, to establish a secure communication tunnel in a data plane. The consumer CPE receives a service definition over the control plane associated with a service available with the provider CPE. A service anchor point is created based on an identifier of the service definition. A network address translation (NAT) IP request is transmitted to the provider CPE. The consumer CPE receives a NAT IP from the provider CPE in response to the NAT IP request. The NAT IP is associated with the service anchor point of the consumer CPE. A stateless service is thereby instantiated on the consumer CPE.
    Type: Grant
    Filed: October 27, 2021
    Date of Patent: March 5, 2024
    Assignee: GRAPHIANT, INC.
    Inventors: Stefan Olofsson, Neale Ranns, Mandeep Rohilla, IJsbrand Wijnands, Cameron Ferdinands
  • Patent number: 11917051
    Abstract: A computer-implemented access method is provided. The method comprises the steps of: (i) providing a verification data item of a one-way function chain of data items; (ii) submitting, to a blockchain (such as the Bitcoin blockchain), an access blockchain transaction comprising a data item of the chain; (iii) applying the one-way function to the data item to provide an output; (iv) comparing the output of step (iii) to the verification item to provide an outcome; and (v) based on the outcome of step (iv): (a) allocating the output as a further verification data item for verifying a further data item of the chain; and (b) granting access to a resource associated with the data item.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: February 27, 2024
    Assignee: nChain Licensing AG
    Inventor: Craig Steven Wright
  • Patent number: 11909759
    Abstract: Methods and systems for identifying assets for review. The methods described herein involve generating an organizational statistical model describing assets associated with a first organization and generating a report identifying a discrepancy between the organizational statistical model and an identified asset of the first type associated with the first organization.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: February 20, 2024
    Assignee: Rapid7, Inc.
    Inventors: Richard Tsang, Fatemeh Kazemeyni, Evgeniya Barkova
  • Patent number: 11907408
    Abstract: A device comprising a processing unit having a plurality of processors is provided. At least one encryption unit is provided as part of the device for encrypting data written by the processors to external storage and decrypting data read from that storage. The processors are divided into different sets, with state information held in the encryption unit for performing encryption/decryption operations for requests for different sets of processors. This enables interleaved read completions or write requests from different sets of processors to be handled by the encryption unit, since associated state information for each set of processors is independently maintained.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: February 20, 2024
    Assignee: GRAPHCORE LIMITED
    Inventors: Graham Cunningham, Daniel Wilkinson
  • Patent number: 11895124
    Abstract: There is provided a data-efficient threat detection method in a computer network. The method can include: receiving raw data related to a network node, generating local behaviour models related to the network node; generating at least one common model of normal behaviour on the basis of local behaviour models related to multiple network nodes; filtering input events by using a measure for estimating the likelihood that the input event is produced by the generated common model of normal behaviour and/or by the generated one or more local behaviour models, wherein only input events having a likelihood below a predetermined threshold of being produced by any one of the models are passed through the filtering; and processing input events passed through the filtering for generating a security related decision.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: February 6, 2024
    Assignee: F-SECURE CORPORATION
    Inventor: Matti Aksela
  • Patent number: 11870891
    Abstract: A transmitter device for sending an encrypted message to a receiver device in an identity-based cryptosystem, the transmitter device being associated with a transmitter identifier. The transmitter device is configured to receive a transmitter partial private key from a trusted center, the transmitter device being configured to: send a request for two public session keys to the receiver device; receive from the receiver device a first ciphertext set, the first ciphertext set being derived from an encryption and authentication of two public session keys; decrypt and authenticate the two public session keys from the first ciphertext set using a receiver identifier and the transmitter partial private key; determine a second ciphertext set from the transmitter partial private key, from the receiver identifier, and from the two public session keys, the second ciphertext comprising an encrypted message; send the second ciphertext set to the receiver device.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: January 9, 2024
    Assignee: SECURE-IC SAS
    Inventors: Margaux Dugardin, Adrien Facon, Sylvain Guilley
  • Patent number: 11863577
    Abstract: Disclosed herein are methods, systems, and processes for generating, configuring, and implementing a data collection and analytics (DCA) pipeline to optimize the identification of anomalous or vulnerable computing assets and/or anomalous or vulnerable computing asset behavior in cybersecurity computing environments. Raw data from an agent executing on a computing asset is received. A baseline profile or a gold image associated with the computing asset is also received. A difference or delta between the raw data and the baseline profile or the gold image is identified, and an output providing context relating to the difference is generated. The difference relates to a keyed property that is common between the raw data and the base profile or the gold image, and the difference is further filtered to reduce noise in the output.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: January 2, 2024
    Assignee: Rapid7, Inc.
    Inventor: Paul-Andrew Joseph Miseiko
  • Patent number: 11861039
    Abstract: Various embodiments of a hierarchical system or method of identifying sensitive content in data are described. In some embodiments, sensitive data classifiers local to a data storage system can analyze a plurality of data items and classify at least some data items as potentially containing sensitive data. The sensitive data classifiers can provide the classified data items to a separate sensitive data discovery component. The sensitive data discovery component can, in some embodiments, obtain the classified data items, perform a sensitive data location analysis on the classified data items to identify a location of sensitive data within some of the classified data items, and generate location information for the sensitive data within the data items containing sensitive data. The sensitive data discovery component can provide to a destination this information, in some embodiments, where the destination might redact, tokenize, highlight, or perform other actions on the located sensitive data.
    Type: Grant
    Filed: September 28, 2020
    Date of Patent: January 2, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Yahor Pushkin, Sravan Babu Bodapati, Sunil Mallya Kasaragod, Sameer Karnik, Abhinav Goyal, Yaser Al-Onaizan, Ravindra Manjunatha, Kalpit Dixit, Alok Kumar Parmesh, Syed Kashif Hussain Shah
  • Patent number: 11860738
    Abstract: Embodiments provide systems, methods, and computer program products for enabling user authorization to perform a file level recovery from an image level backup of a virtual machine without the need for access control by an administrator. Specifically, embodiments enable an access control mechanism for controlling access to stored image level backups of a virtual machine. In an embodiment, the virtual machine includes a backup application user interface that can be used to send a restoration request to a backup server. The restoration request can include a machine identifier and a user identifier of the user logged onto the virtual machine. The backup server includes a backup application that determines whether or not the machine identifier contained in the restoration request can be matched to a machine identifier of a virtual machine present in one of the virtual machine backups stored on the backup server.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: January 2, 2024
    Assignee: VEEAM SOFTWARE AG
    Inventor: Anton Gostev
  • Patent number: 11861023
    Abstract: Embodiments of the invention include a computer-implemented method that uses a processor to access cryptographic-function constraints associated with an encrypted message. Based on a determination that the cryptographic-function constraints do not include mandatory cryptographic computing resource requirements, first resource-scaling operations are performed that include an analysis of cryptographic metrics associated with a processor. The cryptographic metrics include information associated with the encrypted message, along with performance measurements of cryptographic functions performed by the processor.
    Type: Grant
    Filed: August 25, 2021
    Date of Patent: January 2, 2024
    Assignee: International Business Machines Corporation
    Inventors: Heng Wang, Wan Yue Chen, Chen Guang Liu, Jing Li, Xiao Ling Chen, Peng Hui Jiang
  • Patent number: 11853420
    Abstract: The innovation disclosed and claimed herein, in one or more aspects thereof, illustrates systems and methods for providing a technical control to a technically pervasive problem of inadvertent capture of items in a computing environment, returning control of what happens to such items in technical environments that have become widespread and intrusive. The innovation provides a system for users to control the types of items that pervasive computing environment elements may process without their express control and with technical countermeasures in a relatively unobtrusive manner.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: December 26, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Nilotpol Bhattacharya, Priyankant Singh, Satish Babu S N
  • Patent number: 11836646
    Abstract: A model generator constructs a model for estimating selectivity of database operations by determining a number of training examples necessary for the model to achieve a target accuracy and by generating approximate selectivity labels for the training examples. The model generator may train the model on an initial number of training examples using cross-validation. The model generator may determine whether the model satisfies the target accuracy and iteratively and geometrically increase the number of training examples based on an optimized geometric step size (which may minimize model construction time) until the model achieves the target accuracy based on a defined confidence level. The model generator may generate labels using a subset of tuples from an intermediate query expression. The model generator may iteratively increase a size of the subset of tuples used until a relative error of the generated labels is below a target threshold.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: December 5, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Anshuman Dutt, Chi Wang, Vivek Ravindranath Narasayya, Surajit Chaudhuri