Abstract: Systems and methods leverage trust anchors to generate tokens which can then be used by network functions (NFs). A virtualization infrastructure manager (VIM) for a virtualized platform receives a NF software package and a certificate request token (CRT) from a management function. The NF is a virtual NF, a containerized NF, or another virtual entity (xNF) to be deployed. The CRT is digitally signed by the management function and includes a network address of a trust anchor platform and a NF profile. The VIM deploys the NF and provides the CRT to the NF. The NF obtains from the CRT the network address of the trust anchor platform, generates a certificate signing request (CSR) for a digital certificate, and submits the CSR and the CRT to the trust anchor platform. The NF receives a digital certificate from the trust anchor platform based on validation of both the CSR and CRT.

Abstract: A method for replacing an identity certificate in a blockchain network includes a service subnet, a consensus subnet, and a routing layer used for isolating the service subnet from the consensus subnet. The method includes: receiving a root certificate replacement notification transmitted by a certificate authentication center; obtaining a public key corresponding to the certificate authentication center; verifying the root certificate replacement notification by using the obtained public key; forwarding the root certificate replacement notification to a consensus node in the consensus subnet after the validation succeeds, so that the consensus node records the root certificate replacement notification into a latest data block after a consensus on the root certificate replacement notification is reached; and requesting, when the data block is received, the certificate authentication center to replace an identity certificate.

Abstract: Implementations are directed to receiving analytical attack graph (AAG) data representative of one or more AAGs, each AAG representing one or more lateral paths between configuration items within an enterprise network, calculating, for each configuration item in a set of configuration items, a process risk value for each impact in a set of impacts achievable within the configuration item, for a first impact, a first process risk value being calculated based on a multi-path formula in response to determining that multiple paths in the AAG lead to the first impact, and, for a second impact, a second process risk value being calculated based on a single-path formula in response to determining that a single path in the AAG leads to the second impact, and determining that at least one process risk value exceeds a threshold process risk value, and in response, adjusting one or more security controls within the enterprise network.

Abstract: A method for selecting a consensus node in an apparatus for generating a blockchain includes reading a nonce from the nonce chain of a node, performing an operation on the read nonce and previous height information, and comparing the result of the operation with a reference value in order to select the node as a consensus node.

Abstract: A method for implementing a secure multiparty inner product computation between two parties using an SPDZ protocol involves having a first party and a second party compute, for i=1, . . . , k, a vector (I)=(II) based on a vector (x={x1, . . . , xN}), and a vector (w={W1, WN}), respectively, where (I)=(X2i-1X2i) (III)=W2i-1W2i, N is the total number of elements in the vectors k=N/2. The vectors (I), and (III) are securely shared between the parties. The parties then jointly compute SPDZ protocol Add([w2i], [x2i-1]) and Add([w2i], [x2i-1]) to determine shares [w2i-1+x2i] and [w2i+x2i-1] respectively, and then compute, for i=1, . . . , k, inner product shares [di] by performing SPDZ protocol Mult([w2i-1+x2i], [w2i+x2i-1]). SPDZ protocol ([Add d1], . . . , [dk], -(IV), . . . , -(V), -(VI), -, (VII)) is then performed to determine the inner product.

Abstract: The present invention provides a method, a system, and a device for a hash generation and network traffic detection. It uses a method of storing intermediate calculation results to perform hash calculation for streaming data, and uses a matrix multiplication operation as a strong hash algorithm to reduce memory occupation. The present invention can generate hash in real time in the case of streaming data comprising defects, unordered, and overlapping, which is suitable for detecting files from network traffic, and is applicable to virus detection, intrusion detection, data anti-leakage, network content review, digital forensics, digital rights protection, and other fields.

Abstract: Systems and techniques are provided for Byzantine agreement in open networks. An indication to change a validation network for an open network from a current validation network to a next validation network may be broadcast. An agreement to change to the validation network to the next validation network may be. An instance of external validity multi-valued Byzantine agreement may be run to determine a continuing sequence number to be used by the next validation network based on the sequence numbers of amendments applied to decentralized database copies stored node computing devices of the open network. The next validation network may be switched to as the validation network for the open network after the continuing sequence number is determined. An amendment validated by the next validation network may be applied to a decentralized database copy. The amendment may include a sequence number that is higher than the continuing sequence number.

Abstract: Systems and methods leverage trust anchors to generate tokens which can then be used by network functions (NFs). A virtualization infrastructure manager (VIM) for a virtualized platform receives a NF software package and a certificate request token (CRT) from a management function. The NF is a virtual NF, a containerized NF, or another virtual entity (xNF) to be deployed. The CRT is digitally signed by the management function and includes a network address of a trust anchor platform and a NF profile. The VIM deploys the NF and provides the CRT to the NF. The NF obtains from the CRT the network address of the trust anchor platform, generates a certificate signing request (CSR) for a digital certificate, and submits the CSR and the CRT to the trust anchor platform. The NF receives a digital certificate from the trust anchor platform based on validation of both the CSR and CRT.

Abstract: An improved blockchain implementation that reduces application transaction processing bottlenecks for applications that operate on a decentralized network. For example, if an application operating on a decentralized network becomes sufficiently popular, an existing blockchain can be split into the original blockchain and an application-specific chain (or app chain) that includes blocks that only store transactions for the sufficiently popular application. A peer that is not interested in tracking transactions for the sufficiently popular application, however, does not need to track the application-specific chain. Thus, the peer can reduce the number of computational operations that are performed by simply storing block data for blocks in the original blockchain and not for blocks in the application-specific chain.

Abstract: A mechanism is described for facilitating unified accelerator for classical and post-quantum digital signature schemes in computing environments. A method includes unifying classical cryptography and post-quantum cryptography through a unified hardware accelerator hosted by a trusted platform of the computing device. The method may further include facilitating unification of a first finite state machine associated with the classical cryptography and a second finite state machine associated with the post-quantum cryptography though one or more of a single the hash engine, a set of register file banks, and a modular exponentiation engine.

Abstract: A system and method for recording and verifying the data integrity, identity of the recorder, and no-later-than date-of-existence for digital content of an arbitrary size is provided. The provided system and method employ blockchain technology to ensure immutability and accessibility of digital content state, digital content recorder identity, and timestamp of recording for the recorded digital content. The provided system and method also generate meta-data files associated with the recorded digital content that consist of a manifest file, a signature file, and a signature block file. The meta-data files are included into the digital content in order to facilitate the verification of the digital content against the records held in the blockchain.

Abstract: A device, method, and computer readable storage medium generate a biometric public key for an individual based on both the individual's biometric data and a secret, in a manner that verifiably characterizes both while tending to prevent recovery of either by anyone other than the individual. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust. Such biometric public keys may be distributed without compromising the individual's biometric data, and may be used to provide authentication in addition to, or in lieu of, passwords or cryptographic tokens. Various use cases are disclosed, including: enrollment, authentication, establishing and using a secure communications channel, and cryptographically signing a message.

Abstract: A system for providing secure access to digital resources is provided that utilizes a blockchain platform. Using this blockchain platform, digital resource vendors create new digital tracking ledgers for their digital resource products such that updates to the digital resource products are accessible directly from a blockchain. Accordingly, these updates are deliverable in a protected and secure manner to consumers of the digital resources.

Abstract: Methods, systems, and devices for validation at an application server are described. The application server may validate a user device utilizing a public-private key pair, and may refrain from establishing a database connection until the user device is validated. For example, the application server may transmit a private key and a public key identifier to the user device. When the application server receives a session establishment message that is based on a private key and that contains the public key identifier, the application server may determine the public key of the public-private key pair based on the identifier. The application server may validate that the session establishment message is received from the user device based on the private key and the determined public key. Based on this validation procedure, the application server may establish a database connection with a database, granting the validated user device access to requested data.

Abstract: In the context of network activity by an endpoint in an enterprise network, malware detection is improved by using a combination of reputation information for a network address that is accessed by the endpoint with reputation information for an application on the endpoint that is accessing the network address. This information, when combined with a network usage history for the application, provides improved differentiation between malicious network activity and legitimate, user-initiated network activity.

Abstract: The method for deriving a temporal motion vector predictor according to the present invention comprises the steps of: selecting a reference picture for a current block; deciding a predictor block corresponding to a predetermined storage unit block, as a reference prediction unit for the current block, in the reference picture; and deriving the temporal motion vector predictor from motion information of the decided reference prediction unit. The present invention enhances image compression efficiency.

Abstract: System and method for improving operational efficiency of a video encoding pipeline used to encode image data. The video encoding pipeline includes a mode decision block, which selects a first inter-frame prediction mode used to prediction encode a first prediction unit, and a motion estimation block, which receives the first inter-frame prediction mode as feedback from the mode decision block when processing a second prediction unit; determines an initial candidate inter-frame prediction mode of the second prediction unit based at least in part on the first inter-frame prediction mode; and determines a final candidate inter-frame prediction mode of the second prediction unit by performing a first motion estimation search based at least in part on the initial candidate inter-frame prediction mode.

Abstract: An in-loop filtering acceleration circuit applied in a video codec system supporting the H.264 standard and the VC-1 standard is provided. The circuit includes multiple one-dimensional (1D) filters configured to perform a filtering process; and a filter selection unit configured to select one of the 1D filters according to the value of the boundary strength to perform the filtering processing to the reconstructed macroblock. The in-loop filtering acceleration circuit further divides the reconstructed macroblock into multiple 8×8 blocks and multiple 4×4 blocks, performs the filtering process to horizontal edges of the 8×8 blocks the reconstructed macroblock row by row from bottom to top, and performs the filtering process to horizontal edges of the 4×4 blocks row by row from top to bottom.

Abstract: A method, apparatus, system and computer-implemented non-transitory memory may encode h.264/AVC compliant video with region of interest compression, wherein a hybrid region of interest of each frame may include both an enlarged luminance region of interest of each frame and in addition thereto an excess portion of an enlarged chrominance region of interest of each frame, in excess of the enlarged luminance region of interest of each frame.

Abstract: A system and method for low power surveillance. The system receives a series of frames from a camera, each frame having a background and a foreground. A background template is generated. Thereafter, the system receives a new image frame of the scene, the new image frame having a background and a foreground. Potential regions of interest (ROI) are detected in the new image frame. Initial region descriptors are determined in the potential ROI in the foreground. The initial region descriptors are segmented to generate a segmented region. Region descriptors are re-determined from the segmented region. A contiguous sparse foreground is determined from the re-determined region descriptors, the contiguous sparse foreground being a contiguous ROI. The ROI is reconstructed using foveated compressive sensing to generate an image of an interesting object. Finally, the interesting object image is combined with the background template to reconstruct the foreground.