Abstract: A system for providing secure browsing via a transparent network proxy is disclosed. The system may receive, from a client, a request to access a resource. The request may include an identifier that may be utilized to locate the resource. Once the request is received, the system may determine if the resource is not trusted, such as if the identifier is determined to be unknown or suspicious. If the resource is determined to not be trusted by the system, the system may forward the request to a virtual machine manager that may select a browser virtual machine from a pool of browser virtual machines. After the browser virtual machine is selected, the browser virtual machine may stream a rendering of the resource to the client based on the request. The rendering of the resource may be provided in lieu of the actual resource.

Abstract: Systems and methods for determining cryptographic operation masks for improving resistance to external monitoring attacks. An example method may comprise: selecting a first input mask value, a first output mask value, and one or more intermediate mask values; based on the first output mask value and the intermediate mask values, calculating a first transformation output mask value comprising two or more portions, wherein concatenation of all portions of the first transformation output mask value produces the first transformation output mask value, and wherein exclusive disjunction of all portions of the first transformation output mask value is equal to the first output mask value; and performing a first masked transformation based on the first transformation output mask value and the first input mask value.

Abstract: Systems and techniques are disclosed to protect a user equipment's international mobile subscriber identity by providing a privacy mobile subscriber identity instead. In an attach attempt to a serving network, the UE provides the PMSI instead of IMSI, protecting the IMSI from exposure. The PMSI is determined between a home network server and the UE so that intermediate node elements in the serving network do not have knowledge of the relationship between the PMSI and the IMSI. Upon receipt of the PMSI in the attach request, the server generates a next PMSI to be used in a subsequent attach request and sends the next PMSI to the UE for confirmation. The UE confirms the next PMSI to synchronize between the UE and server and sends an acknowledgment token to the server. The UE and the server then each update local copies of the current and next PMSI values.

Abstract: Various embodiments of the disclosed subject matter provide systems, methods, architectures, mechanisms, apparatus, computer implemented method and/or frameworks configured for guaranteeing that a payload portion of every data packet provided to a secure/encrypted output port of a processor such as a microprocessor is encrypted.

Abstract: An apparatus for cloud key management may include a networking interface, a memory, and a processor, coupled to the memory and the networking interface, the networking interface to couple the apparatus to one or more endpoint servers (EPSs) of a cloud service provider (CSP), each EPS including a hardware accelerator, and a management node (MN) of the CSP. The apparatus may further include an accelerator functional unit (AFU) developer interface module operated by the processor to receive cryptographic material (CM) for each of one or more AFU developers (AFUDs) and store it into the memory, the CM includes a public key hash (PKH), and an encryption key (EK) to decrypt an AFU of the AFUD.

Abstract: A computer-implemented method for creating a classified token database usable for dynamically redacting confidential information from communications includes performing natural language processing on training input and determining whether a confidentiality level is present in the training input. The method includes, in response to determining that the confidentiality level is present, adding at least one classified token associated with the training input to a classified token database.

Abstract: Embodiments of the present disclosure disclose a machine learning training method and a server. The method includes: acquiring training data uploaded by the terminal; creating a trusted execution environment in response to a machine learning training request from the terminal; and performing machine learning training based on the trusted execution environment and the training data.

Abstract: A portable computer providing high level of security comprises of two completely logically and electrically isolated computer modules within one tamper resistant enclosure. One computer module is for Higher-Security applications (refer higher-security to as “red”) and the other is for Lower-Security applications such as email and internet (refer lower-security to as “black”). The two modules are coupled together to secure Peripheral Sharing Switch that enables intuitive user interaction while minimizing the security risk resulted from sharing same peripheral device.

Abstract: Systems, apparatuses, and methods for efficient handling of subroutine epilogues. When an indirect control transfer instruction corresponding to a procedure return for a subroutine is identified, the return address and a signature are retrieved from one or more of a return address stack and the memory stack. An authenticator generates a signature based on at least a portion of the retrieved return address. While the signature is being generated, instruction processing speculatively continues. No instructions are permitted to commit yet. The generated signature is later compared to a copy of the signature generated earlier during the corresponding procedure call. A mismatch causes an exception.

Abstract: Embodiments of the present specification disclose data processing methods, apparatuses, and devices. One method comprises: obtaining an acquisition request for target data of a data owner; determining a trusted application (TAPP) for generating the target data based on decentralized identifier document (DID Doc) information of the data owner in response to the acquisition request; sending, to the TAPP, a target data generation request to use the TAPP to process data of the data owner obtained from a trusted institution; and receiving a processing result from the TAPP in response to the target data generation request.

Abstract: Disclosed are various embodiments for managing security credentials. In one embodiment, knowledge-based questions are selected in response to failing to receive a valid master security credential in a request to authenticate a user account for access to account data. In response to receiving the request, the plurality of knowledge-based questions are provided to an application. Answers to the knowledge-based questions are received and scored. Access is granted to establish a new master security credential based at least in part on the score meeting or exceeding a predetermined threshold.

Abstract: A sensitive content display control system determines whether to display sensitive content on a computing device display, such as on a lock screen. The system attempts to authenticate a user of the computing device using an under-display sensor (e.g., a fingerprint sensor). One or more selectable items (e.g., icons or buttons) that correspond to sensitive content are displayed, and the under-display sensor is situated to sense authentication information of the user in response to user selection of one of the selectable items. If the user is not authenticated then the system does not display sensitive content corresponding to the one or more selectable items. If the user is authenticated, then the system displays the sensitive content corresponding to the selected item.

Abstract: In an embodiment, a computer-implemented method prevents use of a network protocol over an encrypted channel. In the method, a packet is received on an encrypted channel addressed to a network address. It is determined whether a network host at the network address is able to service a request formatted according to the network protocol over the encrypted channel. When the network host is determined to be able to resolve to a domain name over the encrypted channel, the network packet is blocked.

Abstract: Security risk evaluation across user devices is disclosed herein. An example method includes registering one or more devices associated with a first user with the computer system, determining respective security sub-scores for each item of the one or more devices, computing an overall security score for the first user based, at least in part, on an aggregation of the security sub-scores, and creating a user profile based on the overall security score, the user profile to enable the at least one of the one or more devices to exchange data with an external device when the overall security score meets a security score threshold, the user profile to prevent the at least one of the one or more devices from exchanging data with the external device when the overall security score does not meet the security score threshold.

Abstract: The invention relates to a system and methods for providing conditional access to indoor location information in a system comprising a mobile device (320), a positioning webservice (310) and an authorization authority (360), the method comprising: the mobile device (320) performing the steps of: transmitting license information to the authorization authority (360) and transmitting a request for indoor location information to the positioning webservice, the request comprising a request-location-estimate corresponding to a location estimate of the mobile device (320) at the time of making the request, the authorization authority (360) performing the steps of: receiving the license information, verifying whether the license information authorizes access to indoor location information by the mobile device (320), issuing a secure proof, verifiable by the positioning webservice (310) upon successful verification, the secure proof indicating that the license information authorizes access to indoor location informati

Abstract: Methods and systems for facilitating a transaction are provided. A transaction involving an integrated circuit user device in contact with an access device is processed in less time, such that the user device can be removed at an earlier time. In embodiments, an access device provides an estimated value to a user device such that a cryptogram can be generated without waiting for a final value. Additionally, the access device can store user device data and then complete the transaction with the user device before authorizing the transaction, such that the user device can be removed without waiting for an authorization response.

Abstract: A license management system subtracts, a number of rights corresponding to a number of users set by a number of users setter from a number of owned rights for each unit period, and uses a first unit period that is an earliest unit period, in which the number of owned rights is expected to be insufficient with respect to a number of rights in a unit period, as a last unit period, in which content can be used by a plurality of users, to set same expiration of a valid period for all of the plurality of users.

Abstract: Described is a baseboard management controller (BMC). The BMC comprises a BMC flash storage storing firmware and an access permission table. The access permission table defines an access control policy for access requests to peripherals communicatively coupled to the BMC. The BMC further comprises an access control chip comprising one or more processors and a write-once memory. The write-once memory stores a copy of the access permission table. The access control chip is configured to manage access to the peripherals using the access permission table.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

Abstract: Various embodiments enable an application on a first device to log into an online meeting in association with a trusted entity, such as a trusted user. Once trust is established between the trusted entity and the meeting domain, such as an enterprise domain, permissions can be assigned to a meeting device, by virtue of the trust relationship with the trusted entity, to enable the meeting device to join the meeting as a participant, thus allowing the meeting device to bypass an initial join process such as a meeting lobby and the like. By virtue of the assigned permissions, the meeting device may take control of the meeting and control the experience for others in the meeting as a fleeting organizer or some other permission-centric role.