Patents Examined by Kevin Bechtel
  • Patent number: 11165771
    Abstract: An example method may include a processing system including at least one processor detecting an interaction of a first user and a second user, providing a temporary authorization to the second user to access a data set based upon an authorization of the first user to access the data set, wherein the providing the temporary authorization is in response to the detecting the interaction, generating a record of an access of the second user to the data set, wherein the record includes a notation of the temporary authorization of the second user to access the data set based upon the authorization of the first user, detecting an end to the interaction of the first user and the second user, and revoking the temporary authorization of the second user to access the data set in response to the detecting of the end of the interaction.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: November 2, 2021
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Eric Zavesky, David Crawford Gibbon, Zhu Liu, Paul Triantafyllou, Bernard S. Renger
  • Patent number: 11165756
    Abstract: A method of transmitting a message via a blockchain network is provided. A method may include encrypting, via a first identity-based encryption (IBE) function, a message to generate a ciphertext. The method may further include transmitting the ciphertext to each node of a plurality of nodes in a blockchain network. Further, the method may include decrypting, via a second IBE function, the ciphertext at each node of the plurality of nodes in the blockchain network after at least one condition is met.
    Type: Grant
    Filed: June 11, 2018
    Date of Patent: November 2, 2021
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 11157660
    Abstract: An apparatus comprises at least one processing device coupled to memory. The at least one processing device is configured to obtain a secured disk image comprising an encrypted manifest file, an encrypted install binary and a plurality of other files. The at least one processing device is further configured to obtain a certificate corresponding to the secured disk image and to derive a public key based at least in part on the certificate. The at least one processing device is further configured to decrypt the manifest file and the install binary based at least in part on the public key and to validate checksums for respective ones of the plurality of other files against corresponding checksums contained in the decrypted manifest file. The at least one processing device is further configured to execute the decrypted install binary responsive to validation of the checksums for the respective ones of the plurality of other files.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: October 26, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Debra J. Robitaille, Mark Arakelian, Venkat M. Reddy, Kannan Subbaraman, Tamilarasan Janakiraman, Parthasarathi Ilangovan, Kiran Kumar G. Ramegowda
  • Patent number: 11151273
    Abstract: A server kernel processing system receives an input/output (I/O) request from a user mode computing environment. The I/O request is analyzed to determine whether it is a file open request. If so, target analysis logic determines whether the file open request is for a driver file or for a file within a protected volume that stores a driver whitelist file. If the file open request is for a file stored in a protected volume, the request is blocked. If the file open request is for a driver file, then the driver whitelist file is examined to determine whether the target driver is on the whitelist. If not, the file open request is also blocked.
    Type: Grant
    Filed: October 8, 2018
    Date of Patent: October 19, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Manoharan Kuppusamy, Dhananjay Ramakrishnappa, Shyam Arunkundram Ramprasad, Priyadarshi Ghosh
  • Patent number: 11151266
    Abstract: A technique for secure data storage and access during transition operations includes retrieving an encrypted instance of a data object from a data store. The retrieved encrypted instance of the data object is stored in a cryptcache. The encrypted instance in the cryptcache is decrypted to a cleartext instance of the data object and stored as the cleartext instance of the data object in a clearcache. The clearcache instance of the data object is secured by controlling an access window defining an amount of time the cleartext instance of the data object is accessible in the clearcache.
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: October 19, 2021
    Assignee: International Business Machines Corporation
    Inventors: Wayne F. Tackabury, Doga Tav, Ronald B. Williams
  • Patent number: 11144665
    Abstract: Method, apparatus and product for purpose-based data access control. Having a data about a subject, for which usage is approved for a purpose, a first encryption key associated with the first purpose is obtained. A link pointing to a first alias of the data is generated, the first alias being associated with the first purpose. The link pointing to the first alias is encrypted with the first encryption key to obtain a first encrypted link; and access is provided to the first encrypted link, whereby access to the data is obtainable by decrypting the first encrypted link with the first decryption key to obtain the first alias and using the first alias to access the data. In some cases, a second link for a second can be similarly generated. Upon revocation of approval, a corresponding alias is eliminated to prevent access thereby. The links may be retained in a decentralized ledger, such as a blockchain.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Sima Nadler, Sharon Keidar Barner
  • Patent number: 11146952
    Abstract: The method includes: receiving, by a first member device, a second EAPOL-MKA packet sent by a second member device; determining, by the first member device, a first cipher suite, and determining a first secure association key SAK corresponding to the first cipher suite; and sending, by the first member device, the first cipher suite and the first SAK to the second member device in CA. Based on the foregoing technical solution, a device in the CA may determine a cipher suite and a secure association key corresponding to the cipher suite that are used for MACsec secure data transmission. In addition, all devices in the CA support the determined cipher suite. In this way, a problem that the cipher suite needs to be re-determined because one or more devices do not support the cipher suite determined by the first device can be avoided.
    Type: Grant
    Filed: February 17, 2019
    Date of Patent: October 12, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: De Sheng, Yun Qin
  • Patent number: 11139970
    Abstract: A computer processing hardware architecture system in a highly secure isogeny based cryptosystem that includes at least one computer processor operably configured to target accelerating operations involved in isogenies on elliptic curves and having a secret key register operably configured to register a secret key, a pseudo-random function, and a secret message buffer, each operably written to by a 2:4 demultiplexer circuit operably configured to receive outside data in regions therein and read by a 4:2 multiplexer circuit.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: October 5, 2021
    Assignee: PQSecure Technologies, LLC
    Inventors: Brian Craig Koziel, Brandon Langenberg
  • Patent number: 11140190
    Abstract: A method, system and computer-usable medium for automating the assessment of security vulnerabilities associated with a user module via a user module assessment operation. The user assessment operation includes receiving a request from a user module via an edge device; determining whether the request includes a persistent session cookie; determining whether the user module should be assessed to detect security vulnerabilities; resetting information contained in the persistent session cookie when the user module should be accessed to detect security vulnerabilities; redirecting the user module for assessment; and, performing an assessment of the user module to detect possible security vulnerabilities.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: October 5, 2021
    Assignee: Forcepoint, LLC
    Inventors: Richard A. Ford, Roman Kleiner
  • Patent number: 11132455
    Abstract: Techniques are described for pooling data originating from different entities into a data pool managed by a data pool management system for performing accurate and resource-efficient statistical and other data operations by entities. Techniques further include maintaining rule sets that govern access to the data sets of the data pool. The DPMS uses the rule sets to determine whether a particular data set, on which a particular operation is requested to be performed, qualifies as authorized data for the requesting entity. In an embodiment, the DPMS determines, based on one rule set, that the particular data set does not qualify as authorized data for the particular operation. The DPMS further determines that based on another rule set the particular data set does qualify as authorized data for the particular operation. Based on determining that authorizing rule set overrides the non-authorizing rule set, DPMS proceeds to performing the particular operation using the particular data set.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: September 28, 2021
    Assignee: ADARA, INC.
    Inventors: Michael Baird Leavitt, Chinmay Vikram Gandhi, Hongcheng Mi, Yuan Gao, Shuo Yang, Dylan Tao-Pei Su, Julius Quinoveva Quiaot, Jian An, Xiaozhou Fang, Melissa Beth Stein
  • Patent number: 11133931
    Abstract: The present invention relates to security service providing apparatus and method for supporting lightweight security which provides lightweight security by using an error coefficient and a hash of a chain block used for time synchronization with the terminal for generation of an encryption key to improve security complexity while securing security for communication with terminals and also securing security for an encryption key through the blockchain. According to the present invention, for security for the communication session between the service providing apparatus and the terminal, the encryption key of the terminal is generated as the hash through the hash algorithm by combining the time difference generated in the time synchronization process with the terminal and the hash generated based on the information related to the encryption key of the other terminal stored in the blockchain to generate a symmetrical encryption key which cannot be inferred and has high security.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: September 28, 2021
    Assignee: GREEN IT KOREA CO., LTD.
    Inventors: Won Sig Kang, Chang Seop Park
  • Patent number: 11132444
    Abstract: Mechanisms are provided for evaluating a trained machine learning model to determine whether the machine learning model has a backdoor trigger. The mechanisms process a test dataset to generate output classifications for the test dataset, and generate, for the test dataset, gradient data indicating a degree of change of elements within the test dataset based on the output generated by processing the test dataset. The mechanisms analyze the gradient data to identify a pattern of elements within the test dataset indicative of a backdoor trigger. The mechanisms generate, in response to the analysis identifying the pattern of elements indicative of a backdoor trigger, an output indicating the existence of the backdoor trigger in the trained machine learning model.
    Type: Grant
    Filed: April 16, 2018
    Date of Patent: September 28, 2021
    Assignee: International Business Machines Corporation
    Inventors: Wilka Carvalho, Bryant Chen, Benjamin J. Edwards, Taesung Lee, Ian M. Molloy, Jialong Zhang
  • Patent number: 11113913
    Abstract: The present disclosure relates to systems and methods of control access to a controlled-access area. The method includes receiving offsite sensor data, receiving offsite user identification data corresponding to the offsite sensor data, determining that the offsite sensor data satisfies an organizational standard, determining that the offsite user identification data corresponds to an approved user, and transmitting a notification to a user device. The method may also include receiving onsite user information and using the offsite sensor data and the onsite user information to determine if a user is approved for access to an access-controlled area. In some examples, the offsite sensor data may be temperature data associated with a febrile condition of a user attempting to gain access to the controlled-access area.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: September 7, 2021
    Assignee: SATURDAY CAPITAL, LLC
    Inventors: Patrick Doherty, John Wall, Michael S. Biviano
  • Patent number: 11115387
    Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance to the routing policy.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: September 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Peter Bosch, Alessandro Duminuco, Jeffrey Napper, Sape Jurrien Mullender, David Delano Ward
  • Patent number: 11113405
    Abstract: Methods and systems for assessing a vulnerability of a network device. The systems and methods described herein combine data regarding locally discovered vulnerabilities and exposed services with data regarding what executables are provided by software installed on the network device.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: September 7, 2021
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Jonathan Hart
  • Patent number: 11106785
    Abstract: A cloud-based fleet of sandboxes is scalable along two tiers. Additional sandboxes may be added to a particular sandbox network in a particular sandbox stack, or additional sandbox stacks may be added. Isolation of individual sandboxes within a sandbox network is provided by virtual switches or routers, and subnetting. Isolation of sandbox networks is provided by network or port address translation, and by running hypervisors in respective infrastructure-as-a-service virtual machines. Provisioning efficiency can be provided by the two-tiered architecture, by use of differencing disks, by use of virtual machine scale sets, and by hybrid core-count sandboxes. Sandboxes may be secured but still have outgoing internet connectivity. Workloads run in the sandbox may include builds, tests of development code, investigations of possible malware, and other tasks.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sajay Antony, Bin Du, Bradley Thomas Haverstein, Eric Hotinger, Nagalakshmi Duggaraju, Steven M. Lasker
  • Patent number: 11102194
    Abstract: Secure network communications are described. In one aspect, a secure network can include a passbuilder that provides policy information related to performance characteristics of the secure network. A sender can receive the policy information and transmit packets to a receiver if the policy information is complied with by the potential packet transmission.
    Type: Grant
    Filed: June 26, 2018
    Date of Patent: August 24, 2021
    Assignee: APPLIED INVENTION, LLC
    Inventor: W. Daniel Hillis
  • Patent number: 11100214
    Abstract: An electronic device and method that are robust against attacks on encryption-related vulnerabilities as detection of an encryption algorithm based on if artificial intelligence technology is enabled are provided. A security enhancement method includes a hooking loading of an executable code into a memory, inputting the executable code into an encryption code identification model that is based on an artificial neural network, determining, by the encryption code identification model, whether the loading of the executable code into the memory is allowed, and when the loading of the executable code is not allowed, blocking the loading of the executable code into the memory.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: August 24, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Jaewoo Seo
  • Patent number: 11101991
    Abstract: Described is a system for biometric authentication. The system converts biometric data into a cryptographic key r′ using a reusable fuzzy extractor process having an underlying hash function modeling a random oracle model. The system allows access to secured services when a comparison of r′ to a previously computed cryptographic key r shows a match.
    Type: Grant
    Filed: May 10, 2018
    Date of Patent: August 24, 2021
    Assignee: HRL Laboratories, LLC
    Inventors: Chongwon Cho, Karim El Defrawy, Daniel C. Apon, Jonathan Katz
  • Patent number: 11100232
    Abstract: An apparatus includes a processor and a memory operatively coupled to the processor. The processor is configured to automatically send queries to client devices, and to receive responses from the client devices in response to the queries. The processor is configured to identify, based on the responses and on role information stored in an Active Directory database, roles of current users of the client devices and identify based on the roles security risks associated with the client devices. The roles can differ among users. The processor is configured to select a remedial action for at least one of the client devices based on the security risk associated with that client device, and is configured to implement the remedial action on that client device. The processor is configured to not select a remedial action for another of the client devices based on the security risk associated with that client device.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: August 24, 2021
    Assignee: Ivanti, Inc.
    Inventors: Robert M. Juncker, David B. Morley, Andrew Moravec