Abstract: The method provides an automated and scalable system for the generation, distribution, management of symmetric pre-shared keys (PSKs) to applications executing on headless and mobile devices. It helps achieve device protection, application security, and data protection with data authenticity and confidentiality in intra-device, inter-device, device-to-edge, and device-to-cloud communications. It helps Transport Layer Security (TLS) enabled applications dynamically acquire and renew PSKs and use identity hints for PSK based authentication ceremony during a TLS handshake. It helps client-server applications dynamically acquire and renew PSKs using keyed-hash message authentication code (HMAC) for data integrity and authenticity, content signing, and data encryption for confidentiality. It helps manage and distribute API shared secrets and API access tokens required for authenticated API requests and API security.

Abstract: Systems and methods for embodiments of a graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing roles of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial intelligence based identity management systems may utilize role graphs to assess the role structure of a distributed enterprise computing environment.

Abstract: There is provided an information processing apparatus that generates an encrypted bit string in which a hash value calculated by using keyed hashing from a keyword for an information search is mapped into a bit string having a predetermined length, selects a predetermined number of bits from the encrypted bit string on the basis of a dynamically generated random number, inverts the predetermined number of selected bits, and sends the encrypted bit string and inverted-bit-number information to an external apparatus. The inverted-bit-number information indicates a number of bits inverted by a bit inverting unit.

Abstract: Assigning privacy ratings to tracking domains in order to increase user awareness of online privacy violations. A list of known tracking domains and raw data from a set of host websites may be received. A prevalence, frequency, and role for each tracking domain may be determined from the raw data. Each tracking domain may be assigned to a prevalence cluster, a frequency cluster, and a role cluster. A rank may be determined for each prevalence cluster, frequency cluster, and role cluster. A domain privacy rating may be assigned to each tracking domain that is based on the ranks of the clusters to which each tracking domain is assigned. A privacy action may be performed based on the domain privacy rating assigned to each tracking domain.

Abstract: A mechanism for securing a series of related function calls for firmware services using session tokens is discussed.

Abstract: Systems as described herein may include authorizing the sharing of data and sharing data between a variety of systems. A request to share data may be provided to a first system. The system may create sharing session data on a distributed ledger accessible by a number of systems. Sharing session data may be stored using a transaction stored on a distributed ledger. A second system may obtain the sharing session account and verify the sharing session. On verification of the sharing session, a variety of data may be shared between the systems identified in the sharing session data. The sharing session data may be established between two or more systems. The distributed ledger may be maintained by the systems themselves and/or a distributed network system. In a variety of embodiments, encrypted data may be stored and/or obtained using the distributed ledger.

Abstract: A method of creating a trusted execution domain includes initializing, by a processing device executing a trust domain resource manager (TDRM), a trust domain control structure (TDCS) and a trust domain protected memory (TDPM) associated with a trust domain (TD). The method further includes generating a one-time cryptographic key, assigning the one-time cryptographic key to an available host key id (HKID) in a multi-key total memory encryption (MK-TME) engine, and storing the HKID in the TDCS. The method further includes associating a logical processor to the TD, adding a memory page from an address space of the logical processor to the TDPM, and transferring execution control to the logical processor to execute the TD.

Abstract: Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined including an identifier of a customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information is transmitted over a cross-customer GRE tunnel to a namespace of the second costumer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.

Abstract: Methods, apparatus, and systems for detecting signals interfering with satellite signaling and determining a location of the interfering source are disclosed. In one example aspect, a method for detecting a signal directed at interfering with satellite signaling includes receiving, by a receiving node, a signal from a signal source, the signal produced by the signal source disguised as a satellite signal; determining an estimated position of the receiving node based on an orbital position of the satellite and a characteristic of the signal; comparing the estimated position of the receiving node with a reference position of the receiving node; determining that the signal source is a spoofing source different than the satellite; and determine a location of the spoofing source in part based on the estimated position.

Abstract: Approaches for detecting and rectifying the malware in the computing systems are described. In an example, a request by a process or is intercepted by the malware detection module. Relevant information and characteristics pertaining to the request are extracted and on the based on the extraction, operational attributes are generated. These extracted operational attributes are analyzed and compared with the baseline attributes and if there are any anomalies present, the susceptible code or process originating from the intercepted request is ascertained as malicious.

Abstract: An active feedback control method for a quantum communication system based on machine learning is disclosed. In the transmission process of a quantum key distribution system, the present invention uses a pre-trained double-layer LSTM network to predict, according to a real-time ambient temperature, humidity and laser light intensity fluctuation, as well as voltage changes in the past moment, a zero-phase voltage value of a phase modulator at a receiving end at the next moment, and updates the network at a fixed time interval, so that the LSTM network can accurately predict for a long time, ensuring that the quantum key distribution system operates stably and efficiently for a long time. The present invention greatly improves the transmission efficiency of the quantum key distribution system by method of active prediction and feedback control.

Abstract: Concepts and technologies are disclosed herein for providing an electronic document processing system, an electronic document generation mechanism, an encrypted digital certificate generator, a tool for coordinating the processing of electronic documents, a packaging mechanism for finalizing and authenticating electronic documents, a tracking log for recording relevant electronic document information, and a transferring protocol for transferring the ownership of electronic documents. The present disclosure also is directed to an electronic authentication system including an electronic document authentication watermark seal or signature line for confirming a document's signing within the view.

Abstract: A method for anonymizing documents before publication is provided. The method includes identifying regular expressions configured to match strings to be anonymized in a document, selecting a readable identifier as an anonymized reference for a string replacement, searching the document for a match string that fits the regular expression, hashing the match string using a collision resistant, deterministic, non-inverting cryptographic hashing function, and comparing a cryptographic hash of the match string with a database including multiple previous hashes and multiple corresponding readable identifiers. When none of the previous hashes matching the cryptographic hash, the method includes creating a new database record including the cryptographic hash, incrementing a counter in the readable identifier and associating the readable identifier with the new database record, and replacing the match string with the readable identifier, throughout the document.

Abstract: A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a group associated with a folder, a group access key pair including a group access public key and a group access private key; encrypting, by the device, the group access private key by utilizing the assigned public key; and accessing, by the device, the folder based at least in part on decrypting the group access private key. Various other aspects are contemplated.

Abstract: Techniques for providing application-independent access control in a cloud-services computing environment are provided. In one embodiment, a method for providing application-independent access control is provided. The method includes obtaining a user identity for accessing the cloud-services computing environment and receiving a user request to perform a task using an application. The method further includes collecting process-related data for performing the task using the application and obtaining one or more network routing addresses. The method further includes determining, based on the user identity, the process-related data, and the one or more network routing addresses, whether the task is to be performed. If that the task is to be performed, the task is caused to be performed using the application; and if the task is not to be performed, the user request is denied.

Abstract: According to an aspect, a method is performed by a first controller for providing security for second controllers in an in-vehicle network. An inherent information request is transmitted to a suspicious controller of the plurality of second controllers for an inherent information of the suspicious controller. The inherent information request includes a certificate assigned to the first controller. An encrypted inherent information of the suspicious controller is received from the suspicious controller and a decrypted inherent information is compared with a pre-stored inherent information. The suspicious controller is determined to be an anomalous controller when the decrypted inherent information is different from the pre-stored inherent information. In response to receiving an update request from a backend server for a specified controller out of the plurality of second controllers, the inherent information request including the certificate assigned is transmitted to the specified controller.

Abstract: A technique of identifying hosts suspected of being sources of ransomware infection includes initiating a tracking interval in response to a data storage system detecting a suspected ransomware attack. During the tracking interval, write requests received by the data storage system are analyzed and ransomware attributes for those write requests are generated. The ransomware attributes of the write requests indicate risks of ransomware infection and are associated with hosts from which the respective write requests originate. A particular host is identified as a suspected source of ransomware infection based at least in part on the ransomware attributes associated with that host.

Abstract: Described systems and methods allow carrying out privacy-preserving DNS exchanges. In some embodiments, a client machine engages in a private information retrieval (PIR) exchange with a nameserver. In response to receiving an encrypted query from the client, the query formulated according to a domain name, the nameserver may extract a record (e.g., an IP address) from a domain name database without decrypting the respective query. Some embodiments achieve such information retrieval by the use of homomorphic encryption.

Abstract: A system and method to filter potentially unwanted traffic from trackers, third-party cookies, malicious websites or other sources and present the aggregated results of said filtering to the VPN user. One of the embodiments enables a VPN user to opt-in or opt-out from the filtering activities while being able to access the aggregated information about filtering. In another embodiment, the user can choose to customize the filtering parameters to add or remove specific targets from the filtering policies.

Abstract: A root-of-trust device includes one or more processors configured to receive a candidate block identifier corresponding to a block number of a candidate block of a distributed electronic ledger; receive one or more verified block identifiers each corresponding to a block number of one or more verified blocks; compare the received candidate block identifier with a block identifier in the stored one or more verified block identifiers; and in the case that the comparing of the candidate block identifier to the block identifier in the stored one or more verified block identifiers satisfies a predetermined condition, verify the candidate block corresponding to the candidate block identifier and send data corresponding to a verified block of the distributed electronic ledger.