Patents Examined by Madhuri R Herzog
  • Patent number: 11704430
    Abstract: In an example embodiment, access to a data set in a data lake can be specified using several approaches, based on the metadata and information attached. The metadata may be replicated from the original data source of the underlying data, and additional metadata may be modeled and stored to construct linkage information between data types. This linkage information may be used to automatically grant access to users to additional objects that are linked to objects that the user has explicit access to.
    Type: Grant
    Filed: September 10, 2019
    Date of Patent: July 18, 2023
    Assignee: SAP SE
    Inventors: Peter Eberlein, Volker Driesen
  • Patent number: 11698986
    Abstract: Method and system disclosed herein facilitate retrieval of a blockchain key. The method comprises receiving a key store comprising a first encryption method, a second encryption method, and identification information of one or more network nodes storing a plurality of encrypted storage keys; displaying an authentication request and receiving an input from the user in response to the authentication request; upon the input received matching a record within a database, instructing the one or more network nodes to transmit the encrypted key segments; decrypting each encrypted key segment based on the first encryption method; and generating a blockchain key by appending the strings of the key segments based on the second encryption method.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: July 11, 2023
    Assignee: Massachusetts Mutual Life Insurance Company
    Inventors: Michal Knas, Jiby John, Rick Ferry, Krzysztof Gibadlo
  • Patent number: 11687654
    Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
    Type: Grant
    Filed: September 15, 2017
    Date of Patent: June 27, 2023
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
  • Patent number: 11681801
    Abstract: An information handling system improves detection of steganography data embedded in a graphics file by parsing the portable network graphics file to determine a location of a graphics file signature in the graphics file, and determining whether there is data embedded in the graphics file before the graphics signature. The embedded data may then be removed from the graphics file.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: June 20, 2023
    Assignee: Dell Products L.P.
    Inventors: Yevgeni Gehtman, Maxim Futerman
  • Patent number: 11675916
    Abstract: A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems includes a system control processor that instantiates a composed information handling system using a compute resource set that hosts applications and a hardware resource set that stores a portion of the data, associates, using authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations, obtains a data access request from the compute resource set for the portion of the data which is stored in a storage area of the storage areas, makes a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data, and refuses to service the data access request.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: June 13, 2023
    Assignee: Dell Products L.P.
    Inventors: Yossef Saad, Mark Steven Sanders, Gaurav Chawla, Mukund P. Khatri
  • Patent number: 11662928
    Abstract: Systems and methods for efficient and secure management of encrypted “snapshots” for a remote provider substrate extension (“PSE”) of a cloud provider network substrate are provided. The PSE may request and obtain a snapshot from the cloud provider network substrate, restore a volume from the snapshot, make changes to data in the restored volume, and/or initiate the creation and storage of a new snapshot that includes incremental updates to the original snapshot to reflect the changes made to data in the volume. An encrypted snapshot stored within the cloud provider network substrate may be decrypted using a cloud provider key designed for internal use only, and then re-encrypted using a PSE-specific key before providing the snapshot to the PSE, thereby avoiding the sharing of the cloud provider internal use only key outside the cloud provider network substrate.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: May 30, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Sandeep Kumar, Marc Stephen Olson
  • Patent number: 11622273
    Abstract: The technology includes a method performed by a security system of a 5G network. The security system is instantiated to sort incoming or outgoing network traffic at a perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple functions or applications and one of multiple security levels. The system can inspect portions of incoming network traffic that contain addressing information required for the network traffic to reach an intended application or function, sorting the incoming network traffic into the groups based in part on the inspection of the portions of the network traffic, and dynamically directing the network traffic for the 5G network based on a particular security level associated with a particular application or a particular function of each of the groups.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: April 4, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Venson Shaw
  • Patent number: 11593460
    Abstract: An information processing apparatus connectable with a terminal via a network to manage a license of a package including applications assignable to a device includes circuitry configured to display a first screen for displaying a device list, the license of the package being assignable to and cancellable from the device in response to receiving a first request, receive a selection of a specific device in the device list and any one of an operation of assigning and cancelling the license of the package, assign the license of the package to the selected specific device in response to receiving the selection of the specific device and the operation of assigning the license of the package, and cancel the license of the package from the selected specific device in response to receiving the selection of the specific device and the operation of cancelling the license of the package.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: February 28, 2023
    Assignee: RICOH COMPANY, LTD.
    Inventor: Hiroki Uchibori
  • Patent number: 11568029
    Abstract: A system and method for securely storing, retrieving and sharing data using PCs and mobile devices and for controlling and tracking the movement of data to and from a variety of computing and storage devices.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: January 31, 2023
    Assignee: QUICKVAULT, INC.
    Inventor: Steven V. Bacastow
  • Patent number: 11563560
    Abstract: Embodiments of the present application provide a blockchain-based data evidence storage method, a blockchain-based data check method, and relevant apparatuses. The data evidence storage method comprises: performing irreversible encryption on data content of a target file to obtain irreversibly encrypted data of the target file; storing the irreversibly encrypted data in a blockchain and obtaining on-chain evidence storage information of the irreversibly encrypted data; generating a digital watermark of the on-chain evidence storage information; embedding the digital watermark into the target file; and storing the target file embedded with the digital watermark of the on-chain evidence storage information.
    Type: Grant
    Filed: August 3, 2021
    Date of Patent: January 24, 2023
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Xueqing Zou
  • Patent number: 11558417
    Abstract: A method, computer program product, and computer system for receiving, by a computing device, a plurality of file segments of a file, the plurality of file segments being received individually by the computing device. A first file segment of the file may be scanned to identify the presence of malware within the file segment. The first file segment of the file may be encrypted to create an encrypted file segment in response to identification by the scan of the first file segment that malware is absent from the first file segment. The encrypted file segment of the file may be sent to another computing device before a second file segment of the file is received by the computing device.
    Type: Grant
    Filed: April 30, 2019
    Date of Patent: January 17, 2023
    Inventors: Praveen Raja Dhanabalan, Anudeep Narasimhaprasad Athlur
  • Patent number: 11556645
    Abstract: A method for monitoring control-flow integrity in a low-level execution environment, the method comprising receiving, at a monitor, a message from the execution environment indicating that the execution environment has entered a controlled mode of operation, receiving, at the monitor, a data packet representing execution of a selected portion of a control-flow process at the execution environment, identifying, using the data packet, a pathway corresponding to the selected portion of the control-flow process from a set of permissible control-flow pathways and determining whether the identified pathway corresponds to an expected control-flow behaviour.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: January 17, 2023
    Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Ronny Chevalier, Guillaume Hiet, Maugan Villatel, David Plaquin
  • Patent number: 11552969
    Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.
    Type: Grant
    Filed: October 11, 2021
    Date of Patent: January 10, 2023
    Assignee: Abnormal Security Corporation
    Inventors: Sanjay Jeyakumar, Jeshua Alexis Bratman, Dmitry Chechik, Abhijit Bagri, Evan Reiser, Sanny Xiao Lang Liao, Yu Zhou Lee, Carlos Daniel Gasperi, Kevin Lau, Kai Jing Jiang, Su Li Debbie Tan, Jeremy Kao, Cheng-Lin Yeh
  • Patent number: 11537712
    Abstract: A security system includes a backup acquisition unit configured to store given information indicating states of backup data together with backup images generated from the backup data for each backup generation; and a determination unit configured to generate, when a predetermined timing comes, determination information for determining whether there is an abnormality in the stored backup data, based on a predetermined determination rule and the given information for each backup generation, and to output the generated determination information.
    Type: Grant
    Filed: August 18, 2020
    Date of Patent: December 27, 2022
    Assignee: HITACHI, LTD.
    Inventors: Genki Matsuda, Kazuya Higuchi, Keisuke Matsumoto, Goro Kazama
  • Patent number: 11539681
    Abstract: A network with a set of servers can support authentication from a module, where the module includes an embedded universal integrated circuit card (eUICC). The network can send a first network module identity, a first key K, and an encrypted second key K for an eUICC profile to an eUICC subscription manager. The second key K can be encrypted with a symmetric key. The module can receive and activate the eUICC profile, and the network can authenticate the module using the first network module identity and the first key K. The network can (i) authenticate the user of the module using a second factor, and then (ii) send the symmetric key to the module. The module can decrypt the encrypted second key K using the symmetric key. The network can authenticate the module using the second key K. The module can comprise a mobile phone.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: December 27, 2022
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 11526610
    Abstract: A method and apparatus utilize a peer-to-peer network of security nodes collectively adhering to a protocol for inter-node communication. The system is comprised of a plurality of first security nodes, at least one second security node, and at least one third security node. The plurality of first security nodes receive at least one of pre-trained detection models and rules, monitor at least one of a blockchain and connected devices for malicious behavior based on the received at least one of pre-trained detection models and rules, and report the malicious behavior. The at least one second security node creates and communicates the at least one of pre-trained detection models and rules to the plurality of first security nodes. The at least one third security node is informed by the at least one second security node of the reported malicious behavior.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: December 13, 2022
    Assignee: Veracode, Inc.
    Inventors: Anna Bacher, Erich Gstrein
  • Patent number: 11526602
    Abstract: A data-processing device includes a computing unit and an interface unit using a packet-based communication protocol, in particular PCI Express. The data-processing device also includes an intrusion detection unit that is connected via a signal connection to a filter device of the interface unit, and/or to a secure element, in the form of a Trusted Execution Environment, of an authentication arrangement related to the communication protocol. The intrusion detection unit evaluates input signals received via the signal connection for a rule infringement in a set of intrusion detection rules. The filter device, at least part of which is hardware, is designed to forward only the communication data meeting an approval condition from the interface unit to an additional component of the data-processing device according to configuration information predetermined in the data-processing device and containing the approval condition.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: December 13, 2022
    Assignee: Audi AG
    Inventors: Markus Klein, Kamil Zawadzki, Changsup Ahn, Hans Georg Gruber, Jürgen Lerzer, Christoph Dalke
  • Patent number: 11523274
    Abstract: Embodiments of the present disclosure relate to a data transmission method, user equipment, and a control plane node. User equipment (UE) determines a security attribute of a session of the UE; the UE sends a session establishment request message to a control plane node when the security attribute of the session of the UE does not meet a security requirement of an application. The session establishment request message is used to request to establish a session corresponding to the security requirement of the application. Embodiments of the disclosed method reduce an unnecessary signaling exchange caused by establishment of a new session in a data transmission process to facilitate meeting requirements of different services.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: December 6, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Hui Ni, Yongcui Li, Jiangwei Ying
  • Patent number: 11522864
    Abstract: A first request is received for a temporary alternate identifier for a user, wherein the user is identified within a service using a user service identifier, and wherein the temporary alternate identifier assists in transferring the user service identifier from the service to a resource. In response to the first request, the temporary alternate identifier is generated and associated with the user service identifier. The temporary alternate identifier is then provided to the user, and the temporary alternate identifier is also provided by the user to the resource. A second request is received, from the resource, for an associated service identifier that is associated with the temporary alternate identifier. An indication is then provided, to the resource, that the user service identifier is the associated service identifier.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: December 6, 2022
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Chitranjan Gohil
  • Patent number: 11494488
    Abstract: A method, system, and computer program product for adaptive network provisioning. The method may include storing a plurality of use case records in a use case repository, where each use case record provides a diagnostic definition of a security threat to a SIEM environment. The method may also include storing metadata for a plurality of attributes of subscribers to the SIEM environment. The method may also include storing use cases that the subscribers have deployed from the use case repository. The method may also include setting up a new subscriber, where setting up the new subscriber includes: receiving a set of attributes of the new subscriber; searching a metadata store to identify subscribers with attributes that are similar to the set of attributes; and selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers.
    Type: Grant
    Filed: October 14, 2020
    Date of Patent: November 8, 2022
    Assignee: International Business Machines Corporation
    Inventors: Tousif Ahmed Syed, Tamer Aboualy, Dusty Boshoff