Patents Examined by Madhuri R Herzog
  • Patent number: 11487907
    Abstract: Multi-mode interfaces having secure alternate modes are disclosed. An example method includes exposing to a device, during a first alternate mode negotiation session, an availability of a first secure alternate mode on a host, authenticating the device to the host using the first secure alternate mode, and responsive to the device being authenticated, exposing to the device a second secure alternate mode.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: November 1, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Neill Thomas Kapron, Christopher Ritchie Tabarez, Nicolas James Jurich
  • Patent number: 11489834
    Abstract: The present disclosure provides a method of access to users of a network system via a unique identity key that controls access and permission rights of outside entities as controlled by the entity itself. The system assigns unique identity to a unique entity. The key is responsible for facilitating preferred access types and information accessed by outside entities, and acts as a signal for action, interaction and experience within the System as well as third party platforms. Each interaction within the system includes a requesting entity's proxy (‘REP’) sending an information access request (‘IAR’) to the deciding entity's proxy (‘DEP’) via a network. This IAR is routed to the correct DEP via the unique identifier. The DEP applies access preferences to allow or deny the IAR, in part or completely. If allowed or partially allowed, the DEP returns information to the REP.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: November 1, 2022
    Assignee: DIEM AI, LLC
    Inventors: Daniel James Carroll, Aaron August Sloup
  • Patent number: 11481487
    Abstract: The technology provides for a threat detection system. In this regard, the system may be configured to output file states of a multi-layer file system. For instance, the system may determine, based on the file states for a file, one or more layers of the multi-layer file system in which one or more objects corresponding to the file can be found. Based on the one or more objects corresponding to the file, the system may detect a potential threat. The system may then take an action in response to the potential threat.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: October 25, 2022
    Assignee: Google LLC
    Inventors: Michael Halcrow, Thomas Garnier
  • Patent number: 11468184
    Abstract: A data protection system includes a data storage apparatus and an information processing apparatus. In the information processing apparatus, a redirection processing apparatus sets a personal storage area corresponding to a user to an accessible state according to a redirection policy. Furthermore, a write control unit controls data writing permission/prohibition for each storage area according to a write management policy. In particular, the write control unit prohibits data writing to a local storage unit except for the storage area to be used to access the personal storage area. With this, the data does not remain in the information processing apparatus, thereby preventing data leakage from the information processing apparatus.
    Type: Grant
    Filed: August 7, 2018
    Date of Patent: October 11, 2022
    Assignees: KYUSHU ELECTRIC POWER CO., INC., HUMMING HEADS, INC.
    Inventors: Daijiro Kariu, Naoyuki Oe, Haruo Iwasaki, Takahiro Shima
  • Patent number: 11449609
    Abstract: A threat management facility analyzes a plurality of instructions in computer code for redundancy. When redundancy is found, the threat management facility determines whether the redundancy has characteristics of deliberate obfuscation consistent with malware techniques such as server-side polymorphism. Measures of redundancy, such as one or more of a degree of redundancy or a pattern of redundancy, may inform this process, and may usefully aid in distinguishing legitimate code redundancies from malware. Where an inference of malware is supported, the threat management facility may initiate remediation of the computer code. Further, or instead, the type of remediation applied to the computer code may be based on one or more aspects of the detected obfuscation.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: September 20, 2022
    Assignee: Sophos Limited
    Inventor: Graham John William Chantry
  • Patent number: 11429718
    Abstract: Systems and methods of providing industrial system cybersecurity event detection and corresponding response are described. The systems and methods utilize various end point sensors already available in an industrial control system and an associated monitoring process to detect cybersecurity and other security threats based on data collected by the sensors. The cybersecurity monitoring process may be trained with sensor data patterns and behaviors for known threats to recognize potentially malicious activity. Such a process may also learn to recognize and be trained on new threats and may incorporate each new threat to stay current with evolving industrial threats. This allows an enterprise to utilize its existing industrial infrastructure to detect and act upon a variety of threats to an industrial system with little or no interference or interruption of existing industrial processes.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: August 30, 2022
    Assignee: Schneider Electric Systems USA, Inc.
    Inventors: Andrew Kling, Zakarya Drias
  • Patent number: 11423141
    Abstract: Intruder detection using quantum key distribution is disclosed. A request for a first key for use with a first application configured to execute on a computing device is received by a quantum computing system. The request includes information that identifies the application. In response to the request, a quantum key distribution (QKD) process to generate a key is initiated. It is determined that an intruder attempted to eavesdrop on the QKD process. A message is sent to the computing device that instructs the computing device to cause the first application to implement a reduced functionality mode of the first application.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: August 23, 2022
    Assignee: Red Hat, Inc.
    Inventors: Stephen Coady, Leigh Griffin
  • Patent number: 11416628
    Abstract: Systems and methods are described for modifying input and output (I/O) to an object storage service by implementing one or more owner-specified functions to I/O requests. Different data manipulation functions can be placed in different I/O paths depending on the request method or user access level. For example, a user having full access may be returned the unaltered version of the object, whereas a user having modified or reduced access may be returned a modified or redacted version of the object. In this manner, owners of the object collection are provided with greater control over how the object collection is accessed.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: August 16, 2022
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Kevin C. Miller, Timothy Lawrence Harris, Ramyanshu Datta
  • Patent number: 11416592
    Abstract: A signature verification system, which comprises a plurality of worn devices of signing users, each provided with one or more motion sensors, and a processor for receiving motion signals from the sensors, the processor is adapted to define a set of features that describe a signature and distinguish one signature from another; perform a training phase by obtaining motion signals from one or more motion sensors of the worn devices; training a machine learning classifier using the instances and labels; obtain motion signals from motion sensors of a worn device, the motion being of an allegedly genuine signature of one of the users; scale and domain transform the allegedly genuine signature; calculate values of the features describing the allegedly genuine signature with respect to scaled and transformed reference signatures of the one of the users; and apply the trained classifier on the feature values, thereby classifying the allegedly genuine signature as genuine or forged.
    Type: Grant
    Filed: April 30, 2017
    Date of Patent: August 16, 2022
    Assignees: B.G. Negev Technologies and Applications LTD., at Ben-Gurion University, Ramot at Tel-Aviv University LTD.
    Inventors: Ben Nassi, Yuval Elovici, Erez Shmueli, Alona Levy
  • Patent number: 11403005
    Abstract: There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: August 2, 2022
    Assignee: Intel Corporation
    Inventors: David M. Durham, Ravi L. Sahita, Vedvyas Shanbhogue, Barry E. Huntley, Baiju Patel, Gideon Gerzon, Ioannis T. Schoinas, Hormuzd M. Khosravi, Siddhartha Chhabra, Carlos V. Rozas
  • Patent number: 11392676
    Abstract: A system and method for securely storing, retrieving and sharing data using PCs and mobile devices and for controlling and tracking the movement of data to and from a variety of computing and storage devices.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: July 19, 2022
    Assignee: QUICKVAULT, INC.
    Inventor: Steven V. Bacastow
  • Patent number: 11368467
    Abstract: An information handling system operating a data integration protection assistance system may comprise a processor linking first and second data set field names identified within a previous execution of a data integration process for transferring a data set field value identified by the first data field name at a source geographic location to a destination geographic location for storage under the second data field name. The processor may receive a user instruction to associate data set field names labeled as sensitive private individual data with a barred geographic location, determine the second data set field name is labeled as sensitive private individual data and the destination storage location matches the barred geographic location. A graphical user interface may display a notice that the data set field value was stored during the previously executed integration process within the barred geographic location.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: June 21, 2022
    Assignee: Boomi, LP
    Inventors: Daniel Schwartz, Michael J. Morton, Rohan Jain
  • Patent number: 11361101
    Abstract: Disclosed are various examples for multi-party authentication and authentication. In one example, a user can gain access to secured data stored by a managed device based on the presence of the minimum quantity of other users within a threshold proximity of the user who desires access.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: June 14, 2022
    Assignee: AirWatch LLC
    Inventors: Sachin Vas, Ramani Panchapakesan, Vijaykumar Bhat, Sushilvas Vasavan
  • Patent number: 11349820
    Abstract: Described embodiments provide systems and methods for selectively encrypting and decrypting portions of a network flow by intermediary devices. A first device may identify a protocol used by a network flow traversing the first device via one or more packets of the protocol. The first device may determine that a level of encryption for the network flow meets a predetermined threshold. The first device may receive network packets to be communicated between a sender and a receiver. The packets may include a first portion that is encrypted and a second portion that has clear text information. The first device may encrypt the second portion of the one or more packets. The first device may forward the network packets with the first portion and the encrypted second portion via a tunnel to a second device for decryption of the encrypted second portion for forwarding to the receiver.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: May 31, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Derek Thorslund, Vladimir Vysotsky
  • Patent number: 11310213
    Abstract: Disclosed are various examples for enrolling a client device and synchronizing user attributes for the client device across multiple directory services. A search request for user attributes can be sent to a first directory service with an identifier for a user account. The first directory service can query for the identifier and send back user attributes. If a global identifier is included in the attributes, another search request for user attributes can be sent to a second directory service with the global identifier. The second directory service can query for the global identifier and send back user attributes.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: April 19, 2022
    Assignee: AirWatch LLC
    Inventors: Kalyan Regula, Shravan Shantharam, Nishita Manjunath, Varun Murthy, Jason Roszak
  • Patent number: 11288404
    Abstract: A System on Chip (SoC), including a plurality of processor cores including a secure master, which is configured to run security software, and a non-secure master, which is configured to run non-security software; a resource configured to be shared by the secure master and the non-secure master; and a state machine configured to protect the resource by allowing only the secure master to transition the resource to a particular state of the state machine, and allowing only the non-secure master to transition the resource to another particular state of the state machine.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: March 29, 2022
    Assignee: Infineon Technologies AG
    Inventors: Albrecht Mayer, Glenn Ashley Farrall, Frank Hellwig
  • Patent number: 11272371
    Abstract: This application provides an unmanned aerial vehicle authentication method and an apparatus. The method includes: sending, by a communications device after determining that a type of a terminal is a UAV, authentication information of the terminal to an authentication server, so that the authentication server can perform authentication on the terminal based on the authentication information of the terminal, and therefore, the authentication server completes authentication on the terminal. In addition, the unmanned aerial vehicle is allowed to fly only after authentication on the terminal succeeds. Therefore, flight security of the unmanned aerial vehicle can be improved.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: March 8, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Haoren Zhu, Zhixian Xiang, Gang Li, Cuili Ge
  • Patent number: 11265345
    Abstract: In some implementations, systems and methods for detecting leaked credentials in a request for a network resource are provided. A request to access a resource on a network is analyzed to determine if the request was transmitted using an unsecured protocol, and if so, determine whether the request includes authentication credentials. If the request includes authentication credentials, the authentication credentials are authenticated and in response to determining that the authentication credentials are authentic, the authentication credentials are disabled. One or more notifications may be transmitted to an owner of the disabled authentication credentials.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: March 1, 2022
    Assignee: Red Hat, Inc.
    Inventors: Darran Lofthouse, Farah Juma
  • Patent number: 11252161
    Abstract: A system of peer identity verification that reduces the risk of identity theft in case of a data breach. The system does not require a vendor to maintain a database of sensitive customer-related data. Cryptographic keys are used. The system creates a one-time encryption keypair. The public and private keys of each user are saved securely on each user's device. While the public key for each user is stored remote from each user's device (such as in a cloud), the private key for a given user is not stored anywhere other than securely on that user's device. Thereafter, a user (i.e., the main user) requests another user to act as their “trusted peer” to be added to their “trust cluster.” If that other user accepts the request, the main user's private key is encrypted with that other user's public key and this encrypted data gets stored remotely, such as in a cloud.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: February 15, 2022
    Assignee: PIV SECURITY LLC
    Inventor: Joshua D. Holton
  • Patent number: 11245727
    Abstract: A method provides a network-agnostic identity broker for retrieving identity records across heterogeneous identity networks. An identity broker receives a client request from a client to retrieve and evaluate user identity information for confirming an identity of a particular entity. The identity broker utilizes a group membership of the client to select a set of policies for handling the client request, and selects an identity network from multiple heterogeneous identity networks as a selected identity network to which the client request is to be sent. The identity broker sends the client request to the selected identity network, and then receives a response from the selected identity network. The identity broker evaluates the response according to the set of policies, such that the evaluated response conforms with the set of policies, and transmits the evaluated response to the client.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: February 8, 2022
    Assignee: International Business Machines Corporation
    Inventors: Kapil Kumar Singh, Joshua F. Payne, Ashish Kundu, Arjun Natarajan