Patents Examined by Matthew Smithers
  • Patent number: 11537726
    Abstract: A secret computation system is a secret computation system for performing computation while keeping data concealed, and comprises a cyphertext generation device that generates cyphertext by encrypting the data, a secret computation device that generates encrypted basic statistics by performing secret computation of predetermined basic statistics using the cyphertext while keeping the cyphertext concealed, and a computation device that generates decrypted basic statistics by decrypting the encrypted basic statistics and performs predetermined computation using the decrypted basic statistics.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: December 27, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Satoshi Tanaka, Ryo Kikuchi, Koji Chida
  • Patent number: 11539503
    Abstract: Containers can be managed for cryptanalysis attack protection. For example, a computing system can receive, from a container, a description specifying a first hardware requirement for the container. The computing system can restrict access to hardware based on the first hardware requirement for the container. The computing system can perform, for a data object requested by the container, an encryption operation and a decryption operation using the hardware. A result of the encryption operation can be inaccessible to the container prior to the decryption operation.
    Type: Grant
    Filed: March 3, 2021
    Date of Patent: December 27, 2022
    Assignee: RED HAT, INC.
    Inventors: Orit Wasserman, Gabriel Zvi BenHanokh
  • Patent number: 11531759
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: provide a permission list; allocate an executable, the executable to have permissions according to the permission list; designate a child object of the executable; allocate a certificate for the child object; and after a system reboot, grant the child object permissions of the executable after validating the certificate.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: December 20, 2022
    Assignee: McAfee, LLC
    Inventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
  • Patent number: 11531757
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.
    Type: Grant
    Filed: December 12, 2019
    Date of Patent: December 20, 2022
    Assignee: McAfee, LLC
    Inventors: Abhishek Karnik, Xiaobing Lin, Asheer Malhotra, Oliver G. Devane
  • Patent number: 11526371
    Abstract: Some examples relate generally to computer architecture software for data classification and information security and, in some more particular aspects, to verifying audit events in a file system.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: December 13, 2022
    Assignee: Rubrik, Inc.
    Inventors: Di Wu, Chenyang Zhou, Shanthi Kiran Pendyala
  • Patent number: 11522838
    Abstract: A communication network encrypts a first portion of a transaction associated with point-to-point communications using a point-to-point encryption key. A second portion of the transaction associated with end-to-end communications is encrypted using an end-to-end encryption key.
    Type: Grant
    Filed: January 14, 2021
    Date of Patent: December 6, 2022
    Assignee: Seven Networks, LLC
    Inventors: Lee R. Boynton, Trevor A. Fiatal, Scott M. Burke, Mark Sikes
  • Patent number: 11522670
    Abstract: Disclosed herein are systems and methods for decentralized data distribution by a database network system comprising a hierarchical blockchain model. The hierarchical blockchain model may comprise a quantum pyramid consensus to distribute data throughout the database network system in a decentralized and secure manner. The hierarchical construct may be built according to trusted scores calculated for the nodes of the network over their lifetime at the network.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: December 6, 2022
    Assignee: MAATADATA, INC.
    Inventors: Anjali Gulati, Phillipus Van Eeden
  • Patent number: 11509639
    Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.
    Type: Grant
    Filed: September 16, 2020
    Date of Patent: November 22, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Praveen Raju Kariyanahalli, Mosaddaq Hussain Turabi, Murtuza Attarwala
  • Patent number: 11507678
    Abstract: The present invention discloses a method for managing cloud service authority in a cloud storage system, which includes: a set of cloud data and a plurality of data servers. The cloud data includes a plurality of user object files and global access control information. Each data server includes an access control enforcement unit for executing or rejecting I/O requests from the client computers, where the access control enforcement unit includes local access control information. The method includes steps of: changing the content of the global access control information in the cloud data; downloading, by the data servers, the changed global access control information from the cloud data; updating, by the data servers, the local access control information therein according to the downloaded global access control information; and processing, by the data servers, I/O requests from the client computers according to the updated local access control information.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: November 22, 2022
    Assignee: Infortrend Technology, Inc.
    Inventors: Yen-Jui Lin, Zih-You Peng, Chao-Feng Lin
  • Patent number: 11502819
    Abstract: Various embodiments relate to a method and system for securely comparing a first and second polynomial, including: selecting a first subset of coefficients of the first polynomial and a second subset of corresponding coefficients of the second polynomial, wherein the coefficients of the first polynomial are split into shares and the first and second polynomials have coefficients; subtracting the second subset of coefficients from one of the shares of the first subset of coefficients; reducing the number of elements in the first subset of coefficients to elements by combining groups of / elements together; generating a random number for each of the elements of the reduced subset of coefficients; summing the product of each of the elements of the reduced subset of coefficients with their respective random numbers; summing the shares of the sum of the products; and generating an output indicating that the first polynomial does not equal the second polynomial when the sum does not equal zero.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: November 15, 2022
    Assignee: NXP B.V.
    Inventors: Tobias Schneider, Joppe Willem Bos, Joost Roland Renes, Christine van Vredendaal
  • Patent number: 11501234
    Abstract: Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: November 15, 2022
    Assignee: Albeado, Inc.
    Inventors: Partha Datta Ray, Zahid Patel
  • Patent number: 11496303
    Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: November 8, 2022
    Assignee: INTEL CORPORATION
    Inventors: Ned M. Smith, Omer Ben-Shalom, Alex Nayshtut
  • Patent number: 11487879
    Abstract: In an embodiment, a threat score prediction model is generated for assigning a threat score to a software vulnerability. The threat score prediction model may factor one or more of (i) a degree to which the software vulnerability is described across a set of public media sources, (ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases, (iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, and/or (iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: November 1, 2022
    Assignee: TENABLE, INC.
    Inventors: Bryan Peter Doyle, Vincent Gilcreest, Wei Tai, Damien McParland, Renaud Deraison
  • Patent number: 11489833
    Abstract: Embodiments of the present disclosure relate to verifying a third-party resource by automatically validating multi-factor message codes associated with the third-party resource to enable access to functionality associated with the third-party resource via a multi-app communication system. An example embodiment includes a multi-app communication system including at least one processor and at least one memory. The embodiment multi-app communication system is configured to receive a sign-in request from a multi-app communication system application executed on a client device, and cause transmission of a multi-factor confirmation message to a verified third-party multi-factor authentication resource. The embodiment multi-app communication system is further configured to query the verified third-party multi-factor authentication resource to identify the multi-factor confirmation message, and enable access to the third-party resource.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: November 1, 2022
    Assignee: Slack Technologies, LLC
    Inventors: Mark Pike, Roland Schemers, James McPhail, Matthew Wahl
  • Patent number: 11483331
    Abstract: Embodiments of the disclosure relate to a computer-implemented consequence-driven cyber-informed engineering tool for performing and reporting consequence-based prioritization, system-of-systems breakdown, consequence-based targeting, and mitigations and protections. Embodiments of a CCE tool may perform one or more steps of defining a target industrial control system (ICS), wherein the target ICS includes operational goals, critical functions, and critical services; determining one or more scored high consequence events (HCE) associated with the defined target ICS; prioritizing the scored HCEs according to an HCE severity index; and updating a dashboard with one or more representations of the prioritized HCEs, wherein the updated dashboard is associated with the CCE tool and presented at a display.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: October 25, 2022
    Assignee: Battelle Energy Alliance, LLC
    Inventors: Michael Assante, Curtis St. Michel, Sarah G. Freeman, Robert T. Smith, Andrew A. Bochman
  • Patent number: 11477171
    Abstract: Techniques are described with regard to client authentication management. An associated method includes constructing an authentication resolution model specific to a client based upon error patterns respectively included in a plurality of erroneous authentication submissions inconsistent with a proper authentication submission. The method further includes receiving, via an authentication interface, a new erroneous authentication submission inconsistent with the proper authentication submission. Responsive to determining that the new erroneous authentication submission corresponds to an authentication exception defined in the authentication resolution model, the method further includes completing authentication. Responsive to determining that the new erroneous authentication submission corresponds to an authentication warning defined in the authentication resolution model, the method further includes performing at least one client account warning protection activity.
    Type: Grant
    Filed: November 29, 2019
    Date of Patent: October 18, 2022
    Assignee: Kyndryl, Inc.
    Inventors: Cesar Augusto Rodriguez Bravo, John R. Feezell, Edgar A. Zamora Duran, Craig M. Trim
  • Patent number: 11477216
    Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: October 18, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Andrey Karpovsky, Tomer Rotstein, Fady Nasereldeen, Naama Kraus, Roy Levin, Yotam Livny
  • Patent number: 11477005
    Abstract: Systems and/or methods of the present disclosure enable crypto-ledger interoperability using a controller to perform an operation between a first user and a second user on separate entity-specific distributed crypto-ledgers, where the separate entity-specific distributed crypto-ledgers are both operatively linked to a membered common distributed crypto-ledger. The controller burns a first quantity of first entity-specific crypto-tokens from the first entity-specific distributed crypto-ledger and mints a second quantity of the common crypto-tokens on the membered common distributed crypto-ledger, where the first quantity of first entity-specific crypto-tokens and the second quantity of the common crypto-tokens represent an equivalency.
    Type: Grant
    Filed: February 3, 2022
    Date of Patent: October 18, 2022
    Assignee: TASSAT GROUP INC.
    Inventors: Kevin Lupowitz, Eric Couillard, Sanjaya Kulkarni, Brian Bruce, Sanjay Deshpande, Omari Edwards, Joe Grastara, Al Gleicher
  • Patent number: 11463445
    Abstract: A content server can extend enterprise content management to a leading system in an efficient, automated, and seamless manner by leveraging the permission information provided by the leading system. The content server can sync the permission information with the leading system, evaluate user-manager relations, role-based rule definitions, and user-group associations defined in the leading system, and determine and/or update role memberships for workspaces created in the content server for users in the leading systems. In this way, even though the content server and the leading system have very different types of roles and permission models, the content server can evaluate complex relationships and role-based rules and intelligently, correctly, and quickly assign the right people to the right roles in the right workspaces in the content server.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: October 4, 2022
    Assignee: OPEN TEXT SA ULC
    Inventors: Thomas Demmler, Szabolcs Gyula Mile
  • Patent number: 11455384
    Abstract: A method and apparatus with an adaptively updated enrollment database (DB) are provided. A method with an adaptively updated enrollment database (DB) includes extracting an input feature vector from an input image, determining whether the input feature vector is included in a changeable enrollment range, with the changeable enrollment range being determined based on a threshold distance from each of plural enrolled feature vectors in the enrollment DB, and with the enrolled feature vectors corresponding to enrolled images, determining whether to enroll the input feature vector in the enrollment DB in response to the input feature vector being determined as being included in the changeable enrollment range, and in response to a result of the determining of whether to enroll the input feature vector being to enroll the input feature vector, selectively enrolling the input feature vector in the enrollment DB.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: September 27, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Minsu Ko, Seungju Han, Jaejoon Han, Deoksang Kim, Chang Kyu Choi