Patents Examined by Matthew Smithers
  • Patent number: 11438330
    Abstract: Systems and methods are provided for authenticating a user. The method includes accepting, using a graphical user interface coupled to an electronic computing device, a login request from the user to access a remote server, wherein the login request includes biometric data of the user, using a non-tactile biometric scanner, and comparing, using a processor on an intermediary server, the biometric data of the user with biometric data stored in memory of the intermediary server, wherein the biometric data stored in the memory is associated with one or more known users. The method further includes determining, based on the comparison, whether an identity of the user is authentic, and if the identity of the user is authenticated, relaying the login request to the remote server.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: September 6, 2022
    Inventor: Bernard Garcia
  • Patent number: 11436342
    Abstract: Disclosed embodiments relate to trust domain islands with self-contained scope. In one example, a system includes multiple sockets, each including multiple cores, multiple multi-key total memory encryption (MK-TME) circuits, multiple memory controllers, and a trust domain island resource manager (TDIRM) to: initialize a trust domain island (TDI) island control structure (TDICS) associated with a TD island, initialize a trust domain island protected memory (TDIPM) associated with the TD island, identify a host key identifier (HKID) in a key ownership table (KOT), assign the HKID to a cryptographic key and store the HKID in the TDICS, associate one of the plurality of cores with the TD island, add a memory page from an address space of the first core to the TDIPM, and transfer execution control to the first core to execute the TDI, and wherein a number of HKIDs available in the system is increased as the memory mapped to the TD island is decreased.
    Type: Grant
    Filed: December 26, 2019
    Date of Patent: September 6, 2022
    Assignee: Intel Corporation
    Inventors: Gideon Gerzon, Hormuzd M. Khosravi, Vincent Von Bokern, Barry E. Huntley, Dror Caspi
  • Patent number: 11438325
    Abstract: One example method includes contacting, by a client, a service, receiving a credential from the service, obtaining trust information from a trust broker, comparing the credential with the trust information, and either connecting to the service if the credential and trust information match, or declining to connect to the service if the credential and the trust information do not match. Other than by way of the trust information obtained from the trust broker, the client may have no way to verify whether or not the service can be trusted.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: September 6, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Ido Begun, Jehuda Shemer
  • Patent number: 11438171
    Abstract: Methods, systems, and devices for virtualized authentication device are described. A virtual device (such as a virtual machine) may be permitted to access secured data within a memory device by an authentication process. The memory device may generate cryptographic keys in portions of the memory device and assign the cryptographic keys to the virtual machines. The virtual machine may use an authentication process using the cryptographic keys to access the secure data in the memory device. The authentication process may include authenticating the identity of the virtual machine and the code operating on the virtual machine based upon comparing cryptographic keys received from the virtual machines to the assigned cryptographic keys in the partitions of the memory device. Once both the identity of the virtual machine is authenticated, the virtual machine may be permitted to access the secure data in the memory device.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: September 6, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Zoltan Szubbocsev
  • Patent number: 11438151
    Abstract: The present technology discloses a method for enriching local crypto-processor queries with software-defined networking augmented information, comprising sending, from a virtual machine installed on a physical host, a request for trust verification data; augmenting, by an identity verification system on the physical host, the request for trust verification data with encrypted information from an external entity; receiving, at a trusted processor module on the physical host, the request for trust verification data; receiving, at the virtual machine, the trust verification data; and assessing, at the virtual machine, a state of the physical host based on the trust verification data.
    Type: Grant
    Filed: January 23, 2020
    Date of Patent: September 6, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Eric Voit, Peter Panburana
  • Patent number: 11431751
    Abstract: Potentially malicious uniform resource locators and websites are safely and effectively investigated through live forensic browsing. Live data from an isolated browser feeds a security information and event management (SIEM) tool and other forensic tools during a browsing session, allowing investigators to direct the browsing in response to analysis results. Session data may be translated for SIEM ingestion. Browsing sessions may be manually or automatically customized to obscure their forensic nature, by routing selection, by bandwidth or latency adjustment, or by spoofing externally detectable characteristics such as geolocation, user agent, time zone, and language. Forensic activity by an investigator may also be obscured from discovery by an attacker as a result of spoofing the browser's context, such as plugin status and host machine physical characteristics.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: August 30, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amar Dinesh Patel, John Lambert, Nitin Kumar Goel
  • Patent number: 11429746
    Abstract: Disclosed are a method and system for providing user notification when personal information is used in a speech controller. A method of providing user notification may include receiving information monitored for reference to personal information in a process of processing a user's query in a voice service, storing a personal information utilization history for each user and for each service based on the monitored information, determining the suitability of the reference to the personal information based on the monitored information, determining whether the personal information is included in a response when generating the response to the user's query, generating and providing guide information indicating that the personal information is included in the response if the personal information is included in the response, and providing the response to the user's query based on feedback from the user for the guide information.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: August 30, 2022
    Assignee: Piamond Corp.
    Inventor: Jinhong Yang
  • Patent number: 11425168
    Abstract: A system and methods for facilitating secure computing device control and operation. The invention discloses a framework to supply security and policy-based control to computing applications as a software service. Clients running the framework make requests for services whereby they identify the service needed and its required parameters, encrypt and sign them, and send them to the service handler. The service handler decrypts, checks for policy allowance, and then, if allowed, executes the functions. The handler then encrypts and returns the response to the client. The framework allows for an aggregator that collects service requests for any number of clients and manages the distribution to service handlers and communications back to the clients.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: August 23, 2022
    Inventor: Philip Attfield
  • Patent number: 11424937
    Abstract: An information processing apparatus capable of connecting to an external apparatus via a network includes a setting unit configured to enable a function of transmitting an issuance request for a digital certificate to the external apparatus at a previously designated date and time or with a previously designated cycle and acquiring a digital certificate from the external apparatus in response to the issuance request, wherein the function is enabled by the setting unit under a condition that information required for connection to the external apparatus is previously input.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: August 23, 2022
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Naoya Kakutani
  • Patent number: 11423145
    Abstract: Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems. Logic may monitor one or more control units at one or more observation layers of an in-vehicle network, each of the one or more control units to perform a vehicle function. Logic may combine observations of the one or more control units at the one or more observation layers. Logic may determine, based on a combination of the observations, that one or more of the observations represent an intrusion. Logic may determine, based at least on the observations, characteristics of an attack, and to pass the characteristics of the attack information to a forensic logging system to log the attack or pass the characteristics of the attack to a recovery system for informed selection of recovery procedures. Logic may dynamically adjust a threshold for detection of suspicious activity.
    Type: Grant
    Filed: December 26, 2019
    Date of Patent: August 23, 2022
    Assignee: INTEL CORPORATION
    Inventors: Christopher N. Gutierrez, Marcio Juliato, Shabbir Ahmed, Qian Wang, Manoj Sastry, Liuyang L. Yang, Xiruo Liu
  • Patent number: 11418328
    Abstract: Disclosed is a system for performing key management of an in-vehicle network. The key management system of the in-vehicle network includes a reception unit configured to receive a shared secret key of a central gateway and a domain gateway, a memory configured to store a program for performing key management of the in-vehicle network using the shared secret key, and a processor configured to execute the program. The processor generates a secret key to be stored in a node of the in-vehicle network using the shared secret key and a unique ID of the node.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: August 16, 2022
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Hong Il Ju, Dae Won Kim, Jin Yong Lee, Boo Sun Jeon, Bo Heung Chung, Byeong Cheol Choi
  • Patent number: 11416616
    Abstract: A system is provided for managing booting of an OS that includes a UEFI controller comprising embedded application code instructions and a pre-loaded signed certificate, a boot process controller comprising application code instructions for the OS, pre-loaded signed certificates, and a plurality of application hash identifiers. The boot process controller receives signed communications from the UEFI controller and determines if the UEFI controller is authorized to manage the OS. The UEFI controller manages the OS in response to a positive authorization. The boot process controller determines if the UEFI controller is authorized to manage the OS in response to installation or execution of the OS. The UEFI controller receives a signed communication from the boot loader program, compares the signed communications with the plurality of application identifiers, and executes the boot loader program in response to the pre-loaded signed certificate matching an application identifier from the plurality.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: August 16, 2022
    Assignee: FORCEPOINT LLC
    Inventors: Robert W. Kliewer, Micky S. Martin, Mickey J. Malone, II
  • Patent number: 11411947
    Abstract: Systems and methods for smart contract-based detection of authentication attacks are disclosed. According to one embodiment, a method may include: (1) receiving an identification of a plurality of password-protected resources from an account holder; (2) receiving a rule identifying an automated protective action to be taken in response to a failed login attempt with one of the password-protected resources; (3) receiving, at a distributed ledger, a notification of a login attempt with one of the plurality of password-protected resources; (4) a smart contract or self-executing code executed by the information processing apparatus determining that the login attempt meets the rule; (5) the smart contract or self-executing code taking the automated protective action with the one of the plurality of password-protected resources and another of the plurality of password-protected resources; and (6) the smart contract or self-executing code committing the automated protective action to the distributed ledger.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: August 9, 2022
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Ankur Sambhar
  • Patent number: 11411724
    Abstract: Continuous variable quantum secret sharing (CV-QSS) technologies are described that use laser sources and homodyne detectors. Here, a Gaussian-modulated coherent state (GMCS) prepared by one device passes through secure stations of other devices sequentially on its way to a trusted device, and each of the other devices coherently adds a locally prepared, independent GMCS to the group of propagating GMCSs. Finally, the trusted device measures both the amplitude and the phase quadratures of the received group of coherent GMCSs using double homodyne detectors. The trusted device suitably uses the measurement results to establish a secure key for encoding secret messages to be broadcast to the other devices. The devices cooperatively estimate, based on signals corresponding to their respective Gaussian modulations, the trusted device's secure key, so that the cooperative devices can decode the broadcast secret messages with the secure key.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: August 9, 2022
    Assignee: UT-Battelle, LLC
    Inventors: Warren P. Grice, Bing Qi
  • Patent number: 11411949
    Abstract: Methods and systems for network communication are disclosed. Proxy information may be received. The proxy information may facilitate a gateway device communicating as a proxy for a user device.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: August 9, 2022
    Assignee: COMCAST CABLE COMMUNICATIONS, LLC
    Inventor: Jonathan Moore
  • Patent number: 11409901
    Abstract: A data protection implementation solution includes utilizing a peer-to-peer network and incorporating an auditing method to record and/or track transactions related to a customer's data. A private peer-to-peer network such as inter planetary file system (IPFS) is used to achieve secured and fast data accessibility while also managing data modifications. An auditing method such as blockchain is used to record activity related to data within the IPFS network. The IPFS network may include a plurality of nodes, among which data is distributed. Devices are registered with the network, and public keys, private keys, and node identifiers are used to authenticate users and secure the data. By incorporating blockchain with the IPFS network, file commit transactions are validated and a clear ledger regarding time of modification and count of file edits is provided.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: August 9, 2022
    Assignee: SAP SE
    Inventor: Saranyaa T
  • Patent number: 11409915
    Abstract: Methods and apparatus for protecting a physical unclonable function (PUF) generator are disclosed. In one example, a PUF generator is disclosed. The PUF generator includes a PUF cell array, a PUF control circuit and a reset circuit. The PUF cell array comprises a plurality of bit cells. Each of the plurality of bit cells is configurable into at least two different stable states. The PUF control circuit is coupled to the PUF cell array and is configured to access each of the plurality of bit cells to determine one of the at least two different stable states upon a power-up of the plurality of bit cells, and generate a PUF signature based on the determined stable states of the plurality of bit cells. The reset circuit is coupled to the PUF cell array and is configured to set the plurality of bit cells to represent their initialization data based on an indication of a voltage tempering event of a supply voltage of the PUF cell array.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: August 9, 2022
    Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
    Inventor: Shih-Lien Linus Lu
  • Patent number: 11405220
    Abstract: In one implementation, the disclosure provides systems and methods for generating a secure signature using a device-specific and group-specific moving target authentication protocol. According to one implementation, generating the secure signature entails determining a state of a first device in association with a select time interval. The state of the first device is defined by one or more time-variable characteristics of the first device. The device computes an output for a signing function that depends upon the determined state of the first device associated with the first time interval.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: August 2, 2022
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Vipin Singh Sehrawat, Dmitriy Vassilyev
  • Patent number: 11405397
    Abstract: Methods, apparatus, systems, and articles of manufacture to deconflict malware or content remediation are disclosed. An example apparatus includes a site redirector to identify a first request to be transmitted from a client device to a destination site identified by a uniform resource locator (URL), a site verifier to determine whether the first request indicates that a user has authorized navigation to the destination site, and a URL encoder to, in response to determining that the user has authorized the navigation to the destination site, generate a data field based on the domain of the destination site, the site redirector to transmit a second request to a network security monitor, the second request to indicate to the network security monitor that the user has authorized the navigation to the destination site, the second request including the data field and the URL.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: August 2, 2022
    Assignee: McAfee, LLC
    Inventors: Martin Pivetta, Srinivasan Varadharajan
  • Patent number: 11403398
    Abstract: Disclosed herein are methods and systems for detecting a source of malicious activity in a computer system. An exemplary method comprises gathering information related to the objects of the computer system, forming a graph based on the information gathered on the objects, selecting at least two induced subgraphs (hereinafter, subgraph) from the resulting graph, determining the coefficient of harmfulness for each selected subgraph, the coefficient of harmfulness representing a numerical characteristic describing the strength of the relations between the vertices of that subgraph, determining, from the selected subgraphs, a subgraph whose coefficient of harmfulness is a minimum among the determined coefficients of harmfulness of the subgraphs, and the total coefficient of harmfulness of the subgraphs related to that subgraph is a maximum, identifying the object correlated with at least one vertex of the determined subgraph as a source of the malicious activity in the computer system.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: August 2, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Igor I. Sumenkov, Sergey Y. Golovanov