Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.

Abstract: Techniques for sharing private data objects in a trusted execution environment using a distributed ledger are described. The techniques described herein may enable sharing of data objects, referred to herein as private data objects (PDOs), between individuals and organizations with access and update policies mediated by execution of code (referred to herein as a “smart contract”) carried with the PDO in a secure enclave. A distributed ledger may serve as a “public commit log” to ensure that there is a single, authoritative instance of the object and provide a means of guaranteeing atomicity of updates across interacting objects.

Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: A method of enabling program code stored on target data processing devices, the method comprising: receiving an in encrypted value of a permitted number of target data processing devices that are permitted to have program code stored on them enabled, and using a security data processing device to decrypt the encrypted value and store the decrypted value on the security data processing device; and for each target data processing device, using the security data processing device to: determine whether the value of the permitted number of target data processing devices is greater than zero; if so, obtain a device identifier from the target data processing device; generate a license key from the device identifier; store the license key on the target data processing device; and decrement the value of the permitted number of target data processing devices.

Abstract: Systems and methods for processing inbound and outbound secure packet traffic are provided herein. A first lookup operation can be performed to identify a security association corresponding to a received packet. A second lookup operation can be performed to determine a security parameters index associated with the packet and the identified security association. The packet can be processed in accordance with the security association and the security parameters index.

Abstract: A method and system for monitoring computer network intrusions, the system comprising at least one security device including a processor and memory. The at least one security device is communicatively coupled to a private network and configured to generate heartbeat pulses comprising operational snapshots of the at least one security device. The system further comprises one or more host systems configured to communicate with the at least one security device from an external network, transmit configuration parameters to the at least one security device, the configuration parameters including instructions for the at least one security device to operate as a given type of network asset, monitor the heartbeat pulse of the at least one security device, determine a change in integrity in the at least one security device based on the monitoring, and send one or more notification messages to a network administrator based on the determination.

Abstract: An efficient obfuscation of program control flow, comprising obscuring a control execution flow through a plurality of code blocks of a computer program. It involves obtaining a secret key, initializing a state variable based on the secret key, generating a switching value by processing the state variable through an encoding function, and selecting a code block from among a set of code blocks using the switching value. It further involves executing the block code, which comprises updating the state variable based on a present value of the state variable, and repeating the steps of generating a switching value, selecting a code block, and executing the code block to control execution flow through the set of code blocks.

Abstract: A DSSE architecture network enables multi-user such as data owners and data users to conduct privacy-preserving search on the encrypted PHIs stored in a cloud network and verify the correctness and completeness of retrieved search results simultaneously is provided. The data owners and data users may be patients, HSPs, or combination thereof. An IoT gateway aggregates periodically collected data into a single PHI file, extract keywords, build an encrypted index, and encrypt the PHI files before the encrypted index and PHI files are transmitted to a cloud network periodically for storage thus enable the DSSE architecture network to achieve a sub-linear search efficiency and forward privacy by maintaining an increasing counter for each keyword at the IoT gateway. Since the PHI files are always transmitted and added/stored into the cloud storage over the cloud network, file deletion, file modification is eliminated.

Abstract: The disclosure relates in some aspects to establishing connectivity with a network using a first set of credentials and determining whether additional connectivity needs to be established (e.g., using a second set of credentials) to communicate data. The disclosure relates in some aspects to the use of multiple credentials for access and service connectivity. For example, traffic generated by a device may be authorized based on a different set of credentials than the set of credentials used to access the network (e.g., to connect to an LTE network for a PDN connection). In this way, traffic belonging to a specific service or application can be charged and policed based on service specific needs. The disclosure thus relates in some aspects to the use of access credentials and service credentials. These different types of credentials can be used to enable traffic differentiation and policing based on the credentials in use.

Abstract: An implementation of the present application provides a computer—implemented method to increase the security of a blockchain—implemented transaction, the transaction including participation from a plurality of participating nodes, each participating node participating as a message originator, selector, and propagator. The method, implemented at a participating node, includes: receiving ciphertext from a prior node and determining whether the participating node is a selector node for said ciphertext received from the prior node. When the participating node is the selector node for said ciphertext, the method includes selecting a subset of said ciphertext, decrypting the selected subset of said ciphertext to provide opted ciphertext and transmitting said opted ciphertext to the next node. When the participating node is other than the selector node for said ciphertext, the method includes decrypting said ciphertext received from the prior node and transmitting the decrypted ciphertext to the next node.

Abstract: A system and method for facilitating supervisory control of localized meeting groups is provided. A method includes the steps of generating a master meeting group based on input received from a master organizer, generating a plurality of authentication tickets based on input received from the master organizer of the master meeting group identifying a local organizer for each authentication ticket of the plurality of authentication tickets, transmitting the plurality of authentication tickets to each of the local organizers, authenticating a plurality of local organizers based at least partially on an authentication ticket for each local organizer, and generating a plurality of meeting subgroups associated with the master meeting group based at least partially on the at least one meeting parameter. Each meeting subgroup is associated with at least one local organizer and is generated based at least partially on input received from the at least one local organizer.

Abstract: A first set of access rules is received from an access configuration service. The first set of access rules specifies addresses of devices authorized for a first user. A second set of access rules is received from the access configuration service. The second set of the access rules specifies addresses of devices authorized for a second user. At a wireless access point, a network packet associated with the first user is received. The first set of access rules is applied to filter the network packet.

Abstract: A method to obscure a control execution flow in a computer program includes initializing a state variable, q, and a switching variable, selecting a code block for execution using a present value of the switching variable, executing the code block, updating the state variable based on a present value of the state variable and a block-dependent constant that is associated with the code block to generate an updated state variable, and by applying a state update function to the updated state variable, and updating the switching variable by processing the state variable through a non-injective output function that generates a new value of the switching variable based on the state variable. The operations of selecting the code block, executing the code block, updating the state variable and updating the switching variable are repeated to control execution flow.

Abstract: Systems and methods are provided to implement moving target defense techniques for transportation systems. The moving target defense techniques can randomly change the IP addresses of the nodes associated with both the vehicles and the corresponding control centers. The nodes for the vehicles and the control centers can be “mobile” nodes that use a “care-of” IP address for communications. The care-of address used by the nodes can be updated through a binding update process. During the binding update process, the one node sends the binding update notice (with a new care-of address) to the care-of address of the other node while maintaining its prior care-of address. The node that receives the binding update notice can send a binding acknowledgement back to the node that sent the binding update. Once the binding acknowledgement is received, the prior care-of address can be removed by the node that sent the binding update.

Abstract: A data storage device includes a plurality of tiles whose faces are marked with characters. An elongated core is configured to enable slots of the tiles to fit over an openable end of the core to mount the tiles on the core with the marked faces aligned and to slide along the core. The length of the core is sufficient such that tiles of a mounted stack of tiles are slidable away from other tiles of the stack to form a gap that is sufficient to enable reading the character on the tile. A locking element is placeable on the openable end to prevent removal of tiles from the stack, and removable to enable addition of tiles or removal of tiles. A casing is closable over the core and includes a limiting structure to limit sliding of the tiles when the casing is closed.

Abstract: Mechanisms for booting a service processor are provided. With these mechanisms, the service processor executes a secure boot operation of secure boot firmware to boot an operating system kernel of the service processor. The secure boot firmware records first measurements of code executed by the secure boot firmware when performing the boot operation, in one or more registers of a tamper-resistant secure trusted dedicated microprocessor of the service processor. The operating system kernel executing in the service processor enables an integrity management subsystem of the operating system kernel which records second measurements of software executed by the operating system kernel, in the one or more registers of the tamper-resistant secure trusted dedicated microprocessor.

Abstract: A first security policy associated with a first tenant in a multi-tenant hosting data processing environment is created. A first virtual machine is caused to execute on a first host, the first virtual machine associated with a first group defined by the first security policy. A controller is caused to send, from the controller to an agent executing on the first host, authorized communication information, the authorized communication information specifying a set of virtual machines associated with the first group. The agent is caused to configure a second routing entry in the first host, the second routing entry derived from the authorized communication information, the second routing entry causing the first virtual machine to reject outgoing network traffic intended for a second IP address, the second IP address associated with a third virtual machine outside the first group.

Abstract: An anomaly detection system configured to generate a plurality of tensors based on spatial attributes of a set of cybersecurity data and temporal attributes of the set of cybersecurity data. The set of cybersecurity data comprising numeric data and textual data collected from a plurality of computational sources. The anomaly detection system can provide the plurality of tensors to a Hierarchical Temporal Memory (HTM) network. The HTM network can be configured to generate respective HTM outputs for respective regions of the HTM network. The anomaly detection system can determine that at least one HTM output indicates an anomaly, convert the at least one HTM output to a notification, and provide the notification to a user interface.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving, by a network device, a request from a computing device to join a network, where the network is segmented to include a provisioning network, a first network segment, and a second network segment, and the second network segment provides limited network access privileges to computing devices compared to network access privileges provided by the first network segment. Providing the computing device access to the provisioning network. Determining, while the computing device is connected to the provisioning network, properties of the computing device. Selecting which of the first network segment and the second network segment to assign access to the computing device based on the properties of the computing device. Providing security credentials to the computing device for accessing the selected one of the first network segment or the second network segment.

Abstract: A method and system for security authorization on an electronic device are disclosed. The method includes detecting whether a trusted device is present in proximity to the electronic device. The trusted device is associated with a user profile of the electronic device, and the user profile includes access to private information. The method further includes allowing access to the user profile in response to detecting that the trusted device is present in proximity to the electronic device, and defaulting access to a public user profile of the electronic device in response to detecting a lack of presence of the trusted device in proximity to the electronic device.