Patents Examined by Moeen Khan
  • Patent number: 11652615
    Abstract: A system for dispersing access rights for routing devices in a network including a router, a key and a key socket, and a key-router validation server. The router and the physical key must be present and both must be validated by the key-router validation server before the router can establish a VPN network between remote external and internal networks. Neither the key nor the router contains critical information for allowing access to networks. Losing either the key, or the router, does not endanger security of the networks. This is the essence of dispersed access rights.
    Type: Grant
    Filed: September 23, 2022
    Date of Patent: May 16, 2023
    Inventors: John Holmström, Kenneth Ramstedt
  • Patent number: 11651095
    Abstract: In some aspects, a gateway server can unlock or unfreeze access to data about a user by third parties without requiring the user to navigate completely away from a third-party website through which the user is executing an electronic transaction. The gateway server can receive a request to unlock or unfreeze data through the third-party website hosted by a third-party web server. The gateway server can output a user interface that is displayable simultaneously with the third-party website. Through the user interface, the gateway server can receive sign-in data such as log-in credentials of the user and consent to share data about the user with the third-party web server. The gateway server can output a command to unlock or unfreeze data about the user and to share the data with the third-party web server. Based on the shared data, the transaction can be completed at the third-party web server.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: May 16, 2023
    Assignee: EQUIFAX INC.
    Inventors: Rajan Gupta, Justin Whitehead, Josh Hanson
  • Patent number: 11646870
    Abstract: A computer-implemented method for protecting a mobile device against unauthorized access may be provided. The method comprises encrypting the user data stored in a volatile memory of the mobile device if the mobile device is switched to a locked status, and decrypting the user data stored in the volatile memory if the mobile device is switched from the locked status into an unlocked status.
    Type: Grant
    Filed: January 23, 2019
    Date of Patent: May 9, 2023
    Assignee: International Business Machines Corporation
    Inventors: Cecilia Boschini, Jan L. Camenisch, Tommaso Gagliardoni, Kai Wilhelm Samelin
  • Patent number: 11646894
    Abstract: A method for securely broadcasting information to a group of undisclosed recipients. The information in an information system is encoded by applying a hash function to a group of messages to form the information stream, wherein portions of the information in the information stream are intended for respective ones of the group of undisclosed recipients. The information is encoded such that only an intended recipient can decode a portion of the information intended for the intended recipient. The information stream is broadcasted to the group of undisclosed recipients.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: May 9, 2023
    Assignee: International Business Machines Corporation
    Inventors: Nicholas S. Kersting, Bodhisatwa Sadhu
  • Patent number: 11611442
    Abstract: Systems and applications are described that use group signature technology to allow for anonymous and/or semi-anonymous feedback while allowing for the application of rules and parameters. The use of group signature technology may serve to potentially mitigate or prevent malicious identification of individuals or entities providing a communication such as feedback. Feedback may range from constructive feedback all the way to the ‘whistleblower’ variety. It may be desirable to identify the individuals as belonging to a particular group or having a particular status or position while maintaining the anonymity of the individuals within the particular group.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: March 21, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Phillip H. Griffin
  • Patent number: 11582203
    Abstract: Systems, methods, and computer-readable media for achieving privacy for both data and an algorithm that operates on the data. A system can involve receiving an algorithm from an algorithm provider and receiving data from a data provider, dividing the algorithm into a first algorithm subset and a second algorithm subset and dividing the data into a first data subset and a second data subset, sending the first algorithm subset and the first data subset to the algorithm provider and sending the second algorithm subset and the second data subset to the data provider, receiving a first partial result from the algorithm provider based on the first algorithm subset and first data subset and receiving a second partial result from the data provider based on the second algorithm subset and the second data subset, and determining a combined result based on the first partial result and the second partial result.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: February 14, 2023
    Assignee: TripleBlind, Inc.
    Inventors: Greg Storm, Riddhiman Das, Babak Poorebrahim Gilkalaye
  • Patent number: 11580201
    Abstract: A method at a computing device, the method including detecting, at the computing device, a trigger that authentication is pending for an application or service; indicating a state of a credential vault via a user interface of the computing device; and when the credential vault is in a locked state, activating an authentication mechanism for the credential vault without changing focus on the user interface for the application or service.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: February 14, 2023
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Mark Alex Cullum, Nick Waterman
  • Patent number: 11575671
    Abstract: An authorization process employs a network ID as a possession factor for a secure account, such as a bank account or e-mail account, and determines one or more risk indicators associated with the possession factor. The authorization process is successfully completed when a risk score that is based on the risk indicators is less than a certain risk threshold. The risk indicators include a device history of the network ID and/or at least one attribute of a cellular account associated with the network ID. The device history identifies other mobile devices and/or SIM cards, if any, that have been previously activated with the network ID, while the one or more attributes can further indicate potentially fraudulent activity associated with the cellular account through which wireless services for the network ID are currently provided.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: February 7, 2023
    Assignee: ZUMIGO, INC.
    Inventors: Harish Manepalli, Chirag C. Bakshi, Venkatarama Parimi, Lyndi Rebecca Long
  • Patent number: 11575500
    Abstract: Systems and methods are provided for receiving input data to be processed by an encrypted neural network (NN) model, and encrypting the input data using a fully homomorphic encryption (FHE) public key associated with the encrypted NN model to generate encrypted input data. The systems and methods further provide for processing the encrypted input data to generate an encrypted inference output, using the encrypted NN model by, for each layer of a plurality of layers of the encrypted NN model, computing an encrypted weighted sum using encrypted parameters and a previous encrypted layer, the encrypted parameters comprising at least an encrypted weight and an encrypted bias, approximating an activation function for the level into a polynomial, and computing the approximated activation function on the encrypted weighted sum to generate an encrypted layer. The generated encrypted inference output is sent to a server system for decryption.
    Type: Grant
    Filed: July 25, 2018
    Date of Patent: February 7, 2023
    Assignee: SAP SE
    Inventors: Laurent Y. Gomez, Jose Marquez, Patrick Duverger
  • Patent number: 11562089
    Abstract: An interface for a threat management facility of an enterprise network supports the use of third-party security products within the enterprise network by providing access to relevant internal instrumentation and/or a programmatic interface for direct or indirect access to local security agents on compute instances within the enterprise network.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: January 24, 2023
    Assignee: Sophos Limited
    Inventors: Joseph H. Levy, Andrew J. Thomas, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 11558364
    Abstract: Example methods are provided for a host to perform authentication offload in a virtualized computing environment that includes the host and a destination server. The method may comprise detecting, from a virtualized computing instance, a packet destined for the destination server. The method may also comprise: in response to determination that the detected packet is an authentication request, obtaining, from the virtualized computing instance, metadata associated with a client application for which authentication is requested; and sending the authentication request and the metadata to the destination server to cause the destination server to authenticate the client application based on the metadata.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: January 17, 2023
    Assignee: NICIRA, INC.
    Inventors: Hong Yue, Changyan Chi, Wen Wang, Yao Zhang, Wenping Fan, Xiansheng Yu
  • Patent number: 11558193
    Abstract: Systems and methods provide access to location-restricted resources outside of recognized locations. In an example, a method includes receiving a request for a controlled access resource from a client device and determining that the request is not associated with a recognized location but that state data exists for the client device identifier. In response to identifying the state data, the method includes generating a link for accessing the controlled access resource at a server, generating an encrypted token including a timestamp, a random number, and licensed resource information from the state data, including the encrypted token in the link, and providing the link to the client device. The client device uses the link to request the controlled access resource from the server, which determines that the request includes the token, determines that the token is not expired, and provides the controlled access resource to the client device.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: January 17, 2023
    Assignee: GOOGLE LLC
    Inventors: Anurag Acharya, Samuel Yuan, Alexandre A. Verstak
  • Patent number: 11546164
    Abstract: Secure protocols for external-facing authentication are provided for both user templates stored on their devices and the biometric measurement captured by external sensors of an access device. The protocols provide different levels of security, ranging from passive security with some leakage to active security with no leakage. A packing technique is also provided. Zero-knowledge techniques are used during enrollment to validate a norm of user templates and knowledge of the plaintext biometric template. Once enrolled, the verifier can sign the encrypted template for use in a later matching phase with an access device.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: January 3, 2023
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Saikrishna Badrinarayanan, Peter Rindal, Pratyay Mukherjee
  • Patent number: 11543805
    Abstract: A system for securely disseminating information relating to a process control plant includes a process control node and a controller that is coupled to a plurality of process control devices. The process control node includes a communicator module operable to transmit, via a first network, information of the process plant received from the controller. The system also includes a data services module operable to receive from the communicator module, via the first network, the information of the process plant and to transmit some or all of that information via a second network, and a mobile server, coupled to the second network and to a third network, and operable to receive data from the data services module. The mobile server is operable to communicate with a plurality of mobile computing devices via the third network.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: January 3, 2023
    Assignee: FISHER-ROSEMOUNT SYSTEMS, INC.
    Inventors: Mark J. Nixon, David R. Denison, Hoa Van Lai, Ken J. Beoughter, Daniel R. Strinden, Mariana Dionisio, Kim Ordean Van Camp, Matthew William Poplawski
  • Patent number: 11533188
    Abstract: Several methods may be used to exploit the natural physical variations of sensors, to generate cryptographic physically unclonable functions (PUF) that may strengthen the cybersecurity of microelectronic systems. One method comprises extracting a stream of bits from the calibration table of each sensor to generate reference patterns, called PUF challenges, which can be stored in secure servers. The authentication of the sensor is positive when the data streams that are generated on demand, called PUF responses, match the challenges. To prevent a malicious party from generating responses, instructions may be added as part of the PUF challenges to define which parts of the calibration tables are to be used for response generation. Another method is based on differential sensors, one of them having the calibration module disconnected. The response to a physical or chemical signal of such a sensor may then be used to authenticate a specific pair of sensors.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: December 20, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventor: Bertrand Francis Cambou
  • Patent number: 11528259
    Abstract: Disclosed is a process for testing a suspect model to determine whether it was derived from a source model. An example method includes receiving, from a model owner node, a source model and a fingerprint associated with the source model, receiving a suspect model at a service node, based on a request to test the suspect model, applying the fingerprint to the suspect model to generate an output and, when the output has an accuracy that is equal to or greater than a threshold, determining that the suspect model is derived from the source model. Imperceptible noise can be used to generate the fingerprint which can cause predictable outputs from the source model and a potential derivative thereof.
    Type: Grant
    Filed: October 12, 2021
    Date of Patent: December 13, 2022
    Assignee: TripleBlind, Inc.
    Inventors: Gharib Gharibi, Babak Poorebrahim Gilkalaye, Riddhiman Das
  • Patent number: 11528293
    Abstract: Techniques for routing a request based on a vulnerability in a processing node are disclosed. A vulnerability analyzer determines a set of detected vulnerabilities in each of a set of processing nodes. Based on the detected vulnerabilities, the vulnerability analyzer determines a respective vulnerability score for each processing node. A routing engine receives a request to be processed by at least one of the set of processing nodes. The routing engine selects a particular node for processing the request based on the detected vulnerabilities in one or more of the set of processing nodes. The routing engine may select the particular node based on the vulnerability scores of the set of processing nodes. Additionally or alternatively, the routing engine may select the particular node based on whether the particular node includes any vulnerability that may be exploited by the request.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: December 13, 2022
    Assignee: Oracle International Corporation
    Inventors: Ajai Joy, Sarat Aramandla
  • Patent number: 11502842
    Abstract: A system may include a first automated teller machine (ATM) and a second ATM, wherein the first ATM and the second ATM are in communication via a local area network. The first ATM obtains a user input value, generates an encryption key based on the user input value, and generates encrypted authentication information based on the encryption key. The first ATM also obtains a first biometric reading, updates a user record based on the first biometric reading, and stores the encrypted authentication information at the first ATM in association with the user record. The second ATM obtains a second biometric reading and a duplicate value, retrieves the encrypted authentication information associated with the user record based on the second biometric reading, generates a decryption key based on the duplicate value, and decrypts the encrypted authentication information to retrieve the authentication information.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: November 15, 2022
    Assignee: Capital One Services, LLC
    Inventors: Joshua Edwards, Michael Mossoba, Abdelkader Benkreira
  • Patent number: 11469885
    Abstract: Disclosed herein is a data storage device with storage medium that stores encrypted user content data. A cryptography engine uses a cryptographic key to decrypt the encrypted user content data. An access controller receives, from a user device, a request to register the user device and generates a challenge for a manager device. The manager device is located remotely from the data storage device. The controller sends, to the user device, the challenge for the manager device; receives, from the user device, a response calculated by the manager device to approve the request to register; calculates the cryptographic key based at least partly on the response calculated by the manager device; and creates and stores authorization data associated with the user device. The authorisation data indicates the cryptographic key, to register the user device with the data storage device.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: October 11, 2022
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, Matthew Harris Klapman
  • Patent number: 11431688
    Abstract: Disclosed is a method that includes training, at a client, a part of a deep learning network up to a split layer of the client. Based on an output of the split layer, the method includes completing, at a server, training of the deep learning network by forward propagating the output received at a split layer of the server to a last layer of the server. The server calculates a weighted loss function for the client at the last layer and stores the calculated loss function. After each respective client of a plurality of clients has a respective loss function stored, the server averages the plurality of respective weighted client loss functions and back propagates gradients based on the average loss value from the last layer of the server to the split layer of the server and transmits just the server split layer gradients to the respective clients.
    Type: Grant
    Filed: October 12, 2021
    Date of Patent: August 30, 2022
    Assignee: TripleBlind, Inc.
    Inventors: Gharib Gharibi, Ravi Patel, Babak Poorebrahim Gilkalaye, Praneeth Vepakomma, Greg Storm, Riddhiman Das