Abstract: There is provided a data security method, comprising: creating an interaction graph, by: analyzing collected interaction events between users and between users and files and/or records, wherein a respective node of the interaction graph represents a specific one of a user, a record, and a file, wherein a respective edge indicates an interaction between respective users or between a respective user and a respective file and/or record, wherein an interaction weight assigned to the respective edge indicates an amount of the interaction, monitoring an attempt by a target user to access a target file and/or record, computing a target interaction weight between the target user and the target file and/or record from the interaction graph, and in response to the target interaction weight being below a target threshold, at least one of: filtering security alerts, and blocking access by the target user to the target file and/or record.

Abstract: A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.

Abstract: An IoT/M2M service layer may be provided with the capability to protect user privacy. This functionality may allow the IoT/M2M service layer to anonymize user data, particularly when user data is shared with third party consumers. A privacy policy service may enable the IoT service layer system to generate anonymization (e.g., privacy) policies based on inputs such as legal obligations, subscriber privacy preferences, and an authorization level of the data consumer. Data anonymization policies may be output from the privacy policy service and may be sent to a data anonymization service, where raw data may be anonymized based on the one or more data anonymization policies. The output from the data anonymization service function may be a privatized (e.g., anonymized) version of data that may prevent the data consumer from discovering one or more identifying characteristics of a user.

Abstract: This invention involves an encryption method that is mainly applied to network. The network could be both wireless or wired, the former is connected through a wireless router, and the latter is connected through a router. When the network receives a message requesting connection from at least one new networking device, it can authenticate and authorize the message through the key to form a fixed connection with the network, and at the same time, at least one connected device to the network can update the password connected to the network synchronously, or at least one connected device connected to the network can update the password connected to the network at any time, so as to improve the performance of network security and avoid hacking.

Abstract: A system receives a request from a user to execute a command on an air-gapped computer system. If a role-based access control system permits the user to execute the command, the system prompts a number of approvers to determine whether to approve of the user executing the command. If a required number of approvers have approved of the user executing the command, the system encodes the command and incorporates the encoded command in an encoded message. The system uses a simplex communication output device to communicate the encoded message to a simplex communication input device for the air-gapped computer system. The system enables execution of the command by requesting the air-gapped computer system to execute the command, or by providing the user with an access token, received from the air-gapped computer system, which enables the user to physically access the air-gapped computer system and execute the command.

Abstract: A biometric identification device may be used to secure passwords and other valuable information. In one implementation, the biometric identification device may be a capacitive fingerprint sensor. Capacitive readings may be used to identify the ridges and valleys of a fingerprint and determine if an object contacting the fingerprint sensor is living tissue. Two-factor identification may be implemented by recognizing the authenticity of biometric inputs and a specific combination or sequence in which the biometric inputs are provided. A user interface is provided in which sequences of biometric inputs are associated with commands. A user may indicate a command by providing a predetermined sequence of fingerprints to a fingerprint scanner.

Abstract: Systems and methods for protecting privacy for safety, comfort, and infotainment of one or more occupants of an autonomous vehicle are disclosed. For example, the system may capture image data indicative of an interior of the autonomous vehicle via one or more cameras integrated with the autonomous vehicle. The captured image data is then transformed to remove personal identification information of the one or more occupants, and the transformed image data may be analyzed to identify a concern, e.g., an occupant safety concern or a vehicle safety concern. The level of concern may be determined, and a mitigation strategy may be deployed based on the safety concern identified.

Abstract: Embodiments are directed to techniques for chaining, triggering, and/or enforcing entitlements in a constrained environment. A constrained environment may be provided within with shielded assets are required to exist or execute. An entitlement may be granted on a variety of shielded assets, including datasets, computations scripts, data privacy pipelines, and intermediate datasets generated by an intermediate step of a data privacy pipeline. Thus, a beneficiary may use a granted entitlement as an input into other data privacy pipelines, without the need for the grantor to approve each specific downstream operation. The constrained environment may enforce an entitlement by fulfilling applicable constraints upon accessing the entitlement, restricting the output of the entitlement to the constrained environment, and fulfilling applicable policies when executing downstream operations.

Abstract: A system and method are disclosed for delegating, by a resource-constrained device, a privilege to a basic input/output system, wherein the privilege allows the basic input/output system to authenticate an endpoint device on behalf of the resource-constrained device. The system and method also includes generating an asymmetric security key that includes a private key and a public key and transmitting the public key to the basic input/output system, wherein the public key is included in a proxy certificate generated by the basic input/output system. In addition, the system and method includes establishing a secure session between the basic input/output system and the endpoint device using the private key and the proxy certificate, wherein the secure session is used by the basic input/output system to authenticate and verify that the endpoint device is authorized to perform an operation.

Abstract: The present invention relates to a method, apparatus, and system for communication with a user's family members using the DNA of the user without making the DNA profile public. According to a first aspect, there is provided a computer implemented method of locating one or more members of a familial network, comprising the steps of: generating one or more encryption keys derived from a first genomic sequence; encrypting a message using the or each encryption key to form an encrypted message; sending the encrypted message to one or more remote devices wherein decrypting the encrypted message at the one or more remote devices uses one or more encryption keys derived from a second genomic sequence; and receiving a confirmation regarding whether the decryption of the encrypted message was successful by any of the one or more remote devices.

Abstract: Indices of non-zero weights may be stored in an index register file included within each of a plurality of processor elements in a systolic array. Non-zero weights may be stored in a register file associated with the index register file. Input values (e.g., dense input values) corresponding to a single block in a data structure may be sent to the plurality of processor elements. Those of the input values corresponding to the indices of non-zero weights in the index register file may be selected for performing multiply-accumulate (“MAC”) operation based on sending the plurality of input values to one or more of the plurality of processor elements. The indices of the plurality of non-zero weight are stored in an index data stick. The values of the plurality of non-zero weights are stored in a value data stick.

Abstract: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.

Abstract: Methods and systems of recovering a cryptographic key associated with a blockchain based computer network, including encryption of at least a portion of a cryptographic key of the computer network with a recovery public key, sending of the encrypted at least a portion of the cryptographic key to at least one second computing device, sending of a recovery private key to a recovery escrow service, detection that the at least one first computing device is unavailable, publishing the recovery private key in a public repository, retrieving the recovery private key from the public repository, and decryption of the encrypted at least a portion of the cryptographic key by the at least one second computing device.

Abstract: Disclosed herein are systems and methods of executing scanning software, such an executable software program or script (e.g., PowerShell script), by a computing device of an enterprise, such as a security server, may instruct the computing device to search all or a subset of computing devices in an enterprise network. The scanning software may identify PowerShell scripts containing particular malware attributes, according to a malicious-code dataset. The computing system executing the scanning software may scan through the identified PowerShell scripts to identify particular strings, values, or code-portions, and take a remedial action according to the scanning software programming.

Abstract: A secure token (ST) system including at least one ST computing device to provision data using secure tokens over a network is provided. The ST computing device is configured to receive first customer data from a credit issuer computing device, the first customer data including at least one or more account identifiers associated with a customer and a social security number (SSN) associated with the customer. The ST computing device is also configured to hash the SSN, wherein the hashed SSN includes a hash value, assign a unique identifier to each of the one or more account identifiers, and generate a secure token by associating the hash value to each unique identifier. The ST computing device is further configured to store the secure token within the database, and transmit the secure token to at least one of the credit issuer computing device and a third party computing device.

Abstract: A computer network may include a Non-IP subnetwork for communication between the gateway and the frontend device, an IP subnetwork for communication between the gateway and at least one backend device, and a gateway connecting the Non-IP subnetwork with the IP subnetwork and translating communication therebetween. The IP communication is based on an IP security protocol, providing means for authentication and/or encryption. The gateway mediates handshaking for establishing a secure tunnel for secure end-to-end communication between the backend device and the frontend device. The secure tunnel is set to apply a session key. The gateway and the backend device exchange datagrams with handshaking parameters. The Non-IP messages are exchanged with a subset of the handshaking parameters. The backend device and the frontend device generate the session keys and to authenticate the handshaking incorporating the handshaking parameters and subset of handshaking parameters, respectively.

Abstract: A system and method for early detection of a compromised client device includes a tamper detection service configured to monitor modifications to resource access privileges over time to identify unusual variations in jailbreak status that indicate compromise of the client device. For example, the tamper detection service may monitor the jailbreak status of system files over time to expose attempts to hide the jailbreak status of a protected resource. To validate that malware is attempting to hide the jailbreak status of a protected resources, the tamper detection process may launch multiple different resource accesses, targeting the protected resource, to determine whether different accessibility results are returned, indicating a compromised device.

Abstract: Systems and methods for authenticating access to multiple data stores substantially in real-time are disclosed. The system may include a server coupled to a network, a client device in communication with the server via the network and a plurality of data stores. The server may authenticate access to the data stores and forward information from those stores to the client device. An exemplary authentication method may include receipt of a request for access to data. Information concerning access to that data is stored and associated with an identifier assigned to a client device. If the identifier is found to correspond to the stored information during a future request for access to the store, access to that store is granted.

Abstract: A method for implementing a slice security zone (SSZ) in a 5G network. The method comprises storing by an SSZ function executing on a first network server an SSZ security profile of the SSZ in a secure storage function, receiving by the SSZ function from a slice management function a slice registration request comprising information relating to a slice security profile of a slice managed by the slice management function, if the slice security profile complies with the SSZ security profile, storing by the SSZ function a slice registration association between the slice and the SSZ in the secure storage function, and sending by the SSZ function to the slice management function a slice registration response comprising information relating to whether the slice was registered in the SSZ.

Abstract: Secure cloud-based storage system management that includes: establishing, within a cloud-based services provider and based on one or more user credentials, a cloud-based user session to execute one or more commands on a remote storage system that includes physical storage devices; determining one or more data storage operations corresponding to the physical storage devices to implement the one or more commands on the storage system; and extending, based on using an access token based on the one or more user credentials to securely issue the one or more data storage operations to the remote storage system, the cloud-based user session to the remote storage system.