Abstract: A chip fingerprint management device includes: a one-time programmable (OTP) memory including a first storage region, the first storage region being readable by hardware and access restricted by software; and an OTP controller which generates a chip fingerprint based on a random number, and programs the generated chip fingerprint into the first storage region in the OTP memory.
Abstract: System and methods are described which are useful for efficiently combining characteristic detection rules, such as may be done to efficiently and quickly assist in the dispositioning of user reported security threats.
Type: Grant
Filed: August 11, 2020
Date of Patent: August 31, 2021
Assignee: KnowBe4, Inc.
Inventors: Marcio Castilho, Alin Irimie, Michael Hanley, Daniel Cormier, Raymond Skinner
Abstract: Some methods may involve receiving, at a first node of the health network, encrypted sensor data from one or more sensors. The first node may be in a data communication path between the one or more sensors and other nodes of the health network. The method may involve decrypting, by the first node of the health network, only a portion of the encrypted sensor data, and transmitting the encrypted sensor data from the first node of the health network to a second node of the health network. The first node may be a gateway device. In some examples, the second node may be able to decrypt more of the encrypted sensor data than the first node.
Abstract: Improved virtualized application performance is provided through disabling of unnecessary functions, such as unnecessary encryption and decryption operations. An example method performed by a hypervisor includes the steps of obtaining a request from a first virtual machine to perform one or more of encrypting and decrypting of a communication between the first virtual machine and a second virtual machine; determining when the first and second virtual machines execute on a same host as the hypervisor; and in response to the first and second virtual machines executing on the same host: processing the communication without performing the one or more of encrypting and decrypting of the communication, wherein the hypervisor initiates an encryption of further communications between the first virtual machine and the second virtual machine in response to at least one of the first virtual machine and the second virtual machine being moved from the same host.
Abstract: A firewall device comprises a storage unit that stores therein one or more rules related to blocking a request for each of a plurality of WEB servers independently of the rule for another WEB server; a feature-amount calculating unit that calculates a feature amount for each of the WEB servers based on a number of detections with regard to each index in each of the WEB servers; and a rule updating unit that updates a rule stored in the storage unit for each of the WEB servers based on the feature amount calculated by the feature-amount calculating unit.
Abstract: An information processing apparatus comprises a controller configured to: (1) receive, from a first user authorized to access a resource, an access control setting applicable to a second user, the access control setting set within an authority of the first user; (2) receive, in response to a successful authentication of the second user, an access permission request for the resource from the second user; and (3) request, if what is requested in the access permission request is allowed by the access control setting, the resource to execute a process according to the access permission request.
Abstract: Segmentation and classification of documents in a mixed security environment includes receiving a document including a plurality of subcomponents. A security classification level of each of the plurality of subcomponents is determined using a first classification model. The security classification level of each subcomponent includes one of a first classification level and a second classification level. A first subcomponent having the first classification level is routed to a first environment having a first security level. A second subcomponent having the second classification level is routed to a second environment having a second security level. A pointer for the second subcomponent is determined in which the pointer references a portion of the first subcomponent.
Type: Grant
Filed: September 19, 2018
Date of Patent: July 27, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Christopher John Butler, Timothy M. Lynar, Adam Joseph Makarucha
Abstract: An electronic control device, a communication management method performable, and a non-transitory storage medium storing a program are disclosed. The electronic control device is connected to an in-vehicle network and is configured to restrict predetermined communication in the in-vehicle network. The electronic control device includes a key connection unit configured to accept connection of a key device, a key verification unit configured to verify the key device connected to the key connection unit, and a function controller configured to permit the predetermined communication in the in-vehicle network when the verification of the key device using the key verification unit succeeds.
Abstract: The present information processing apparatus sequentially activates a plurality of modules after the activation of a boot program. Each module uses verification information for verifying a signature of the module to be activated next to detect alteration of the module that is next to be activated, and activates the module to be activated next in a case where verification of the signature succeeds. Furthermore, each module holds in advance the verification information and its own signature.
Abstract: Particular embodiments described herein provide for a system that can be configured to receive a notification that a client device is requesting, to modify original data associated with an online application, wherein the original data is stored in encrypted format in a cloud; decrypt the original data using a first client encryption key; store the decrypted data in a location accessible by the online application; enable editing capability of the decrypted data; receive a notification that the client device is finished modifying the data in decrypted format; determine whether the original data in decrypted format was modified; encrypt, based on a determination that the original data was modified, the modified data using a second client encryption key; and upload the modified data in encrypted format to the cloud.
Abstract: A method for device based biometric authentication includes: storing, in a computing device, an encrypted biometric template; storing, in a first memory of the computing device, at least a first application program; storing, in a second memory of the computing device, at least a second application program and an encryption key, wherein the second memory is a trusted execution environment; receiving, by the second application program of the computing device, a validation request submitted by the first application program; receiving, by an input device of the computing device, biometric data; decrypting, by the second application program of the computing device, the encrypted biometric template using the encryption key; validating, by the second application program of the computing device, the received biometric data using the decrypted biometric template; and transmitting, by the second application program of the computing device, a result of the validation to the first application program.
Abstract: A system for preventing cyber security attacks over the CAN bus of a vehicle from achieving their goal. The system includes a teleprocessing device that is provided with the message identifier of at least one ECU to be blocked. The teleprocessing device is configured to read the message identifier of CAN messages, and thereby identify the at least one ECU to be blocked. Upon determining that the vehicle is under a cyber security attack, the ECU blocking device is activated. Upon identifying that a message was transmitted by the at least one ECU to be blocked, the ECU blocking device, during the CAN bus ‘bit monitoring’ process and before the at least one ECU to be blocked reads back the transmitted signal, alters one or more bits of the transmitted signal, thereby forcing the message to be an erroneous CAN message.
Type: Grant
Filed: August 1, 2018
Date of Patent: June 15, 2021
Assignee: ENIGMATOS LTD.
Inventors: Eyal Kamir, Alexander Fok, Yaniv Tuchman, Avi Bitton, Uriel Friedman, Meni Dali, Yoni Malka
Abstract: A network processor provides for in-line encryption and decryption of received and transmitted packets. For packet transmittal, a processor core generates packet data for encryption and forwards an encryption instruction to a cryptographic unit. The cryptographic unit generates an encrypted packet, and enqueues a send descriptor to a network interface controller, which, in turn, constructs and transmits an outgoing packet. For received encrypted packets, the network interface controller communicates with the cryptographic unit to decrypt the packet prior to enqueuing work to the processor core, thereby providing the processor core with a decrypted packet.
Abstract: The disclosed computer-implemented method for cross-product malware categorization may include accessing computer readable media storing an incomplete feature dataset and an incomplete label dataset, determining a correlation between the plurality of features and the plurality of malware labels, and constructing at least one of a complete feature dataset based on the incomplete feature dataset and the correlation and a complete label dataset based on the incomplete label dataset and the correlation. Various other methods, systems, and computer-readable media are also disclosed.
Abstract: Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and transmitting a token instead of a real account identifier and the transaction cryptogram to an access device to conduct the transaction. The token and the transaction cryptogram can be transmitted to a magnetic stripe reader by generating an emulated magnetic signal. The LUK may be associated with a set of one or more limited-use thresholds that limits usage of the LUK, and the transaction can be authorized based on at least whether usage of the LUK has exceeded the set of one or more limited-use thresholds.
Abstract: An exemplary method comprises: generating, by at least one first computing node in the enterprise network or the reconciliation network, a first digital facilitator, wherein the first digital facilitator provides one or more parameters for accessing or distributing data on a distributed ledger in the enterprise network, wherein a private key is used for performing a computing operation, based on the data, in the enterprise network; associating identification information associated with the private key or associated with a custodian of the private key, wherein the identification information enables initiation or execution of one or more distributed ledger-based computing operations in the enterprise network or the reconciliation network; and transmitting, via the reconciliation network, reconciliation data associated with the one or more distributed ledger-based computing operations, wherein the reconciliation data is extracted based on one or more parameters for accessing or distributing the data in the enterpris
Type: Grant
Filed: May 16, 2019
Date of Patent: May 4, 2021
Assignee: Mox-SpeedChain, LLC
Inventors: Daniel Cage, Padmakar Kankipati, Norman R. Silverman
Abstract: The Seed Splitting and Firmware Extension for Secure Cryptocurrency Key Backup, Restore, and Transaction Signing Platform Apparatuses, Methods and Systems (“SFTSP”) transforms transaction signing request, key backup request, key recovery request inputs via SFTSP components into transaction signing response, key backup response, key recovery response outputs. An offline transaction signing request message for a transaction is received by a first cold HSM and includes an encrypted second master key share from a second cold HSM and an encrypted third master key share from a hot HSM. A first master key share is retrieved. The encrypted master key shares are decrypted and, along with the first master key share, used to recover a master private key. A keychain path is determined. A signing private key for the keychain path is generated using the master private key. The transaction is signed using the signing private key, and the generated signature is returned.
Type: Grant
Filed: May 23, 2019
Date of Patent: April 27, 2021
Assignee: FMR LLC
Inventors: Gang Cheng, Vladimir Tsitrin, Thomas Stephen McGuire
Abstract: A multi-lender architecture is configured to provide a loan applicant with automated pre-qualification and automobile loan eligibility evaluation for multiple candidate lenders. Lender output data may include sensitive data. The lender output data is stored in a data object of a first format and one or more fields of the data object are encrypted at the field level. The encrypted data object may be transmitted through multiple application layers or terminals. The encrypted data object may be reformatted at one or more application layers or terminals without decryption. A reformatted encrypted data object containing the lender output data may be decrypted at the last layer before forwarding the lender output data to the loan applicant.
Abstract: Certain example embodiments described herein relate to techniques for automatically protecting, or hardening, software against exploits of memory-corruption vulnerabilities. The techniques include arranging a plurality of guard regions in the memory in relation to data objects formed by the application program, identifying an access by the application program to a guard region arranged in the memory as a disallowed access, and modifying the execution of the application program in response to the identifying, the modifying being in order to prevent exploitation of the memory and/or to correctly execute the application program.
Type: Grant
Filed: April 30, 2018
Date of Patent: April 27, 2021
Assignee: GrammaTech, Inc.
Inventors: David Gordon Melski, Nathan Taylor Kennedy, Drew Christian Dehaas