Abstract: An operator for a global total order broadcast domain executing a method to send an operation out of band to nodes of participating parties in a partition, receive a certificate and a signature on the operation for each of the participating parties, generate a single party packet based on the received signatures, generate a random symmetric encryption key, send the random symmetric encryption key to the participating parties, encrypt the single party packet with the random symmetric encryption key, generate a pseudo random string for the partition, and record an operation identifier, the encrypted party packet, and the pseudo random string on the global total order broadcast domain.

Abstract: Secure, semi-classical authentication schemes are presented. An authentication token is generated by applying a pre-determined measurement to a plurality of random quantum states to obtain a sequence of classical measurement outcomes. The token is validated by receiving the classical measurement outcomes and verifying whether the sequence corresponds to a statistically plausible result for the pre-determined measurement of the plurality of quantum states.

Abstract: Described is a system for intelligent and reversible data masking of computing environment information shared with an external system. The system may leverage a secure masking agent that acts as an intermediary between a computing system (or environment) and an analytics component. The masking agent may provide real-time reversible data masking that ensures that sensitive information is not exposed outside of a secure (e.g. on-premises) environment, while at the same time ensuring the analytics component receives sufficient contextual information to perform a detailed analysis with the shared information. For example, the system may identify and mask identifying information of a particular server or host, while still retaining certain contextual information such as a network topology.

Abstract: In a priority determination apparatus (10), a dissimilarity index calculation unit (11) calculates a dissimilarity index between a transmission/reception performance record of a first traffic flow related to a first security alert notified from a network-type intrusion detection apparatus and a transmission/reception performance record of a second traffic flow related to a second security alert notified from the network-type intrusion detection apparatus in the past, the network-type intrusion detection apparatus being configured to detect an attack on an apparatus in a network. A priority determination unit (12) determines a priority of the first security alert based on the dissimilarity index calculated by the dissimilarity index calculation unit (11).

Abstract: A method of making a decision on a blockchain is disclosed. First public keys are received from each of a plurality of participants (A, B, C), wherein each first public key represents a possible selection by a participant and is related to a corresponding first private key by a cryptographic operation having a homomorphic property. The first public keys are combined to generate second public keys, wherein each second public key represents a possible decision based on a combination of possible selections. Third public keys, corresponding to the second public keys, are communicated to the participants. A voting blockchain transaction is generated (Tc voting), wherein an input of the voting transaction is a script executable by means of a digital signature corresponding to a first private key of each of a plurality of the participants, wherein each first private key represents a selection made by the participant.

Abstract: Facilitating an object protocol based access of data within a multiprotocol environment is presented herein. In response to receiving a simple storage system (S3) protocol based request to access data via a storage device of a filesystem, the filesystem determines a type of S3 bucket that represents the data; and based on the type of S3 bucket, the filesystem facilitates an S3 protocol based access of the data via the storage device. For example, the S3 protocol based request comprises a file request to create, read, write, and/or delete a file within the storage device. In another example, the S3 protocol based request comprises an object request to create, modify, read, and/or delete an object within the storage device.

Abstract: Techniques for mobile user identity and/or SIM-based IoT identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile user identity and/or SIM-based IOT identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscriber identity and the application identifier.

Abstract: A lightweight node in a decentralized network includes stores a blockchain with a plurality of blocks. The lightweight node adds blocks to the blockchain successively. A given block having a header and a body. The header includes a data merkle root generated as a root hash of a data merkle tree with one or more leaf nodes that are one or more hashes. A given hash being a hash of a combination of (1) a public key associated with a lightweight node of the decentralized network and (2) of a validity value associated with the public key indicating whether the public key is a valid public key. The data merkle root being insufficient for restoring the data merkle tree. But with a public key and an intermediate hash the date merkle root is sufficient for at least partly verifying the public key.

Abstract: The disclosed embodiments enable applying production nature to a software signature post-build (or even post-release), where the signature type is determined by the existence of a production-signed intermediate CA certificate—either hosted in the cloud (for pure release immutability), or re-ingested into the package (if certain modification are allowed). This allows a so-called deferred issuance of the product release. Even if the CA certificate is to be reinserted into the package, this modification likely affects only the delivery shell (e.g., installer) and may not require format-specific binary changes of, possibly heterogeneous, artifacts therein.

Abstract: An anomaly detection method includes: calculating, for a detection target data stream of consecutive detection target data, distances between the detection target data; extracting features of the detection target data stream using the calculated distances; and calculating anomaly degree information about a degree of anomaly in the detection target data stream using the extracted features. Each extracted feature is made up of L consecutive distances (L is an integer greater than or equal to 2). For each feature extracted, supplementary information for calculating the anomaly degree information is calculated using a difference in the feature. For each of one or more information calculation target windows made up of N detection target data (N is an integer greater than or equal to L+1), the anomaly degree information is calculated using all supplementary information calculated from the N detection target data.

Abstract: A method for creating a tamper-evident digital content. The method includes receiving a portion of the digital content at a computing device. The method further includes encrypting the portion of the digital content by the computing device when the portion of the digital content is selected for proof-of-verification. The method further includes sending the encrypted portion of the digital content from the computing device to a distributed ledger system. The method further includes retrieving, by the computing device, hash identification data associated with the encrypted portion of the digital content from the distributed ledger system. The method further includes creating, by the computing device, an updated portion of the digital content using the retrieved hash identification data. The method further includes storing the updated portion of the digital content in a storage device by the computing device.

Abstract: A computer-implemented method may include: receiving, from at least one camera, image data associated with a first user at a public access user computing device; detecting, based on the received image data, by employing a machine learning model trained using a dataset of actions collected from a plurality of previous users, that the first user has moved away from the public access user computing device; automatically encrypting, based upon the detection, a user session associated with the first user, wherein the encrypted user session is configured to be subsequently activated by the first user; and initiating a new generic user session on the public access user computing device for a second user.

Abstract: An example apparatus can include a processor and an external communication component. The external communication component can be coupled to the processor and can be configured to, in response to determining a vehicular entity is within a particular proximity to the external communication component, generate an external private key and an external public key. The external communication component can further provide the external public key and data to a vehicular communication component associated with the vehicular entity. The external communication component can further receive data from the vehicular communication component in response to providing the external public key and data to the vehicular communication component. The external communication component can further decrypt the received data using the external private key, and provide a service to the vehicular entity based on the decrypted received data.

Abstract: A system may include a cryptographic accelerator to generate a first check value based on a payload received in a message, and provide the first check value to a first comparator and to a second comparator. The system may include the first comparator to receive the first check value from the cryptographic accelerator, determine whether the first check value matches a second check value, the second check value being a check value received in the message, and provide a first output indicating whether the first check value matches the second check value. The system may include the second comparator to receive the first check value from the cryptographic accelerator, determine whether the first check value matches the second check value, and provide a second output indicating whether the first check value matches the second check value.

Abstract: One variation of a method for end-to-end encryption of electronic mail includes: receiving an email encrypted according to a first encryption protocol and designating a recipient within an external domain; verifying encryption protocol supported by the recipient's mail client; in response to a recipient exclusion database identifying the recipient, encrypting the email to a less-robust encryption protocol supported by the recipient mail client and transmitting the email to the !recipient; in response to the recipient exclusion database excluding the recipient and the recipient mail client supporting the first encryption protocol, transmitting the email encrypted according to the first encryption protocol to the recipient; and, in response to the recipient exclusion database excluding the recipient and the recipient mail client not supporting the first encryption protocol, generating a notification email including a hyperlink to a secure webpage containing content of the email and transmitting the notification

Abstract: An apparatus and method for improving the security of trigger action platforms of a type providing interoperability between computer services send the trigger service additional information about an interoperability rule for the computer services so that the trigger service may implement a minimizer reducing the data communicated when the interoperability is implemented. Implementation of the minimizer may be done in a way that is transparent to the trigger action platform eliminating the need for disruption of existing interoperability services.

Abstract: According to certain embodiments, a method by a user equipment (UE) for securing network steering information includes transmitting a registration request to a Visited Public Land Mobile Network (VPLMN). Upon successful authentication b an authentication server function (AUSF), a home network root key is generated. A protected message comprising Network Steering information is received from a first network node. The protected message is protected using a configuration key (Kconf) and a first Message Authentication Code (MAC-1). The configuration key (Kconf) is determined from the home network root key, and the UE verifies the MAC-1. Based on the Kconf and the MAC-1, it is verified that the VPLMN did not alter Network Steering Information. An acknowledgement message, which is protected with a second Message Authentication Code (MAC-2), is transmitted to a Home Public Land Mobile Network (HPLMN).

Abstract: A system includes a data module for receiving an original data and a verification fingerprint, and generating a verification data by inserting the verification fingerprint into an embeddable location of the original data. The system also includes an interpretation module for generating data type information of the original data, and deriving an input-enabled location from an embedding location preset list of the original data, wherein the input-enabled location is included in an inactive area of the original data. The system further includes a preset database for storing the embedding location preset list according to the data type information.

Abstract: A device access control system includes a first computing system that is coupled to a second computing system via a network, and that includes a device access controller subsystem coupled to devices, a central processing subsystem, and a device access control manager subsystem. The device access control manager subsystem identifies first application(s) configured for provisioning by the central processing subsystem and second application(s) configured for provisioning by the second computing system, configures the device access controller subsystem to provide the central processing subsystem access to a first subset of the devices to allow the central processing subsystem to provide the first application(s), and configures the device access controller subsystem to provide the second computing system access via the device access control manager subsystem to a second subset of the devices to allow the second computing device to provide the second application(s) using the second subset of the devices.

Abstract: A system allows a user to store his personally identifiable information (PII) on a personal device. When a third party wants to access the user's PII (e.g., to update the PII or to retrieve the PII), a notification will be presented to the user on the personal device seeking consent to the access. The notification may inform the user as to what information is being requested and which entity is requesting the access. The requested access will be denied unless the user consents to the access. In this manner, the user is given control over the dissemination of his PII. Additionally, the system alters or adjusts the PII that is stored in third-party servers so that even if these servers are breached, the user's actual PII is not exposed.