Abstract: A virtual desktop infrastructure system includes a switch matrix and an end user device including a memory with instructions that when executed cause the system to initialize and configure the end-user device, establish a tunnel via the switch matrix, perform dependency verification, enforce a policy rule, and cause the end-user device to access the virtual desktop infrastructure via the tunnel. A method includes initializing and configuring the end-user device, establishing a tunnel via the switch matrix, performing dependency verification, enforcing a policy rule, and causing the end-user device to access the virtual desktop infrastructure via the tunnel. A non-transitory computer readable medium includes program instructions that when executed, cause a computer to initialize and configure the end-user device, establish a tunnel via the switch matrix, perform dependency verification, enforce a policy rule, and cause the end-user device to access the virtual desktop infrastructure via the tunnel.

Abstract: A user may securely access a remote virtual machine (RVM) by authenticating with a single sign-on portal (SSOP) connected to a request collector. The request collector is connected to a remote access helper (RAH) associated with the RVM. Upon a user request from the SSOP, a one-time password (OTP) is generated by the RVM and the RAH sends an acceptance notice to the request collector. The request collector generates a payload containing a URL which is sent to the SSOP and connects to the URL downloading a file containing the OTP. The user then connects to and accesses the RVM using the OTP contained in the file.

Abstract: A method for preventing transmission of malicious data may include receiving transaction data including at least one packet associated with a payment transaction; extracting at least one of network layer data or transport layer data from a header of the at least one packet; determining a first probability indicating that the at least one packet is in a first class based on the at least one of the network layer data or the transport layer data using a classifier. The method may also include determining a second probability indicating that the at least one packet is in a second class based on the at least one of the network layer data or the transport layer data using the classifier; and blocking the at least one packet. A system and a computer program product are also disclosed.

Abstract: A system and methods which manage and secure the interaction between (1) the owner of a client application and third-parties, and (2) between the third-parties and the client application while the client application is operating on a user's client computer. The invention enables interactive primitives such as ensuring the integrity of the client environment, reading data from the client, writing data to the client, collecting data from the user, and ensuring privacy. All functionality is done through the client application and under management and control of the owner of the client application.

Abstract: A computing device that includes at least one processor core for executing a first computer program, the computing device being designed to access a memory device, in particular in order to load the first computer program. The computing device is designed to transmit a first control command, which characterizes the first computer program and/or a memory area of the memory device associated with the first computer program, to at least one cryptography module. The cryptography module is designed in particular to check the computer program, or the memory area of the memory device associated with the first computer program, characterized by the first control command, and the computing device is designed to execute the first computer program.

Abstract: A cellular telephone or mobile device with several methods of touch, voice, and gesture based input is described. A user is able to interact with a touch screen display on the device to select one or more keys, expand keys, and customize legends or toolbars. A user may deliver spoken audio to the device and actuate a series of commands on the device including search on the device, search on the Internet, accessing an Internet resource, or downloading a document. A user may be able to execute one or more macros on the device. The device may further have a plurality of authentication methods based on the activities on the device. Authentication requests may be made for specific applications or the device. An authentication request may include identifying pictures taken on the device and engaging in activities with the photos.

Abstract: Identity identification preprocessing methods and systems, and identity identification methods and systems are disclosed. After any user carries a mobile device to a predetermined nearby area of a biometric feature collection device, the mobile device of the user receives a wireless signal broadcast by the biometric feature collection device. The wireless signal triggers the mobile device to upload an auxiliary identification factor other than a biometric feature of the owner and an identity of the owner to an identification server. The identification server establishes a mapping relationship between the received identity and the received auxiliary identification factor. After subsequently obtaining a collected biometric feature uploaded by the biometric feature collection device, the identification server can perform two-factor-based user identity identification based on the previously established mapping relationship and the collected biometric feature.

Abstract: The invention provides methods, systems and computer program products for sandbox enabled testing of money laundering detection rules or rulesets.

Abstract: On power-up, self-encrypting drives (SEDs, 150) are unlocked one after another in an order based on the SEDs' unlocking priorities. In determining the priorities, one or more of the following factors are taken into account: (1) the content stored on the SEDs; the SEDs storing the OS are given higher priorities; (2) the SEDs' access history on previous power-ups: if a SED was accessed earlier than other SEDs, then this SED is given a higher priority; (3) whether there is an access request pending for a SED. Such prioritization allows the system to reach full functionality faster on power-ups. Other features are also provided.

Abstract: Systems and methods for adaptive attack resistant distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess multiple secret shares corresponding to distinct secret values, which may be used in the process of encrypting or decrypting data. The client computer may generate multiple commitments and transmit those commitments to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitments and their respective secret shares. The partial computations may be transmitted to the client computer. The client computer may use the partial computations to generate a cryptographic key. The client computer may use the cryptographic key to encrypt a message or decrypt ciphertext.

Abstract: Systems and methods for accessing account information are provided. For example, an indication to launch an application that may provide account information may be received. A determination may be made regarding whether the indication is an initial interaction with the application. If the indication is an initial interaction, one or more credentials may be received via an interface that may be displayed via the application. If the indication is not the initial interaction, a token may be accessed. A request that may include the credentials or token may then be generated and transmitted such that credentials or token may be used to authenticate a device that includes the application and a user thereof, a new token may be generated, and a response with the new token and/or account information may be transmitted. The account information may then be displayed by an interface of the application.

Abstract: A system to create a stacked classifier model combination or classifier ensemble has been designed for identification of undisclosed flaws in software components on a large-scale. This classifier ensemble is capable of at least a 54.55% improvement in precision. The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds. At each test iteration, trained models of the set of classifiers generate probabilities that a sample has a flaw, resulting in a set of N probabilities or predictions for each sample in the test data. With a sample size of S, the system passes the S sets of N predictions to a logistic regressor along with “ground truth” for the sample dataset to train a logistic regression model. The trained classifiers and the logistic regression model are stored as the classifier ensemble.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.

Abstract: In a secure multi-party computation (sMPC) system, a super mask is constructed using a set of masks corresponding to a set of data contributors. Each data contributor uses a corresponding different mask to obfuscate the data of the data contributor. a first scaled masked data is formed by applying a first scale factor to first masked data of the first data contributor, the scale factor being computed specifically for the first data contributor from the super mask. A union is constructed of all scaled masked data from all data contributors, including the first scaled masked data. A machine learning (ML) model is trained using the union as training data, where the union continues to keep obfuscated the differently masked data from the different data contributors. The training produces a trained ML model usable in the sMPC with the set of data contributors.

Abstract: In one example an apparatus comprises a computer readable memory, an XMSS verification manager logic to manage XMSS verification functions, a one-time signature and public key generator logic, a chain function logic to implement chain function algorithms, a low latency SHA3 hardware engine, and a register bank communicatively coupled to the XMSS verification manager logic. Other examples may be described.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for communicating and sharing blockchain data. One of the methods includes sending current state information associated with a current block of a blockchain to one or more shared storage nodes of the blockchain network; sending a hash value to the one of the one or more shared storage nodes for retrieving an account state stored in the historic state tree; receiving the account state in response to sending the hash value; and verifying, by the consensus node, that the account state is part of the blockchain based on the hash value.

Abstract: An embedded system includes a peripheral and system-on-a-chip executing virtual machines and a hypervisor. The peripheral includes a crossbar circuit receiving digital sensor signals and selectively outputting the digital sensor signals to different outputs, queue circuits each receiving a different one of the digital sensor signals from the crossbar circuit, and queue protection circuits associated with the queue circuits and selectively permitting access to one of the queue circuits by the virtual machines. The hypervisor controls the queue protection circuits to set which of the virtual machines may access which queue circuits. A sensor protection circuit selectively permits reading of the digital sensor signals from the crossbar circuit by the queue circuits. The hypervisor controls the sensor protection circuit to set which of the queue circuits may access each of the digital sensor signals from the crossbar circuit.

Abstract: A computer-implemented system and method for secure electronic message exchange including coupling a control platform to a workstation of a plurality of workstations via a communications medium, where the control platform includes one or more apparatuses for monitoring, controlling, conversion, and billing, related to messages exchanged between a plurality of local users and a plurality of remote users. The system prevents forwarding or copying of a message sent by a local user of the plurality of local users and received by a remote user of the plurality of remote users, to another party by the control platform. The system and method also provides for authenticating the remote user with the control platform.

Abstract: A system for data encryption includes any or all of: a set of items, a set of keys, and a server. A method for data encryption includes any or all of: encrypting items, sharing items, and reading items. The method can optionally additionally or alternatively include any or all of: performing a registration process, creating items, restricting access of users and/or supplementary systems to items, and/or any other suitable processes.

Abstract: A storage device includes a nonvolatile memory device, and a controller that manages a data encryption key (DEK). The DEK is used to encrypt data to be written in a storage space of the nonvolatile memory device by a first user and to decrypt data read from the storage space. The controller grants a second user authority to access the storage space by encrypting the DEK based on a Diffie-Hellman (DH) algorithm, grants a second user authority to access the encrypted DEK, and decrypts the encrypted DEK based on the DH algorithm.