Abstract: A first user device can transmit an interaction request to a remote computer via a long range communication channel. The first user device can receive an authentication request message from the remote computer and can then transmit the authentication request message to a second user device via a short range communication channel. The first user device can then receive an authentication response message comprising a response value from the second user device via the short range communication channel. The first user device can then transmit the authentication response message to the remote computer causing the remote computer to verify the response value and perform further processing if the response value is verified.

Abstract: According to one configuration, a wireless access service provider selects and assigns a particular authentication option amongst multiple different authentication options to an entity such as a wireless access point or a sub-network supported by the wireless access point. When a communication device attempts to use the corresponding wireless access point provided by the wireless access service provider, a wireless access gateway receives information from the wireless access point indicating the particular authentication option assigned to authenticate the communication device. The wireless access gateway communicates the notification of the particular authentication option to an authentication manager, which provides the wireless access gateway with network address information indicating a captive portal in which to authenticate the communication device.

Abstract: Systems and applications are described that use group signature technology to allow for anonymous and/or semi-anonymous feedback while allowing for the application of rules and parameters. The use of group signature technology may serve to potentially mitigate or prevent malicious identification of individuals or entities providing a communication such as feedback. Feedback may range from constructive feedback all the way to the ‘whistleblower’ variety. It may be desirable to identify the individuals as belonging to a particular group or having a particular status or position while maintaining the anonymity of the individuals within the particular group.

Abstract: A caching framework for a multi-tenant cloud-based system includes a plurality of microservices, a global cache that implements a global namespace, and a plurality of tenant caches, each tenant cache corresponding to a different tenant of the multi-tenant cloud-based system. The framework further includes a common module corresponding to each of the microservices and comprising a cache application programming interface (API), and a cache module comprising a service provider interface (SPI) adapted to connect to a distributed remote cache.

Abstract: According to one embodiment, a host communicates with a data processing (DP) accelerator using an obfuscation scheme. The DP accelerator receives an obfuscation kernel algorithm (or obfuscation algorithm), where the obfuscation kernel algorithm is used to obfuscate and de-obfuscate data in communication with a host. The DP accelerator de-obfuscates, using the obfuscation kernel algorithm, obfuscated data received from the host for a prediction request to obtain one or more AI models. The DP accelerator generates prediction results by applying the one or more AI models to a prediction input. The DP accelerator obfuscates, using the obfuscation kernel algorithm, the prediction results. The DP accelerator sends the obfuscated prediction results to the host, where the host retrieves the prediction results by de-obfuscating the obfuscated prediction results.

Abstract: A wireless enabled lighting device having the ability to retrieve credentials for a primary wireless LAN from another previously configured wireless enabled lighting device is disclosed. After installation, the lighting device may be instructed to join a secondary wireless network temporarily provided by the previously configured lighting device. Once connected to the secondary wireless network, the lighting device may be provided the credentials for the primary wireless LAN from the previously installed device. The lighting device may then join the primary wireless LAN based on the provided credentials and may automatically initiate enrollment with a remote cloud service. After enrollment, the lighting device may be instructed to operate as an access point for the secondary wireless network, thereby allowing a subsequently installed lighting device to retrieve the credentials for the primary wireless LAN from the newly enrolled lighting device.

Abstract: A method for real-time detection of and protection from steganography in a kernel mode comprises detecting transmission of a file via a firewall, an operating system, or an e-mail system. A size of the file is determined. From a file system, a stored filesize of the file is retrieved. The determined size of the file is compared to the stored filesize of the file. Responsive to the determined size of the file being larger than the stored filesize of the file, steganography detection analytics are executed on the file. Responsive to the steganography detection analytics indicating presence of steganography in the file, a steganography remediation action is executed, and information is transmitted describing the steganography to a client device.

Abstract: A security platform uses a sensor-event-analysis-response methodology to iteratively adapt to a changing security environment by continuously creating and updating entity models based on observed activities and detecting patterns of events that deviate from these entity models.

Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

Abstract: Example methods are provided for a host to perform authentication offload in a virtualized computing environment that includes the host and a destination server. The method may comprise detecting, from a virtualized computing instance, a packet destined for the destination server. The method may also comprise: in response to determination that the detected packet is an authentication request, obtaining, from the virtualized computing instance, metadata associated with a client application for which authentication is requested; and sending the authentication request and the metadata to the destination server to cause the destination server to authenticate the client application based on the metadata.

Abstract: The disclosed technology relates to a mobile terminal adapted to receive a memory card comprising a processing unit, an input interface and a card locking actuator configured to lock the memory card into the mobile terminal. The card locking actuator is controlled by the processing unit. In one aspect, the card locking actuator is configured to be locked when the mobile terminal is switched on. In another aspect, the processing unit is configured to lock the screen until a screen unlocking authentication procedure is performed by a user at the input interface and is configured to command unlocking of the card locking actuator after detecting that a predetermined authentication procedure is performed by a user at the input interface.

Abstract: A form of the invention is applicable for use in conjunction with a security credential management system that produces and manages pseudonym digital certificates issued to vehicles and used by vehicles to establish trust in vehicle-to-vehicle communications, the security credential management system including a pseudonym certificate authority processor entity which issues pseudonym digital certificates to vehicles, a registration authority processor entity that validates, processes and forwards requests for pseudonym digital certificates to the pseudonym certificate authority processor entity, and a misbehavior authority processor entity that receives misbehavior reports from reporter vehicles that include information about the reporter vehicles and suspect misbehaving vehicles and is responsible for producing a list of revoked credentials; the pseudonym certificate processor entity and registration authority processor entity participating in producing linkage values to be contained within the issued pseudon

Abstract: A media storage and playback apparatus encrypts header fields and side-information fields within respective packets of a compressed, packetized media file to obfuscate unencrypted payload fields within the packets. After encrypting the header fields and side-information fields, the media storage and playback apparatus stores the encrypted header fields and side-information fields together with the unencrypted payload fields within a nonvolatile storage for later retrieval, decryption and playback.

Abstract: Techniques for routing a request based on a vulnerability in a processing node are disclosed. A vulnerability analyzer determines a set of detected vulnerabilities in each of a set of processing nodes. Based on the detected vulnerabilities, the vulnerability analyzer determines a respective vulnerability score for each processing node. A routing engine receives a request to be processed by at least one of the set of processing nodes. The routing engine selects a particular node for processing the request based on the detected vulnerabilities in one or more of the set of processing nodes. The routing engine may select the particular node based on the vulnerability scores of the set of processing nodes. Additionally or alternatively, the routing engine may select the particular node based on whether the particular node includes any vulnerability that may be exploited by the request.

Abstract: The present invention concerns a method for secure data classification by a computer platform. A client sends to the platform data to be classified in encrypted form using a first symmetric key. Similarly, a supplier sends to the platform parameters of a classification model in encrypted form using a second symmetric key. The invention uses a homomorphic cryptosystem defined by a public key and a private key. The platform performs a first transcryption step by deciphering the data to be classified in the homomorphic domain and a second transcryption step by deciphering the model parameters in the homomorphic domain. The classification function is then evaluated in the homomorphic domain for providing a classification result encrypted by said public key.

Abstract: A cloud-based data governance system includes a processing unit, a network adapter, and memory for storing data and code. The network adapter establishes a connection with a remote data storage system associated with a remote file system over a wide-area network (WAN). The code includes an event collection interface, a data governance service, and an enforcement service. The event collection interface is configured to capture an event from the remote data storage system. The event is indicative of a file system operation executed on a data object of the remote file system. The data governance service is configured to receive the event from the event collection interface and to process the event to determine whether the file system operation conflicts with a governance policy of the data governance system. The enforcement service executes a set of remediation actions if the file system operation does conflict with the governance policy.

Abstract: A system including a mobile terminal having an authenticator, a TPM with tamper resistance and a voice assistant. The voice assistant makes a process request corresponding to voice input of a user to a server in accordance with the input, receives a biometric authentication request from the server, makes a request for a biometric authentication process to the mobile terminal of the user in accordance with the request for biometric authentication via wireless communication, and transmits an authentication result from the mobile terminal to a server. The mobile terminal executes the biometric authentication process using biometric information stored in the authenticator and the TPM in accordance with the request for the biometric authentication process from the voice assistant, and transmits an authentication result to the voice assistant.

Abstract: A method for obfuscation of operations using minimal additional hardware is presented herein. The method can begin by executing a first iteration of a set of computations, the execution of the set of computations resulting in a first iteration output. The method can continue by executing a second iteration of the set of computations, wherein the second execution is distinct from the first iteration but should satisfy a matching condition. The distinction can be a rearrangement of sub-operations, insertion of dummy sub-operations, or a combination of the two. After the iterations are complete, the iteration outputs can be compared. If the comparison of the first iteration output and the second iteration output satisfy the matching condition, the process result can be output. If the matching condition is not satisfied, an error detected signal can be output.

Abstract: One example method includes transmitting, from a client, a remote procedure call (RPC) to a fileserver of a data protection system, the RPC including information identifying an export, then receiving, at the client, node information concerning the export, and the node information concerns a master pseudofs of the fileserver. Finally, the example method includes creating, at the client, a sparse client-specific pseudofs that is based on the node information received from the fileserver, and the sparse client-specific pseudofs includes fewer than all the master pseudofs nodes that the client is authorized to access.

Abstract: Disclosed is a method that includes training, at a client, a part of a deep learning network up to a split layer of the client. Based on an output of the split layer, the method includes completing, at a server, training of the deep learning network by forward propagating the output received at a split layer of the server to a last layer of the server. The server calculates a weighted loss function for the client at the last layer and stores the calculated loss function. After each respective client of a plurality of clients has a respective loss function stored, the server averages the plurality of respective weighted client loss functions and back propagates gradients based on the average loss value from the last layer of the server to the split layer of the server and transmits just the server split layer gradients to the respective clients.