Abstract: The technology described herein protects the privacy and security of data stored in a knowledge graph (“graph”) by enforcing visibility policies when returning property information in response to a query or other attempt to extract property information from the graph and/or about the graph. The visibility policies may be stored with the object and used to prevent restricted properties from being extracted from the object, let alone the graph. The object-specific visibility policy may be stored in the storage layer of the knowledge-graph object with the object properties and content. Some implementations may include multiple visibility records for a single object. Together the visibility records form the object visibility policy. An object visibility policy may have a single visibility record or multiple visibility records.

Abstract: In an embodiment, a method comprises detecting, by a network control entity associated with a software-defined network, a network event in the software-defined network. The network control entity determines, based on the network event, an application for installation at the network control entity or in the software-defined network. The application is automatically installed at the network control entity or in the software-defined network.

Abstract: Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.

Abstract: A method and a computer program product and an apparatus for securing communication in heterogeneous networks that include devices with different protection levels. The method comprises monitoring, by a security agent installed on a device, communication between the device and external devices. The method comprises determining a level of in-device protection for each device based on available protection thereof. The method further comprises employing, by the security agent, an associated security policy for communications originating from the device, based on the level of in-device protection; such as resources utilized for employing security policies for communications originating from devices are correlated with the protection levels thereof. The method may further comprise enabling sharing security workload between device having trusted security agents to improve performance efficiency thereof.

Abstract: An improved data structure approach, and corresponding computational systems and methods are described to provide a technical approach that can be used for improving computational performance where a blockchain data structure is being accessed continuously or periodically for validation of recordals of one or more events that have taken place. A hybrid off-chain (or off-contract)/on-chain solution is utilized to provide a mechanism for establishing data linkages between the off-chain (or off-contract) records and on-chain data payloads.

Abstract: For communicating between an Internet of Things (IoT) device and a remote computer system, the IoT device may transmit an upload data message via a close range communication circuit to a mobile communication device, for forwarding to the remote computer system. The remote computer system may receive the upload data message via a mobile radio communication network and store an address of the mobile communication device, as a communication relay address for the IoT device. The remote computer system may transmit a download data message via the mobile radio communication network to the communication relay address, for forwarding to the IoT device. The IoT device may receive the download data message from the remote computer system, as forwarded by the mobile communication device via the close range communication circuit.

Abstract: A new approach is proposed to support a hardware-based lock mechanism having a hardware-based lock unit associated with a resource, wherein the lock is utilized by an arbitrator to arbitrate between multiple agents requesting access to the resource. When a first agent requests access to resource in unlocked state, the arbitrator creates a lock ID and set a locked state indicating that the resource is locked. The lock ID is provided to the first agent, which now has exclusive control over the resource. The arbitrator ensures that any agent with the same ID may access the resource. When a second agent requests access to the resource with a lock ID to the arbitrator, it is granted access to the resource if the lock ID provided matches the one stored on the lock unit. If there is a mismatch between the lock IDs, access to the resource is denied.

Abstract: In a distributed system that includes a collection of machines, a server system generates a global dictionary from sampling responses received from machines in the collection of machine, at least a subject of the sampling responses including information indicating one or more terms in a corpus of information stored at a respective machine in the collection of machines. The global dictionary includes global document frequency values corresponding to the document frequencies of terms in the corpora of information stored in the collection of machines. The server system generates a similarity search query for a target document, the similarity search query including identifiers of terms in the target document and optionally document frequency information for those terms, obtained from the global dictionary, and sends, through one or more linear communication orbits, the similarity search query to one or more respective machines in the collection of machines.

Abstract: Systems and methods provide for management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and starting a firewall service with a set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.

Abstract: A symmetric cryptography for encrypting and decrypting information is provided, that can be implemented efficiently in hardware or in software. The symmetric cryptography uses a key generator, so that the cryptography is not dependent on a single, static cryptography key. The key generator is a value or collection of values from which the key is generated. In some embodiments, the key generator substantially increases the computational complexity of differential cryptanalysis and other cryptographic attacks because it has more entropy than the key(s). In an embodiment, the key generator is updated with one-way functions exhibiting the avalanche effect, which generates an unpredictable sequence of keys used during the encryption or decryption process. In an embodiment, a dynamic key is derived from a key generator with a one-way function. In an embodiment, a block cipher uses a different dynamic key to encrypt each block of plaintext, where each key is derived from a different key generator.

Abstract: An anomaly detector is configured to construct cyber and/or physical features comprising information configured to characterize the cyber and/or physical state of a cyber-physical system. The physical features may be based on physical and/or physics-based relationships between a plurality of physical state attributes. A health of the cyber-physical system may be based on an error between estimates of one or more of the physical state attributes and measurements of the one or more physical state attributes. The relationships may be incorporated into machine learning membership functions used to classify cyber and/or physical behavior of the system.

Abstract: Sharing sensor data of a first device with a second device includes obtaining a set of point data from at least one of a sensors located in the first device, generating a first property data of the first subset of point data based on the first subset of point data, generating a sharing data including at least a portion of the first subset of point data and the first property data, and transmitting the sharing data to the second device. If a class of a first object included in the class information a class in which personal information must be protected, a content of the sharing data includes a privacy protection data in which the first subset of point data is processed such that personal information of the first object does not identified by the second device.

Abstract: An apparatus for preventing unauthorized software or firmware upgrades between two or more computing devices connected on a data bus includes a cryptographic engine, memory, and at least one processor coupled with the cryptographic engine and memory. The cryptographic engine stores cryptographic metadata for authorized upgrade images for updating at least one target computing device coupled to the data bus. The cryptographic metadata includes a manifest list of upgrade images. The processor is configured to monitor the data bus for transmissions of striped update hashes from a maintenance device, to receive signed striped hashes corresponding to an upgrade image file transmitted by the maintenance device, to validate the striped update hashes using information in the manifest list, to log that an unauthorized upload has been attempted when at least one of the striped update hashes fails validation, and to perform a mitigation action(s) in response to the attempted unauthorized upload.

Abstract: Systems, methods, and other embodiments associated with secure firmware update in a bare metal cloud environment are described. In one embodiment, a trusted device for causing a component of a computing device to accept a firmware update is presented. The device includes a management interface configured to receive a command that authorizes a firmware update to the component. The device further includes a recovery device logic that is configured to generate a signal configured to cause the component to enter a recovery mode. The recovery mode configures the component to accept the firmware update. The device also includes an interface of the device that is configured to pass the signal to the component to cause the component to enter the recovery mode and accept the firmware update.

Abstract: A device may receive, from a user equipment (UE), a request to allocate one or more computing resources for an application executing on the UE. The device may be associated with an edge node of a mobile network and the UE may be within a coverage area associated with the edge node. The device may receive a remote execution file package that is associated with code to be executed using the one or more computing resources. The device may assign the one or more computing resources for the application. The device may cause at least one of installation of the code for execution by the one or more computing resources, or execution of the code using the one or more computing resources. The device may transmit a response that provides an indication that the one or more computing resources have been allocated for the application.

Abstract: A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance.

Abstract: A processing control system includes: at least one terminal device that is used by at least one user; a monitoring unit that monitors a security status of the at least one terminal device; and a control unit that controls, in a case where the security status which relates to executing processing instructed from the at least one user does not meet a condition, the processing including plural sub-processing operations on the at least one terminal device, execution of each of the sub-processing operations on the at least one terminal device based on the security status of the at least one terminal device.

Abstract: According to one embodiment, a DP accelerator includes one or more execution units (EUs) configured to perform data processing operations in response to an instruction received from a host system coupled over a bus. The DP accelerator includes a time unit (TU) coupled to the security unit to provide timestamp services. The DP accelerator includes a security unit (SU) configured to establish and maintain a secure channel with the host system to exchange commands and data associated with the data processing operations, where the security unit includes a secure storage area to store a private root key associated with the DP accelerator, where the private root key is utilized for authentication. The SU includes a random number generator to generate a random number, and a cryptographic engine to perform cryptographic operations on data exchanged with the host system over the bus using a session key derived based on the random number.

Abstract: Systems herein allow an administrator to efficiently enroll computing devices into a mobile device management system, even when those computing devices are offline and not connected to the system. A management server can include a console that allows the administrator to enroll an offline computing device by selecting an offline enrollment option on a registration record. This option can cause the management server to create a device record, indicating the computing device is enrolled. The management server can also create and save a provisioning file onto a storage device, such as a USB drive. Assets, such as graphics and applications, specified by the device record are also saved onto the storage device. The storage device can be physically connected to the computing device, at which point the provisioning file guides automatic installation of the assets and implementation of device settings and compliance rules specified by the device record.

Abstract: The technology disclosed herein provides an enhanced cryptographic access control mechanism that uses cryptographic keys that are based on temporal data. An example method may include: determining temporal data of a computing device; transforming the temporal data in view of conversion data associated with the computing device, wherein the conversion data causes a set of alternate temporal data values to transform to a specific cryptographic value; creating, by a processing device, a cryptographic key in view of the transformed temporal data; and using the cryptographic key to enable access to a protected resource.