Abstract: The disclosure generally relates to method, system and apparatus for multifactor authentication exchange using out of band communication to authenticate a user while defending against the man in the middle attack. In an exemplary method, the disclosed principles provide a multifactor authentication (MFA) exchange, which includes: receiving an authentication request through in-band communication from a first device associated with a user to authenticate the user, the authentication request including a first authentication factor to identify the user; generating a second authentication factor, the second authentication factor further comprising an authorization token; generating an encryption key to encrypt the authorization token and a redirect Uniform Resource Locator (URL) address; and communicating the second authentication factor, the encryption key and the redirect URL address to a second device associated with the user.

Abstract: Providing optical watermark signals for a visual authentication session by performing at least the following: receive, at an anti-spoof engine, an instruction to perform visual authentication operations for a visual authentication session, generate, with the anti-spoof engine, an optical watermark signal based on receiving the instruction, wherein the optical watermark signal includes at least one optical identifier to authenticate images captured during the visual authentication session, obtain, with the anti-spoof engine, an image source that includes captured images of the visual authentication session, determine, with the anti-spoof engine, whether the image source includes a reflected optical watermark signal, and compare, with the anti-spoof engine, whether the reflected optical watermark signal matches the generated optical watermark signal based on the determination that the image source includes the reflected optical watermark signal.

Abstract: A circuit includes a first communication interface configured to receive first sensor data from a stationary sensor. The first sensor data include a result of a first sensing of a local environment of the stationary sensor performed by the stationary sensor. The circuit may further include a second communication interface configured to receive second sensor data from an unmanned aerial vehicle. The second sensor data include a result of a second sensing of at least a portion of the local environment of the stationary sensor performed by a sensor of the unmanned aerial vehicle. The circuit may further include one or a plurality of processors configured to compare the first sensor data and the second sensor data and to classify the at least one stationary sensor based on a result of the comparison.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to track a provenance of goods. An example apparatus includes an unsigned block generator to generate a first unsigned block to store first processing data associated with the product by a first entity, a block signature engine to sign the first unsigned block with a first private key to generate a blockchain having a first signed block, the unsigned block generator to generate a second unsigned block in response to a second entity generating second processing data associated with the product by the second entity, the block signature engine to expand the blockchain by signing the second unsigned block with a second private key to generate a second signed block within the blockchain, and a blockchain validator to verify the product provenance by validating the first processing data and the second processing data using respective public keys associated with the first entity and the second entity.

Abstract: Technologies to facilitate supervision of an online identify include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.

Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.

Abstract: Embodiments are directed to security optimizing compute distribution in a hybrid deep learning environment. An embodiment of an apparatus includes one or more processors to determine security capabilities and compute capabilities of a client machine requesting to use a machine learning (ML) model hosted by the apparatus; determine, based on the security capabilities and based on exposure criteria of the ML model, that one or more layers of the ML model can be offloaded to the client machine for processing; define, based on the compute capabilities of the client machine, a split level of the one or more layers of the ML model for partition of the ML model, the partition comprising offload layers of the one or more layers of the ML model to be processed at the client machine; and cause the offload layers of the ML model to be downloaded to the client machine.

Abstract: The present disclosure provides privacy preservation of analytic workflows based on splitting the workflow into sub-workflows each with different privacy-preserving characteristics. Libraries are generated that provide for formatting and/or encrypting data for use in the sub-workflows and also for compiling a machine learning algorithm for the sub-workflows. Subsequently, the sub-workflows can be executed using the compiled algorithm and formatted data.

Abstract: The present disclosure is directed to systems and methods for the selective introduction of low-level pseudo-random noise into at least a portion of the weights used in a neural network model to increase the robustness of the neural network and provide a stochastic transformation defense against perturbation type attacks. Random number generation circuitry provides a plurality of pseudo-random values. Combiner circuitry combines the pseudo-random values with a defined number of least significant bits/digits in at least some of the weights used to provide a neural network model implemented by neural network circuitry. In some instances, selection circuitry selects pseudo-random values for combination with the network weights based on a defined pseudo-random value probability distribution.

Abstract: A system and apparatus for data confidentiality in a distributed ledger are disclosed. The system and apparatus preserve qualities of distributed ledgers, such as transparency, integrity, and redundancy, while also providing confidentiality, scalability, and security not previously available in distributed ledgers. The system includes a data confidentiality module that exploits a trusted execution environment for both transaction processing and key synchronization. The apparatus accessing the distributed ledger provides for new nodes joining the network, sending transactions to the ledger by existing nodes, securely processing the transaction using the trusted execution environment, securing transmission to the logic layer for application of business logic, reading and writing data to local storage, and reading encrypted transactions.

Abstract: A system and method of detecting and remediating attacks includes receiving operating system (OS) read/write data from an OS, the OS read/write data describing at least one of reads from and writes to a storage device over a file system interface of the OS; collecting storage device read/write data, the storage device read/write data describing at least one of reads from and writes to the storage device; comparing the OS read/write data to the storage device read/write data; and determining if there is a discrepancy between the OS read/write data and the storage device read/write data. If there is a discrepancy, determining if there is an anomaly detected between OS read/write data and the storage device read/write data. If there is an anomaly, causing a remediation action to be taken to stop a malware attack.

Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.

Abstract: A wearable device provides protection for personal identity information by fragmenting a key needed to release the personal identity information among members of a body area network of wearable devices. A shared secret algorithm is used to allow unlocking the personal identity information with fragmental keys from less than all of the wearable devices in the body area network. The wearable devices may also provide protection for other personal user data by employing a disconnect and erase protocol that causes wearable devices to drop connections with an external personal data space and erase locally stored personal information if a life pulse from a connectivity root device is not received within a configurable predefined period.

Abstract: The disclosure generally relates to method, system and apparatus for privacy enhancement mode for integrated cameras. In an exemplary embodiment, the disclosure allows a user of a device equipped with an integrated device to engage the device in the so-called privacy mode whereby while the camera is engaged, the device does not broadcast the user's images; rather the device uses the camera to detect, discern and determine the user's attributes. Such attributes may include one or more of movement, motion, mood, gesture and temperature of the user. The attributes may include specificities of the user's environment.

Abstract: Methods and apparatus for virtual enterprise secure networking. A Layer 2 (L2)-based secured network solution is provided using resources of a computer platform to connect an operating system to a secured backend overlay network (e.g., enterprise, service provider or ‘zero trust network service’) in a way that does not require changes in the operating system and connection manager or alteration of network infrastructure (e.g., wireless access point) in the location where a client may reside. Under an aspect of the solution, the computer platform itself (e.g., platform hardware/Firmware/drivers) provides part of the role of the authenticator in an Institute of Electrical and Electronics Engineers (IEEE) 802.1X scheme either directly by simulation of an Access Point (AP) or as a pass through to the overlay network core. This replaces the traditional access point/switch authenticator role.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed for dynamic re-distribution of detection content and algorithms for exploit detection. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to deploy respective ones of a plurality of standard detection algorithms and content (SDACs) to respective ones of a first endpoint and a second endpoint, deploy a first set of enhanced detection algorithms and content (EDACs) to the first endpoint, deploy a second set of the EDACs to the second endpoint, the second set of EDACs different from the first set of EDACs, and in response to obtaining a notification indicative of an exploit attack from the first endpoint, distribute the first set of EDACs to the second endpoint to facilitate detection of the exploit attack at the second endpoint.

Abstract: A combination of hardware monitoring and binary translation software allow detection of return-oriented programming (ROP) exploits with low overhead and low false positive rates. Embodiments may use various forms of hardware to detect ROP exploits and indicate the presence of an anomaly to a device driver, which may collect data and pass the indication of the anomaly to the binary translation software to instrument the application code and determine whether an ROP exploit has been detected. Upon detection of the ROP exploit, the binary translation software may indicate the ROP exploit to an anti-malware software, which may take further remedial action as desired.

Abstract: Methods, apparatuses and system provide for technology that interleaves a plurality of verification commands with a plurality of copy commands in a command buffer, wherein each copy command includes a message authentication code (MAC) derived from a master session key, wherein one or more of the plurality of verification commands corresponds to a copy command in the plurality of copy commands, and wherein a verification command at an end of the command buffer corresponds to contents of the command buffer. The technology may also add a MAC generation command to the command buffer, wherein the MAC generation command references an address of a compute result.

Abstract: Systems, apparatuses and methods may provide for encryption based technology. Data may be encrypted locally with a graphics processor with encryption engines. The graphics processor components may be verified with a root-of-trust and based on collection of claims. The graphics processor may further be able to modify encrypted data from a non-pageable format to a pageable format. The graphics processor may further process data associated with a virtual machine based on a key that is known by the virtual machine and the graphics processor.

Abstract: Adversarial sample protection for machine learning is described. An example of a storage medium includes instructions for initiating processing of examples for training of an inference engine in a system; dynamically selecting a subset of defensive preprocessing methods from a repository of defensive preprocessing methods for a current iteration of processing, wherein a subset of defensive preprocessing methods is selected for each iteration of processing; performing training of the inference engine with a plurality of examples, wherein the training of the inference engine include operation of the selected subset of defensive preprocessing methods; and performing an inference operation with the inference engine, including utilizing the selected subset of preprocessing defenses for the current iteration of processing.