Patents Assigned to THALES DIS CPL USA, Inc.
  • Patent number: 11977647
    Abstract: A first server launches, under control of a device user, an execution of a first virtual payload by using a predetermined service provider interface or a first predetermined application programming interface that is associated with the first virtual payload executed by the first server. The first virtual payload generates a first random nonce. The first virtual payload launches an execution of a second virtual payload by using an associated second predetermined application programming interface. The second virtual payload is executed by the first or a second server. The first virtual payload exchanges with the second virtual payload the first random nonce, so as to establish a first secure channel. The invention also relates to corresponding first server and system.
    Type: Grant
    Filed: December 24, 2018
    Date of Patent: May 7, 2024
    Assignee: THALES DIS CPL USA, INC.
    Inventor: Luis Miguel Huapaya
  • Publication number: 20240129110
    Abstract: A system and method for protecting an application resource file (RF) when a client uses an application on a host can include the steps by the application on the host of binding the RF to the host during execution of the application on the host by obtaining a device fingerprint of the host, verifying a signature by using the RF, the device fingerprint of the host, and a public key, where the signature was created during or at one of the following: (a) an installation of the application at the host by signing the RF and the device fingerprint of the host using a private key corresponding to the public key; (b) an application provider before the installation of the application at the host; or (c) a client device; and where the method further uses the RF if a verification of the signature is successful.
    Type: Application
    Filed: October 17, 2022
    Publication date: April 18, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: HongQian Karen LU, Feng Shahab PAN, Kyoungbong KOO, Pablo Blasco HERRERO
  • Publication number: 20240119170
    Abstract: Provided is a system and platform for Machine Learning (ML) based Data Discovery and Classification. The system and platform comprising components of a user console, a ML agent, and a ML data engine. By way of a ML pipeline, sensitive data is obfuscated that would otherwise be in the clear when transmitted to a centralized server. The ML model pipeline decouples embedding from model training. In a first step, the ML Agent runs on a data endpoint machine or proxy to convert clear text data to embedding vectors. In a second step, the ML data engine runs on a centralized server to train models using the embedding vectors. The separation of pipeline components and respective handling of workflow requests and messages associated therewith prevents the transfer of clear data in the open. Other embodiments disclosed.
    Type: Application
    Filed: October 6, 2022
    Publication date: April 11, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Feng XU, Haochong SHEN, Yen-Fen HSU, Sudhir KUMAR
  • Publication number: 20240111845
    Abstract: Provided is a program and computer-implemented method of obfuscating a software code, comprising adding a conditional branch instruction to the software code which, when executed, causes evaluating an opaque predicate (PT, PF, P?). The method comprises a step of generating the opaque predicate which includes performing a multiplication operation having as operands two mixed Boolean-arithmetic expressions. Other embodiments disclosed.
    Type: Application
    Filed: January 25, 2022
    Publication date: April 4, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Roman ROHLEDER, Peter GARBA
  • Publication number: 20240114022
    Abstract: A system or method of image-based login authentication of a user on an access device using a mobile device registered to the user can include receiving login information at the access device, displaying an image reference at the access device, the image reference being one among a plurality of image references provisioned at the mobile device and an authentication authority, displaying the image reference selected by the authentication authority along with other image references, and receiving an authentication token at the authentication authority from the mobile device corresponding to a selection at the mobile device of one of the plurality of image references provisioned at the mobile device. The method can further include receiving validation by the access device of a completed authentication if the selection matches the image reference displayed at the access device and allowing login at the access device if the authentication token is validated.
    Type: Application
    Filed: September 30, 2022
    Publication date: April 4, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Najam SIDDIQUI, Asad Mahboob ALI, Benoît FAMECHON
  • Publication number: 20240095396
    Abstract: A method or system of providing data privacy compliance at a server with respect to a right to be forgotten can include one or more processors configured for receiving key information, data, and an expiration date in response to a request to create a key by a data subject to a key management service, sending a request to and receiving a key from the key management system, encrypting the data at the server with the key to provide encrypted data, storing the encrypted data in a storage, receiving a request to access the data, attempting to retrieve the key by the server, and denying access to the data in response to the request after a request from the data subject to revoke the key. In some embodiments, the key information received by the server is Hold Your Own Key and the encryption of data is Hold Your Own Encryption.
    Type: Application
    Filed: September 20, 2022
    Publication date: March 21, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Ilika RAJBHANDARI, Mohd Shahab KHAN, Mukul TOPE
  • Publication number: 20240095331
    Abstract: A system or method of secure data entry can include one or more processors and memory having computer instructions which when executed by the one or more processors causes the one or more processors to perform the operations at a client edge device of executing a user interface data entry application on the client edge device, receiving data by the user interface data entry application, wherein the data entered is a graphic input pattern corresponding to characters, communicating the data entered to a server, and receiving access to the server if a data processing application at the server interprets the data entered as a credential based on rules negotiated between the data entry application and the data processing application and a template for the graphic input pattern.
    Type: Application
    Filed: September 20, 2022
    Publication date: March 21, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Yateendra JAIMAN, Pranay Shahab GUPTA, Asad Mahboob ALI
  • Publication number: 20240080371
    Abstract: Provided is a method for use-case analysis of an application. It includes instrumenting a software application or an environment to generate execution traces at use-case reference points; capturing the execution traces during user interaction with the software application during a use-case scenario; applying a classification model to execution traces correlated to a sequence of interaction steps; and to report a use of the app. A machine learning module automatically adapts, updates and applies the classification model on use-case scenarios, thereby evidencing whether the customer successfully completed these use cases, and helping the product vendor understand if the customer is receiving value delivered by, and built into, the product or application. Other embodiments disclosed.
    Type: Application
    Filed: September 5, 2022
    Publication date: March 7, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Michael ZUNKE, Marc BOILLOT
  • Patent number: 11893550
    Abstract: A payment HSM hosted in a data center and comprising a host interface accessible by a remote end-user entity running a payment application using critical resources protected in the payment HSM, a second interface for main, operational management of the payment HSM by the end-user entity, and an Out-Of-Band, OOB, management interface being distinct and physically isolated from the communication channel of the second interface, and configured to allow secure access to the payment HSM by a third-party entity, distinct from the end-user entity. A resident, remotely configurable provisioning state-machine is implemented in the HSM for the management of the provisioning of the payment HSM for service to one or more end-user entities, under the control of the third-party entity over the OOB management interface.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: February 6, 2024
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Ranga Anumulapally, Ian Merin, Kathryn Roberts, Gerald Wardrop, Linden Decarmo, Raghvendra Chouhan
  • Publication number: 20240007461
    Abstract: Provided is a system and method to authenticate multiple users in order to secure sensitive cloud assets. The system comprises a user device, a service provider, and an identity provider. The service provider provides services for producing and consuming data. The identity provider authenticates and authorizes multiple authorizers for providing user access to the resources and data. A device app communicates with the service provider and identity provider. The device app polls votes and determines when a quorum approval for utilizing data is met within a constraint. It authorizes the user temporary access to the data for use by one of the services upon quorum approval, and enforces temporal and physical conditions on it. The access can be granted via a push action or a pull notification. Other embodiments are disclosed.
    Type: Application
    Filed: July 1, 2022
    Publication date: January 4, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Wayne REED, Robert BURNS, Marc BOILLOT, Hugot DIDIER
  • Publication number: 20240004983
    Abstract: In one embodiment a Hardware Server Module (HSM) (10) implementing a distributed quorum authentication enforcement is provided, whereby user access to a resource (40) on the device (10) is enforced via an API gateway (16). The HSM comprises one or more resources, a separate resource manager API for accessing the one or more resources, an enforcement module for enforcing access to the one or more resources via the API gateway according to a quorum policy, and a quorum manager for generating and storing a quorum request in a database. The API gateway (16) can be a RESTful API using HTTP requests to produce and consume data related to quorum services via at least one of a GET, PUT, POST, PATCH and DELETE command type. Other embodiments are disclosed.
    Type: Application
    Filed: July 1, 2022
    Publication date: January 4, 2024
    Applicant: THALES DIS CPL USA, INC.
    Inventors: Devesh Kumar TEWARI, Amit SINHA
  • Patent number: 11847203
    Abstract: A method for managing a first application program comprises: executing, by a first processor, a first control flow; executing, by a second processor, in synchronization with the first control flow execution, a second application, comprising a variable and an expected value that the variable has to have or a condition that the variable has to satisfy to authorize an execution of the correct first control flow; verifying, by the second processor, by executing each of the at least one second application, whether the variable has the expected value or the variable satisfies the condition; and inferring, by the second processor, if, for the second application, the variable has (not) the expected value or does (not) satisfy the condition, that the first processor is (not) executing the correct first control flow.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: December 19, 2023
    Assignee: THALES DIS CPL USA, INC.
    Inventor: Martin Liepert
  • Patent number: 11706310
    Abstract: The invention relates to a system and a method for adapting a response provided by a first device. The system comprises the first device with means for receiving from at least one client device, as at least one second device, a data access request comprising at least one client identifier and a predetermined application programming interface or service provider interface associated with the first device. The first device comprises means for processing the data access request that provides the response to the data access request and means for sending the response. The system comprises adapting means for intercepting and adapting the response sent by the first device. The adapting means adapts the response while being specific to the client and provides an adapted response. And the system comprises adapted response sending means for sending at least a part of the adapted response to the second or a third device(s).
    Type: Grant
    Filed: March 1, 2018
    Date of Patent: July 18, 2023
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Michael Zunke, Werner Dondl, Alexandre Airvault
  • Patent number: 11687440
    Abstract: Protection of a first software application to be executed on an execution platform by adding at least one check module to the software application, wherein the check module, when being executed, checks at least a part of the code of the protected software application loaded in the memory and carries out a predefined tamper response in case the check module detects that the checked code was changed or ensures that the protected software application continues to function correctly in case the check module detects that the checked code was not changed; selecting a first code region of the first software application, said first code region provides a first functionality when being executed; amending the selected first code region of the first software application such that an amended first code region is generated to provide the protected software application; wherein the amended first code region, when being executed, still provides the first functionality but carries out an access to at least a part of the code
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: June 27, 2023
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Andreas Weber, David Andreas Lange, Michael Zunke
  • Patent number: 11563555
    Abstract: A method for managing keys and encrypting data is provided. The method includes receiving data to be written to a logical disk, generating an encryption table indicating one or more locations on the logical disk for storing the data and indicating a key used for encrypting the data, encrypting the data to be written to the logical disk, and transmitting the encrypted data and the encryption table to a storage array.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: January 24, 2023
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Vishnu Rangayyan, Masoud Sadrolashrafi, Peter Tsai
  • Patent number: 11550880
    Abstract: The invention is a method for controlling execution of an application. The method comprising: installing and activating a software license unit including License terms and a secure repository comprising both an applet and parameters, providing a virtual USB dongle including a command gate, a License validator, a VM controller and a VM engine initially devoid of applet, verifying the License terms and only if the verification of the License terms is successful: loading said applet and parameters to the VM engine and enabling the Command gate, initializing configuration data and secret data in the VM engine by using the parameters stored in the VM engine then exchanging, between the applet and said hardware function driver, USB messages to control execution of said application.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: January 10, 2023
    Assignee: THALES DIS CPL USA, Inc.
    Inventors: YuBao Cheng, Hao Zhao, Kan Liu
  • Patent number: 11496299
    Abstract: The invention relates to a method for authenticating to a device, comprising receiving, by the device, from a chip, data; retrieving, by the device, based on the received data, a predetermined encrypted credential; sending, by the device, to the chip, a decryption request for decrypting the encrypted credential including or being accompanied with the encrypted credential to be decrypted; retrieving, by the chip, a secret key; decrypting, by the chip, the encrypted credential by using the secret key; sending, by the chip, to the device, as a decryption request response, the credential; verifying, by the device, whether the credential is or is not valid; and authenticating, by the device, only if the credential is valid, the chip.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: November 8, 2022
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Mikael Riou, Thinh Nguyen
  • Patent number: 11468161
    Abstract: A method for providing a user authentication credential comprises a) registering, in a device, at least one reference character, as a first user authentication credential; b) submitting, by the user, to the device, at least one character, as a second user authentication credential; c) retrieving, by the device, each reference character along with a corresponding position within the first user authentication credential; d) comparing, by the device, each submitted character within the second user authentication credential to a corresponding reference character within the first user authentication credential at one and the same position within the second user authentication credential and the first user authentication credential; and e) providing, by the device to the user, if the submitted character does not match the corresponding reference character, an information item for prompting the user to correct the submitted character.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: October 11, 2022
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Michael Hutchinson, Asad Ali
  • Publication number: 20220156365
    Abstract: Provided is a method of securing a software code of an application including at least one constant data. The method produces secure software code that can then be executed on a processor. The method includes fragmenting current constant data into several valid data chunks of random length, encoding and storing the valid data chunks at random locations in the application software code, identifying all occurrences of the current constant data in the application software code and replacing each of them with a call to a Runtime application self-protection (RASP) agent for reading the current constant data, and inserting, at random locations of a control flow graph of the application software code, RASP check instructions which when executed at runtime. The RASP agent being configured for running in the application runtime environment and being capable of controlling application execution and detecting and preventing real-time attacks.
    Type: Application
    Filed: April 8, 2020
    Publication date: May 19, 2022
    Applicant: THALES DIS CPL USA, Inc.
    Inventors: Peter GARBA, Roman ROHLEDER
  • Patent number: 11320250
    Abstract: An assembly allows detecting an intrusion into an appliance that includes a chamber(s). At least one wall relating to one and the same chamber is designed, so as to form a chamber opening allowing to access at least one appliance chip. The assembly includes at least one baffle that is, each, disposed at the chamber opening. The assembly includes at least one chip that comprises a baffle manager. The baffle manager is configured to cause the at least one baffle to move repeatedly between a first and a second position with respect to the chamber opening, during an appliance chip operation. The baffle manager is configured to detect whether a baffle movement is slowed or blocked during the appliance chip operation. If yes, the baffle manager is configured to send a predetermined signal(s) for alerting the appliance chip or a device(s) or take an action(s).
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: May 3, 2022
    Assignee: THALES DIS CPL USA, Inc.
    Inventor: James Andrasi