Patents Assigned to THALES DIS CPL USA, Inc.
- Publication number: 20250117511
  Abstract: A system or method for dynamically protecting a user's confidential information and a user's privacy at an edge device can include a plurality of sensors operatively coupled to the edge device, memory and one or more processors configured to perform certain operations. The operations can include aggregating signals from two or more sensors among the plurality of sensors via a sensor aggregator to provide an aggregated signal, setting policies via a policy agent that gives weighting factors to the two or more sensors and further assigns a security threshold level to one or more applications, calculating risks via a risk agent based on the policies set and readings from the two or more sensors, and orchestrating the sensor aggregator, the policy agent and the risk agent via a tracker application to modify a user interface interaction with each application operating on or via the edge device.
  Type: Application
  Filed: October 10, 2023
  Publication date: April 10, 2025
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Yateendra JAIMAN, Asad Mahboob ALI
- Patent number: 12204629
  Abstract: A system or method of secure data entry can include one or more processors and memory having computer instructions which when executed by the one or more processors causes the one or more processors to perform the operations at a client edge device of executing a user interface data entry application on the client edge device, receiving data by the user interface data entry application, wherein the data entered is a graphic input pattern corresponding to characters, communicating the data entered to a server, and receiving access to the server if a data processing application at the server interprets the data entered as a credential based on rules negotiated between the data entry application and the data processing application and a template for the graphic input pattern.
  Type: Grant
  Filed: September 20, 2022
  Date of Patent: January 21, 2025
  Assignee: THALES DIS CPL USA, INC.
  Inventors: Yateendra Jaiman, Pranay Shahab Gupta, Asad Mahboob Ali
- Patent number: 12204631
  Abstract: In one embodiment a Hardware Server Module (HSM) (10) implementing a distributed quorum authentication enforcement is provided, whereby user access to a resource (40) on the device (10) is enforced via an API gateway (16). The HSM comprises one or more resources, a separate resource manager API for accessing the one or more resources, an enforcement module for enforcing access to the one or more resources via the API gateway according to a quorum policy, and a quorum manager for generating and storing a quorum request in a database. The API gateway (16) can be a RESTful API using HTTP requests to produce and consume data related to quorum services via at least one of a GET, PUT, POST, PATCH and DELETE command type. Other embodiments are disclosed.
  Type: Grant
  Filed: July 1, 2022
  Date of Patent: January 21, 2025
  Assignee: THALES DIS CPL USA, INC.
  Inventors: Devesh Kumar Tewari, Amit Sinha
- Publication number: 20240370581
  Abstract: Extension of functional capabilities of a file system in a container orchestration system by associating an extended storage class with a functional extension wherein access to data storage volumes belonging to the extended storage class are handled by an extended file system. In response to deployment of an application pod config including definition of an extended volume belonging to the extended storage class, request mounting the extended volume and creating a staging pod for mounting the original data storage volume and causing the container orchestration system to deploy the staging pod. Access by the containers in the application pod to data stored in the extended volume is handled by the extended file system.
  Type: Application
  Filed: August 29, 2022
  Publication date: November 7, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: José R. SANTOS, Partha Sarathi BESAGARAHALLI LAKSHMAIAH, Steven PRATT, Mahesh MOHAN
- Publication number: 20240354010
  Abstract: A method for controlling access to a disk device connected to an execution platform that includes reserving a first region of the disk device and storing a unique disk label in said first region, wherein said first region is not encrypted, encrypting a second region of the disk device, wherein the second region includes user data and file information, said method further comprises providing a cipher agent running on said execution platform and carrying out the following steps in case an opening of the disk device is requested: reading the unique disk label stored in the first region, retrieving a protection policy for the disk device based on the unique disk label and handling the further access to the disk device based on the protection policy.
  Type: Application
  Filed: August 26, 2022
  Publication date: October 24, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Rajesh GUPTA, Peter SCOTT, Jeff BROMBERGER, Rohan NANDODE
- Patent number: 12095641
  Abstract: Provided is a method for a Hardware Security Module (HSM) appliance to provide cryptographic services to multiple clients via cryptographic service requests and responses transmitted over a secure communication channel therebetween. The method comprises the steps of providing a traffic control feature for communications over said secure communication channel by way of a Linux Kernel, and leveling cryptographic service and balancing a workload of cryptographic transactions on the HSM appliance for the multiple clients submitting said requests and receiving said responses by way of a Traffic Control Agent (TCA), thereby distributing a fair, proportional share of resources on the HSM appliance needed for servicing the cryptographic services to multiple clients irrespective of thread count per client. Other embodiments disclosed, including a dynamic intelligent TCA.
  Type: Grant
  Filed: January 31, 2023
  Date of Patent: September 17, 2024
  Assignee: THALES DIS CPL USA, INC.
  Inventors: Wayne Reed, Ranga Anumulapally, Marc André Boillot
- Publication number: 20240259287
  Abstract: Provided is a method for a Hardware Security Module (HSM) appliance to provide cryptographic services to multiple clients via cryptographic service requests and responses transmitted over a secure communication channel therebetween. The method comprises the steps of providing a traffic control feature for communications over said secure communication channel by way of a Linux Kernel, and leveling cryptographic service and balancing a workload of cryptographic transactions on the HSM appliance for the multiple clients submitting said requests and receiving said responses by way of a Traffic Control Agent (TCA), thereby distributing a fair, proportional share of resources on the HSM appliance needed for servicing the cryptographic services to multiple clients irrespective of thread count per client. Other embodiments disclosed, including a dynamic intelligent TCA.
  Type: Application
  Filed: January 31, 2023
  Publication date: August 1, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Wayne REED, Ranga ANUMULAPALLY, Marc André BOILLOT
- Patent number: 12045338
  Abstract: Provided is a method of securing a software code of an application including at least one constant data. The method produces secure software code that can then be executed on a processor. The method includes fragmenting current constant data into several valid data chunks of random length, encoding and storing the valid data chunks at random locations in the application software code, identifying all occurrences of the current constant data in the application software code and replacing each of them with a call to a Runtime application self-protection (RASP) agent for reading the current constant data, and inserting, at random locations of a control flow graph of the application software code, RASP check instructions which when executed at runtime. The RASP agent being configured for running in the application runtime environment and being capable of controlling application execution and detecting and preventing real-time attacks.
  Type: Grant
  Filed: April 8, 2020
  Date of Patent: July 23, 2024
  Assignee: THALES DIS CPL USA, INC.
  Inventors: Peter Garba, Roman Rohleder
- Publication number: 20240184896
  Abstract: Provided is a system, method and API that provides HSM customers with an ability to request different levels of service for any cryptographic workload. It provides the customer with an API that by way of a Class of Service (CoS) attribute signals a higher class/level of service at the application level, such as a faster response time, for example, certain time-sensitive or high priority requests, that are not currently available in HSM deployments. The CoS attribute resides at the application level and provides developers of crypto API client application to prioritize crypto transaction performance.
  Type: Application
  Filed: December 2, 2022
  Publication date: June 6, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Ranga ANUMULAPALLY, Wayne REED, Marc BOILLOT
- Publication number: 20240154799
  Abstract: A Hardware Security Module (HSM) (900), and method thereof, suitable for use in securely servicing cryptographic requests from multiple tenant applications to preserve end-to-end privacy is provided. A Link Encryption and Key Diversification interoperability (43) between two processors provides cryptographic and logical isolation between multiple tenant applications on the HSM (900) that use and share more than one PCIe Physical Function (30) over more than one Virtual Function (VF) (21) to one or more Crypto Units (CU) (61) for satisfying a request (46) of an HSM cryptographic services. An Output Feedback (OFB) block with CRC support is further provided with encryption and decryption. The HSM as configured is more resistant to side channel attacks.
  Type: Application
  Filed: November 7, 2022
  Publication date: May 9, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Alexandre Kumar BERZATI, Loic BONIZEC, Dmitry RYUMKIN, Darren JOHNSON
- Patent number: 11977647
  Abstract: A first server launches, under control of a device user, an execution of a first virtual payload by using a predetermined service provider interface or a first predetermined application programming interface that is associated with the first virtual payload executed by the first server. The first virtual payload generates a first random nonce. The first virtual payload launches an execution of a second virtual payload by using an associated second predetermined application programming interface. The second virtual payload is executed by the first or a second server. The first virtual payload exchanges with the second virtual payload the first random nonce, so as to establish a first secure channel. The invention also relates to corresponding first server and system.
  Type: Grant
  Filed: December 24, 2018
  Date of Patent: May 7, 2024
  Assignee: THALES DIS CPL USA, INC.
  Inventor: Luis Miguel Huapaya
- Publication number: 20240129110
  Abstract: A system and method for protecting an application resource file (RF) when a client uses an application on a host can include the steps by the application on the host of binding the RF to the host during execution of the application on the host by obtaining a device fingerprint of the host, verifying a signature by using the RF, the device fingerprint of the host, and a public key, where the signature was created during or at one of the following: (a) an installation of the application at the host by signing the RF and the device fingerprint of the host using a private key corresponding to the public key; (b) an application provider before the installation of the application at the host; or (c) a client device; and where the method further uses the RF if a verification of the signature is successful.
  Type: Application
  Filed: October 17, 2022
  Publication date: April 18, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: HongQian Karen LU, Feng Shahab PAN, Kyoungbong KOO, Pablo Blasco HERRERO
- Publication number: 20240119170
  Abstract: Provided is a system and platform for Machine Learning (ML) based Data Discovery and Classification. The system and platform comprising components of a user console, a ML agent, and a ML data engine. By way of a ML pipeline, sensitive data is obfuscated that would otherwise be in the clear when transmitted to a centralized server. The ML model pipeline decouples embedding from model training. In a first step, the ML Agent runs on a data endpoint machine or proxy to convert clear text data to embedding vectors. In a second step, the ML data engine runs on a centralized server to train models using the embedding vectors. The separation of pipeline components and respective handling of workflow requests and messages associated therewith prevents the transfer of clear data in the open. Other embodiments disclosed.
  Type: Application
  Filed: October 6, 2022
  Publication date: April 11, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Feng XU, Haochong SHEN, Yen-Fen HSU, Sudhir KUMAR
- Publication number: 20240114022
  Abstract: A system or method of image-based login authentication of a user on an access device using a mobile device registered to the user can include receiving login information at the access device, displaying an image reference at the access device, the image reference being one among a plurality of image references provisioned at the mobile device and an authentication authority, displaying the image reference selected by the authentication authority along with other image references, and receiving an authentication token at the authentication authority from the mobile device corresponding to a selection at the mobile device of one of the plurality of image references provisioned at the mobile device. The method can further include receiving validation by the access device of a completed authentication if the selection matches the image reference displayed at the access device and allowing login at the access device if the authentication token is validated.
  Type: Application
  Filed: September 30, 2022
  Publication date: April 4, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Najam SIDDIQUI, Asad Mahboob ALI, Benoît FAMECHON
- Publication number: 20240111845
  Abstract: Provided is a program and computer-implemented method of obfuscating a software code, comprising adding a conditional branch instruction to the software code which, when executed, causes evaluating an opaque predicate (PT, PF, P?). The method comprises a step of generating the opaque predicate which includes performing a multiplication operation having as operands two mixed Boolean-arithmetic expressions. Other embodiments disclosed.
  Type: Application
  Filed: January 25, 2022
  Publication date: April 4, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Roman ROHLEDER, Peter GARBA
- Publication number: 20240095396
  Abstract: A method or system of providing data privacy compliance at a server with respect to a right to be forgotten can include one or more processors configured for receiving key information, data, and an expiration date in response to a request to create a key by a data subject to a key management service, sending a request to and receiving a key from the key management system, encrypting the data at the server with the key to provide encrypted data, storing the encrypted data in a storage, receiving a request to access the data, attempting to retrieve the key by the server, and denying access to the data in response to the request after a request from the data subject to revoke the key. In some embodiments, the key information received by the server is Hold Your Own Key and the encryption of data is Hold Your Own Encryption.
  Type: Application
  Filed: September 20, 2022
  Publication date: March 21, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Ilika RAJBHANDARI, Mohd Shahab KHAN, Mukul TOPE
- Publication number: 20240095331
  Abstract: A system or method of secure data entry can include one or more processors and memory having computer instructions which when executed by the one or more processors causes the one or more processors to perform the operations at a client edge device of executing a user interface data entry application on the client edge device, receiving data by the user interface data entry application, wherein the data entered is a graphic input pattern corresponding to characters, communicating the data entered to a server, and receiving access to the server if a data processing application at the server interprets the data entered as a credential based on rules negotiated between the data entry application and the data processing application and a template for the graphic input pattern.
  Type: Application
  Filed: September 20, 2022
  Publication date: March 21, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Yateendra JAIMAN, Pranay Shahab GUPTA, Asad Mahboob ALI
- Publication number: 20240080371
  Abstract: Provided is a method for use-case analysis of an application. It includes instrumenting a software application or an environment to generate execution traces at use-case reference points; capturing the execution traces during user interaction with the software application during a use-case scenario; applying a classification model to execution traces correlated to a sequence of interaction steps; and to report a use of the app. A machine learning module automatically adapts, updates and applies the classification model on use-case scenarios, thereby evidencing whether the customer successfully completed these use cases, and helping the product vendor understand if the customer is receiving value delivered by, and built into, the product or application. Other embodiments disclosed.
  Type: Application
  Filed: September 5, 2022
  Publication date: March 7, 2024
  Applicant: THALES DIS CPL USA, INC.
  Inventors: Michael ZUNKE, Marc BOILLOT
- Patent number: 11893550
  Abstract: A payment HSM hosted in a data center and comprising a host interface accessible by a remote end-user entity running a payment application using critical resources protected in the payment HSM, a second interface for main, operational management of the payment HSM by the end-user entity, and an Out-Of-Band, OOB, management interface being distinct and physically isolated from the communication channel of the second interface, and configured to allow secure access to the payment HSM by a third-party entity, distinct from the end-user entity. A resident, remotely configurable provisioning state-machine is implemented in the HSM for the management of the provisioning of the payment HSM for service to one or more end-user entities, under the control of the third-party entity over the OOB management interface.
  Type: Grant
  Filed: June 2, 2021
  Date of Patent: February 6, 2024
  Assignee: THALES DIS CPL USA, INC.
  Inventors: Ranga Anumulapally, Ian Merin, Kathryn Roberts, Gerald Wardrop, Linden Decarmo, Raghvendra Chouhan
- Patent number: D1057667
  Type: Grant
  Filed: November 7, 2022
  Date of Patent: January 14, 2025
  Assignee: THALES DIS CPL USA, INC.
  Inventor: Sofia Melgar Jimenez