Patents Examined by Abiy Getachew
-
Patent number: 12034718
Abstract: Secure user authentication is provided by leveraging the use of quantum keys, steganography and random user keys/passcodes. Random user passcodes limit both the entity's control over the user and potential exposure of the passcode to wrongdoers. From a security standpoint, use of quantum keys and quantum communication channels heightens security during transmission of keys, such that if a wrongdoer would attempt to hack the transmission, the quantum sequence would break, which would not only prevent the hack but also result in remedial actions, such as preventing the authentication-requiring event, providing alerts and the like. Further, use of steganography also heightens security by preventing exposure to the keys during transmission and/or while the authentication process is occurring on the display of the user's mobile device.
Type: Grant
Filed: February 23, 2022
Date of Patent: July 9, 2024
Assignee: BANK OF AMERICA CORPORATION
Inventor: Swetapadma Mohanty
-
Patent number: 12028444
Abstract: An ultra low power network device is disclosed. The network device utilizes a Near Field Communications (NFC) tag to enable ultra low power communications with a configuration tool. The configuration tool writes information to the NFC tag that is accessible by the processing unit on the ultra low power network device. Additionally, the processing unit can write information into the NFC tag that is readable by the configuration tool. By exchanging messages in this manner, the ultra low power network device and the configuration tool may create a shared encryption key. The ultra low power network device utilizes this shared encryption key when transmitting BLUETOOTH® packets. The configuration tool may then transmit the shared encryption key to either another BLUETOOTH® device or to a remote server. The ultra low power network device may also periodically refresh the shared encryption key.
Type: Grant
Filed: March 21, 2022
Date of Patent: July 2, 2024
Assignee: Silicon Laboratories Inc.
Inventor: Hannu Mallat
-
Patent number: 12028370
Abstract: Described herein are a system and techniques for detecting whether biometric data provided in an access request is genuine or a replay. In some embodiments, the system uses a machine learning model trained using genuine and replay sample data which is optimized in order to produce a result set in which results for the genuine samples are pulled closer to a genuine center and results for the replay samples are pushed away from the genuine center. Subjecting input biometric data (e.g., an audio sample) to the trained model results in a classification of the input biometric data as genuine or replay, which can then be used to determine whether or not to verify the input biometric data.
Type: Grant
Filed: February 1, 2022
Date of Patent: July 2, 2024
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventors: Mengjun Leng, Sunpreet Singh Arora, Kim Wagner
-
Patent number: 12015710
Abstract: Various techniques related to authenticating and verifying the integrity of data received by a computer system from an external source (such as a sensor) are disclosed. Hardware circuits are disclosed that, along with the computer processor, allow for error-checking and authentication of data received by the computer system. For instance, the hardware circuits may generate a separate authentication code that can be compared to the authentication code in the data itself to determine whether or not the message is authentic and whether or not there is an error in the data. The disclosed techniques reduce the processing requirements of a computer system and can be implemented using simple hardware circuit designs.
Type: Grant
Filed: July 13, 2021
Date of Patent: June 18, 2024
Assignee: Apple Inc.
Inventors: Paul A. Baker, Michael W. Murphy, Mark P. Colosky, James E. Zmuda, Jangwon Lee, Kevin C. Gotze, Peter Louis Bielawski
-
Patent number: 12010116
Abstract: A cloud-based communication framework. A first secure channel may be established for communication between an IT device and a cloud-computing platform. A request for a device user interface may be received over the first secure channel. A second secure channel for communication between the IT device and the cloud-computing platform may be established in response to the request for the device user interface. The device user interface may then be forwarded over the second secure channel to the cloud-computing platform.
Type: Grant
Filed: May 19, 2023
Date of Patent: June 11, 2024
Assignee: ZPE SYSTEMS, INC.
Inventors: Arnaldo Zimmermann, Livio Ceci
-
Patent number: 12010126
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads.
Type: Grant
Filed: July 13, 2021
Date of Patent: June 11, 2024
Assignee: VMware LLC
Inventors: Nafisa Mandliwala, Sirisha Myneni, Subrahmanyam Manuguri
-
Patent number: 12010132
Abstract: Disclosed herein are systems and methods for automatically mitigating potential network services attacks based on service usage patterns learned using Machine Learning (ML) comprising, collecting operational data indicative of resource utilization of one or more network services serving a plurality of connections and of a plurality of operational factors of the plurality of connections, detecting degradation of the network service(s) based on analysis of the operational data, applying trained ML model(s) to the operational data in order to identify negative operational factor(s) of one or more suspected connections to the network service estimated to induce the degradation where the one or more ML model is trained to predict an impact pattern induced by each of a plurality of operational factors on the resource utilization of the one or more network services, and disconnecting, at least temporarily, the suspected connection(s) from the network service(s).
Type: Grant
Filed: March 3, 2022
Date of Patent: June 11, 2024
Assignee: Check Point SSE Solutions LTD.
Inventor: Rony Pikarski
-
Patent number: 12010225
Abstract: A system and a receiver for generating quantum key(s) using conjugated homodyne detection is provided. The receiver may communicate with a transmitter via an insecure quantum channel and a classical channel to generate the quantum key(s). A decoder, in the receiver, may determine, based at least in part on quadratures X, P measured by conjugated homodyne detectors, a raw-key signal corresponding to a key signal generated by the transmitter, and a distribution of photon numbers corresponding to a quantum signal received via the insecure quantum channel. Information about the key signal is exchanged between the receiver and the transmitter via the classical channel and used to determine a quantum bit error rate of the determined raw-key signal. A gain is also obtained. A secure-key rate is calculated based at least in part on the gain, the quantum bit error rate, and the photon number distribution.
Type: Grant
Filed: March 21, 2022
Date of Patent: June 11, 2024
Assignee: UT-BATTELLE, LLC
Inventor: Bing Qi
-
Patent number: 11995197
Abstract: In a method for encryption of sensitive data, an encrypted user private key is received in a Trusted Execution Environment (TEE) in a worker node in a container management system, the encrypted user private key being an encrypted version of a user private key for decrypting a message from a user in the container management system. The user private key is obtained in the TEE, and the encrypted user private key being decrypted into the user private key with a provider private key that is received from an encryption manager for managing the container management system. With these embodiments, the user private key may be transmitted to the worker node safely, such that the worker node may use the user private key to decrypt messages from the user. Therefore, the security level of the container management system may be increased.
Type: Grant
Filed: July 27, 2021
Date of Patent: May 28, 2024
Assignee: International Business Machines Corporation
Inventors: Qi Feng Huo, Yan Song Liu, Da Li Liu, Lei Li, Yuan Yuan Wang
-
Patent number: 11997193
Abstract: The present disclosure provides a secure communication method, and the method may include: a sending terminal may generate data to be transmitted and determine encrypted data by encrypting the data to be transmitted using a preset encryption algorithm based on an encryption key. The encryption key may be obtained by a key exchange process between a smart door lock and a mobile terminal through a preset secure communication channel. The sending terminal may assign a unique identifier to the encrypted data and may send the encrypted data with a unique identifier to the receiving terminal, so that the receiving terminal may perform identity authentication on the encrypted data with the unique identifier and may decrypt the encrypted data based on the encryption key obtained by the key exchange process according to a result of the identity authentication.
Type: Grant
Filed: July 19, 2021
Date of Patent: May 28, 2024
Assignee: YUNDING NETWORK TECHNOLOGY (BEIJING) CO., LTD.
Inventor: Hao Tang
-
Patent number: 11997191
Abstract: A system and method for protecting secret data items using multiple layers of encryption with multiple encryption keys, a Secure Element, and a sandbox on an electronic device includes a secret data item manager. The secret data item manager encrypts secret data items using a hardware encryption key and the Secure Element. It encrypts the transient secret cipher data with an account encryption key to generate and store repository account cipher data. It further encrypts the account encryption key to generate and store the repository account key cipher data with a root encryption key. The manager also derives a secondary encryption key from a user account password, encrypts the root encryption key with the secondary key to generate the transient root encryption key, encrypts the transient root encryption key using the hardware key to generate the repository root encryption key cipher data, and stores repository root encryption key cipher data.
Type: Grant
Filed: March 23, 2022
Date of Patent: May 28, 2024
Assignee: Blue Space Information Technology Co., Ltd.
Inventor: Wei Li
-
Patent number: 11991788
Abstract: A variety of techniques for concealing the content of a communication between a client device, such as a cell phone or laptop, and a network or cloud of media nodes are disclosed. Among the techniques are routing data packets in the communication to different gateway nodes in the cloud, sending the packets over different physical media, such as an Ethernet cable or WiFi channel, and disguising the packets by giving them different source addresses. Also disclosed are a technique for muting certain participants in a conference call and a highly secure method of storing data files.
Type: Grant
Filed: March 24, 2023
Date of Patent: May 21, 2024
Assignee: Listat Ltd.
Inventors: Ievgen Verzun, Oleksandr Holub, Richard K. Williams
-
Patent number: 11985229
Abstract: A method for accessing a private key is provided. The method includes storing, by a first device, the private key and an associated public key, generating an access token, sending to a second device, the access token, sending, to a first server, an address relating to a decentralized identifier and the access token, sending, by the first server, to a ledger, a request for getting a decentralized identifier along with the decentralized identifier address. By way of the method a solution is provided for accessing, by a first server to be accessed from a second device, based on a decentralized identifier readable from a ledger, a second server, as a proxy to a first device. It allows for authenticating a first device to a first server while keeping the private key only at the first device side (and not at the second device side).
Type: Grant
Filed: June 29, 2020
Date of Patent: May 14, 2024
Assignee: THALES DIS FRANCE SAS
Inventors: Julien Delsuc, Pascal Leroy
-
Patent number: 11985150
Abstract: Cybersecurity on a Controller Area Network (CAN) in a vehicle. In an embodiment, electronic control units (ECUs), connected to a CAN bus, each comprise a hacking detection system, which, during an initialization stage, transmits a message comprising a CAN identifier, used by the respective ECU, to at least one other hacking detection system, receives a message comprising a CAN identifier, used by at least one other ECU, from the other hacking detection system, monitors one or more parameters, including at least one parameter of CAN messages received by the respective ECU and transmitted by the respective ECU, and generates a pattern-detection mechanism based on the monitored one or more parameters. Then, during a detection stage, each hacking detection system monitors the one or more parameters, and detects malicious activity based on the generated pattern-detection mechanism and the one or more parameters monitored during the detection stage.
Type: Grant
Filed: May 24, 2019
Date of Patent: May 14, 2024
Assignee: SECURETHINGS U.S., INC.
Inventor: Vishal Bajpai
-
Patent number: 11977609
Abstract: A USB protocol-based IP infringement identification method for USB devices, including the following steps: S1, connecting an infringement identification device at a peer side of the USB host to be tested; S2, the USB host to be tested entering compliance mode; S3, the infringement identification device sending an X.LFPS file to the USB host to be tested; S4, upon the USB host to be tested receiving the X.LFPS file, the USB host to be tested sending IP copyright information to the infringement identification device; S5, determining whether the USB host to be tested infringes the IP. The infringement identification of the USB device to be tested is performed by using the compliance mode specified in the USB protocol, which is more stable, reliable and can also save costs.
Type: Grant
Filed: January 29, 2021
Date of Patent: May 7, 2024
Assignee: CORIGINE (SHANGHAI), INC.
Inventors: Kai Cheng, Sheng Lu, YirngAn Chen, Xin Jiang, Xiao Xiao
-
Patent number: 11962697
Abstract: Disclosed herein are apparatuses and methods for tracking chain of custody of a security camera using blockchain. An implementation may comprise receiving and granting a request for custody of a security camera by a first operator. The implementation further includes generating a block of a blockchain comprising identifiers of the first operator, security camera, and timestamp. The implementation includes distributing the blockchain to a plurality of nodes in a blockchain network. For each indication received of activity associated with usage and custody of the security camera to be recorded on the blockchain, the implementation includes generating a new block on the blockchain recording the activity. The implementation further includes receiving and verifying an authenticity of a video clip from the security camera based on each activity recorded in the blockchain. In response to determining that the video clip is not authentic, the implementation includes generating an alert indicating inauthenticity.
Type: Grant
Filed: September 24, 2021
Date of Patent: April 16, 2024
Assignee: JOHNSON CONTROLS TYCO IP HOLDINGS LLP
Inventors: Gopal Paripally, Jason M. Ouellette, Peter Lawrence
-
Patent number: 11956349
Abstract: A method is disclosed. The method comprises transmitting, by an access device to a communication device, a resource provider certificate and an access device certificate. Then, establishing a secure channel between the access device and the communication device using data from the resource provider certificate and the access device certificate. Then, transmitting to or receiving data from the communication device using the secure channel.
Type: Grant
Filed: October 29, 2018
Date of Patent: April 9, 2024
Assignee: Visa International Service Association
Inventors: Brian Sullivan, Dinah Sloan, Christian Aabye, Hao Ngo, Yuexi Chen, Fahimeh Rezaei
-
Patent number: 11956212
Abstract: Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.
Type: Grant
Filed: March 31, 2021
Date of Patent: April 9, 2024
Assignee: Palo Alto Networks, Inc.
Inventor: Jun Du
-
Patent number: 11956275
Abstract: In some examples, with respect to asymmetric-man-in-the-middle capture based application sharing protocol traffic recordation, a dynamic-link library that alters application programming interface calls with respect to communication between an application sharing protocol client and an application sharing protocol server may be injected into the application sharing protocol client. Based on the injected dynamic-link library, data from the communication between the application sharing protocol client and the application sharing protocol server may be ascertained. Further, based on the ascertained data, a test script may be generated to test operation of an application associated with the communication between the application sharing protocol client and the application sharing protocol server.
Type: Grant
Filed: October 11, 2018
Date of Patent: April 9, 2024
Assignee: Micro Focus LLC
Inventors: Yang Luo, Jian Zhang, Qian-Ru Zhai, Zhenbin Lin
-
Patent number: 11949799
Abstract: Disclosed is an input/output circuit for a physical unclonable function generator circuit. In one embodiment, a physical unclonable function (PUF) generator includes: a PUF cell array comprising a plurality of bit cells configured in a plurality of columns and at least one row, and at least one input/output (I/O) circuit each coupled to at least two neighboring columns of the PUF cell array, wherein the at least one I/O circuit each comprises a sense amplifier (SA) with no cross-coupled pair of transistors, wherein the SA comprises two cross-coupled inverters with no access transistor and a SA enable transistor, and wherein the at least one I/O circuit each is configured to access and determine logical states of at least two bit cells in the at least two neighboring columns; and based on the determined logical states of the plurality of bit cells, to generate a PUF signature.
Type: Grant
Filed: April 5, 2021
Date of Patent: April 2, 2024
Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
Inventors: Jui-Che Tsai, Shih-Lien Linus Lu, Cheng Hung Lee, Chia-En Huang