Abstract: A method of labeling video to provide authentication acquires an instruction to apply timestamp labeling. Each recorded video is labeled with a timestamp based on the instruction. The first mark information is generated based on a content of each recorded video as a hash value and is uploaded into a blockchain. Second mark information is generated based on a content of at least one video under investigation. By comparing the first mark information and the second mark information, a video under investigation is found to be undistorted and authentic when the first mark information is the same as the second mark information. The video under investigation is found to be non-authentic when the first mark information is different from the second mark information. A terminal device and a computer readable storage medium applying the method are also disclosed.

Abstract: A secret-key managing method includes: constructing a multi-node secret-key storing system, in response to secret-key data required by an encryption-decryption service program being not in an operating state, storing the secret-key data into a random node in the multi-node secret-key storing system, and controlling the secret-key data to migrate among nodes in the multi-node secret-key storing system according to a predetermined migration rule, rather than directly storing in the internal memory corresponding to the encryption-decryption service program, the attacker cannot know the storage position of the secret-key data, and thus has difficulty in stealing the secret-key data with conventional attacking means. Moreover, when a secret-key invoking request based on the encryption-decryption service program is received, the storage position of the secret-key data at the current moment can be determined based on the predetermined migration rule, to feed back the secret-key invoking request.

Abstract: A processor includes an execution unit for executing a message padding instruction including an operand field indicating a register buffering a message block segment of a message block to be padded and a mode field indicating which hash functions is to be applied to the message block. The execution unit includes a padding circuit configured to receive a message block segment from a register indicated by the operand field, where the message block spans multiple registers in a register file. Based on which hash function is indicated by the mode field, the padding circuit selects a byte location in the message block segment at which to insert at least one padding byte and inserts the at least one padding byte at the byte location within the message block segment. The message block segment as padded by the at least one padding byte is written back to the register file.

Abstract: A method for managing a storage system includes initiating, by a hardware resource manager, a boot-up of a storage controller managing the storage system comprising a plurality of storage devices, making a determination, by the storage controller, that the storage controller is in a secured mode, based on the determination: identifying a security state of each of the plurality of storage devices, determining that a storage device of the plurality of storage devices is in an unsecured state, and based on the unsecured state, sending, by the storage controller, a security operation request for securing the storage device, obtaining a secure state response from the hardware resource manager corresponding to securing the storage device, and based on the secure state response, resuming operation of the storage controller based on the secure mode.

Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.

Abstract: A data analytics system/method operative in conjunction with a data repository storing data regarding each of a multiplicity of frames including images of ID documents, including receiving at least one image generated by an image capturing device such as a camera or scanner; providing document data, derived by a hardware processor from the image capturing device, which characterizes a document depicted in the image; providing person data, derived by a hardware processor from the image, which characterizes a person who may bear the document depicted in the image; and generating inputs for identification of potential fraudulent attempts including analyzing whether the document data exists within the data regarding each of the multiplicity of images of ID documents; and/or analyzing whether the person data exists within the data regarding each of the multiplicity of images of ID documents.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a centralized application programming Interface (API) system and a security zone policy enforcement system in a cloud service provider infrastructure. The centralized API system receives an API request that identifies an operation to be performed on a resource in the CSPI. The system determines, from the API request, compartment information and context information associated with the resource. Responsive to determining the compartment information and the context information associated with the resource, the system determines that the resource resides in a compartment that is associated with a security zone. The system then processes the API request and transmits a result of processing of the API request to a user of the centralized API processing system.

Abstract: A Ransomware Activity Detection System (RADS) characterizes historic read/write IO activity on a storage volume, and also characterizes historic data characteristics of the storage volume, such as the percentage reducibility of the data held in the storage volume. The RADS monitors the storage volume to identify differences between current read/write IO activity and historic read/write IO activity, as well as difference between current data characteristics of the storage volume and historic data characteristics of the storage volume. When the RADS detects a significant difference in read/write IO activity on a storage volume, that is coupled with a significant changes to the data characteristics of the storage volume, the RADS protects the storage volume and generates an alert of the possible occurrence of a ransomware attack. Protection may occur prior in connection with any bulk read operation to proactively protect storage volumes against ransomware attacks.

Abstract: Examples herein describe a scalable tweak engine and prefetching tweak values. Regarding the scalable tweak engine, it can be designed to accommodate different bus widths of data. The scalable tweak engine described herein includes multiple tweak calculators that can be daisy chained together to output multiple tweak values every clock cycle. These tweak values can be sent to multiple encryption cores so that multiple data blocks can be encrypted in parallel. Regarding prefetching tweak values, previous encryption engines incur a delay as the tweak value (e.g., a metadata value) for a data block is calculated. In the embodiments herein, the encryption engine can include an independent metadata engine that determines the metadata value for a subsequent data block while the current data block is being encrypted.

Abstract: Methods, systems, and computer storage media provide a privacy compliance notification indicating a database's level of compliance with a privacy policy after restoring the database to the database's backup copy. The database is associated with a database management engine. The database supports privacy-based first-class data entities. The privacy-based first-class data entities are database entities having privacy system-level metadata properties associated with data operations in a database language syntax. The privacy compliance notification may be generated based on determining whether a privacy database operation associated with a database journal and a privacy journal has been executed on a database since the database was restored to a backup copy of the database.

Abstract: According to one embodiment, a memory system includes a nonvolatile memory and a controller. In response to receiving from a host a write request designating a first address for identifying data to be written, the controller encrypts the data with the first address and a first encryption key, and writes the encrypted data to the nonvolatile memory together with the first address. In response to receiving from the host a read request designating a physical address indicative of a physical storage location of the nonvolatile memory, the controller reads both the encrypted data and the first address from the nonvolatile memory on the basis of the physical address, and decrypts the read encrypted data with the first encryption key and the read first address.

Abstract: A memory controller for improving data integrity and providing data security. The memory controller including a transmit data path to transmit write data to a memory device, the transmit data path comprising a scrambling component, wherein the scrambling component includes a scrambling logic and an exclusive OR logic, wherein the write data is divided into a first portion and a second portion, wherein input of the scrambling logic comprises the first portion of the write data and an address associated with the write data to generate a pseudo-random output, and wherein input of the exclusive OR logic comprises the second portion of the write data, the pseudo-random output and a fixed seed corresponding to the first portion of the write data to generate a scrambled data.

Abstract: Decrypting data at a first storage system that has been encrypted at a second, separate, storage system includes the first storage system requesting a key that decrypts the data from the second storage system, the second storage system determining if the first storage system is authorized for the key, the second storage system providing the key to the first storage system in response to the first storage system being authorized, a host that is coupled to the first storage system obtaining the key from the first storage system, and the host using the key to decrypt and access the data at the first storage system. The host and the first storage system may provide failover functionality for a system that includes the second storage system. The host may obtain the key from the first storage system in response to a failure of the system that includes the second storage system.

Abstract: A transmitter device for sending an encrypted message to a receiver device in an identity-based cryptosystem, the identity-based cryptosystem includes a transmitter trusted center connected to the transmitter device and a receiver trusted center connected to the receiver device. The transmitter device is configured to: receive, from the transmitter trusted center, two public authentication keys; check if a set of conditions related to a transmitter trusted center public key, to a receiver trusted center public key, and to a transmitter authentication key comprised in the two public authentication keys are satisfied; determine a ciphertext set comprising an encrypted message if the set of conditions are satisfied; send the ciphertext set to the receiver device.

Abstract: A computer-implemented method for remote management of hardware security modules (HSMs) includes receiving a command request from a mobile device. The command request includes an encrypted key part and an encrypted signing key. The HSM decrypts the command request using a key associated with a security zone of the mobile device. The HSM decrypts the encrypted key part and the encrypted signing key. Decrypting the encrypted key part and the encrypted signing key includes using the key associated with the security zone of the mobile device and a key associated with a remote administrator associated with the mobile device. A command is generated for a domain with a target HSM. The command is generated using the decrypted key part and the decrypted signing key. The command is transmitted to the domain for execution by the target HSM. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A plurality of public encryption keys are distributed to a plurality of participants in a federated learning system, and a first plurality of responses is received from the plurality of participants, where each respective response of the first plurality of responses was generated based on training data local to a respective participant of the plurality of participants and is encrypted using a respective public encryption key of the plurality of public encryption keys. A first aggregation vector is generated based on the first plurality of responses, and a first private encryption key is retrieved using the first aggregation vector. An aggregated model is then generated based on the first private encryption key and the first plurality of responses.

Abstract: Managing a software multi-ownership account including operations of registering software, setting a usage authority, and transferring a usage authority. The operation of registering the software includes the operations of: receiving, by a reception unit of a management server, a software registration request from a software manufacturer server; checking whether an authentication unit of the management server is a pre-approved manufacturer; and generating a smart contract transaction using time information at which the authentication unit of the management server is requested to register the software and string information of a software name. An authority can be effectively transferred to use software between users to another person by using a sub-access token interworked to a system user account, and by additionally issuing a sub-access token for multiple access authorities for one piece of software, a user is able to have multiple access authorities, thereby broadening the scope of software utilization.

Abstract: Systems and methods of the present disclosure enable the automated provisioning of security and compliance policies and onboarding to identity governance solutions. The systems and methods include processors to receive a database provisioning request associated with at least one entity and accessing at least one identity data record via an identity management mechanism associated with the at least one entity. The processors automatically access the database via a secured port; automatically cause to generate in the database, at least one privilege account and at least one access credential rule based on the at least one identity data record. The database is configured to utilize the at least one access credential rule to automatically manage access credentials for accessing the database via the at least one privilege account. The processors automatically disconnect from the secured port of the database.

Abstract: Malicious website detection has been very crucial in timely manner to avoid phishing. User privacy also needs to be maintained at the same time. A system and method for classifying a website URL have been provided. The system is configured to achieve end-to-end privacy for machine learning based malicious URL detection. The system provides privacy preserving malicious URL detection models based on Fully Homomorphic Encryption (FHE) approach either using deep neural network (DNN), using logistic regression or using a hybrid approach of both. The system is utilizing a split architecture (client-server) where-in feature extraction is done by a client machine and classification is done by a server. The client machine encrypts the query using FHE and sends it to the server which hosts machine learning model. During this process, the server doesn't learn any information about the query.

Abstract: Devices and techniques are generally described for peer-based anomalous rights detection. In various examples, a rights vector may be determined for a first individual, the rights vector representing rights held by the first individual. A nearest neighbor algorithm may be used to determine a set of individuals having similar rights to the first individual. In various examples, a category label associated with the first individual may be determined. In some examples, a number of individuals of the set of individuals having the category label may be determined. In some examples, a determination may be made that the rights held by the first individual are anomalous based at least in part on the number. In some cases, alert data indicating that the rights held by the first individual are anomalous may be generated.