Abstract: A user equipment is configured for concealment of a mission-critical push-to-talk (MCPTT) group identity in multimedia broadcast multicast services (MBMS). The UE is configured in particular to receive an indication of an MCPTT group pseudonym (7) which is a pseudonym for an MCPTT group identity (11) that identifies an MCPTT group of which the UE is a member. The UE may for example receive this indication from a group management server (GMS) or an MCPTT server. The UE in some embodiments may determine whether received control signalling (e.g., an MBMS subchannel control message) is for the MCPTT group of which the UE is a member, by determining whether the control signaling includes the MCPTT group pseudonym (7).

Abstract: A stackable filesystem architecture that curtails data theft and ensures file integrity protection. In this architecture, processes are grouped into ranked filesystem views, or “security domains.” Preferably, an order theory algorithm is utilized to determine a proper domain in which an application is run. In particular, a root domain provides a single view of the filesystem enabling transparent filesystem operations. Each security domain transparently creates multiple levels of stacking to protect the base filesystem, and to monitor file accesses without incurring significant performance overhead. By combining its layered architecture with view separation via security domains, the filesystem maintains data integrity and confidentiality.

Abstract: By analyzing a content of a first message, a confidentiality level of the first message is determined. An encryption rule for a first computational complexity level corresponding to the confidentiality level of the first message is selected. The first message is encoded according to the encryption rule. The encoded first message and the confidentiality level of the first message are caused to be sent to a recipient.

Abstract: A device may transmit a packet for communicating via a tunnel. The packet may be associated with a protocol. The device may determine that the packet has been dropped by a security device. The device may selectively encrypt, after determining that the packet has been dropped, the packet using a null encryption for transport layer security (TLS) or a combination of encryption associated with the protocol and TLS encryption to generate an encrypted packet. The device may transmit the encrypted packet for communicating via the tunnel.

Abstract: Techniques for identifying certain types of network activity are disclosed, including parsing of a Uniform Resource Locator (URL) to identify a plurality of key-value pairs in a query string of the URL. The plurality of key-value pairs may include one or more potential anonymous identifiers. In an example embodiment, a machine learning algorithm is trained on the URL to determine whether the one or more potential anonymous identifiers are actual anonymous identifiers (i.e., advertising identifiers) that provide advertisers a method to identify a user device without using, for example, a permanent device identifier. In this embodiment, a ranking threshold is used to verify the URL. A verified URL associate the one or more potential anonymous identifiers with the user device as actual anonymous identifiers. Such techniques may be used to identify and eliminate malicious and/or undesirable network traffic.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for protection of network-based resource transfers via the use of encrypted tags. As such, the system allows for generation of unique encrypted tags which encode authorization parameters for denominations of electronic resources. The system may then authorize or deny requested network-based transfers by utilizing a decryption module to access the authorization parameters for a specific electronic resource denomination. Furthermore, the system may manipulate the encrypted tags to alter the authorization parameters or to track an electronic resource denomination across multiple network-based transfers.

Abstract: A method of user data authorization based on blockchain includes: storing, by a first application client, encrypted user data of user data in a blockchain database through a blockchain node, generating authorization information in response to a request of acquiring the user data by a second application client, and notifying the second application client to obtain the authorization information such that the second application client obtains the user data based on the encrypted user data and the authorization information. The encrypted user data is stored in the blockchain database such that the encrypted user data cannot be tampered with and a leak of real user data is prevented. The second application client obtains the user data based on the authorization information and the encrypted user data.

Abstract: Aspects of the disclosure relate to information masking. A computing platform may receive, from a user computing device, a request to access information that includes personal identifiable information (PII). The computing platform may retrieve source data comprising the PII and mask, within the source data and based on a data management policy, the PII. The computing platform may send the masked information in response to the request to access the information. The computing platform may receive a request to unmask the masked information and unmask the PII. The computing platform may log the request to unmask the masked information in an unmasking event log and send the unmasked PII in response to the request to unmask the masked information. The computing platform may apply a machine learning model to the unmasking event log to identify malicious events and trigger remediation actions based on identification of the malicious events.

Abstract: Methods, systems and apparatus, including computer programs encoded on computer storage medium, for implementation of secret superposition protocols. In one aspect a method includes, performing, by a sender party, quantum operations on one or more qubits, comprising preparing, according to a predetermined secret superposition protocol, one or more qubits in respective uniform superposition quantum states; transmitting, by the sender party, to a recipient party, and through a secure channel, data indicating use of the predetermined secret superposition protocol; and transmitting, by the sender party and to the recipient party, one or more of the qubits, wherein the recipient party performs one or more measurements on the qubits to verify use of the predetermined secret superposition protocol.

Abstract: Techniques are described for controlling data and resource access. For example, methods and systems can facilitate controlled token distribution across systems and token processing in a manner so as to limit access to and to protect data that includes access codes.

Abstract: Disclosed herein are an in-vehicle network apparatus and method. The in-vehicle network apparatus includes one or more processors and executable memory for storing at least one program executed by the one or more processors. The at least one program is configured to verify the integrity of software stored in advance in the executable memory, to generate a key table by sharing authentication information with a communication target, and to exchange an encrypted message with the communication target using the key table.

Abstract: A target transaction initiated by a member node device in a blockchain is received, where the target transaction include a reference time parameter, and where the target transaction indicates a transfer of an asset and associated data released by the member node device to the blockchain for transfer to a candidate block. Based on the reference time parameter, a determination is performed as to whether the target transaction is a valid transaction within a transaction validity period. In response to determining that the target transaction is a valid transaction within the transaction validity period, the target transaction is recorded to the candidate block.

Abstract: A system and method for optimizing a defense model using available security capabilities are provided. The method includes obtaining a defense model and an optimal security application implementation associated with the defense model; evaluating available security capabilities deployed in an enterprise environment to determine a plurality of variant security applications implementing the defense model; determining a quality score for each of the plurality of the variant security applications; selecting, from the plurality of variant security applications, a variant security application having a highest quality score; and executing the selected variant security application.

Abstract: Various techniques for processing sensitive data in an isolated incubator system within a service-provider network are described. The incubator system, for instance, is isolated from a client system in the service-provider network. In an example method, the incubator system receives an indication of an operation, and first encrypted data, from the client system. The incubator system converts the first encrypted data to plaintext and performs the operation. The incubator system converts the processed data into second encrypted data and provides the second encrypted data to the client system. Thus, the incubator system performs the operation on the data without exposing the data to the client system in the plaintext format.

Abstract: Provided herein are systems and methods for defining and securely sharing objects for use in preventing data breach or exfiltration. Memory may be configured to store a plurality of objects for use in preventing data breach or exfiltration. A validation engine can validate the objects, incorporate into each object an object identifier and a signature, and generate a subset of the objects for use by a first user. The validation engine can store, in the memory, the plurality of objects as a superset of objects corresponding to the generated subset. An evaluation engine may, responsive to identifying that one or more object identifiers and signatures in a received set of objects belong to the subset corresponding to the stored superset, verify whether any object in the received set has been tampered with.

Abstract: A network interface device comprises an integrated circuit device comprises at least one processor. A network interface device comprises a memory. The integrated device is configured to execute a function with respect to at least a part of stored data in said memory.

Abstract: A system, method and computer-readable medium provide secure communication between a first and a second computer system based on supersingular isogeny elliptic curve cryptography. The first computer system and the second computer system each determine kernels KA and KB including computing mP+nQ by accessing a lookup table stored in a memory that contains a range of doubles of an end point of the respective kernels, where P and Q are points on the public elliptic curve and m and n are integers. The first computer system and the second computer system compute secret isogenies by determining a respective kernel KBA and KAB using mixed-base multiplicands with a single inversion, including computing the respective kernel KBA and KAB by converting the multiplicands to base 32, and computing scalar multiplications using the base 32 multiplicands.

Abstract: Technologies for providing secure utilization of tenant keys include a compute device. The compute device includes circuitry configured to obtain a tenant key. The circuitry is also configured to receive encrypted data associated with a tenant. The encrypted data defines an encrypted image that is executable by the compute device to perform a workload on behalf of the tenant in a virtualized environment. Further, the circuitry is configured to utilize the tenant key to decrypt the encrypted data and execute the workload without exposing the tenant key to a memory that is accessible to another workload associated with another tenant.

Abstract: Systems and methods are provided for controlling maintenance of a fuel dispenser. In one exemplary embodiment, a system is provided having a fuel dispenser that includes an electronics module having a data processor, a remote enterprise server in communication with the electronics module, and a remote code processor in communication with the remote enterprise server. The data processor is configured to determine an authorization password based on data characterizing the fuel dispenser, to receive a remote password that is generated by the remote code processor based on the fuel dispenser data, to determine that the remote password matches the authorization password, and to cause the fuel dispenser to enter a maintenance mode.

Abstract: A message processing request is received from a channel partner device, where the message processing request includes a ciphertext message encrypted in a trusted execution environment (TEE) of a service provider device based on a service processing request that includes a plaintext message of the ciphertext message, and where the service processing request requests at least a portion of the plaintext message to be sent to a target user. A first smart contract deployed in a blockchain of the blockchain network is invoked using a TEE of a blockchain node of a blockchain network. The ciphertext message is decrypted based on the first smart contract to obtain the plaintext message. The plaintext message is sent to an operator device to forward the at least a portion of the plaintext message to the target user.