Abstract: Method and apparatus for managing data in a data storage device configured as a storage compute appliance. In some embodiments, the data storage device has a non-volatile memory (NVM) and a controller circuit. The NVM stores a plurality of data sets encrypted by at least one encryption key. The controller circuit performs a storage compute appliance process by locally decrypting the plurality of data sets in a local memory of the data storage device, generating summary results data from the decrypted data sets, and transferring the summary results data across the host interface to an authorized user without a corresponding transfer of any portion of the decrypted data sets across the host interface.

Abstract: A security solution for BLUETOOTH Low Energy (BLE) or equivalent wireless data exchange protocols involves authentication of a peripheral device by a central device using the advertising channel is presented. A method of authenticating a peripheral device in a wireless data exchange has a peripheral device sending an advertising channel Protocol Data Unit (PDU), a central device receiving the advertising channel PDU and the central device sending a scan request scanning PDU to the peripheral device. The advantage of this method of using discovery protocol enables a software based solution for the monitoring device and a hardware with software based solution on the beacon device.

Abstract: Disclosed herein are embodiments of systems, methods, and products providing real-time anti-malware detection and protection. The computer uses artificial intelligence techniques to learn and detect new exploits in real time and protect the full system from harm. The computer trains a first machine learning model for executable files. The computer trains a second machine learning model for non-executable files. The computer trains a third machine learning model for network traffic. The computer identifies malware using the various machine learning models. The computer restores to a clean, uncorrupted state using virtual machine technology. The computer reports the detected malware to a security server, such as security information and even management (SIEM) systems, by transmitting detection alert message regarding the malware. The computer interacts with an administrative system over an isolated control network to allow the system administrator to correct the corruption caused by the malware.

Abstract: The method, computer system, and computer program product for using a key management server to protect visible content. The method, computer program product, and computer system may include a key management server which may receive, from an encryption device, an identification of one or more portions of clear information visible on a physical document. The key management server may receive, from the encryption device, one or more permission parameters. The permission parameters may include a time duration parameter, a location parameter, a start and end time parameter, or a device identification parameter. Further, the key management server may receive, from a decryption device, a request to access a portion of the clear information. The key management server may transmit, to the decryption device, information permitting access to the portion of clear information.

Abstract: A method operable by a computing device for configuring access for a limited user interface (UI) device to a network service via a local network access point is disclosed. The method comprises the steps of: obtaining from the limited UI device a device identifier via a first out-of-band channel. The device identifier is provided to the network service via a secure network link. A zero knowledge proof (ZKP) challenge is received from the network service. Configuration information is provided to the limited-UI device via a second out-of-band channel, the configuration information including information sufficient to enable the limited-UI device to connect to the local network access point. The ZKP challenge is provided to the limited-UI device via the second out-of-band channel.

Abstract: A method, computer system, and a computer program product for controlling access to an asset in a blockchain network is provided. The present invention may include encrypting the asset using a target encryption key. The present invention may also include storing the encrypted asset on a ledger. The present invention may then include receiving a start encryption key to access the asset. The present invention may further include traversing a graph of keys beginning with the start encryption key across a plurality of nodes and edges until reaching the target encryption key. The present invention may also include allowing access to the asset based on reaching the target encryption key.

Abstract: Embodiments provide bidirectional signature protection for packaged apps by verifying an authored app as executable and downloadable from a trusted marketplace service in response to determining that a (first) unique signature embedded within binary code defining the authored app matches an original trusted marketplace service signature acquired from the trusted marketplace service. Embodiments store another (second) signature acquired from the binary code defining the authored app into a storage item of the trusted marketplace service, wherein the second signature is unique to the authored app and different from the first signature; and offer the verified, authored app for download from the trusted marketplace service, wherein the first signature and the second signature are embedded in binary code defining the authored app.

Abstract: Encryption and decryption techniques based on one or more transposition vectors. A secret key is used to generate vectors that describe permutation (or repositioning) of characters within a segment length equal to a length of the transposition vector. The transposition vector is then inherited by the encryption process, which shifts characters and encrypts those characters using a variety of encryption processes, all completely reversible. In one embodiment, one or more auxiliary keys, transmitted as clear text header values, are used as initial values to vary the transposition vectors generated from the secret key, e.g., from encryption-to-encryption. Any number of rounds of encryption can be applied, each having associated headers used to “detokenize” encryption data and perform rounds to decryption to recover the original data (or parent token information). Format preserving encryption (FPE) techniques are also provided with application to, e.g., payment processing.

Abstract: Some embodiments of the present invention include an apparatus for securing data and include a processor, and one or more stored sequences of instructions which, when executed by the processor, cause the processor to set a data download threshold, encrypt data to be downloaded by a user based on detecting size of the data violating the download threshold such that the user receives encrypted downloaded data, and manage a decryption key used to decrypt the encrypted downloaded data. The decryption key may be deconstructed into “N” key fragments and may be reconstructed using “K” key fragments where “N” is equal to “2K?1”.

Abstract: A permissioned blockchain is caused to be deployed to nodes. Access level blocks are established. Each access level block is configured to store a nanoblock. Each nanoblock is an encrypted database. The access level blocks include access levels blocks for users, and the corresponding access level block for each user includes security credentials for the user. For each access level block: nodes are selected for deployment of the access level block; and the access level block is replicated to each of the selected nodes, such that, after replicating the access level blocks, there are at least two copies of each access level block on the permissioned blockchain, and the permissioned blockchain is capable of performing cryptographic operations, including determining permissions of the users based on the security credentials for the users, and is further capable of storing details of the cryptographic operations on the nanoblocks.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: The present disclosure is generally directed a data processing system for authenticating packetized audio signals in a voice activated computer network environment. The data processing system can improve the efficiency and effectiveness of auditory data packet transmission over one or more computer networks by, for example, disabling malicious transmissions prior to their transmission across the network. The present solution can also improve computational efficiency by disabling remote computer processes possibly affected by or caused by the malicious audio signal transmissions. By disabling the transmission of malicious audio signals, the system can reduce bandwidth utilization by not transmitting the data packets carrying the malicious audio signal across the networks.

Abstract: A method including, when a first extraction request that includes a primary password and is initiated by a first user is received, acquiring an object set corresponding to the primary password, and binding the first user to the object set; generating a secondary password corresponding to the object set, and returning a request response including the secondary password to the first user, so that the first user displays the secondary password to another user; and when a second extraction request that includes the secondary password and is initiated by a second user is received, distributing the object set to the first user according to a processing result of the second extraction request. The technical solution of the present disclosure implement service processing based on multiple levels of passwords.

Abstract: An information processing device includes a selection receiving unit that receives an input indicating selection of at least one countermeasure among a plurality of countermeasures applicable to a terminal, an operating information specifying unit that specifies a type of operating information corresponding to the countermeasure applicable to the terminal, an operating information acquisition unit that acquires operating information of the type specified by the operating information specifying unit, a remaining terminal specifying unit that specifies remaining terminals where a security risk remains when the countermeasure received by the selection receiving unit is applied based on terminal-specific countermeasure information indicating a countermeasure applicable to each terminal against the security risk, a prediction unit that predicts the number of remaining terminals at a future time based on the operating information acquired by the operating information acquisition unit, and a presentation unit that p

Abstract: The present disclosure is generally directed to a method and system for authentication with a computer network that comports with CNA requirements, but utilizes a bypass approach that allows for authentication to be completed within a full-featured browser. In an embodiment, an access point (AP) may be configured to allow for user devices to associate and detect the presence of a captive portal. However, during the CNA messaging sequence, the AP can provide a CNA bypass message that causes the CNA browser instantiated on the user device to consider the authentication complete without having to satisfy authentication requirements. Based on the CNA bypass message, the user device may then transition to a full-featured browser to complete authentication via a captive portal. Authentication may be completed by, for example, watching at least a portion of a video, playing a video game, taking a quiz, and/or entering identifying information.

Abstract: The systems, devices, and methods discussed herein are directed to redirecting mobile traffic of an infected mobile device, or user equipment (UE), to a security network node, which provides a security action for the UE. A mobile session management node may identify the UE as an infected device based on a database maintained at an intelligent redirection node or a security posture indicator received from the UE. The mobile management entity may then create a session with a security network node which redirects mobile traffic of the infected UE to the security network node and provides a security action for the UE.

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

Abstract: A mapping server provisions network elements to optimize the cryptographic resources of a computer network. The mapping server obtains from a source network element, a request for a source endpoint to communicate with a destination endpoint across the computer network. The mapping server determines a cryptographic policy based on the source endpoint, the destination endpoint, and an availability of cryptographic resources on the network elements. The mapping server identifies a destination network element based on the cryptographic policy. The destination network element is associated with the destination endpoint. The mapping server selects a security association based on the cryptographic policy to secure a communication from the source endpoint to the destination endpoint. The security association secures the communication between the source network element and the destination network element.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to users who meet the screening criteria. Screening information for a user associated with the request is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: One embodiment provides a computer system (e.g., a client computing device) for facilitating screen projection, the first computer system comprising a processor and a memory coupled to the processor and storing instructions, which when executed by the processor cause the processor to perform a method, the method comprising: detecting a sound signal associated with a secondary display system, wherein the sound signal includes a passcode; extracting the passcode from the sound signal; processing the passcode; and transmitting data displayed on the computer system to the secondary display system, thereby allowing information displayed on the computer system to be displayed on the secondary display system.