Patents Examined by Baotran N. To
  • Patent number: 11281485
    Abstract: Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: March 22, 2022
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Prasad Sharad Dabak, Azeem Feroz, Amit Vasant Patil
  • Patent number: 11275859
    Abstract: An example operation may include one or more of receiving, by a blockchain node, a file as a part of a blockchain transaction, splitting, by the blockchain node, the file into a plurality of chunks based on a file size, transmitting, by the blockchain node, the plurality of the chunks to at least one peer-to-peer data store node on a blockchain network, and generating a storage plan based on locations of individual chunks of the plurality of the chunks on the at least one peer-to-peer data store node.
    Type: Grant
    Filed: February 17, 2020
    Date of Patent: March 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Yedendra Shrinivasan, Krishna Chaitanya Ratakonda, Rak-Joon Choi
  • Patent number: 11277270
    Abstract: Representative embodiments disclose mechanisms for flexible controls around use of cryptographic material such as encryption/decryption keys, key pairs, certificates, and so forth. The system replaces a local cryptographic agent or cryptographic service provider with a modified agent/service provider that redirects requests to utilize cryptographic key material used in a cryptographic operation to a backend system. The backend system receives the request and identifies a cryptographic process from context data associated with the request. The cryptographic process can have one or more controls attached to one or more operations in the cryptographic process. The controls are conditions that must be completed, in addition to successful completion of the underlying operation, in order to complete the underlying operation. A process owner can easily add, remove, and/or rearrange operations as well as controls to provide flexible controls around the use of cryptographic material.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: March 15, 2022
    Assignee: Venafi, Inc.
    Inventors: Peter Dennis Bartok, William Anthony Pereira
  • Patent number: 11258784
    Abstract: Approaches presented herein enable credentials to be revoked or otherwise modified while limiting the impact of inadvertent or unintended changes in access. In some embodiments, the revocation of a credential can occur over a period of time with the level of access being diminished over that period, in order to prevent an inadvertent denial of access while indicating to the requestor that there is an issue with the credential. When a new policy is created for a new credential, a prior policy can be retained for at least a period of time such that users with inadvertently revoked access can obtain a level of access per the previous policy. Various embodiments trace the calls for a credential throughout the system in order to determine which services, processes, or components might be affected by the revocation, such that an appropriate remedial action can be taken.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: February 22, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Jon T. Hanlon
  • Patent number: 11244079
    Abstract: Provided is a method for masking a sensitive signal by injecting noise into planes of a printed circuit board (PCB). The method comprises detecting, by a secondary integrated circuit (IC), a noise signal on a shared plane of a PCB that includes the secondary IC. The noise signal may be analyzed to determine the characteristics of the noise signal. A masking signal may be generated based on the characteristics. The masking signal may then be injected onto the shared plane.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: February 8, 2022
    Assignee: International Business Machines Corporation
    Inventors: Matteo Cocchini, Silvio Dragone, Stefano Sergio Oggioni, James Busby, William Santiago-Fernandez
  • Patent number: 11240273
    Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.
    Type: Grant
    Filed: April 5, 2021
    Date of Patent: February 1, 2022
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
  • Patent number: 11233789
    Abstract: Apparatuses, systems, methods, and computer program products are disclosed for automated event migration. A method includes aggregating a set of events from one or more servers to a trusted hardware device. Certain different events of a set of events may be associated with different service providers. A method includes identifying, on a trusted hardware device, a repeating event from a set of events. A method includes prompting a user to migrate subsequent instances of a repeating event from one service provider to a different service provider of a plurality of service providers based on a likelihood that the aggregated set of events includes each event for the user of an event type of the aggregated set of events. A method includes migrating subsequent instances of a repeating event, using a user's electronic credentials, from one service provider to a different service provider in response to the user accepting a prompt.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: January 25, 2022
    Assignee: MX TECHNOLOGIES, INC.
    Inventor: John Ryan Caldwell
  • Patent number: 11218303
    Abstract: A quantum attack-resistant system for processes of cryptography key exchange comprises a linear space computing module, a manifold computing module, and a Banach space computing module. The system implements the technologies of homotopy morphing and key cloaking for facilitating the processes of key exchange to perform quantum attack-resistant operations in a mathematics space which is different from the spaces that generic quantum attacks work on, and then retrieve the original key in a Hilbert space after the processes of key exchange. The system not only avoids quantum attacks on key exchange processes, but also avoids the defects of current PQC solutions, the vulnerability of the main streamed symmetric & asymmetric encryption systems, and the limitation of quantum key operation in a Hilbert space. Both legacy key solution and quantum key solution are provided and implemented without requiring expensive devices.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: January 4, 2022
    Assignee: AhP-Tech Inc.
    Inventor: Chao-Huang Chen
  • Patent number: 11218471
    Abstract: Systems, apparatuses, and methods are disclosed for quantum entanglement authentication (QEA). An example method includes transmitting a first number and a second electronic identification of a second subset of the first set of entangled quantum particles to a second computing device, transmitting a second number and a first electronic identification of a first subset of a first set of entangled quantum particles to a first computing device, wherein each entangled quantum particle in the first set of entangled quantum particles is entangled with a respective entangled quantum particle in a second set of entangled quantum particles, receiving, from the first computing device, a first session key, receiving, from the second computing device, a second session key and in an instance in which the first session key corresponds to the second session key, authenticating a session between the first computing device and the second computing device.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: January 4, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Jeff J. Stapleton, Robert L. Carter, Jr., Pierre Arbajian, Bradford A. Shea, Peter Bordow, Michael Erik Meinholz
  • Patent number: 11212678
    Abstract: Systems and methods here may be used for authorizing network access including using by a server computer with a processor and memory, for receiving, through the gateway support node, a request to access the first network associated with the gateway support node from a client device, wherein the request includes a client device identifier, sending a validation request of the client device identifier to the data storage server, receiving a validation response based on previously registered client device identifier information and previously registered credential information from a second network, from the data storage server and sending authorization approval to the gateway support node for the client device access request to the first network.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: December 28, 2021
    Assignee: ARRIS ENTERPRISES LLC
    Inventors: Doron Givoni, Oleg Pogorelik
  • Patent number: 11196572
    Abstract: This disclosure relates to blockchain-based content verification. In one aspect, a method includes receiving, from a client device of a signer, a target transaction request for triggering presentation of a target electronic document. A smart contract for content verification of the target electronic document is invoked in response to receiving the target transaction request. A content verification program declared in the smart contract is executed. The executing includes reading content of the target electronic document from a blockchain and performing content verification on the target electronic document based on the content of the target electronic document read from the blockchain. A content verification result and the content of the target electronic document are returned to the client device for presentation to the signer.
    Type: Grant
    Filed: April 20, 2021
    Date of Patent: December 7, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Wei Ding, Zhiguo Li
  • Patent number: 11196725
    Abstract: A network attached storage device coupled to a local network and including a network interface configured to receive digital content from a remote content provider outside the local network. The network attached storage device includes storage having a first region accessible by a user of the local network and a secure region. The network attached storage device includes a processor coupled to the storage, the processor configured to control access to the secure region of the storage based on instructions received from a remote content provider.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: December 7, 2021
    Assignee: Western Digital Technologies, Inc.
    Inventors: Dean M. Jenkins, Robert P. Ryan
  • Patent number: 11190347
    Abstract: Disclosed is a method for allocating QKD network resources, which includes the following steps: obtaining a network structure of a QKD network, and constructing a key topology according to distribution conditions of quantum key resources in the QKD network; in response to arrival of a service requiring encryption, judging whether the encrypted service is delay sensitive; when the service is delay sensitive, distributing quantum key resources to the service according to the key topology of the QKD network; and when the service is not delay sensitive, distributing quantum key resources to the service according to the network structure of the QKD network. Moreover, the present disclosure also provides a device for allocating QKD network resources and a non-transitory computer-readable storage medium.
    Type: Grant
    Filed: January 2, 2020
    Date of Patent: November 30, 2021
    Assignee: Beijing University of Posts and Telecommunications
    Inventors: Yongli Zhao, Xiang Liu, Xiaosong Yu, Yajie Li, Jie Zhang
  • Patent number: 11176244
    Abstract: Embodiments of this application disclose a cloud application detection method, including: obtaining at least one application instance corresponding to a to-be-detected cloud application, where the application instance corresponds one-to-one to a guard agent; extracting, by using the guard agent, a first characteristic value corresponding to each application instance; updating the first characteristic value to a second characteristic value when the to-be-detected cloud application meets a preset characteristic value update condition; and determining the to-be-detected cloud application as a target cloud application with security vulnerability if second characteristic values are inconsistent. This application further discloses a cloud application detection apparatus. Integrity protection during running can be provided for a cloud application deployed on a platform as a service.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: November 16, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Dongyan Chai, Shengjun Tang
  • Patent number: 11176243
    Abstract: A processor implementing techniques for processor extensions to protect stacks during ring transitions is provided. In one embodiment, the processor includes a plurality of registers and a processor core, operatively coupled to the plurality of registers. The plurality of registers is used to store data used in privilege level transitions. Each register of the plurality of registers is associated with a privilege level. An indicator to change a first privilege level of a currently active application to a second privilege level is received. In view of the second privilege level, a shadow stack pointer (SSP) stored in a register of the plurality of registers is selected. The register is associated with the second privilege level. By using the SSP, a shadow stack for use by the processor at the second privilege level is identified.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: November 16, 2021
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Jason W. Brandt, Ravi L. Sahita, Barry E. Huntley, Baiju V. Patel, Deepak K. Gupta
  • Patent number: 11165766
    Abstract: A method and computer system for implementing authentication protocol for merging multiple server nodes with trusted platform modules (TPMs) utilizing provisioned node certificates to support concurrent node add and node remove. Each of the multiple server nodes boots an instance of enablement level firmware and extended to a trusted platform module (TPM) on each node as the server nodes are powered up. A hardware secure channel is established between the server nodes for firmware message passing as part of physical configuration of the server nodes to be merged. A shared secret is securely exchanged via the hardware secure channel between the server nodes establishing an initial authentication value shared among all server nodes. All server nodes confirm common security configuration settings and exchange TPM log and platform configuration register (PCR) data to establish common history for future attestation requirements, enabling dynamic changing the server nodes and concurrently adding and removing nodes.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: November 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Timothy R. Block, Elaine R. Palmer, Kenneth A. Goldman, William E. Hall, Hugo M. Krawczyk, David D. Sanner, Christopher J. Engel, Peter A. Sandon, Alwood P. Williams, III
  • Patent number: 11138331
    Abstract: Presented here is a system that manages secured file system, and an authority to the secured file system, by granting access only to a user who is authorized to access the file system. The user within the system is identified using a unique key unique to each user. The user's authority is recorded in a linear sequence distributed among multiple devices each of which independently verifies the validity of each block in the linear sequence. The validity of the linear sequence is guaranteed by preventing certain operations from being performed on the linear sequence, such as branching of the linear sequence, deletion, and modification of the blocks within the linear sequence. Prior to adding a new block to the linear sequence, the validity of the block is independently computed by each of the devices.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: October 5, 2021
    Assignee: SpiderOak, Inc.
    Inventor: Jonathan Andrew Crockett Moore
  • Patent number: 11134087
    Abstract: A method, system and computer-usable medium for mitigating security breaches associated with dissemination of protected data. In certain embodiments, the method includes receiving information communicated to a secured network from a source external to the secured network and determining whether the received information includes protected data. If the received information includes protected data, a determination is made as to whether the receipt of the protected data is anomalous. If the receipt of the protected data is anomalous, one or more sources of egress of the protected data from the secured network are identified. By identifying the sources of egress, actions may be taken to prevent future egress of the protected data.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: September 28, 2021
    Assignee: Forcepoint, LLC
    Inventor: Richard A. Ford
  • Patent number: 11128614
    Abstract: A trusted session is to be established between a smart speaker and a computer server. The computer server may receive an instruction to initiate a trusted session with the smart speaker. The instruction includes an indication of an account linking token for linking a first and second account associated with the smart speaker and the computer server, respectively. The computer server generates a session token and sends it to the smart speaker for acoustic signalling. The acoustic signal is captured by a mobile device and used to reconstruct the session token. The computer server receives the reconstructed session token along with identifying information from the mobile device. The computer server system uses the identifying information to confirm that the mobile device is associated with the second account. Upon so confirming, the computer server may establish a trusted session between the first smart speaker and the computer server system.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: September 21, 2021
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, Vipul Kishore Lalka
  • Patent number: 11122072
    Abstract: A method securely scans a second web page linked to a first web page being displayed by a browser. The method identifies a target link to a second web page from one or more links contained within a first web page. Prior to receiving a user selection of the target link, the method prefetches content from the second web page and loads the prefetched content from the second web page into a safe cache before receiving the user selection of the target link. The method scans the prefetched content from the second web page for a security threat, within the safe cache, wherein the safe cache is configured to prevent the prefetched content from altering a memory location or storage location external to the safe cache. In response to identifying a security threat within the prefetched content, the method displays a warning to the user.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: September 14, 2021
    Assignee: Cufer Asset Ltd. L.L.C.
    Inventors: Scott Milener, Wendell Brown, James Kelly