Patents Examined by Benjamin A Kaplan
  • Patent number: 11240270
    Abstract: A system and method for extending data protection of data elements of a data packet beyond a TLS tunnel termination point by using encryption keys established when the TLS tunnel was established. The system and method include authenticating a client device to establish a shared secret. The system and method include receiving a data packet comprising a data element and an object identifier associated with the data element, the data element encrypted with a first content-specific key associated with the shared secret, the data packet encrypted with a session key. The system and method include decrypting the data packet using the session key to recover a decrypted data packet. The system and method include determining an existence of an object identifier in the decrypted data packet. The system and method include decrypting the data element of the decrypted data packet using a second content-specific key associated with the object identifier.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: February 1, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11232201
    Abstract: Methods and apparatus consistent with the present disclosure, which may be performed by a cloud computing device, may use instrumentation code that remains transparent to an application program that the instrumentation code has been injected into, may perform deep packet inspection (DPI) on computer data, or identify a content rating associated with computer data. In certain instances, data sets that include executable code may be received via packetized communications or be received via other means, such as receiving a file from a data store. The present technique allows one or more processors executing instrumentation code to monitor actions performed by the program code included in a received data set. Malware can be detected using exception handling to track memory allocations of the program code included in the received data set. Furthermore, access to content associated with malware, potential malware, or with inappropriate content ratings may be blocked.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: January 25, 2022
    Assignee: SonicWALL Inc.
    Inventors: Aleksandr Dubrovsky, Soumyadipta Das, Senthilkumar Gopinathan Cheetancheri
  • Patent number: 11222143
    Abstract: Provided are embodiments for a method, system, and computer program product for operating a certified information verification service. Some embodiments include receiving an article including one or more claims, and extracting the one or more claims from the article. The one or more claims are analyzed by the one or more information verification services, and a report for the article is generated based on the analysis.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: January 11, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Scott Gerard, Donna K. Byron
  • Patent number: 11212675
    Abstract: Systems, methods, and computer readable media for performing mobile interactions using a mobile communication device and an access device without a connection to a data network. An access device can provide the mobile communication device with a value request message requesting access tokens for an interaction. The mobile communication device provides access data including a plurality of access tokens to the access device. The access device can use the access tokens to gain access to value elements stored in data lockers of the mobile communication device. Upon receipt of the value elements, the access device may provide the mobile communication device with access to a resource.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: December 28, 2021
    Assignee: Visa International Service Association
    Inventors: Girish Balakrishna Hegde, Deepak Dhiman
  • Patent number: 11201733
    Abstract: Provided is a method for transferring data in a topic-based publish-subscribe system, including a key distribution server and a number of local client systems that can be coupled to the key distribution server, including: providing a group key by the key distribution server for a group selected from the local client systems, locally deriving a first-order sub-group key for a first-order subgroup of the group by key derivation parameters at least comprising the provided group key and a certain topic of the publish-subscribe system by means of the particular client system of the first-order sub-group, and transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. Differentiation within group communication according to topic by specific cryptographic keys is thereby enabled.
    Type: Grant
    Filed: September 15, 2017
    Date of Patent: December 14, 2021
    Inventors: Steffen Fries, Rainer Falk
  • Patent number: 11196774
    Abstract: A method, system, and computer program product for detecting a network application security question is provided. The method includes receiving permission to access social media sources of a user. The social media sources and Internet based sources of the user are monitored in response to receiving the permission and associated data is generated and stored. A request for access to a secure account of the user is received and a list of security questions is presented to the user. The list of security questions is analyzed with respect to the data and each security question is ranked. An answer to a question of the list is received and analyzed and security attributes of the answer with respect to a potential malicious attempt to provide a predicted answer for access to the secure account are determined. A resulting security process with respect to enabling access to the secure account is executed.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: December 7, 2021
    Assignee: International Business Machines Corporation
    Inventors: Yi-hsiu Wei, David Yu Chang, Ching-Yun Chao
  • Patent number: 11182782
    Abstract: In accordance with the invention there may be provided a method and corresponding system for controlling the performance of a process conducted via a blockchain. The blockchain may or may not be the Bitcoin blockchain. The process may be a lending process. Advantageously, the invention provides a mechanism which enables the ultimate owner of a property or other asset to borrow funds against that asset, and sets out how this can be achieved in a manner which does not require the return to the investor(s) to be determined through the payment of interest. This makes it compliant with non-interest forms of lending. The invention provides a blockchain-implemented method (and corresponding system) of embedding data in a blockchain transaction (Tx). The method comprises the steps of deriving a public-key-private key cryptographic pair for the data; deriving a signature for the data using the public key-private key cryptographic pair; codifying the data to generate codified metadata for the data.
    Type: Grant
    Filed: February 14, 2017
    Date of Patent: November 23, 2021
    Assignee: nChain Holdings Limited
    Inventors: Craig Steven Wright, Stephane Savanah
  • Patent number: 11184396
    Abstract: Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: November 23, 2021
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, Prashant Dewan
  • Patent number: 11178162
    Abstract: A method for detecting anomalies in a computer network, in which a message transmitted over the computer network is received or recorded by a node of the computer network; based on at least the message, it is checked by a detection mechanism of the node whether the anomalies have occurred, and an occurrence of the anomalies is either confirmed or refuted according to a predefined detection rule of the detection mechanism.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: November 16, 2021
    Assignee: Robert Bosch GmbH
    Inventors: Hana Boukricha, Janin Wolfinger, Michael Herrmann, Paulius Duplys
  • Patent number: 11178165
    Abstract: Various embodiments provide an approach to detect intrusion of connected IoT devices. In operation, features associated with behavioral attributes as well as volumetric attributes of network data patterns of different IoT devices are analyzed by means of statistical analysis to determine deviation from normal operation data traffic patterns to detect anomalous operations and possible intrusions. Data from multiple networks and devices is combined in the cloud to provide for improved base models for statistical analysis.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: November 16, 2021
    Assignee: Gryphon Online Safety, Inc.
    Inventors: Arindam Das, Arup Bhattacharya, John J Wu
  • Patent number: 11171939
    Abstract: A third-party server, delegated by organizations to manage application environment, may maintain a plurality of guided workflow plans. At least one of the guided workflow plans may include one or more steps associated with setting up an interaction control policy. The third-party server may receive an interaction report associated with the organization. The interaction report may include metadata of one or more devices that interacted with other devices. The third-party server may identify a particular device to which existing interaction control policies of the organization are inapplicable. The third-party server may search for additional out-of-band information of the particular device using the metadata in the interaction report. The third-party server may select an applicable guided workflow plan for setting up an applicable interaction control policy for the particular device. A guided workflow may be presented via a graphical user interface according to the applicable guided workflow plan.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: November 9, 2021
    Assignee: ValiMail Inc.
    Inventors: Seth Joshua Blank, Ashley Duane Wilson, Peter Martin Goldstein, Jack William Abbott, Robert Benjamin Barclay
  • Patent number: 11172366
    Abstract: A system for exchanging authentication data between edge-nodes is provided. The system may include an edge-node network. The network may include a plurality of edge-nodes. Each edge-node may include a pairing module. Each pairing module may receive an instruction to pair with another edge-node. Each pairing module may pair with another edge-node. The pairing module may continually transmit verification communications to other edge-nodes. The pairing module may continually discover responsive communications from other edge-nodes. The pairing module may continually receive responsive verification communications from other edge-nodes. Each edge-node may include an executable module. The executable module may determine occurrence of an event. Upon determination of the occurrence of an event, the executable module may analyze a stored event protocol. The protocol may include an algorithm for implementing executables in response to an event.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: November 9, 2021
    Assignee: Bank of America Corporation
    Inventors: Prabhat Ranjan, William August Stahlhut, John Ryan Bowling
  • Patent number: 11170122
    Abstract: Provided are a system and a method for secure access to data, where the data comprises a number of data records each assigned to an entity, such as a user, and where the data records are stored in encrypted form in a database. A first decryption key assigned to a particular entity is used to decrypt the data records assigned to the particular entity. The first decryption keys are stored in a volatile memory, and the first decryption keys assigned to the particular entity are encrypted by an encryption key assigned to the particular entity, and the encrypted first decryption keys are stored in a permanent memory. After the volatile memory is cleared, the encrypted first decryption keys are copied from the permanent memory into the volatile memory, and in the volatile memory, the first decryption keys are decrypted by a second decryption key assigned to the particular entity.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: November 9, 2021
    Assignee: UNISCON UNIVERSAL IDENTITY CONTROL GMBH
    Inventors: Hubert Jäger, Hans-Christian Perle, Ralf Rieken
  • Patent number: 11165819
    Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
    Type: Grant
    Filed: June 19, 2020
    Date of Patent: November 2, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: K. Tirumaleswar Reddy, Daniel G. Wing, Blake Harrell Anderson, David McGrew
  • Patent number: 11163882
    Abstract: An analysis apparatus has a transfer path matching unit that is provided with a real browser log La and a browser emulator log Lb as input and identifies, as a specific transfer path, a transfer path that is not transferred to a malicious URL on a pseudo-browser where the transfer path is transferred to the malicious URL on a real browser, based on the malicious URL information in a malicious URL database, and an analysis avoidance code identification unit that identifies an analysis avoidance code that avoids analysis by utilizing a browser-specific function or an implementation difference between the real-browser and the pseudo-browser, among script codes that are executed on a website, based on the specific transfer path.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: November 2, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi
  • Patent number: 11159832
    Abstract: Video content is processed for delivery using an automated process that allows for convenient packaging of encrypted or digital rights management (DRM) protected content in a manner such that the packaged content can be efficiently stored in a content delivery network (CDN) or other content source for subsequent re-use by other media clients without re-packaging, and without excessive storage of unused content data.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: October 26, 2021
    Assignee: DISH Technologies L.L.C.
    Inventors: Joseph Ekstrom, Jeremy Pfeifer
  • Patent number: 11157646
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for handling data including images with privacy-sensitive data. In one aspect, a method may include recognizing privacy-sensitive sub-image(s) in an acquired or captured image. The sub-image(s) can be included in a second image that is encrypted. The acquired image can be changed by obscuring the privacy-sensitive sub-image(s) of the acquired image so as not to reveal any personal identifiable information.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: October 26, 2021
    Assignee: Intel Corporation
    Inventor: Oliver Grau
  • Patent number: 11157615
    Abstract: Scanning a virtual disk image for malware without fully extracting the virtual disk image is described herein. An embodiment operates by receiving a selection of a virtual disk image. Virtual storage is initialized based on the virtual disk image. An appliance is launched, and the appliance is configured to access the virtual disk image via the virtual storage. The virtual disk image is scanned for malware using an anti-virus program such that the virtual disk image does not have to be fully extracted. During scanning, on-the-fly decompression, de-deduplication, decryption, and other operations are performed to translate read requests for content on the virtual disk image into raw disk data for the antivirus program.
    Type: Grant
    Filed: April 10, 2019
    Date of Patent: October 26, 2021
    Assignee: Veeam Software AG
    Inventors: Ratmir Timashev, Anton Gostev
  • Patent number: 11159578
    Abstract: A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores cryptographically protected data, an identity management contract and identity stewards specifying individuals to administer the identity management contract. The memory stores instructions executed by the processor to receive a request to identify a legal identity for a digital identity, collect from certain networked machines, via the network interface circuit, consent from the identity stewards, where the consent includes cryptographic identity packets. The cryptographic identity packets are combined to render the legal identity for the digital identity. Transaction data specifying the legal identity for the digital identity is supplied. The transaction data is recorded to a distributed ledger associated with at least a subset of the networked machines.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: October 26, 2021
    Assignee: ANONYOME LABS, INC.
    Inventors: Steven Harvey McCown, Paul Ashley, John David Mumford, Greg Clark
  • Patent number: 11157642
    Abstract: An embodiment of a semiconductor apparatus may include technology to receive data with a unique identifier, and bypass encryption logic of a media controller based on the unique identifier. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: October 26, 2021
    Assignee: Intel Corporation
    Inventors: Francesc Guim Bernat, Mark Schmisseur, Kshitij Doshi, Kapil Sood, Tarun Viswanathan