Abstract: Training an adversarial perturbation detector comprises accessing a training set comprising an enrolled biometric sample xi and a public biometric sample x of an enrolled user, and submitted biometric samples x? of a second user, the submitted biometric samples x? comprising perturbed adversarial samples x?+?x?. A transformation function k(?) is provided having learnable a parameter ? and a classifier having a learnable parameter ?. The training set is used to learn the parameters ? and ? by inputting the training set to the transformation function k(?). The transformation function k(?) generates transformed enrolled samples k(xi), a transformed public biometric sample k(x), and a transformed adversarial sample k(x?+?x?). The classifier classifies the transformed adversarial sample k(x?+?x?) as a success or as a fail based on the transformed enrolled samples k(xi). Based on a result of the classification, the learnable parameters ? and ? are updated.

Abstract: Some aspects of this disclosure are directed to implementing hardware-based obfuscation of digital data. For example, some aspects of this disclosure relate to a method, including performing a capture operation that loads a plurality of primary input (PI) bits into corresponding shift registers of a plurality of test data registers (TDRs) disposed on one or more digital semiconductor devices and configured to store a plurality of secret information bits. The method further includes performing a sequence of shift operations on the plurality of TDRs to obtain a plurality of output bits. The method further includes applying, by an authenticating processor, a derivation function on the plurality of output bits to extract the plurality of secret information bits thereby authenticating the one or more digital semiconductor devices.

Abstract: Protecting a mobile device from visual hacking comprises analyzing a displayed window/page containing data fields and parsing the fields to identify when sensitive information is displayed. Data from a gyroscope of the mobile device is used to detect roll and pitch viewing angles of the mobile device, data from a proximity sensor is used to detect a distance between the mobile device and the user, and a camera is used to take an image of the user and detect a number of faces visible in the image. The sensitive information is obscured when any predefined conditions are not met, including: determining that the roll and pitch viewing angles are not within pitch and roll threshold values, or that the detected distance is not within distance threshold values, or that more than a single face is detected in the image.

Abstract: A system and method for processing garbled circuit techniques in memory-limited environments. The method includes: initializing a plurality of input gates and a plurality of state gates; generating a circuit slice for an update function; setting the plurality of state gates as a plurality of new output-state-gates; and generating a circuit slice for a finalization function, wherein the finalization function represented by a sub-circuit, the outputs of which are terminal gates.

Abstract: A dynamic hybrid residential threat detection method is disclosed. The method includes receiving, by a packet selector on a customer premises equipment (CPE), communication sessions and selecting and sending, by the packet selector, a predefined number of packets of the communication sessions to a CPE detection engine based on packet selection rules. The method also includes inspecting, by the CPE detection engine, the predefined number of packets of each communication session based on CPE detection rules that establish what type of inspection is to be performed by the CPE detection engine based at least in part on CPE resource constraints. The method further includes sending, by the packet selector, the predefined number of packets of at least some of the communication sessions to a cloud detection engine and blocking particular communication traffic on the CPE based on the inspection and/or an instruction from the cloud detection engine.

Abstract: A provisioning system is provided for provisioning a plurality of electronic devices with provisioning data. Each of the plurality of electronic devices is associated with an electronic device type. The provisioning system includes a provisioning control apparatus, and a provisioning equipment configured to be electrically connected with at least one of the plurality of electronic devices for provisioning the at least one electronic device. The provisioning system includes a provisioning security module configured to receive the device type information from the provisioning control apparatus and to generate provisioning data on the basis of the device type information. The provisioning security module transmits the provisioning data to the provisioning equipment for provisioning the at least one electronic device with provisioning data.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication. Message traffic from compromised endpoints is detected. Attributes of ransomware may be detected in the message traffic, as well as attempts to circumvent the security appliance. Compromised devices may be quarantined. A disposable jump box may be utilized to provide an additional layer of protection against ransomware.

Abstract: A technique to stop lateral movement of ransomware between endpoints in a VLAN is disclosed. A security appliance is set as the default gateway for intra-LAN communication by overwriting the DHCP responses. A high availability cluster of the gateways is utilized to distribute traffic and implement load balancing amongst the gateways.

Abstract: A method, and related apparatuses are provided. The method comprises receiving an initial layer-3 message, wherein the initial layer-3 message comprises an indication indicating that a part of the initial layer-3 message is encrypted, and generating a keystream, wherein the keystream is used to decrypt the encrypted part of the initial layer-3 message.

Abstract: Systems, methods, and computer products for associating a network identifier with a network address enable operations that may include: receiving a network identifier associated with a first network; obtaining an identification of a proof provider; sending, to the proof provider, a network address associated with a second network, wherein the proof provider is configured to generate a signed association of the network identifier with the network address using a private key of the proof provider; obtaining the signed association; and providing, to the second network, at least the signed association. The second network may be configured to validate the signed association and store the signed association.

Abstract: Methods and systems are described herein for generating and assigning resources based on timestamps. A plurality of permission messages associated with a plurality of authorization events may be received with each permission message including an authorization timestamp indicating a generation time of a corresponding permission message. In addition, a plurality of data records may be received with each data record including a corresponding plurality of parameters. Based on the permission messages and the data records, a resource multiplier is generated, and resources assigned to each data record are multiplied based on the resource multiplier.

Abstract: A method and system provide the ability to process video content on a headend. A video processing server authenticates with a key server and public keys are exchanged. The key server generates and places a content key into a document that is signed with the public key. A client on the video processing server receives the document, extracts the content key, and saves the content key to a database. The video content is encrypted using the content key and DRM signaling elements are added to a manifest. The encrypted video content and manifest are received in the head end, a key ID is extracted from the manifest and provided to the CPIX client to retrieve the content key from the CPIX document. The encrypted video content is decrypted using the content key resulting in clear content that is provided to a downstream packager that encrypts and repackages the content for transmission to recipients.

Abstract: A computer vision processor in an image cluster defines a fenced memory region (FMR) that controls access to image data stored in a first portion of a trusted memory region (TMR). The computer vision processor receives FMR requests from an application implemented in a processing cluster. The FMR requests are to access the image data in the first portion of the TMR. The computer vision processor selectively allows the requesting application to access the image data. In some cases, the computer vision processor acquires the image data and stores the image data in the first portion of the TMR, such as buffers in the TMR. A data fabric selectively permits the image processing application to access the data stored in the TMR based on whether the image cluster has opened or closed the FMR for the portion of the TMR.

Abstract: Embodiments of the present invention provide methods, computer program products, and systems. Embodiments of the present invention can in response to receiving content, dynamically determining validity of received content. Embodiments of the present invention can then, in response to an determining the validity of received content, altering the received content prior to transmitting the received content to a user.

Abstract: A method to provide secure operation of a lighting network, the lighting network comprising a lighting device arranged for illuminating an environment and a local controller for controlling the lighting device, wherein the lighting network is further controllable by an external controller, external to the lighting network, wherein the method comprises: determining a configuration status of the lighting network, analyzing the determined configuration status, switching an operational mode of the lighting network between a normal mode and a secured mode based on the analysis; wherein in the normal mode, the lighting network is operably connected to the external controller, and a light rendering function of the lighting device is being controlled by the external controller according to a predetermined set of functions, and wherein in the secured mode, the light rendering function of the lighting device is being controlled by the external controller according to a subset of the predetermined set of functions.

Abstract: In some embodiments, a method can include detecting, at a first circuit, the first circuit being operatively coupled to a memory device having a set of memory portions. The method can include receiving, from the memory device and at the first circuit, a set of encryption key portions after the detecting, each encryption key portion from the encryption key portions being a unique portion of an encryption key. The method can include assembling the encryption key by ordering each encryption key portion from the set of encryption key portions based on (1) a first previously defined list and (2) a second previously defined list. The first previously defined list and the second previously defined list each is stored at or accessible by the first circuit but not stored at or accessible by the memory device. The method can include authorizing access to a second circuit based on the encryption key.

Abstract: Systems and methods for quick start-up of playback in accordance with embodiments of the invention are disclosed. Media content may be encoded in a plurality of alternative streams and a quick start-up stream. The quick start-up stream may include media content that is encoded at a lower quality that the alternative streams and may be encrypted with a different, less secure encryption process than that of the alternative streams. During a start-up of playback, the playback device streams the media content from a quick start-up stream until a metric, such as a decryption key for the alternative streams is met. The device then streams the media content from the alternative streams in response to the metric being met.

Abstract: The present disclosure may describes systems and methods for continuous biometric authentication for an electronic device. A continuous biometric authentication may include biometric sensors, processing systems, biometric data, an accelerometer, and other input/output devices. An accelerometer or other input/output devices may be configured to capture information concerning an electronic device, such as an acceleration of the electronic device, and/or information concerning an area surrounding the electronic device, such as ambient light intensity. Based on captured information, a triggering event associated with, for example, a theft, a change in location, or a transfer of possession may be detected by a processing system. Once a triggering event occurs, systems of the present disclosure may initiate additional biometric authentication procedures.

Abstract: Methods, apparatus, and computer-accessible storage media for controlling export of snapshots to external networks in service provider environments. Methods are described that may be used to prevent customers of a service provider from downloading snapshots of volumes, such as boot images created by the service provider or provided by third parties, to which the customer does not have the appropriate rights. A request may be received from a user to access one or more snapshots, for example a request to export the snapshot or a request for a listing of snapshots. For each snapshot, the service provider may determine if the user has rights to the snapshot, for example by checking a manifest for the snapshot to see if entries in the snapshot manifest belong to an account other than the customer's. If the user has rights to the snapshot, the request is granted; otherwise, the request is not granted.

Abstract: A method of detecting if a relay is present in a PEPS system for a vehicle is provided. The PEPS system includes a plurality of predefined subzones within one or more vehicle inclusion zones and the method includes the steps of: (a) transmitting a challenge signal including an LF telegram and CW signals from one or more antennas associated with the vehicle to a key fob, the CW signals being measured by the key fob; and (b) determining if CW signals measured by the key fob meet predetermined magnetic field strength values associated with one or more subzones from a plurality of predefined subzones, the predefined subzones being derived to accept the magnetic field distributions at localised positions within a valid inclusion zone and reject magnetic field distributions generated by a relay at a relay transmitter.