Abstract: Techniques for detecting suspicious data object access requests indicative of potential insider threats are described. A suspicious access detection module (SADM) determines, based on access data describing a access requests issued on behalf of multiple users, groups of the users having similar patterns of accesses to resource groups, a set of the resource groups accessed by each of the user groups, and ones of the user groups that are to be considered nearby others of the user groups based on having a threshold amount of resource group access similarities. The SADM causes an alert to be generated responsive to a determination that a subsequent access request is suspicious because it accesses a data object of a resource group that is not within the set of accessed resource groups of the issuing user's user group, and because the resource group is not within the sets of accessed resource groups of any nearby user groups.

Abstract: Embodiments of the present invention provide systems, methods, and computer storage media directed to facilitate identification of security policies for documents. In one embodiment, content features are identified from a set of documents having assigned security policies. The content features and corresponding security policies are analyzed to generate a security policy prediction model. Such a security policy prediction model can then be used to identify a security policy relevant to a document.

Abstract: Techniques include receiving an access notification identifying a request by an identity for access to an access-protected network resource; identifying a configurable and multi-dimensional policy defining rights of the identity to access the access-protected network resource with respect to the operation of the access-protected network resource; automatically determining, based on the configurable and multi-dimensional policy, whether to perform at least one of: permitting the identity to access the access-protected network resource; denying the identity to access the access-protected network resource; or rotating a secret associated with the identity.

Abstract: A single round advanced encryption standard circuit module includes a substitution byte/inverse substitution byte unit, configured to substitute elements of an input state array to generate an output state array and to respectively generate a first state array, a plurality of second state arrays, a third state array, a plurality of fourth state arrays and the output state array according to a first tier circuit unit, a second tier circuit unit, a third tier circuit unit, a fourth tier circuit unit and a fifth tier circuit unit; wherein the first state array, the plurality of second state arrays, the third state array and the plurality of fourth state arrays are represented by register-transfer level codes; wherein the substitution byte/inverse substitution byte unit is implemented by composite field arithmetic of sharing operators and operands.

Abstract: Methods, apparatus, and processor-readable storage media for protecting data based on a context of data movement operations are provided herein. An example computer-implemented method includes identifying a context of a data movement operation based at least in part on a source and an indicated destination of data associated with the data movement operation; applying one or more data protection policies to the data movement operation based at least in part on the identified context, wherein a given data protection policy comprises one or more indications of one or more content scanners that are configured to detect data belonging to one or more regulated data classes; and in response to detecting data associated with the data movement operation that belongs to at least one of the regulated data classes, performing one or more automated remedial actions associated with the at least one regulated data class.

Abstract: A method and device for comparing movement paths based on homomorphic encrypted is disclosed, where a server includes a processor configured to collect first encrypted movement path information of a comparison target encrypted by a common key, receive, from a user device, second encrypted movement path information of a user of the user device encrypted by a private key, compare the first encrypted movement path information and the second encrypted movement path information, decrypt a portion of a result of the comparison by the common key to generate a partially decrypted comparison result, and provide the partially decrypted result of the comparison to the user.

Abstract: Embodiments provide access to enterprise data via a secured virtual environment hosted on an Information Handling System (IHS), with the integrity of the IHS validated prior to launching the virtual environment. The integrity of the IHS may also be continuously validated during operation of the launched virtual environment. Policies for accessing the enterprise data are stored in a secured memory that is isolated from the operating system of the IHS. A virtual environment is configured, according to the policies, with resources for a particular user to access the enterprise data. If the integrity of the IHS is validated by a trusted resource on the IHS, the virtual environment is launched. During operation of the virtual environment, the trusted resource periodically confirms the integrity of the IHS. If the integrity of the IHS is not verified or policy changes are identified, access to the secured workspace may be revoked.

Abstract: This application provides a display method and apparatus, and a terminal, and relates to the field of image processing technologies, to resolve a problem that a peeping behavior of a peeper cannot be proved. The method is applied to a terminal having a front-facing camera and a display screen, where the front-facing camera and the display screen are on a same side of the terminal. The method includes: presenting a running interface of an application by using the display screen; collecting an image by using the front-facing camera; and when the image collected by the current camera meets a preset condition, presenting at least two display windows on the display screen. A first display window displays the running interface of the application, and a second display window displays the image collected by using the front-facing camera. This application is applicable to the terminal.

Abstract: Biometric data such as iris, facial, or fingerprint data may be obtained from a user. A public code may be generated from the biometric data, but does not obtain any of the biometric data or information that can be used to identify the user. The public code includes information that can be used to extract from the biometric data a biometric code that is suitable for bitwise comparison. Neither the underlying biometric data nor information from which the biometric data may be determined is stored as only the public code and the actual biometric feature of the user is required to generate the biometric code.

Abstract: Dynamic data dissemination is provided. A resolved data subject identifier corresponding to a data subject is selected from a set of resolved data subject identifiers existing in rows of a data asset. In response to determining that the resolved data subject identifier does not correspond to a right to forget list, it is determined that the resolved data subject identifier corresponds to a data subject request list. The rows are transformed to anonymize existing pseudo and personal identifiers in cells of the rows that are tied to columns associated with data classes for which specific consent dimensions have been indicated as revoked by the data subject.

Abstract: Techniques for implementing proactive data security operations for files using an analysis of access permission levels for the files are disclosed. In some embodiments, a computer system performs operations comprising: determining that data of a file includes sensitive information based on an analysis of the data using a data classification model; determining that access to the file is open using an access classification model; and based on the determination that the data of the file includes sensitive information and the determination that the access to the file is open, causing a notification to be displayed on a computing device of a user, the notification comprising an indication that the file includes sensitive information and that access to the file is open.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for quantum computing (QC) detection. An example method includes generating QC detection data. The example method further includes generating a pair of asymmetric cryptographic keys comprising a public cryptographic key and a private cryptographic key, generating encrypted QC detection data based on the pair of asymmetric cryptographic keys, and destroying the private cryptographic key. The example method further includes monitoring a set of data environments for electronic information related to the encrypted QC detection data. Subsequently, the example method may include generating a QC detection alert control signal in response to detection of the electronic information related to the encrypted QC detection data.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for quantum computing (QC) detection. An example method includes generating QC detection data. The example method further includes generating a pair of asymmetric cryptographic keys comprising a public cryptographic key and a private cryptographic key, generating encrypted QC detection data based on the pair of asymmetric cryptographic keys, and destroying the private cryptographic key. The example method further includes monitoring a set of data environments for electronic information related to the encrypted QC detection data. Subsequently, the example method may include generating a QC detection alert control signal in response to detection of the electronic information related to the encrypted QC detection data.

Abstract: Multiple work requests from different applications are queued to be processed subsequently without interruption by a crypto device. A prediction table is generated for each application to be processed by the crypto device. An initial credit value is determined for each incoming work request. The work request is an entry in an ordered queue in the order of time using respective time stamps. The next work request to be processed is selected from the entries in the queue by using the first entry in the queue for which the credit values for the corresponding application is greater than or equal to the predicted execution time for the corresponding request type in the prediction table. The selected next work request is processed.

Abstract: An apparatus comprises a plurality of hardware security modules, at least a first hardware security module in the plurality of hardware security modules comprising processing circuitry to generate a first plurality of pairs of cryptographic key pairs comprising a first plurality of private keys and a first plurality of public keys, forward the first plurality of public keys to a remote computing device, receive, from the remote computing device, a first plurality of ciphertexts, wherein each ciphertext in the plurality of ciphertexts represents an encryption of a cryptographic seed with a public key selected from the plurality of public keys, receive, from a subset of hardware security modules in the plurality of hardware security modules, a subset of private keys.

Abstract: A method for hyper security encoding includes receiving data to be encrypted, and padding the data to be encrypted with padding data to avoid un-obfuscated bits after encryption. The method also includes encrypting, with a Mojette Transform, the data to be encrypted after the data to be encrypted is padded with the padding data, and outputting a result of the encryption as encrypted data.

Abstract: A method of setting a surveillance camera includes the steps of recognizing a readable object in an image captured by the surveillance camera, updating a set value of one or more set items of the surveillance camera associated with the readable object, and transmitting the set value of an at least one set item to an external device in response to receiving a request therefrom.

Abstract: Assessing a consumer's risk of harms related to a data breach includes determining, for the particular data breach, a data breach score, referred to as a Breach Clarity™ (BC) score, indicative of the risk of harm related to the particular breach. A data structure pairs a breached information element with at least one potential harm. Algorithms assign a harm risk score to the harm, determine an element risk score for the information element-harm pair, and determine a BC score using the harm risk and element risk scores, and an exposure rating. The BC score can be modified by a scaling algorithm to generate a relative BC score. The system identifies and rank orders mitigation actions for the breach and outputs these with the BC score to the consumer. A consumer's demographic and/or behavioral characteristics can be factored into the exposure rating and ranking of the mitigation actions.

Abstract: Plural Internet of Things (IoT) gateways detect, secure against and remediate malicious code with an autonomous communication of tokens between the IoT gateways on a time schedule. Detection of an invalid token or a token communication outside of a scheduled time indicates that malicious code may have interfered with token generation or communication. Once malicious code is verified on an IoT gateway, the failed gateway is remediated to an operational state, such as with a re-imaging by another IoT gateway through an in band communication or a re-imaging by a server information handling system through an out of band communication.

Abstract: Cloud storage provides for accessible interfaces, near-instant elasticity and scalability, multi-tenancy, and metered resources within a framework of distributed resources acting to provide highly fault tolerant solutions with high data durability. However, cloud storage also has drawbacks and limitations with information uploading and how information is subsequently accessed. To date the lack of automated tools for managing tens, hundreds and thousands of users and/or documents within enterprises and organizations means that for most migrating is a massive undertaking. Accordingly, knowledge workers require a human interface to the data ingested from third-party systems that manages the data in original folder contexts/locations for each knowledge worker within the interfaces.