Patents Examined by Dao Q Ho
  • Patent number: 11283617
    Abstract: A system and method for facilitating a blockchain-based state of data management that includes: receiving the state of data, the state including a data identifier associated with a blockchain network, a resource identifier, and one of: a public key and a state identifier; generating a state identifier using at least the public key included in the received state of data and one or more hashing algorithms.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: March 22, 2022
    Assignee: ZANTHUM CORPORATION
    Inventor: Fortune Vieyra
  • Patent number: 11283607
    Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system (1) running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function (11) using data relating to the type of device (13), and the applications to be run on the device (14), to generate an appropriate encryption policy (12) which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: March 22, 2022
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Claudia Cristina, Fadi El-Moussa, Simon Beddus
  • Patent number: 11275838
    Abstract: A method and system. A dataset is generated according to a code package. The code package includes an image file associated with a container for a tenant in a cloud environment. The dataset includes general information related to security aspects of the image file. The image file includes two or more image layers. A security indicator of the image file is extracted according to the dataset. A security level of the image file is determined by comparing the extracted security indicator of the image file with a security indicator of an authenticated image file. A vulnerability in the image file is identified based on the determined security level. In response to the vulnerability having been identified, the image file is updated with a patch that fixes the identified vulnerability. The patch includes a new image layer added to the two or more image layers in the updated image file.
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: March 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Peng Cui, Dong Xiao Hui, Tan Jiang, Da Hu Kuang, Lan Ling, Xu Peng, Liang Wang, Chun Xiao Zhang, Yu Zhang
  • Patent number: 11275839
    Abstract: A method and system for code package. A dataset is generated according to a code package. The code package includes an image file associated with a container for a tenant. The dataset includes general information related to security aspects of the image file. The image file includes two or more image layers. Generating the dataset according to the code package includes: exporting an image layer from the image file; and obtaining a configuration file of the exported image layer as the dataset. In response to the vulnerability having been identified, the image file is updated with a patch that fixes the identified vulnerability. The patch includes a new image layer added to the two or more image layers in the updated image file.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: March 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Peng Cui, Dong Xiao Hui, Tan Jiang, Da Hu Kuang, Lan Ling, Xu Peng, Liang Wang, Chun Xiao Zhang, Yu Zhang
  • Patent number: 11270015
    Abstract: A request is received from a security tool, the request relating to an event involving data records in a storage device. An application programming interface (API) is used to interface with secure storage functionality of the storage device, the secure storage functionality enabling a set of secure storage operations. A security operation is caused to be performed at the storage device involving the data records based at least in part on the request. In one aspect, the set of secure storage operations can include a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation.
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: March 8, 2022
    Assignee: McAfee, LLC
    Inventors: Atul Kabra, Michael Hughes, John D. Teddy
  • Patent number: 11265315
    Abstract: An information processing terminal, including a speaker unit, for receiving and processing an input of voice information, performs control, in a case where it is determined that authentication is needed for execution of a service corresponding to an input of voice information, to perform biometric authentication using information extracted as biological information of a user corresponding to the input voice information, and notifies, in a case where the biometric authentication is successful, the user via the speaker unit of a message regarding the execution of the service as a response to the input of the voice information.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: March 1, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Shunsuke Ota
  • Patent number: 11252171
    Abstract: Systems and methods for detecting abnormal user activity comprising: tracking, by the server, during a first time period, user activity associated with an application service, determining, by the server, that the user activity associated with the application service exceeds a respective first predetermined threshold of user activity during the first time period, in response to determining that the user activity exceeds the first predetermined threshold, activating a second predetermined threshold, thereby triggering the system to track, during a second time period user activity associated with the application service, the tracking comprising tracking a content of the user interactions with the application service, determining that the user activity exceeds the second predetermined threshold of user activity during the second time period and in response to determining that the user activity exceeds the second predetermined threshold, triggering a user challenge procedure on a client device.
    Type: Grant
    Filed: November 21, 2019
    Date of Patent: February 15, 2022
    Assignee: YANDEX EUROPE AG
    Inventors: Dmitriy Nikolaevich Kovega, Ekaterina Aleksandrovna Kovega
  • Patent number: 11245519
    Abstract: Systems, apparatuses, methods, and computer program products are disclosed for quantum entanglement random number generation (QERNG). An example method for QERNG includes, among other operations, generating a quantum entanglement random number based on a subset of a first set of entangled quantum particles associated with a first computing device. Each entangled quantum particle in the first set of entangled quantum particles may be entangled with a respective entangled quantum particle in a second set of entangled quantum particles associated with a second computing device. In some instances, the example method may further include generating a cryptographic key based on the quantum entanglement random number, encrypting an electronic communication based on the cryptographic key, and transmitting the encrypted electronic communication to the second computing device.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: February 8, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Jeff J. Stapleton, Jr., Robert L. Carter, Jr., Pierre Arbajian, Bradford A. Shea, Peter Bordow, M. Erik Meinholz
  • Patent number: 11238164
    Abstract: An adaptive data storage platform includes a plurality of nodes and a plurality of data stores, each associated with a different one of the nodes. An immutable journal is distributed between the plurality of nodes. Access to the data stores is based upon a consensus of trust determined by the plurality of nodes. The data is cyphered as it is received to form ciphered data that is sharded into equally sized shards that are distributed across the nodes for storing on corresponding ones of the data stores and tracked using the immutable journal. The shard may be periodically sent to a different one of the nodes for storing on the corresponding data store. The data is thereby ciphered and distributed across the plurality of data stores and is not stationary.
    Type: Grant
    Filed: July 10, 2018
    Date of Patent: February 1, 2022
    Assignee: BURSTIQ, INC.
    Inventors: Frank Ricotta, Brian Jackson, Tyson Henry
  • Patent number: 11240000
    Abstract: An example operation may include one or more of connecting, by an asset server, to a source blockchain configured to store a digital asset of an asset owner, enciphering and locking, by the asset server, the asset in the source blockchain, manifesting, by the asset server, the asset as a linked asset in a target blockchain, tracking, by the asset server, a life cycle of the asset, detecting, by the asset server, an end of the life cycle of the asset, reflecting, by the asset server, the end of the life cycle of the asset in the source blockchain, and creating, by the asset server, the asset in the target blockchain.
    Type: Grant
    Filed: August 7, 2018
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Nitin Gaur, Jeronimo Irazabal
  • Patent number: 11233780
    Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: January 25, 2022
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 11228593
    Abstract: Intelligent methods of providing online security against hackers, which prevents the hackers from obtaining unauthorized access to secure resources. A first application session established between a first client and a first application of a first host device is detected. The first application is associated with a first plurality of security time limits. A duration of the first application session established between the first client and the first application is monitored. One or more first security actions are executed against the first application session responsive to the duration of the first application session reaching a security time limit of the first plurality of security time limits. One or more second security actions are executed against the first application session responsive to the duration of the first application session reaching another security time limit of the first plurality of security time limits.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: January 18, 2022
    Assignee: CYEMPTIVE TECHNOLOGIES, INC.
    Inventor: Robert Pike
  • Patent number: 11216595
    Abstract: A private key of a public-private key pair with a corresponding identity is written to an integrated circuit including a processor, a non-volatile memory, and a cryptographic engine coupled to the processor and the non-volatile memory. The private key is written to the non-volatile memory. The integrated circuit is implemented in complementary metal-oxide semiconductor 14 nm or smaller technology. The integrated circuit is permanently modified, subsequent to the writing, such that further writing to the non-volatile memory is disabled and such that the private key can be read only by the cryptographic engine and not off-chip. Corresponding integrated circuits and wafers are also disclosed.
    Type: Grant
    Filed: September 21, 2019
    Date of Patent: January 4, 2022
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Eduard A. Cartier, Daniel J. Friedman, Kohji Hosokawa, Charanjit Jutla, Wanki Kim, Chandrasekara Kothandaraman, Chung Lam, Frank R. Libsch, Seiji Munetoh, Ramachandran Muralidhar, Vijay Narayanan, Dirk Pfeiffer, Devendra K. Sadana, Ghavam G. Shahidi, Robert L. Wisnieff
  • Patent number: 11212275
    Abstract: A password-less authentication system and method include registering a contactless card of a client with an application service and binding the contactless card to one or more client devices. The contactless card advantageously stores a username and a dynamic password. Accesses by the client to the application service may be made using any client device, and authentication of the accesses may be performed by any client device that includes a contactless card interface and can retrieve the username and dynamic password pair from the contactless card. By storing the username on the card, rather than requiring user input, application security is improved because access to and knowledge of login credentials is limited. In addition, the use of a dynamic password reduces the potential of malicious access.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: December 28, 2021
    Assignee: Capital One Services, LLC
    Inventors: Lara Mossler, Kaitlin Newman, Kevin Osborn
  • Patent number: 11184374
    Abstract: An automated method for cyberattack detection and prevention in an endpoint. The technique monitors and protects the endpoint by recording inter-process events, creating an inter-process activity graph based on the recorded inter-process events, matching the inter-process activity (as represented in the activity graph) against known malicious or suspicious behavior (as embodied in a set of one or more pattern graphs), and performing a post-detection operation in response to a match between an inter-process activity and a known malicious or suspicious behavior pattern. Preferably, matching involves matching a subgraph in the activity graph with a known malicious or suspicious behavior pattern as represented in the pattern graph. During this processing, preferably both direct and indirect inter-process activities at the endpoint (or across a set of endpoints) are compared to the known behavior patterns.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: November 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Xiaokui Shu, Zhongshu Gu, Heqing Huang, Marc Philippe Stoecklin, Jialong Zhang
  • Patent number: 11184369
    Abstract: Disclosed is an improved method, system, and computer program product for detecting hosts and connections between hosts that are being used as relays by an actor to gain control of hosts in a network. It can further identify periods of time within the connection when the relay activities occurred. In some embodiments, the invention can also chain successive relays to identify the true source and true target of the relay.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: November 23, 2021
    Assignee: Vectra Networks, Inc.
    Inventors: Himanshu Mhatre, Nicolas Beauchesne
  • Patent number: 11184157
    Abstract: Protection against the obsolescence of cryptographic algorithms is provided by generating a cryptographic key pair for future use and storing the public key on a device. The cryptographic key pair supports a signature scheme that is potentially resistant to quantum computing attacks. In an embodiment, a key management server generates a set of one-time use keys sufficient to sign the anticipated number of software updates to be applied to a device. The key management server provides a public key which is stored on the device for later use. In an embodiment, an update to the device is signed with the one-time-use private key, and can be authenticated by the device using the public key. In an embodiment, the key pair supports the use of a one-time signature technique such as a Merkle signature scheme, Winternitz signature, or Lamport signature.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: November 23, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Shay Gueron, Matthew John Campagna
  • Patent number: 11177959
    Abstract: A blockchain-based record of transactions taking place through a smartphone or other electronic/peripheral device. The blockchain record itself contains mathematical hashes, including encryption if desired, based on the various data components of a smartphone or other device, which creates a distributed ledger system that is extremely difficult to break into to add, delete, or alter individual transactions after the fact.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: November 16, 2021
    Inventors: Thomas J. Waters, Richard H. Waters, Robert N. Barrett
  • Patent number: 11171951
    Abstract: There are provided systems and methods for device interface output based on biometric input orientation and captured proximate data. A user may utilize a device to enter a fingerprint input to perform various device or application functionalities. The user may vary the orientation of the fingerprint to limit user interface data output, change the data that is output, or lock the interface from data output. Fake data may be output in specific instances, such as high risk of data misappropriation. The device may detect the orientation based on changes in the orientation of the grooves and ridges of a fingerprint with respect to an axis of the device, and may also detect additional data to determine what interface output is required. The additional data may include pressure of the fingerprint input and/or voice data. A second device may also provide user biometrics as the additional data.
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: November 9, 2021
    Assignee: PAYPAL, INC.
    Inventor: Jigar Rajnikant Gosalia
  • Patent number: 11165827
    Abstract: Suspending communication to/from non-compliant servers through a firewall includes establishing a secure collection of compliance rules for security compliance, ascertaining, for each server of server(s) of an environment, respective software package(s) installed on the server, building a secure server and acceptable risk listing that indicates each of the server(s) and the software package(s) installed on each server, assigning and securely storing risk ratings for the server(s), comparing the assigned risk rating for a second server to an acceptable risk level indicated for a first server, and based on determining that the assigned risk rating for the second server exceeds the acceptable risk level, performing a rules modification to the firewall to enforce the compliance rules. The rules modification disables communication between the first server and the second server through the firewall.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: November 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Bender, Rhonda L. Childress, Todd R. Palmer, Helio L. Pinheiro E Mota