Patents Examined by Dao Q Ho
  • Patent number: 10958417
    Abstract: A blockchain hierarchy comprises an arrangement of blockchains organized in a tree-like manner such that a blockchain at a lower level feeds data to a blockchain at a relatively higher level. At least one blockchain comprises a private autonomous group of peers that are involved in a particular task. Within that particular group of peers, preferably one of the peers is elected as a leader entity, which has the capability of also joining another private or public blockchain, e.g., one at a higher level in the hierarchy. The leader entity includes a capability to enforce a data protection policy within the blockchain that it leads. To this end, the leader filters or declassifies data based on some task-specific (or blockchain-specific) data protection policy, and it then makes that data available to one or more other blockchains in the hierarchy (directly or indirectly).
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: March 23, 2021
    Assignee: International Business Machines Corporation
    Inventor: Kapil Kumar Singh
  • Patent number: 10951427
    Abstract: Systems, apparatuses, and methods are described for wireless communications. A session management function may provide to a user plane function one or more messages comprising an Ethernet packet filter set and/or information for at least one policy rule. The user plane function may apply the at least one policy rule to a data flow to provide an Ethernet packet data unit session for a wireless device.
    Type: Grant
    Filed: October 9, 2018
    Date of Patent: March 16, 2021
    Assignee: Comcast Cable Communications, LLC
    Inventors: Weihua Qiao, Esmael Hejazi Dinan, Kyungmin Park, Peyman Talebi Fard
  • Patent number: 10931443
    Abstract: A computer-implemented method manages cryptographic objects in a hierarchical key management system including a hardware security module (HSM), which institutes a key hierarchy extending from a ground level l0. Clients interact with the HSM to obtain cryptographic objects. A request is received from one of the clients for an object at a given level ln of the hierarchy (above the ground level l0). A binary representation of the object is accessed as a primary bit pattern p0 at the HSM, and said pattern is scrambled via a bitwise XOR operation. The latter operates, on the one hand, on the primary bit pattern p0 and, on the other hand, on a control bit pattern pc that is a binary representation of an access code of the same length as said primary bit pattern p0. The pattern pc is obtained based on that given level ln of the hierarchy.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: February 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Martin Schmatz, Navaneeth Rameshan, Yiyu Chen, Patricia M. Sagmeister
  • Patent number: 10911420
    Abstract: The present disclosure generally relates to managing encrypted network traffic using Domain Name System (DNS) responses. One example includes requesting an address; receiving a response from the resolution server including one or more addresses associated with the domain name; associating with the domain name a particular address selected from the received one or more addresses; receiving a request to resolve the domain name; sending a response to the request to resolve the domain name, the sent response including the particular address associated with the domain name; receiving a secure request for a resource, the secure request directed to the particular address associated with the domain name; and determining that the secure request is directed to the domain name based on the association between the particular address and the domain name.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: February 2, 2021
    Assignee: iboss, Inc.
    Inventors: Paul Michael Martini, Peter Anthony Martini
  • Patent number: 10909269
    Abstract: A first certificate authority (CA) trust list comprising a plurality of CA identifiers is obtained by a first node of a blockchain network. A communication request comprising a public key certificate of the second node is received by the first node from a second node of the blockchain network. A first CA identifier is determined from the received public key certificate. A determination is made as to whether the first CA identifier matches one of the plurality of CA identifiers of the first CA trust list. In response to determining that the first CA identifier matches one of the plurality of CA identifiers of the first CA trust list, the communication request is approved by the first node. In response to determining that the first CA identifier does not match one of the plurality of CA identifiers of the first CA trust list, the communication request is denied.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: February 2, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 10911244
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for enhancing blockchain network security. Implementations include receiving a request for data from the data source, transmitting the request to a relay system that is external to the blockchain network and that includes a multi-node cluster including a plurality of relay system nodes, receiving a result provided from a relay system node, the result being digitally signed using a private key of the relay system node, verifying that the relay system node is registered, verifying an integrity of the result based on a public key of the relay system node and a digital signature of the result in response to verifying that the relay system node is registered, and transmitting the result to a client in response to verifying the integrity of the result.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: February 2, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Yirong Yu
  • Patent number: 10891386
    Abstract: Embodiments of the present invention disclose methods and systems which receive a user credential corresponding to a user, a task to be performed by the user, a security policy including a user role, and sensitive information. These methods and systems dynamically provision virtual machines including un-redacted information from received sensitive information. Furthermore, a set of tools process the redacted information, based on the user credential, the task to be performed, and the security policy.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: January 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Itai Gordon, Peter Hagelund, Ilan D. Prager
  • Patent number: 10878125
    Abstract: A privacy protection based training sample generation method includes: generating n d-dimensional transform vectors ? from original data to be mined, wherein the original data comprises m original samples, each original sample includes a d-dimensional original vector x and an output tag value y, m and d being natural numbers, and each transform vector ? is determined by a sum of yx of a plurality of original samples randomly selected from the m original samples; and determining the n transform vectors ? as training samples of a binary classification model.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: December 29, 2020
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Li Wang, Peilin Zhao, Jun Zhou, Xiaolong Li
  • Patent number: 10872336
    Abstract: A method of authenticating a user based on user effort, the method includes receiving a registration from a user device with a user effort-based identity authorization token and a first user effort, submitting the first effort to the effort validation server, receiving an effort analysis from the effort validation server, issuing a credential to the user device based on the effort analysis, receiving an access request from the user device, the access request including the credential and a second effort, providing the second effort to the validation server, receiving a validation response from the validation server, and granting access to the user device as a function of the validation response.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: December 22, 2020
    Assignee: Intensity Analytics Corporation
    Inventors: John D. Rome, Bethann G. Rome, Thomas E. Ketcham, II
  • Patent number: 10862921
    Abstract: In one embodiment, activity of a plurality of applications in a computer network is monitored, and a plurality of individual business transactions occurring within the plurality of applications may be identified. Additionally, network traffic details associated with each particular business transaction of the plurality of individual business transactions may be determined. In response to detecting a network-based threat on a particular network flow within the computer network, the techniques herein may correlate the particular network flow to a corresponding business transaction of the plurality of individual business transactions based on the associated network traffic details of the corresponding business transaction. Accordingly, threat mitigation may be initiated specific to the corresponding business transaction in response to the detected network-based threat being correlated to the corresponding business transaction.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: December 8, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Syed Abdul Ahad, Amal Padmanabhan, Vinay Gangoli, Pranjal Kumar
  • Patent number: 10862678
    Abstract: A method of communicating information includes generating a photon pulse using an entangled photon generator. The photon pulse includes a photon pulse state and is temporally positioned within a photon pulse time slot. When the photon pulse is in a populated photon pulse state, it includes first and second entangled photons and the entangled photon generator outputs the first entangled photon into a first photon pathway optically coupled to an output end photon detector unit, and the second entangled photon into a second photon pathway, optically coupled to a receiving end photon detector unit. The method also includes determining the photon pulse state of the photon pulse using the output end photon detector unit, which outputs a signal regarding the photon pulse state of the photon pulse into a signal pathway to provide the receiving end photon detector unit with information regarding the photon pulse state of the photon pulse.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: December 8, 2020
    Assignee: Corning Incorporated
    Inventors: Nikolay A Kaliteevskiy, Michal Mlejnek, Daniel Aloysius Nolan
  • Patent number: 10848806
    Abstract: A technique for securely transferring content from a first device in a first layer to a second device in a second layer. In one embodiment, the first device is a device in a trusted domain and the second device is outside of the trusted domain. Transfer of protected content to another device may require authentication of the receiving device. A rights file which specifies the rights of the receiving device to use the protected content, according to its security level is also transferred. These rights may concern, e.g., the number of times the receiving device may transfer the protected content to other devices, the time period within which the receiving device may play the protected content, etc. The higher the security level of the receiving device, the more rights accorded thereto. A minimum security level requirement may be imposed in order for protected content to be transferred to a device.
    Type: Grant
    Filed: May 14, 2018
    Date of Patent: November 24, 2020
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: William L. Helms, John B. Carlucci, Michael T. Hayashi, James W. Fahrny
  • Patent number: 10841295
    Abstract: In a general aspect, a digital certificate can be used with multiple cryptography systems (“cryptosystems”). In some cases, the digital certificate includes a public key field, which contains a first public key of an entity associated with a first cryptosystem. The digital certificate includes a signature value field, which contains a first digital signature of a certificate authority associated with the first cryptosystem. The digital certificate includes an extension. The extension contains a second public key of the entity, a second digital signature of the certificate authority, or both, associated with a second cryptosystem. The extension contains a policy field that includes instructions for processing the fields associated with the second cryptosystem.
    Type: Grant
    Filed: April 17, 2019
    Date of Patent: November 17, 2020
    Assignee: ISARA Corporation
    Inventors: Mark Pecen, Michael Kenneth Brown, Alexander Truskovsky
  • Patent number: 10841322
    Abstract: According to some embodiments, a plurality of monitoring nodes may each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. A node classification computer may determine, for each monitoring node, a classification result indicating whether each monitoring node is in a normal or abnormal state. A disambiguation engine may receive the classification results from the node classification computer and associate a Hidden Markov Model (“HMM”) with each monitoring node. For each node in an abnormal state, the disambiguation engine may execute the HMM associated with that monitoring node to determine a disambiguation result indicating if the abnormal state is a result of an attack or a fault and output a current status of each monitoring node based on the associated classification result and the disambiguation result.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: November 17, 2020
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Annarita Giani, Masoud Abbaszadeh, Lalit Keshav Mestha
  • Patent number: 10834106
    Abstract: A method may include a processing system assigning samples of network traffic data to positions in a list, where each of the samples is assigned a cluster identifier corresponding to the respective position, and traversing the list, where for each position, the processing system: increments an order indicator, and when the cluster identifier is not less than the order indicator, computes a distance between a sample assigned to the position and other samples, records a cluster identifier of another sample when a distance between the sample and the other sample is less than a threshold distance, and assigns a minimum cluster identifier that is recorded to all of the samples with cluster identifiers that are recorded. The processing system may determine clusters from cluster identifiers in the list after the traversing and identify at least one cluster as representing anomalous network traffic data.
    Type: Grant
    Filed: October 3, 2018
    Date of Patent: November 10, 2020
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Yaron Koral, Rensheng Wang Zhang, Eric Noel, Patrick Velardo, Jr., Swapna Buccapatnam Tirumala
  • Patent number: 10819576
    Abstract: A device receives policy information indicating a policy to be implemented for an application hosted by multiple cloud domains, and receives, from the multiple cloud domains, different application resource tags and addresses associated with the application. The device maps the different application resource tags to a generic identifier, and associates the policy with the generic identifier and with the addresses associated with the application. The device provides, based on associating the policy with the generic identifier and with the addresses associated with the application, the policy to the multiple cloud domains to permit the multiple cloud domains to implement the policy.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: October 27, 2020
    Assignee: Juniper Networks, Inc.
    Inventors: Prakash T. Seshadri, Sunil G. Rawoorkar, Yasmin Zarina, Srinivas Nimmagadda, Jeffrey S. Marshall, Krishnaiah Gogineni, Kartik Krishnan S. Iyyer
  • Patent number: 10805089
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for enhancing blockchain network security. Implementations include receiving a request for data from the data source, transmitting the request to a relay system that is external to the blockchain network and that includes a multi-node cluster including a plurality of relay system nodes, receiving a result provided from a relay system node, the result being digitally signed using a private key of the relay system node, verifying that the relay system node is registered, verifying an integrity of the result based on a public key of the relay system node and a digital signature of the result in response to verifying that the relay system node is registered, and transmitting the result to a client in response to verifying the integrity of the result.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: October 13, 2020
    Assignee: Alibaba Group Holding Limited
    Inventor: Yirong Yu
  • Patent number: 10797861
    Abstract: A data exchange agreement between a first user and a second user is written, by a data exchange platform, into a block chain. The data exchange agreement is associated with first data. A first key is received, by the data exchange platform and from a first device associated with the first user. The first key is used for decrypting encrypted first data. The received first key is transmitted by the data exchange platform to a second device associated with the second user.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: October 6, 2020
    Assignee: Alibaba Group Holding Limited
    Inventor: Yi Li
  • Patent number: 10791100
    Abstract: The disclosure relates to systems, methods and devices for secure routing and recording of network data streams passing through a network switch. Specifically, the disclosure relates to systems, methods and devices for reversibly deconstructing networks' OSI L1-L7 in time and space, in the process of selectively recording network data streams for secure access, as well as providing external rule-based security auditing and functioning as a black-box in industry-specific applications.
    Type: Grant
    Filed: March 10, 2018
    Date of Patent: September 29, 2020
    Assignee: OVSECURE LTD.
    Inventor: Oleg Vaisband
  • Patent number: 10789375
    Abstract: Techniques for managing data files spread across different remote storage systems are described. A remote storage management system can provide a unified file system that interacts with different remote storage services to allow a user to manage, from one interface, the user's data stored in different source systems. The remote storage management system may allow a user to create sharable cloud drives with combination of files from the unified file system irrespective of which service provider is storing the files. The generated cloud drive can be shared with a recipient to give the recipient access to the user's files. The recipient is not required to have an account with any of the remote storage service providers or with the remote storage management system.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: September 29, 2020
    Assignee: Oxygen Cloud, Inc.
    Inventor: Peter C. Chang