Patents Examined by David García Cervetti
  • Patent number: 10404463
    Abstract: A cryptographic ASIC and method for autonomously storing a unique internal identifier into a one-time programmable memory in isolation, by a foundry or a user. When later powered on, the ASIC calculates the value of the unique internal identifier from a predetermined input and compares the calculated identifier value to the stored identifier value. A match indicates the stored value is valid, while a mismatch indicates the stored value is invalid, whether due to natural memory component aging or damage by unauthorized access attempts. The ASIC may compare the calculated identifier to another copy or copies of the stored identifier, and disregard unreliable copies of the stored identifier. The ASIC may compare multiple copies of the stored identifier in a voting scheme to determine their validity. The confirmed valid lifetime of the ASIC thus extends far beyond the useful lifetime of a single copy of the stored identifier.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: September 3, 2019
    Assignee: Blockchain ASICs LLC
    Inventor: Edward L. Rodriguez De Castro
  • Patent number: 10382478
    Abstract: In one embodiment, a device in a network constructs a graph based on Domain Name System (DNS) traffic in which vertices of the graph correspond to client addresses from the DNS traffic and domains from DNS traffic. The device uses stacked autoencoders to determine priors for the domains and client addresses. The device assigns the determined priors to the corresponding vertices of the graph. The device uses belief propagation on the graph to determine a malware inference from the graph. The device causes performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: August 13, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David Brandon Rodriguez, Yuxi Pan
  • Patent number: 10382203
    Abstract: A three-way pairing handshake may include an internet-of-things (IoT) service sending an encrypted token to an IoT device in response to a request for a token from that IoT device. The encrypted token may store a service managed client identifier and a device identifier. The IoT device may share the encrypted token with a companion application on a mobile device. In turn, the companion application sends a pairing request to the IoT service which includes the encrypted token, along with a copy of the device identifier and the client identifier. The IoT service may validate the pairing request by decrypting the encrypted token included in the pairing request and verifying that the device identifier and the client identifier recovered from the decrypted token matches the device identifier and client identifier received in the pairing request.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: August 13, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Rameez Loladia, Ashutosh Thakur, Julian Embry Herwitz
  • Patent number: 10380366
    Abstract: Systems and methods are provided for sending a request to register a data offer from a data owner to participate in a distributed ledger, the request including information associated with the data offer and a privacy budget for the data offer, and wherein the information associated with the data offer and the privacy budget is stored in the distributed ledger and the data offer is accessible by third parties to the data owner. The systems and methods further provide for receiving a request, associated with a third party computer, to access data associated with the data offer, processing a data request associated with the request to access data, based on determining that there is sufficient privacy budget to allow access to the data associated with the request to access data, to produce result data, anonymizing the result data, and updating the distributed ledger.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: August 13, 2019
    Assignee: SAP SE
    Inventors: Daniel Bernau, Florian Hahn, Jonas Boehler
  • Patent number: 10374796
    Abstract: Provided is a high-speed and light-weighted authentication system that makes IP address filtering possible and does not impair real-time property even on a network including many and unspecific entities (communication devices). In a communication system that a plurality of communication devices are coupled together such that mutual communication is possible over the network, the communication devices communicate with a server under a secure environment, when authentication has been obtained from the server, random seeds of the same value and individual identifiers are issued to them, each communication device generates the IP address that includes a pseudorandom number and the identifier, and the communication devices establish communication between the communication devices that include the pseudorandom numbers that are mutually the same in their IP addresses.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: August 6, 2019
    Assignee: RENESAS ELECTRONICS CORPORATION
    Inventors: Daisuke Oshida, Yoshiyuki Sato, Yasuhiro Sagesaka, Takeshi Itome
  • Patent number: 10367645
    Abstract: A blockchain configuration may be used to store a distributed ledger for information security and accessibility. One example method of operation may include determining a proof-of-work via a device and using a predefined set of nonce values when determining the proof-of-work, storing the proof-of-work on a blockchain, and broadcasting the proof-of-work as a broadcast message.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: July 30, 2019
    Assignee: International Business Machines Corporation
    Inventors: Sampath Dechu, Ramachandra Kota, Pratyush Kumar
  • Patent number: 10348690
    Abstract: A message directed to a recipient of a messaging client is intercepted and prevented from reaching the messaging client in a native sent message format as sent from a sender of the message. One or more portions of the message are rendered to a format that is incapable of execution by a device and the message in the format that is incapable of execution is delivered to the messaging client for viewing and/or printing by the recipient.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: July 9, 2019
    Assignee: XATTIC, Inc.
    Inventor: Roman Kagarlitsky
  • Patent number: 10346622
    Abstract: Methods and systems for communicating information between mobile applications are presented. In some embodiments, a mobile device may determine that a plurality of applications are running on the mobile device. The mobile device may determine that each application of the plurality of applications uses a shared passcode to encrypt information about a persistent state. The mobile device may generate a beacon that includes encrypted state information. The mobile device may maintain state information across the plurality of applications beyond the lifetime of any one of the plurality of applications by transmitting the beacon from a first application to a second application before the first application's lifetime is completed.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: July 9, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Richard Hayton, Andrew Carnegie Innes, Georgy Momchilov
  • Patent number: 10333987
    Abstract: Systems and methods that improve operation and security of large complex webs of 200,000 to 2,000,000 interconnected systems are provided. Systems and methods may dynamically schedule downtime for target systems within the complex. The scheduled downtime may not impact operations stability of the complex web. Based on computational resource constraints, systems and methods may provide dynamic rescheduling of system downtime. Systems and methods may provide dynamic computational capacity management by adding capacity and/or reorganizing systems within the complex web.
    Type: Grant
    Filed: May 18, 2017
    Date of Patent: June 25, 2019
    Assignee: Bank of America Corporation
    Inventors: Hector D. Miranda, Gary Wayne Richardson, Michael Aaron Schetgen, Soaham D. Joshi, Todd M. Goodyear
  • Patent number: 10334492
    Abstract: Method, apparatus and systems are provided for key derivation. A target base station receives multiple keys derived by a source base station, where the keys correspond to cells of the target base station. The target base station selects a key corresponding to the target cell after obtaining information regarding a target cell that a user equipment (UE) is to access. An apparatus for key derivation and a communications system are also provided.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: June 25, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Min Huang, Jing Chen, Aiqin Zhang, Xiaohan Liu
  • Patent number: 10326758
    Abstract: A service provision system includes a processor configured to provide a predetermined service based on first authentication information issued by an external first authentication unit. The processor is configured to implement a notification unit that sends to a user of the predetermined service a notification of third authentication information for obtaining second authentication information different from the first authentication information, an issue unit that issues the second authentication information in response to an issue request of the second authentication information including the third authentication information, and a second authentication unit that verifies authenticity of a use request of the predetermined service including one of the first authentication information and the second authentication information.
    Type: Grant
    Filed: June 3, 2016
    Date of Patent: June 18, 2019
    Assignee: RICOH COMPANY, LTD.
    Inventor: Masato Nakajima
  • Patent number: 10320571
    Abstract: Described are examples for authenticating a device including detecting an event related to communications with a trusted platform module (TPM) device, performing, in response to detecting the event, one or more security-related functions with the TPM device, such as generating and/or signing one or more digital certificates, which may be based on one or more keys on the TPM device.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: June 11, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Artem Alekseyevich Zhurid, Merzin Kapadia
  • Patent number: 10318723
    Abstract: A Central Processing Unit (CPU) comprising an internal Network-On-Chip (NOC) core and multiple internal System-On-Chip (SOC) cores communicates with external CPUs comprising external NOC cores and external SOC cores. The internal NOC core exchanges hardware trust data with the internal SOC cores and the external NOC cores to maintain hardware trust. The internal SOC cores execute Virtual Network Functions (VNFs) and responsively exchange user data with the internal NOC core for the NFV VNFs. The internal NOC core exchanges an allowed portion of the user data for the VNFs among the internal SOC cores and the external NOC cores. The internal NOC core blocks a disallowed portion of the user data to an internal SOC core or an external NOC core when hardware trust fails between the internal NOC core and the individual SOC core or NOC core.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: June 11, 2019
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle Walter Paczkowski, Marouane Balmakhtar
  • Patent number: 10311219
    Abstract: Device, system, and method of user authentication utilizing an optical microphone or laser-based microphone. An optical microphone transmits an outgoing optical signal or laser beam towards a face of a human speaker; receives an incoming optical feedback that is reflected back from the face of the human speaker; performs self-mix interferometry that is based on the outgoing optical signal and the incoming reflected optical signal; and generates a user-specific feature or characteristic that uniquely characterizes said human speaker. A user authentication module operates to authenticate the user for performing a privileged or an access-controlled action, based on the user-specific characteristic that was generated, optionally in combination with one or more biometric features or authentication requirements.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: June 4, 2019
    Assignee: VOCALZOOM SYSTEMS LTD.
    Inventor: Tal Bakish
  • Patent number: 10305688
    Abstract: A cloud-based encryption machine key injection system includes at least one key injection sub-system including a key generation device and a quantum key distribution device connected with the key generation device, and a cloud-based encryption machine hosting sub-system including an encryption machine carrying a virtual encryption device and a quantum key distribution device connected with the encryption machine. The key injection sub-system and the encryption machine hosting sub-system are connected with each other through their respective quantum key distribution devices. The key generation device may generate a root key component of the virtual encryption device and transmit the root key component to the encryption machine. The encryption machine may receive root key components from one or more key generation devices and synthesize a root key of the virtual encryption device in accordance with the received root key components.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: May 28, 2019
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventors: Yingfang Fu, Shuanlin Liu
  • Patent number: 10305922
    Abstract: Disclosed is a system for detecting security threats in a local network. A security analytics system collects data about entities in the local network. The security analytics system identifies the entities in the raw data and determines a set of properties about each of the identified entities. The entity properties contain information about the entity and can be temporary or permanent properties about the entity. The security analytics system determines relationships between the identified entities and can be determined based on the entity properties for the identified properties. An entity graph is generated that describes the entity relationships, wherein the nodes of the entity graph represent entities and the edges of the entity graph represent entity relationships. The security analytics system provides a user interface to a user that contains the entity graph and the relationships described therein.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: May 28, 2019
    Assignee: VMware, Inc.
    Inventors: Ravi Kumar Devi Reddy, Srinivas Rao Doddi, Mahendra Kumar Kutare, Christophe Briguet
  • Patent number: 10298605
    Abstract: Methods and systems for security threat detection are disclosed. For example, a virtual machine with a network interface of a plurality of virtual machines includes a plurality of applications including first and second applications. The plurality of applications is associated with a respective plurality of application security modules, including a first and second application security modules associated with the first and second applications. A security policy engine executes on a processor in communication with a network including a network controller. The application security module detects an abnormality with a request to the first application, identifies a source and a mode of the abnormality, and reports the source and the mode to the security policy engine. The security policy engine prevents a further abnormality with the source and/or the mode from affecting the second application and commands the network controller to prevent the source from interacting with the network.
    Type: Grant
    Filed: November 16, 2016
    Date of Patent: May 21, 2019
    Assignee: Red Hat, Inc.
    Inventor: Huamin Chen
  • Patent number: 10296507
    Abstract: A method for enhancing rapid data analysis includes receiving a set of data; storing the set of data in a first set of data shards sharded by a first field; and identifying anomalous data from the set of data by monitoring a range of shard indices associated with a first shard of the first set of data shards, detecting that the range of shard indices is smaller than an expected range by a threshold value, and identifying data of the first shard as anomalous data.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: May 21, 2019
    Assignee: Interana, Inc.
    Inventors: Robert Johnson, Oleksandr Barykin, Alex Suhan, Lior Abraham, Don Fossgreen
  • Patent number: 10298555
    Abstract: A computer system and methods for securing files in a file system with storage resources accessible to an authenticable user using an untrusted client device in a semi-trusted client threat model. Each file is secured in the file system in one or more ciphertext blocks along with the file metadata. Each file is assigned a unique file key FK to encrypt the file. A wrapping key WK assigned to the file is used for encrypting the file key FK to produce a wrapped file key WFK. The file is encrypted block by block to produce corresponding ciphertext blocks and corresponding authentication tags. The authentication tags are stored in the file metadata, along with an ID of the wrapping key WK, wrapped file key WFK, last key rotation time, an Access Control List (ACL), etc. The integrity of ciphertext blocks is ensured by authentication tags and the integrity of the metadata is ensured by a message authentication code (MAC).
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: May 21, 2019
    Assignee: ZETTASET, INC.
    Inventor: Eric A. Murray
  • Patent number: 10282564
    Abstract: A data segment is encrypted to produce an encrypted data segment. The encrypted data segment is dispersed storage error encoded to produce a set of encoded data slices. Auxiliary data is dispersed storage error encoded to produce a set of encoded auxiliary data slices. A sequence of output slices is generated to obscure the set of encoded data slices by interspersing the set of encoded auxiliary data slices within the set of encoded data slices.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: May 7, 2019
    Assignee: International Business Machines Corporation
    Inventors: S. Christopher Gladwin, Chuck Wilson Templeton, Jason K. Resch, Gary W. Grube