Abstract: A system and method for providing an authentication state of a function execution device to a communication terminal is described. In some examples, the authentication state indicates whether authentication information is needed from the communication terminal before the communication terminal can request performance of one or more functions performable by the function execution device. In other examples, the communication terminal may provide to the communication terminal the authentication information irrespective of whether the function execution terminal has previously provided its authentication state to the communication terminal.

Abstract: A technique and system protects documents at rest and in motion using declarative policies, access rights, and encryption. Methods, techniques, and systems control access to documents and use of content in documents to support information management policies.

Abstract: A method of integrating a distributed ledger represented by a blockchain with a distributed storage network (DSN) begins by sending a proof of existence request to the DSN, the proof of existence request including an object name, an object version, a start time and an end time. The method continues by reading the object metadata for the sent object name. The method continues by checking a revision history from object metadata associated with the sent object name to ensure the object existed by the start time through the end time with no deletions and, if the object did not exist by the start time through the end time with no deletions, rejecting the proof of existence request and returning an error response. If the object did exist by the start time on through the end time with no deletions, the method continues by producing and returning an attestation comprising verification information related to the object.

Abstract: A system includes an electrical apparatus and a connecting device. The electrical apparatus comprises a control unit, a first interface device and a second interface device. A wire-bound first communication path is provided between the control unit and the connecting device via the first interface device and a second communication path is provided between the control unit and the second interface device. The system further includes a coupling device that can be set into a first coupling state and into a second coupling state. The first communication path is led through the coupling device in the first coupling state and is interrupted in the coupling device in the second coupling state. The control unit detects an attack on the system via the second interface device and, in the event of a detected attack, sets the coupling device from the first coupling state into the second coupling state.

Abstract: A method for generating a software container includes receiving a software application and a containerization file. The method also includes building an image file using the containerization file, the image file containing the software application. The method also includes recording, in the image file, an image lineage. The method also includes performing a security scan of the image file to obtain a result, the security scan comprising checking the image file for inadequacies. The method also includes assigning, to the image file, a security level selected from among a plurality of different predetermined security levels. Assigning is based on a combination of the image lineage and the result of the security scan. The method also includes signing the image file with the security level to create a signed image file. The method also includes storing the signed image file as the software container.

Abstract: The present disclosure includes apparatuses, methods, and systems for using a local ledger block chain for secure updates. An embodiment includes a memory, and circuitry configured to receive a global block to be added to a local ledger block chain for validating an update for data stored in the memory, where the global block to be added to the local ledger block chain includes a cryptographic hash of a current local block in the local ledger block chain, a cryptographic hash of the data stored in the memory to be updated, where the current local block in the local ledger block chain has a digital signature associated therewith that indicates the global block is from an authorized entity.

Abstract: In one embodiment, a method comprises: receiving, by a parent network device providing at least a portion of a directed acyclic graph (DAG) according to a prescribed routing protocol in a low power and lossy network, a destination advertisement object (DAO) message, the DAO message specifying a target Internet Protocol (IP) address claimed by an advertising network device in the DAG and the DAO message further specifying a secure token associated with the target IP address; and selectively issuing a cryptographic challenge to the DAO message to validate whether the advertising network device generated the secure token.

Abstract: A mechanism is provided in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to implement an ontology based persistent attack campaign detection engine. In response to a security incident, the mechanism sends the security incident to an incident model microservice executing within the persistent attack campaign detection engine. The incident model microservice extracts artifacts from the incident, maps the artifacts to a graph topology data structure, and stores the graph topology data structure in a graph data storage.

Abstract: Disclosed is an apparatus for managing a risk of a malware behavior in a mobile operating system, which includes: a deducing unit configured to deduce characteristics of a malware from results of a static analysis on mobile malware data and a dynamic analysis thereon under a virtual environment by using a blacklist including an indicator of compromise (IOC) utilized in an existing mobile malware.

Abstract: While managing private data in cognitive surveys, a method, system, and computer program product may deploy a set of gather agents. Access credentials for a plurality of participants may be obtained from an encrypted data store and verified. The set of gather agents may gather a set of target data associated with the plurality of participants, and the set of target data may be collected according to a set of policy criteria. It may be determined whether one or more participants of the plurality of participants has requested to review a subset of the target data, and those participants may be prompted to review the subset of target data. It may be determined whether the one or more participants rejected the subset of target data. The subset of target data may be filtered, and the filtered subset of target data may be posted to a results database.

Abstract: Data items such as files or database records associated with particular applications (such as messaging applications and other applications) can be stored in one or more remote locations, such as a cloud storage system, and synchronized with other devices. The remote storage can be configured such that each application executing on a client device can only view data items stored at the remote location to which the application has permission to access. An access manager on each client device enforces application specific access policies. Storage at the remote location can be secured for each application associated with a user or user account, for example, using isolated containers. The cloud storage of data can be anonymized and anonymous group data can be stored in the cloud storage.

Abstract: Techniques described herein relate to generating and managing digital credentials using a digital credential platform in communication with various digital credential template owners and digital credential issuers. In some embodiments, a digital credential platform server may receive and coordinate requests and responses between the digital credential template owners and a set of digital credential issuers, to determine which digital credential issuers are authorized to issue digital credential based on which digital credential templates. The digital credential platform server may provide the authorized issuers with access to particular digital credential templates and the functionality to issue digital credentials to users based on any of the particular digital credential templates. Additional techniques described herein relate to tracking, analyzing, and reporting data metrics for issued digital credentials.

Abstract: A multilevel security (MLS) network is disclosed. The MLS network includes untrusted nodes (UTN) capable of receiving messages en route from a source node to a destination node, each message having an unencrypted outer header, an encrypted inner header, and a data payload. UTNs route messages toward their destination as directed by the outer header. Global trusted nodes (GTN) decrypt a portion of the inner header to validate source and destination information before routing the message forward. GTNs further modify the outer header to obfuscate source and destination information from the UTNs. Local trusted nodes (LTN) serve as gateway nodes into a local network. LTNs also validate source and destination information to regulate admission to the local network. LTNs include an address manager which decrypts an additional portion of the inner header to read local address data and generates local messages for routing through the local network.

Abstract: Embodiments of the invention are directed to a system, method, or computer program product for triple format preserving encryption for activity data transmissions. In particular the invention provides a secure platform for transmission and storage of data based on multi-level compounded encryption while preserving native data format post-encryption to allow compatibility of post-encryption data with existing systems. In particular, the invention is configured for generating a plurality of encryption keys such that each of the encryption keys are structured to preserve pre-encryption data format, post-encryption. The invention is further configured for sequentially compounding encryption of native format data using the plurality of encryption keys.

Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.

Abstract: A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user's PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user's local device after each authentication session.

Abstract: Aspects define a union mixed secure virtual machine image to include an encrypted code virtualization machine for code machine instructions of a first retrieved package; and an unsecure virtualization hypervisor that includes a non-encrypted code virtualization machine for code machine instructions of a second retrieved package and a non-encrypted data storage device.

Abstract: Systems for providing secure access to systems are provided. A computing device may receive a request to access functionality which may include login credentials of a user. Upon receiving the request to access functionality, the computing device may execute a scan of an area surrounding the computing device to detect any wearable devices within proximity of the computing device that are linked to the computing device. The authenticating information and, in some examples, detected, linked wearable device, may be validated. Based on the validation, authentication response data may be generated and transmitted to an authentication computing platform which may cause the authentication computing platform to validate the authentication response data and cause the computing device to connect to a client interface computing platform.

Abstract: A computer system receives a first information detailing a TLS fingerprint. A computer system determines an amount of bad transactions associated with the TLS fingerprint, wherein a bad transaction is a transaction involved in one or more fraudulent activities. The computer system determines whether the amount of bad transactions associated with the TLS fingerprint exceeds a threshold amount.

Abstract: Various systems and methods for domain authentication are described herein. In an example, the method may include detecting a domain from a request of a tenant for access to a farm. The method may also include identifying a presence of a site ID from a database of the farm based on the domain. The method may also include sending an authentication request to a default site or a custom site, the authentication request managed through a site manager based on the identified presence of the site ID in the database of the farm. The method may also include routing traffic from the tenant to the farm in response to satisfaction of the authentication request.