Abstract: Distributed storage of a file in edge storage devices that is resilient to eavesdropping adversaries and Byzantine adversaries. Approaches include a cost-efficient approach in which an authorized user has access to the content of all edge storage nodes. In this approach, key blocks and file blocks that are masked with key blocks are saved in the edge storage nodes. Additionally, redundant data for purposes of error correction are also stored. In turn, upon retrieval of all blocks, errors introduced by a Byzantine adversary may be corrected. In a loss resilient approach, redundant data is stored along with masked file partitions. Upon retrieval of blocks from the edge storage nodes, a unique approach to solving for the unknown file partition values is applied with identification of corrupt nodes based on an average residual error value for each storage node.

Abstract: Embodiments may provide distance computations on homomorphic and/or functional encrypted vectors while detecting whether the resulting distance has wrapped around due to the vectors having elements not in an allowed range. A method of user authentication processing may comprise receiving and storing enrollment information from a client computer system, the enrollment information comprising a template of authentication data and at least one additional encrypted vector, receiving an additional template to be used to authenticate the user from the client computer system, authenticating the user using the received additional template using the stored template and the stored at least one additional encrypted vector, and determining that authentication is successful when the received additional template matches the stored template and is valid based on the stored at least one additional encrypted vector.

Abstract: A method for preventing image modification, an image capturing device and an image verification method are disclosed. The image modification method includes: processing a compressed image of at least one frame to obtain feature data of the compressed image of the at least one frame; encrypting the feature data to generate a checksum; generating supplemental enhancement information, which at least includes a time parameter and the checksum; and transmitting and/or storing the supplemental enhancement information and the compressed image of the at least one frame together so as to verify authenticity of the compressed image of the at least one frame by using the supplemental enhancement information. The time parameter is a counter value of a counter in the image capturing device and the counter value continuously increases. With the above method, authenticity of image data can be verified.

Abstract: A method for identifying suspicious activity on a monitored computing device is described. In one embodiment, the method may include monitoring a local procedure call interface of the monitored computing device, identifying, based at least in part on the monitoring, a remote procedure call (RPC) of a suspicious process, the RPC being transmitted over a local procedure call message of the local procedure call interface, analyzing the RPC of the suspicious process, and performing a security action based at least in part on the analyzing.

Abstract: A Zero Knowledge Proof (ZKP)-based privacy protection method and system for authenticated data in a smart contract wherein initialization is performed. Inputting a security parameter obtains a public parameter. A Data Authenticator (DA) generates a public/private key pair. A key pair is generated using the public parameter and a verification circuit as inputs, the key pair including a proof and a verification key. Authentication on private data of a Decentralized App (DApp) User (DU) is performed using the private key of the DA, and generates a signature. A DU prover terminal inputs private data as an input value and a calculation result and hash value as output values. The DU generates a ZKP using the proof key. A validator verifies whether the ZKP is correct. If verification passes, the calculation result is correct; otherwise the calculation result is wrong. The validator executes a smart contract based on the verification result.

Abstract: Distributed storage of a file in edge storage devices that is resilient to eavesdropping adversaries and Byzantine adversaries. Approaches include a cost-efficient approach in which an authorized user has access to the content of all edge storage nodes. In this approach, key blocks and file blocks that are masked with key blocks are saved in the edge storage nodes. Additionally, redundant data for purposes of error correction are also stored. In turn, upon retrieval of all blocks, errors introduced by a Byzantine adversary may be corrected. In a loss resilient approach, redundant data is stored along with masked file partitions. Upon retrieval of blocks from the edge storage nodes, a unique approach to solving for the unknown file partition values is applied with identification of corrupt nodes based on an average residual error value for each storage node.

Abstract: Embodiments relate to a system, program product, and method for use with a computer platform to support privacy preservation. The platform measures and verifies data privacy provided by a shared resource service provider. An assessment is utilized to support the privacy preservation with respect to a data steward, and associated shared data. It is understood that data associated with a data service has an expected level of privacy. A privacy score directly correlating to a leakage indicator of the service is formed, and an associated data container is populated with inferred entities deemed to at least meet a preferred privacy level. The privacy score effectively certifies the security of the populated data container.

Abstract: Preventing Transport Layer Security session man-in-the-middle attacks is provided. A first security digest generated by an endpoint device is compared with a second security digest received from a peer device. It is determined whether a match exists between the first security digest and the second security digest based on the comparison. In response to determining that a match does not exist between the first security digest and the second security digest, a man-in-the-middle attack is detected and a network connection for a Transport Layer Security session is terminated with the peer device.

Abstract: Techniques to facilitate passive detection of forged web browsers are disclosed herein. In at least one implementation, web traffic between a web server and a client is monitored, and a hypertext transfer protocol (HTTP) header transmitted by the client is processed to determine a type of web browser associated with the client. Attribute data points for the client are generated based on fields in the HTTP request header transmitted by the client and connection behavior of the client with the web server. The attribute data points for the client are then compared with predetermined attribute data points for the type of web browser associated with the client to determine if the client is a genuine web browser of the type of web browser associated with the client.

Abstract: A system and associated methods for the detection of anomalous behavior in a system. In some embodiments, time-series data that is obtained from the system (such as log data) may be used as an input to a process that converts the data into greyscale values. The greyscale values are used to construct an “image” of the system operation that is used as an input to a convolutional neural network (CNN). The image is used to train the neural network so that the neural network is able to recognize when other input “images” constructed from time-series data are anomalous or otherwise indicative of a difference between the prior (and presumed normal or acceptable) and the current operation of the system.

Abstract: Users are authorized to access tagged metadata in a provider network. A revision control and binding mechanism may be applied to tagged metadata that is added or modified by the user. A recommendation pertaining to security and compliance for the computing resource may be determined based on an analysis of the computing resource, scoring criteria, and data pertaining to customer and system data.

Abstract: Disclosed embodiments relate to systems and methods for analyzing and addressing least-privilege security threats on a composite basis. Techniques include identifying a permission associated with a secured resource, identifying attributes associated with the permission, weighting the attributes, and, based on the attributes and their weights, creating a normalized score corresponding to the risk presented by the permission. Further techniques include identifying attributes associated with the secured resource, identifying special risk factors, and creating weighted scores based on the resource attributes and special risk factors. Other techniques include aggregating the weighted scores and using the weighted scores to identify insecure areas within the system.

Abstract: Transparently identifying users using a shared VPN tunnel uses an innovative method to detect a user of a shared VPN tunnel, after authenticating the user, using an assigned userid (that may be a virtual IP). The virtual IP is used as a cookie in each request made by the user. This cookie is an authentication token used by the gateway to detect the user behind a specific request for an Internet resource (such as an http/s request). The cookie is stripped by the gateway so the cookie is not sent to the resource.

Abstract: The present invention relates to an ACME centralized management system and a load balancing method thereof. The system is connected with an ACME client and a plurality of certificate authorities (CAs) respectively and comprises an ACME unloading module, and a statistics module, a strategy module, a verification module and a notification module which are connected with the ACME unloading module respectively. The ACME unloading module is in communication with the ACME client and the plurality of certificate authorities (CAs). Compared with the prior art, the present invention has the advantages of avoiding frequent verification, quickly issuing certificate copies, more efficiently issuing certificates, etc.

Abstract: Systems and methods are described for performing blockchain validation of user identity and authority. In various aspects one or more processors receive a first blockchain ID and a second blockchain ID, where each of the first blockchain ID and the second blockchain ID is associated with a user and is further associated with a first and second blockchain, respectively. A plurality of blockchain transactions may be aggregated where the plurality of blockchain transactions includes at least a first blockchain transaction associated with the first blockchain and a second blockchain transaction associated with the second blockchain. A first validation event providing a first indication of validity for the user may be identified based on the first blockchain transaction or the second blockchain transaction.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for claim verification. One of the methods includes: receiving, from a first entity, a request for verifying a verifiable claim (VC) that comprises a digital signature; obtaining, based on the VC, a public key associated with a second entity; determining that the digital signature is created based on a private key associated with the public key; and verifying the VC based on the determination.

Abstract: According to an aspect of the present disclosure, SATA bridges in cascade connection and storage devices connected beyond the SATA bridges are identified. A setting of the operation mode of each of the SATA bridges is performed in accordance with a connection configuration of the SATA bridge and the storage device.

Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.

Abstract: In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, the method determines whether a time bucket is complete or open based on the updated probability distribution model.

Abstract: Information is identified as sensitive and a lapsed time job (Chron Job) is created that will allow the deletion of sensitive information after a period of time. The interval could be set to be longer than vacation or other planned use, and yet short enough to limit the period where risk to the organization or individual is incurred. The Chron Job could be integrated with the user's calendar, such that the Chron Job considers holiday time as a means of delaying execution of the Chron Job which would allow a shorter interval to be selected. In addition to deletion of the information identified as sensitive, additional steps could also be taken, such as the purging of the recycle bin, modification of the FAT, and optionally the deletion of related information. Once information is identified as sensitive, the information and derivative works are tracked and managed.