Abstract: Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.
Abstract: Systems and methods for protecting private data behind a privacy firewall are disclosed. A system for implementing a privacy firewall to determine and provide non-private information from private electronic data includes a data storage repository, a processing device, and a non-transitory, processor-readable storage medium. The storage medium includes programming instructions that, when executed, cause the processing device to analyze a corpus of private electronic data to identify a first one or more portions of the data having non-private information and a second one or more portions of the data having private information, tag the first one or more portions of the data as allowed for use, determine whether the second one or more portions of the data includes non-private elements, and if the second one or more portions of the data comprises non-private elements, extract the non-private elements and tag the non-private elements as information allowed for use.
Abstract: A security question generation instruction is sent by a server to a user device. A reference picture is received at the server from the user device, where the reference picture is generated by the user device based on the security question generation instruction. A number of confusion pictures corresponding to the reference picture are determined by the server. A security question is generated by the server based on the reference picture and the plurality of confusion pictures.
Type: Grant
Filed: May 24, 2019
Date of Patent: January 5, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Liyun Dong, Na Sun, Xuan Jiang, Shumin Lin, Yuanshen Li
Abstract: Endpoint security is improved by monitoring and controlling interprocess communications through a kernel-based endpoint protection driver. A list of protected computing objects such as registry keys, files, processes and directories is stored in the kernel and secured with reference to a trust authority external to the kernel and the endpoint. Protected processes are further controlled from unauthorized access and use by monitoring all interprocess communications through the endpoint protection driver and preventing unprotected processes from passing (potentially unsafe) data to protected processes.
Abstract: In one embodiment, an apparatus comprises a first processor to generate a first cryptographic key in response to a request from a software application; receive a second cryptographic key generated by a second processor; encrypt the first cryptographic key using the second cryptographic key; and provide the encrypted first cryptographic key for use by the software application.
Abstract: A technique to manage members of a group of decoders having access to broadcast data, each group member sharing a common broadcast encryption scheme (BES) comprising the steps of, in a stage for a decoder to become a group member, receiving keys pertaining to the position in the group according to the BES, receiving a current group access data comprising a current group access key, and in a stage of accessing broadcast data, using the current group access data to access the broadcast data, and in a stage of renewing the current group access key, sending a first group message comprising at least a next group access key encrypted so that only non-revoked decoders can access it, said group message being further encrypted by the current group access key, updating the current group access key with the next group access key.
Abstract: In a method for operating a node in a blockchain network, a node in the network automatically determines whether a new block has been committed to a blockchain in the network. In response to determining that the new block has been committed, the node automatically uses a block identifier for the new block to generate a prestochastic timing value. Also, the node automatically uses the prestochastic timing value to determine whether to trigger a contingent operation. For instance, the node may automatically use a function that is both prestochastic and deterministic to determine a current expiration value for the node, and the node may use the current expiration value to determine whether registration for the node should be renewed. The node may automatically send a re-registration request to the blockchain network in response to a determination that registration for the node should be renewed. Other embodiments are described and claimed.
Abstract: Some embodiments described herein include a method to validate supply chains for electronic devices using side-channel information in a signature analysis. The method includes sending, to a target device, a first signal associated with a set of codes to be executed by the target device, and then receiving first side-channel information associated with the target device in response to the target device executing the set of codes. The method also includes determining second side-channel information associated with a simulated device in response to the set of codes. The method further includes comparing a discriminatory feature of the first side-channel information with a discriminatory feature of the second side-channel information to determine a characteristic of the target device based on a pre-determined characteristic of the simulated device. Finally, the method includes sending, to a user interface, a second signal associated with the characteristic of the target device.
Type: Grant
Filed: December 2, 2016
Date of Patent: December 22, 2020
Assignee: Power Fingerprinting Inc.
Inventors: Carlos R. Aguayo Gonzalez, Jeffrey H. Reed, Steven C. Chen
Abstract: A method for enabling a user to define a Life Based VR experience to align with the user's life. The user and partners provide custom information and settings about the user's life state which allows the user to integrate information to the Life Based VR experience. The partners may use the user's information to integrate its information, which is then interacted with in a Life Based VR experience by a user, according to various custom VR parameters. The partners may also use the user's interactions with the Life Based VR experience to assess behavior as compared to the user's life state, and the users may assess the partner's accuracy of information delivery when compared to the user's life state. The method also enables the user and partner to interact in a marketplace to procure the information relating to the user's life, user ratings, and partner ratings.
Abstract: A shared database platform implements dynamic masking on data shared between users where specific data is masked, transformed, or otherwise modified based on preconfigured functions that are associated with user roles. The shared database platform can implement the masking at runtime dynamically in response to users requesting access to a database object that is associated with one or more masking policies.
Abstract: A method for enabling a user to customize, prioritize, and view information filtered to align with the user's life state that includes interaction with an online market place in a virtual reality environment. The user uses a virtual reality environment to provide priority, positioning, and custom information about the user's life state, which allows the user to view information in a life view. The partners may access the information by way of a virtual reality environment and use the information about the user's life to filter its information according to the information about the user's life, which is then viewed in a life view by a user in a virtual reality environment, according to the user defined positioning, prioritization, and other custom parameters. The method also enables the user to view partner and user participation in a marketplace to procure the information about the user's life according to the user's behavior.
Abstract: Various embodiments of the invention disclosed herein provide techniques for mitigating a distributed denial of service (DDoS) attack on a targeted computer system. A border gateway protocol (BGP) controller receives, via a first router, a BGP message that includes an indicator indicating that a computer system associated with the first router is under a DDoS attack. In response to receiving the BGP message, the BGP controller performs one or more operations to mitigate the DDoS attack. As a result, the time between detection of a DDoS attack and mitigating the attack is reduced relative to prior approaches. After receiving the BGP message indicating a DDoS attack is in progress, the DDoS attack mitigation platform automatically takes steps to mitigate the DDoS attack without further manual intervention. Consequently, the targeted computer system recovers more quickly and begins to respond to legitimate network requests sooner relative to prior approaches.
Type: Grant
Filed: September 22, 2016
Date of Patent: December 1, 2020
Assignee: VERISIGN, INC.
Inventors: Ramin Ali Dousti, Frank Scalzo, Suresh Bhogavilli
Abstract: In a network including a plurality of computing resources associated with an enterprise, an identity is established for each of the computing resources in accordance with a decentralized identity management system maintained in accordance with a distributed ledger. The plurality of computing resources is managed in association with the distributed ledger, wherein managing comprises the enterprise posting one or more commands on the distributed ledger to enable one or more of the plurality of computing resources to obtain the one or more commands. In one non-limiting example, the computing resources are part of a geographically distributed IT infrastructure associated with the enterprise.
Abstract: Systems and methods for protecting from external monitoring attacks cryptographic data processing operations involving computation of a universal polynomial hash function, such as GHASH function. An example method may comprise: receiving an input data block, an iteration result value, and a mask value; performing a non-linear operation to produce a masked result value, wherein a first operand of the non-linear operation is represented by a combination of the iteration result value and the input data block, and the second operand of the non-linear operation is represented by a secret hash value, and wherein one of the first operand or the second operand is masked using a mask value; determining, based on the mask value, a mask correction value; and producing a new iteration result value by applying the mask correction value to the masked result value.
Type: Grant
Filed: July 11, 2017
Date of Patent: December 1, 2020
Assignee: Cryptography Research Inc.
Inventors: Elena Trichina, Guilherme Ozari de Almeida, Elke De Mulder
Abstract: A method for securing an IT (information technology) system using a set of methods for knowledge extraction, event detection, risk estimation and explanation for ranking cyber-alerts which includes a method to explain the relationship (or an attack pathway) from an entity (user or host) and an event context to another entity (a high-value resource) and an event context (attack or service failure).
Type: Grant
Filed: October 11, 2017
Date of Patent: December 1, 2020
Assignee: Battelle Memorial Institute
Inventors: Sutanay Choudhury, Khushbu Agarwal, Pin-Yu Chen, Indrajit Ray
Abstract: An information processing system grants an access right to data to a registered user, and includes a receiving unit and a granting unit. The receiving unit receives information on an unregistered user who is to be granted with an access right to specific data. The granting unit grants the access right to the specific data to the unregistered user after the unregistered user has been registered.
Abstract: Some database systems may implement encrypted connections to improve the security of incoming server traffic. The systems may implement the encrypted connections using encryption keys known to both a proxy server and a server (e.g., a database server). For example, a proxy server may encrypt one or more communications between the proxy server and a user device, such as self-identifying information for the user device, using a known encryption key. The user device may, in turn, attempt to establish an encrypted connection with the server using the encrypted communications. Because the encryption key is known to both the server and the proxy server, the server may decrypt the encrypted communications and subsequently establish an encrypted connection with the user device based on the decrypted communications.
Abstract: One or more data storage systems are configured to automatically access a data registration service in response to receipt of a data request associated with a storage user of the one or more data storage systems and a profile of an identity associated with the storage user. The identity profile associated with the storage user comprises one or more policies for storage and access of data associated with the storage user.
Abstract: A secure method for resetting the password for an account is disclosed. During the setup of the account, the user can provide the service provider with a media file, and when the user asks the service provider to reset the password for the account, the user will be prompted with several media files. The user can be asked to identify the media file that the user provided to the service provider at the time of the setup of the account. If the user properly identifies the media file, the password will be reset.
Type: Grant
Filed: November 14, 2018
Date of Patent: November 10, 2020
Assignee: CAPITAL ONE SERVICES, LLC
Inventors: Kate Key, Anh Truong, Jeremy Goodsitt, Kenneth Taylor, Reza Farivar, Mark Watson, Fardin Abdi Taghi Abad, Austin Walters, Vincent Pham
Abstract: Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.