Patents Examined by Fatoumata Traore
  • Patent number: 10701090
    Abstract: A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to an other MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: June 30, 2020
    Assignee: Illumio, Inc.
    Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Thukalan V. Verghese
  • Patent number: 10691793
    Abstract: Example embodiments provide for secure storage and accessing of confidential information by a distributed system and for securely executing a function of the distributed system. Responsive to processing a function request identifying a function of the distributed system by a node computing entity, application program code corresponding to the function is accessed within a trusted execution environment. Based on data stored in a secure ledger maintained by the distributed system, the application program code is executed to generate a result within the trusted execution environment. A new entry comprising the result is generated and at least a portion thereof is encrypted using an encryption key within the trusted execution environment. The encrypted new entry is posted to the secure ledger.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: June 23, 2020
    Assignee: ALPHAPOINT
    Inventor: Giuseppe Ventura
  • Patent number: 10678958
    Abstract: Intrusion-protected memory-containing assembly including a substrate, a data storage component and processor on the substrate, and a chassis intrusion detector assembly around the substrate. The chassis intrusion detector assembly includes a first plastic film, a mesh including conductor wires arranged on the first plastic film, and a second plastic film covering the mesh. The conductor wires are connected together in a single circuit with the processor to form a single transmission line. The second plastic film has sealed edges integrated with the mesh such that the edges are inseparable without breaking one of the conductor wires of the mesh. The processor takes action to prevent access to data in the data storage component upon detecting a variance in current through or impedance of the transmission line defined by the conductor wires caused by breaking of one of the conductor wires, e.g., causes the data storage component to self-destruct.
    Type: Grant
    Filed: October 25, 2017
    Date of Patent: June 9, 2020
    Assignee: Intelligent Technologies International, Inc.
    Inventors: David S Breed, Wendell C Johnson, Wilbur E DuVall
  • Patent number: 10673878
    Abstract: Aspects provide for an automated computer security apparatus. A first sequential action data set of different actions performed sequentially in engaging a computer system to execute a data operation on the computer system is categorized as a normal or abnormal operation. Actions of the first sequential action data set and of another (second) sequential action data set of different actions having the same normal or abnormal category of the first set are randomly selected and combined to generate a random sequential action data set for the common category of the first and second sequential action data sets, to define a sequential order of actions performed sequentially in engaging the computer system to execute a random set data operation on the computer system.
    Type: Grant
    Filed: May 19, 2016
    Date of Patent: June 2, 2020
    Assignee: International Business Machines Corporation
    Inventor: Guruvishnuvardan Mounaguruswamy
  • Patent number: 10671729
    Abstract: Provided is an adaptive dynamic analysis method, an adaptive dynamic analysis platform and a device equipped with the same. The adaptive dynamic analysis method for an application running in a container environment of a Linux host includes stopping execution of a first activity of the application, and acquiring analysis information for malicious code diagnosis of the application, conducting dynamic analysis using the analysis information, acquiring environment information to execute a second activity based on the dynamic analysis, and performing an execution environment update of the application by reflecting the environment information, and executing the application to enable the second activity to run.
    Type: Grant
    Filed: January 30, 2018
    Date of Patent: June 2, 2020
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Souhwan Jung, Ngoc-Tu Chau, Jungsoo Park
  • Patent number: 10673827
    Abstract: A request is received by a provider network from a requestor for data associated with a customer of the provider network. The data is not stored at the provider network, and the request includes a first encryption key. The provider network verifies that the requestor is authorized to request data from the customer of the multi provider network. The provider network sends information pertaining to the requested data to the customer. The provider network also sends the identity of the requestor and the first encryption key. The provider network sends, to the requestor, data that is encrypted, and a decryption key for decrypting the encrypted data.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: June 2, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Earl Robert Kinney, III, Stefano Buliani, Atanas Ivanov Ivanov
  • Patent number: 10652245
    Abstract: Methods and apparati for permitting Computing Devices 200 to safely accept Payloads 220 from External Access Entity Devices 260, and to safely access external Networks 710. In an apparatus embodiment, a Computing Device 200 contains an Access Control Module 210 comprising an Access Verification Public Key 211 and a Device Signature Key 214. The Access Control Module 210 is configured to verify authorization of an External Access Payload 220 by verifying a digital signature affixed to the Payload 220 using the Access Verification Public Key 211. The authorized External Access Payload 220 is then permitted to execute on the Computing Device 200. The Access Control Module 210 is also configured to receive from a Network Access Device 600 information associated with a Network 710 access request, and to create a plurality of digital signatures, using the Device Signature Key 214, that link said information associated with the Network 710 access request with the Access Verification Public Key 211.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: May 12, 2020
    Inventor: Ernest Brickell
  • Patent number: 10644890
    Abstract: The disclosed technology for a hardware system to access a secure backend system uses non-volatile memory to hold encrypted secrets, volatile memory to hold decrypted secrets ready for use, a keys-for-all (K4A) server, and app servers running K4A clients. To access the backend system in production, each app server uses a decrypted secret and a certificate that identifies the app server and certifies its role and physical and logical location. At initialization of the app server, a K4A client is instantiated that launches and tracks processes, running on the app server, that are authorized to request decryption services. The K4A client responds to a decryption request from an authorized process, determined based on tracking of processes launched, by requesting decryption by a K4A server, using the certificate, and returns to the process, in volatile memory, a decrypted secret or a reference to the decrypted secret, decrypted by the K4A server.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: May 5, 2020
    Assignee: salesforce.com
    Inventors: Prasad Peddada, Ryan Guest, Jonathan Brossard, Travis Emmert
  • Patent number: 10637649
    Abstract: Methods for a server include defining a starting element and an element step size. A pad mapping is applied to a data Random Cipher Pad (RCP) to obtain a Key RCP using each element of the Data RCP once in a predetermined non-sequential order. The starting element and the element step size are combined with the Data RCP. The Data RCP is encrypted using the Key RCP to produce a subsequent Data RCP. The subsequent Data RCP is transmitted to another computer. Methods for clients include applying a pad mapping to a Data RCP to obtain a Key RCP using each element of the Data RCP once in a predetermined non-sequential order to develop the Key RCP. The Key RCP is encrypted using the Data RCP to produce a subsequent Key RCP. A data structure is encrypted using the Data RCP to produce an encrypted data structure.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: April 28, 2020
    Assignee: 7Tunnels, Inc.
    Inventors: Michael L. Hammon, Kevin R. McCarthy
  • Patent number: 10638317
    Abstract: Provided is a processing device, including: a processing unit configured to perform an authentication process of authenticating a communication target device through communication of a first communication distance and perform a communication-based process with the authenticated communication target device through communication of a second communication distance shorter than the first communication distance.
    Type: Grant
    Filed: June 5, 2015
    Date of Patent: April 28, 2020
    Assignee: SONY CORPORATION
    Inventor: Yu Hamada
  • Patent number: 10628615
    Abstract: An integrated circuit (IC) provisioned for asset protection has a primary circuit portion, such as a microprocessor or system-on-chip, that can be selectively disabled and enabled via an operability control input. The IC includes a secure register to store lock state indicia and unlock criteria, where a signal at the operability control input is responsive to the lock state indicia. In operation, a firmware data store receives and stores firmware code that includes a lock/unlock command, and firmware data that includes an unlock key. An authorization module verifies authenticity of the firmware code. A lock/unlock (LUL) module is operative to write lock state indicia to the secure register based on the lock/unlock command only in response to a positive verification of the authenticity of the firmware code by the authorization module, and to write lock state indicia to the secure register.
    Type: Grant
    Filed: May 21, 2018
    Date of Patent: April 21, 2020
    Assignee: Intel Corporation
    Inventors: Ramamurthy Krithivas, Donald C. Soltis, Jr., Bradley Burres
  • Patent number: 10613938
    Abstract: Computerized systems and methods are provided for data virtualization using copy data tokens. A data token is stored that defines attributes associated with copy data, including source data, transformation data, and access data for the copy data. The access data is indicative of a set of access settings for the copy data that define how an instance of the copy data is to be created for the user, and a set of access permissions for the copy data that define an access level for the user for the copy data that defines how much of the copy data the user can access. The data token is transmitted to a remote computer storing the copy data based on the source data in the data token. A copy of the copy data that was generated based on the preparation information and the access data is received.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: April 7, 2020
    Assignee: Actifio, Inc.
    Inventors: Steven M. Blumenau, James Sullivan, Christopher Murphy
  • Patent number: 10607006
    Abstract: There is disclosed a system for monitoring the security of a target system (110) with a circuit (120), the target system (110) comprising at least one processor (111) and wherein: the circuit (120) comprises a finite-state machine (122) configured to receive data from one or more sensors (130) distributed in the target system (110), at least one sensor (1303) being located on the processor (111) of the target system (110); the finite-state machine (122) is configured to determine a state output in response to data received from sensors (130); the system monitoring the security based on said state output. Developments describe the use of a self-alarm mechanism comprising an encoder to encode states with redundancy, the application of an error correction code, comparisons with predefined valid encoded states, the triggering of an alarm to the processor, the determination of actions and/or retroactions on sensors and/or diagnostics and countermeasures.
    Type: Grant
    Filed: July 27, 2017
    Date of Patent: March 31, 2020
    Assignee: SECURE-IC SAS
    Inventors: Jean-Luc Danger, Sylvain Guilley, Thibault Porteboeuf
  • Patent number: 10594697
    Abstract: Systems and methods are disclosed for collaborative authentication of a person based on an interaction with another person. A request for collaborative authentication is sent to the computing device of a person wanting to access a system, including an authentication ID unique to the request. The person collaborates with another person associated with the system and provides the second person with the authentication ID. The second person sends the authentication ID to the system such that the system associates the second person with the first person. Data is sent to the second person in order to challenge the first person. The first person responds to the challenge using the computing device and the system receives the response. The system compares the response to an expected answer and can either allow or deny the first person access to the system based on the comparison. Co-location may also be verified.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: March 17, 2020
    Assignee: OPEN TEXT SA ULC
    Inventor: Simon Dominic Copsey
  • Patent number: 10587627
    Abstract: Application of streaming machine learning clustering algorithms enables finding clusters of messages (P2P text messages, WHATSAPP, tweets) sharing the same content. Such clusters may be analyzed for finding out offensive messages, unwanted or spam messages, and rumors and take corrective actions as needed. The solution enables visualization of data and/or messages and identification of clusters as the solution works on the data and aggregates data into clusters over time intervals. Corrective actions may be applied on selected clusters based on visualized data clusters or by automated application of defined rules.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: March 10, 2020
    Assignee: Syniverse Technologies, LLC
    Inventor: Ramakanth Vallur
  • Patent number: 10581918
    Abstract: A device secures open authorization (OAuth) resources according to systems described herein. In some instances, a resource server is configured for receiving a request for authorization from a client device. The request, for authorization to use a requested resource, may include a token having at least one claim. The resource server may interpret data of the token according to a domain specific language. The interpreting may obtain at least one rule associated with the at least one claim from among a range of resource access control rules. The rule may be compared against a resource request and operation. Based on the comparison, the request may be allowed or rejected. In one example, interpretation of the token may decode resources including quantities and combinations of uniform resource identifiers (URIs) claimed by the token using a domain specific language defined by a context-free grammar.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: March 3, 2020
    Assignee: Itron, Inc.
    Inventors: Jeffrey Scott Bailey, Elliott Edwards, John Andrew Laughlin, Rylan Herdt
  • Patent number: 10581825
    Abstract: Certain aspects involve facilitating the integration of sensitive data from a data provider into an instance of a web-based, third-party application. For example, a data provider service can receive an authentication API call from a third-party system. The authentication API call can include a user identifier and a request for an access token usable by a web-based interface of the third-party system. The data provider service can generate an access token for the third-party system from which the authentication API call is received. The data provider service can subsequently receive, from the user device, a feature API call including the access token and a feature request for sensitive data. The data provider service can generate output data specific to the user identified by the access token included in the feature API call. The data provider service can provide the output to the user device via the web-based interface.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: March 3, 2020
    Assignee: EQUIFAX INC.
    Inventors: Timothy G. Poschel, Ryan Petersen, Josh Hanson
  • Patent number: 10582380
    Abstract: Methods And Apparatus For Direct Communication Key Establishment. Methods (100, 200, 300) and apparatus (400, 500, 600, 700, 800, 900) are disclosed for establishing a key for direct communication between a User Equipment device, UE, and a device. The methods and apparatus cooperate to form a system for securing direct communication between a UE and a device over an interface. The system comprises a UE (20), a device (30) and a Direct Communication Element (40). The Direct Communication Element (40) is configured to obtain a shared session key and Generic Bootstrapping Architecture Push Information, GPI, to derive a direct communication key from at least the shared session key, and to send the direct communication key and the GPI to the device (30). The device (30) is configured to send the GPI to the UE (20). The UE (20) is configured to derive the shared session key from at least the GPI and to derive the direct communication key from the shared session key.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: March 3, 2020
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Lehtovirta, Monica Wifvesson
  • Patent number: 10575341
    Abstract: A communication system includes: a terminal device; and a communication device. The communication device includes: a first communication unit configured to perform communication with the terminal device through first wireless communication based on connection information; a second communication unit configured to perform communication via a network; and a connection control unit configured to permit the terminal device, which performs communication with the first communication unit based on the connection information, to connect to the network via the second communication unit.
    Type: Grant
    Filed: July 28, 2016
    Date of Patent: February 25, 2020
    Assignee: Ricoh Company, Ltd.
    Inventor: Kiwamu Watanabe
  • Patent number: 10558203
    Abstract: Equipment (300) is controlled and/or managed by EMS (200) by exchanging, with the EMS (200), a message configured to comply with a predetermined communication protocol through a network. The equipment (300) comprises a controller (330) that determines to execute a process requested by a request message requesting execution of the process on the equipment (300) when the request message is received from the EMS (200) and the request message includes predetermined authentication information.
    Type: Grant
    Filed: March 19, 2014
    Date of Patent: February 11, 2020
    Assignee: KYOCERA Corporation
    Inventors: Takashi Miyake, Takeshi Yamane