Abstract: The technology disclosed herein enables a computing device to use a trusted execution environment to retrieve protected content from mutually-untrusted devices. An example method may include: establishing, by a processor, a trusted execution environment in a computing device, wherein the trusted execution environment uses memory encryption and comprises executable code; providing, by the processor, attestation data to a set of computing devices, the attestation data representing the executable code in the trusted execution environment; receiving, by the processor, cryptographic key data from the set of computing devices; and causing, by the processor, the executable code to execute in the trusted execution environment and to initiate an operation using the cryptographic key data.

Abstract: A cloud infrastructure is configured and deployed for managing services executed on a cloud platform. The cloud infrastructure includes a control datacenter configured to communicate with one or more service datacenters. The service datacenter deploys one or more application programming interfaces (API's) associated with a service. The service datacenter also deploys an administration agent. The control datacenter hosts an engine that receives requests from users to perform administration operations by invoking the administration API's. In this manner, the control datacenter functions as a centralized control mechanism that effectively distributes administration operation requests as they are received from users to service datacenters that can service the requests. The cloud infrastructure provides an auditable, compliant and secure management system for administering services for distributed systems running in the cloud.

Abstract: A consent block is a type of block that may be stored in a blockchain. Each consent block has an owner and may store an owner consent contract, i.e., a smart contract containing owner-specified access rules that determine who may access data assets that are stored in other blocks of the blockchain and owned by the same owner. The consent block may alternatively store a global consent contract containing global access rules that supersede owner-specified access rules. The consent block also stores a hash value determined from the consent contract and a previous hash value of the block immediately preceding the consent block. The consent contract and the position of the consent block in the blockchain are verifiable from the hash value. Each consent block, once added to the blockchain, becomes part of the immutable record of data stored in the blockchain, and therefore leaves an auditable trail.

Abstract: Cloud services intelligently provision new VMs for a VM scale set when the original label that included the OS or other software images used to provision existing VMs of the VM scale set is no longer available or has been changed. Metadata of the existing VMs are analyzed to identify an OS image or other software image used to provision the existing VMs. The metadata also reveals updates that are running on the new VMs. These updates include software that was not part of the original label used to provision the existing VMs and are used to find the second label in a label database. The second labels include the OS or software of the existing VMs—or a later version thereof—and some portion of the updates. A VM-provisioning service uses the second label to provision the new VM.

Abstract: An illustrative method includes determining that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold; determining a first compressibility metric associated with the write traffic; determining a second compressibility metric associated with the read traffic; determining, based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic; determining, based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat; and modifying, in response to the determining that the storage system is possibly being targeted by the security threat, a data protection parameter set for one or more recovery datasets generated by the storage system.

Abstract: A testing device (10) transmits a test packet that increases processing load to a device protected by a security system, the security system performing authentication of a packet transmitted to a to-be-protected device and a packet limit per source IP address. In addition, the testing device (10) generates a test session according to a scenario when transmitting the test packet and configures a packet so that the test packet uses a plurality of source IP addresses. In addition, the testing device (10) responds to a response request up to a predetermined stage of authentication among a plurality of stages of authentication performed by the security system so that the security system authenticates the test packet to be valid. In addition, the testing device (10) monitors, at a predetermined stage, packet filtering situation and processing load of the security system to which the test packet is transmitted.

Abstract: Blockchain environments may mix-and-match different encryption, difficulty, and/or proof-of-work schemes when mining blockchain transactions. Each encryption, difficulty, and/or proof-of-work scheme may be separate, stand-alone programs, files, or third-party services. Blockchain miners may be agnostic to a particular coin's or network's encryption, difficulty, and/or proof-of-work schemes, thus allowing any blockchain miner to process or mine data in multiple blockchains. GPUs, ASICs, and other specialized processing hardware components may be deterred by forcing cache misses, cache latencies, and processor stalls. Hashing, difficulty, and/or proof-of-work schemes require less programming code, consume less storage space/usage in bytes, and execute faster. Blockchain mining schemes may further randomize byte or memory block access, further improve cryptographic security.

Abstract: A cloud-native global file system, in which one or more filers are associated with a volume of a versioned files system in a private, public or hybrid cloud object store, is augmented to include a rapid ransomware recovery service. Upon detecting a ransomware attack associated with one or more files or directories of the volume, read and write access to the volume is restricted. A recovery filer is then activated or designated in the cloud. A restore operation is then initiated at the recovery filter. Following completion of the restore operation, a new clean (healthy) snapshot of the volume is then created using the recovery filer For any filer other than the recovery filer, a determination is made whether the filer has completed a merge operation with respect to the new clean snapshot. If so, read and write access to the volume is re-enabled from that filer.

Abstract: Generally, systems and methods for securely establishing data transfer, storage, and execution are presented. The system may comprise a computing device that comprises at least one programmable integrated circuit. The programmable integrated circuit may comprise multiple independently loadable partitioned segments. A first partitioned segment of the programmable integrated circuit may comprise one or more factory-installed secrets in the form of data, wherein the factory-installed secrets may be configured to convert data from an untranslated state to a translated state, and vice versa. A second partitioned segment may comprise storage-at-rest data for at least one authenticable user of the computing device. The computing device may comprise at least one storage medium that comprises data, including data comprising one or more boot instructions for the computing device, that may be in an untranslated state.

Abstract: A method at a computing device within an Intelligent Transportation System, the method comprising: determining, at the computing device, whether a short-term certificate is available to sign a message; if the short-term certificate is available, signing the message with a private key associated with the short-term certificate; if the short-term certificate is not available, signing the message with a private key associated with a long-term certificate; and sending the message to a recipient.

Abstract: Aspects described herein relate to securely performing cross-boundary backup operations. A service of a computing resource service provider may enable backup operations between a source account and a destination account of an organization based at least in part on a security policy allowing such operations.

Abstract: The present disclosure includes a method for processing distributed data. In the method, the distributed data of a first main body is obtained. The distributed data has a transfer identifier. The distributed data is transferred, in response to a second main body different from the first main body, to a management address based on the transfer identifier when the distributed data meets a first condition. The first condition is that the distributed data includes abnormal information. The distributed data transferred to the management address freezes transfer of the distributed data by the first main body.

Abstract: A computing device comprising a frontend and a backend is operably coupled to a plurality of storage devices. The backend comprises a plurality of buckets. Each bucket is operable to build a failure-protected stripe that spans two or more of the plurality of the storage devices. The frontend is operable to encrypt data as it enters the plurality of storage devices and decrypt data as it leaves the plurality of storage devices.

Abstract: Methods and systems are described herein for updating cybersecurity enforcement rules in real-time over disparate computer networks. A rule enforcement system may receive a real-time data stream. The real-time data stream may include real-time communications requiring cybersecurity verification. Real-time data communications are processed through a first rule repository. In response to determining that rule updates to rules within the first rule repository are available, a second rule repository is retrieved and brought online. Previously received real-time communication data is processed with the first rule repository and new real-time communication data is routed to the second rule repository. When previously received real-time communication data has been processed, the first rule repository is disabled.

Abstract: An electronic device includes a communication device electronically communicating with a content presentation companion device operating as a primary display for the electronic device and an augmented reality companion device. One or more sensors detect multiple persons within an environment of the electronic device while the content presentation companion device operates as the primary display for the electronic device. One or more processors automatically log a person operating the augmented reality companion device into the electronic device upon identifying the person operating the augmented reality companion device as being associated an authorized account profile selected from of a plurality of account profiles operable on the electronic device.

Abstract: The disclosure related to methods and associated devices and/or systems for authorising at least one operation associated with a device, the device operating in a communication network, such as a user network, that comprises a plurality of devices communicatively coupled to a server computer, such as a control server. The disclosed method comprises generating a data model based on a plurality of patterns of actions for one or more devices among the plurality of devices. The data model is configured to detect and/or store at least one regular pattern of actions for each device among the one or more devices, each action corresponding to an operating state of the device. The disclosed method comprises receiving a request for an operation associated with a first device among the plurality of devices and determining if the received request satisfies a first criterion, the first criterion being based on or associated with the data model.

Abstract: Ransomware attack (RWA) detection is performed during an incremental or differential backup of a system of folders or directories of a computer or network of computers via an electronic network. The RWA detection includes processing incremental or differential backup metadata acquired during the incremental or differential backup to determine whether a RWA alert is issued. RWA remediation is performed at least in part on the RWA alert being issued. The RWA alert may be issued based on processing of the incremental or differential backup metadata to identify candidate new files and candidate deleted files in which the candidate new files are candidates for being encrypted copies of the candidate deleted files. RWA alert criterion may be based on counts of new versus deleted files in a folder or directory, and comparison of file sizes of the new versus deleted files.

Abstract: A technique for controlling cryptographic document protection and verification is presented. In one implementation, a device is associated with a device identifier and with a cryptographic key is configured to obtain an electronically processable document representation (EPDR) of content of a document that is to be protected and to apply the cryptographic key to the EPDR to obtain a cryptographically processed document representation (CPDR). The device is further configured to transmit the device identifier and a verification parameter comprising at least one of the EPDR and the CPDR towards a transaction server that is configured to log the device identifier and the verification parameter in a tamper-proof manner. The device is also configured to receive a transaction identifier associated with the device identifier and the verification parameter from the transaction server, and trigger printing of the transaction identifier and the CPDR on a physical document that corresponds to the EPDR.

Abstract: A method implemented by an onboard avionics computer for executing a plurality of binary codes that are associated with a plurality of sets of metadata, wherein: the plurality of binary codes and the plurality of metadata are hierarchized into a number of levels at least equal to two; a first binary code, of a level, is associated with a first set of metadata of the level, and a second binary code of a lower level, itself associated with a second set of metadata of the lower level; the first set of metadata comprises a data signature, the data comprising at least a first message digest associated with the first binary code, and the second set of metadata comprises a public key; the method comprising the execution, by the second binary code, of the following steps: applying a hash function to obtain a second message digest of the first binary code; decrypting the signature using the public key to obtain the first message digest; authorizing the execution of the binary code, if and only if the first message dig

Abstract: A method of selecting a distributed framework includes identifying, by a selection device coupled to a memory, at least a first cryptographic evaluator of a plurality of cryptographic evaluators, wherein identifying the at least a first cryptographic evaluator further comprises and evaluating a secure proof generated by the at least a first cryptographic evaluator, and identifying the at least a first cryptographic evaluator as a function of the secure proof, assigning, by the selection device, a confidence level of the at least a first cryptographic evaluator, and selecting, by a selection device, a distributed framework from the plurality of cryptographic evaluators as a function of the confidence level, and assigning a task to the distributed framework.