Patents Examined by J. Brant Murphy
  • Patent number: 11218304
    Abstract: Systems and methods for detecting breached user login records in a zero-knowledge architecture. A breach detection module obtains login data that has been breached from breached data sources and service providers. The breached data is hashed with a system key and the breached data hashes are hashed in a hardware security module (HSM) using a hashing method and a non-exportable key. Clients provide user login data that has been hashed using the hashing method by the client device to the breach detection module. The breach detection module hashes the hashed user login data and compares the hashed user login hashes with the hashed breached data hashes and sends a breach alert to the client device if any hashes match.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: January 4, 2022
    Assignee: KEEPER SECURITY, INC.
    Inventors: Craig B. Lurey, Darren S. Guccione
  • Patent number: 11218513
    Abstract: Techniques are disclosed for providing information sharing with enhanced security. In an embodiment, a secure information sharing engine provides secure sharing of data by applying one or more validation rules to the data. When applied to a given portion of the data, the validation rule verifies that the data of the given portion is, in fact, the data that is supposed to be in the given portion. At least one of the validation rules includes a check that a portion of the data contained in multiple fields maintains a relationship between the multiple fields. If the data passes the applied one or more validation rules, the secure information sharing engine allows the sharing of the data. Otherwise, if the data does not pass the one or more applied validation rules, the secure information sharing engine disallows the sharing of the data.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: January 4, 2022
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Kenneth A. Polando, Jr., Michael J. Gale, Tara B. Jennings
  • Patent number: 11212309
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: December 28, 2021
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11212085
    Abstract: Technologies for accelerated key caching in an edge hierarchy include multiple edge appliance devices organized in tiers. An edge appliance device receives a request for a key, such as a private key. The edge appliance device determines whether the key is included in a local key cache and, if not, requests the key from an edge appliance device included in an inner tier of the edge hierarchy. The edge appliance device may request the key from an edge appliance device included in a peer tier of the edge hierarchy. The edge appliance device may activate per-tenant accelerated logic to identify one or more keys in the key cache for eviction. The edge appliance device may activate per-tenant accelerated logic to identify one or more keys for pre-fetching. Those functions of the edge appliance device may be performed by an accelerator such as an FPGA. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: December 28, 2021
    Assignee: Intel Corporation
    Inventors: Timothy Verrall, Thomas Willhalm, Francesc Guim Bernat, Karthik Kumar, Ned M. Smith, Rajesh Poornachandran, Kapil Sood, Tarun Viswanathan, John J. Browne, Patrick Kutch
  • Patent number: 11201893
    Abstract: A system for assessing potential cybersecurity threats to a subject system is provided. The system includes a computer system including at least one processor in communication with at least one memory device. The at least one processor is programmed to: receive a subject system to analyze, determine a potential hazard event associated with the subject system, generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determine an exploitability score for each of the plurality of actions, determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generate a response to the one or more vulnerabilities of the subject system.
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: December 14, 2021
    Assignee: THE BOEING COMPANY
    Inventors: David Thomas Kruse, Benjamin Joseph Steffes, Nathan Mackey, Moon Kim
  • Patent number: 11201857
    Abstract: A domain transcendent file cryptology network includes a first data cryptology node in a first data domain having a first security protocol. A hardware processor of the first data cryptology node executes a first instantiation of a software code to receive a request to transfer a data file from the first data domain to a second data domain having a second, different, security protocol, obtain one or more characteristics of the data file, and generate an authentication tag for the data file based on the characteristic(s). The first instantiation of the software code also encrypts the data file and transmits the encrypted data file, the authentication tag, and a decryption key to a second data cryptology node in the second data domain. The decryption key and the authentication tag enable decryption of the encrypted data file by a second instantiation of the software code on the second data cryptology node.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: December 14, 2021
    Assignee: Disney Enterprises, Inc.
    Inventors: Thomas C. Scott, Matthew D. Estes, Douglas A. Hill
  • Patent number: 11202200
    Abstract: A system and method includes a communication interface configured to transmit a web-based form to an applicant device and receive a selection of the third party to provide data to populate the plurality of fields of the web-based form and an application server that, in conjunction with the communication interface, is configured to perform various steps. It may, in response to receiving the selection, transmit a third-party API call to the selected third party. It may also transmit data indicative of an authentication request associated with the selected third party and receive data indicative of a validated authentication request. It may further request a set of data from the selected third party via the third party API and receive the requested set of data, which includes data for populating a specific data field on the web-based form.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: December 14, 2021
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Christopher Wetzel, Dwij Trivedi, Robert Colenso
  • Patent number: 11194898
    Abstract: This invention relates generally to blockchain implementations and is suited for, but not limited to, use with the Bitcoin blockchain. It can be used for the implementation of automated processes such as device/system control, process control, distributed computing and storage and others. The invention provides a solution which uses a blockchain to control a process executing on a computing resource. In a preferred embodiment, the computing resource, running simultaneously and in parallel to the blockchain, manages a loop-based operation. The computing resource continuously monitors the state of the blockchain as well as any other off-blockchain input data or source. The execution of the loop is influenced by the state of the blockchain. Each iteration of the loop that is executed by the computing resource is recorded in a transaction that is written to the blockchain. It is stored as a hash within the transaction's metadata.
    Type: Grant
    Filed: February 14, 2017
    Date of Patent: December 7, 2021
    Assignee: nChain Holdings Limited
    Inventors: Craig Steven Wright, Stephane Savanah
  • Patent number: 11196741
    Abstract: The implementations provide a method and an apparatus for establishing a trusted cluster. The method is used to form a trusted computing cluster by using N trusted computing units, the method including: grouping the N trusted computing units into a plurality of groups; identifying a first trusted computing unit in each group, and causing first trusted computing units in the plurality of groups to each respectively perform inter-unit trust authentication with other trusted computing units in a same group in parallel; performing inter-group trust authentication between/among the plurality of groups in parallel to obtain the N trusted computing units on which trust authentication succeeds; and propagating secret information in the N trusted computing units on which trust authentication succeeds, so that the N trusted computing units obtain the same secret information to form the trusted computing cluster.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: December 7, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Qunshan Huang, Xingyu Chen, Ling Xie, Lei Wang
  • Patent number: 11196544
    Abstract: Systems and methods generate reasonably secure hash values at relatively few CPU cycles per byte. An example method includes, for each of a plurality of packets, injecting the packet into an internal state that represents an internal hash sum, mixing the internal state using multiplication, and shuffling the result of the multiplication so that bytes with highest quality are moved to locations that will propagate most widely in a next multiplication operation. Each of the plurality of packets includes data from an input to be hashed. In some implementations, a last packet for the input is padded. The method may also include further mixing the internal state using multiplication after processing the plurality of packets and providing, to a requesting process, a portion of the final internal state as a hash of the input.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: December 7, 2021
    Assignee: GOOGLE LLC
    Inventors: Jyrki Antero Alakuijala, Jan Wassenberg
  • Patent number: 11196732
    Abstract: An identity provider receives a request to configure authentication for enabling single sign-on to a service provider. The identity provider identifies the authentication protocols supported by the service provider and determines whether it is compatible with these authentication protocols. As a result of the identity provider being compatible with at least some of the authentication protocols, the identity provider generates configuration information that is usable by the service provider to configure the authentication. The identity provider transmits, to a computer system, a response that causes the computer system to be redirected to the service provider in order to provide information usable by the service provider to obtain the configuration information.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: December 7, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Dick Clarence Hardt, Darin Keith McAdams
  • Patent number: 11188622
    Abstract: Computer security techniques are described. One example determines whether to allow a program (e.g., native executable, script, etc.) to execute. This decision is based at least in part on the source of the program, such as whether the program is provided by a privileged source. A privileged program source may be any module, mechanism, or process that can provide executable instructions, such as a directory or folder (e.g., on a local disk or network-accessible store), a computing device (e.g., server computer), another program (e.g., a Web server), or the like.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: November 30, 2021
    Inventor: Daniel Chien
  • Patent number: 11177956
    Abstract: Disclosed are an identity authentication, number saving and sending, and number binding method, apparatus and device.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: November 16, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Jinbiao Zhu
  • Patent number: 11163896
    Abstract: A plurality of dice having at least a first die and a second die. The first die can generate a measure of the first die using a cryptographic algorithm, a public key and a private key, and a digital signature according to the measure and the private key. The digital signature can include a digest encrypted by the private key. The digest can include the measure. The first die can communicate the measure, the digital signature, and the public key to the second die. The second die can store a validation code representative of a measure of the first die and validate the digital signature using the public key as well as validate the measure by comparing the measure to the validation code.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: November 2, 2021
    Assignee: Micron Technology, Inc.
    Inventors: Alberto Troia, Antonino Mondello
  • Patent number: 11153345
    Abstract: A data diode provides a flexible device for collecting data from a data source and transmitting the data to a data destination using one-way data transmission across a main channel. On-board processing elements allow the data diode to identify automatically the type of connectivity provided to the data diode and configure the data diode to handle the identified type of connectivity. Either or both of the inbound and outbound side of the data diode may comprise one or both of wired and wireless communication interfaces. A secure reverse channel, separate from the main channel, allows carefully predetermined communications from the data destination to the data source.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: October 19, 2021
    Assignee: Fend Incorporated
    Inventors: Sang Cheon Lee, Colin Patrick Dunn, Paul Carroll, Philip Quebe
  • Patent number: 11146392
    Abstract: A system includes processor(s) and memory(s). When encryption key(s) need to be generated to encrypt a key, processor(s): securely generate encryption key(s); encrypt key using encryption key(s) to generate encrypted key; split encrypted key and encryption key(s) into set(s) of key components, wherein subset of key components can be used to reconstruct encrypted key and encryption key(s); and securely erase key from memory(s). When encryption key(s) need to be used, processor(s): receive set(s) of key components from subset(s) of users that can be used to reconstruct encrypted key and encryption key(s) used to securely decrypt key from encrypted key; when set(s) of key components is received from subset(s) of users that can be used to reconstruct encrypted key and encrypted key(s), securely reconstruct encrypted key and encryption key(s); and when the encrypted key and the encryption key(s) have both been reconstructed, securely decrypt encrypted key into key using encryption key(s).
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: October 12, 2021
    Assignee: tZERO IP, LLC
    Inventors: Tron Black, Denny Becker, Tyler Perkins, Joel Weight, Jesse Empey
  • Patent number: 11146574
    Abstract: A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: October 12, 2021
    Assignee: SPLUNK INC.
    Inventors: Sudhakar Muddu, Christos Tryfonas, Ravi Prasad Bulusu
  • Patent number: 11144651
    Abstract: A combined object associated with a data chunk included in a request file is determined. An encryption key associated with the combined object and a corresponding chunk hash value associated with the data chunk are used to determine a corresponding chunk key associated with the data chunk. At least a locator to be used to retrieve the combined object and the corresponding chunk key associated with the data chunk are provided to a requesting system.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: October 12, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Thomas Manville, Julio Lopez, Rajiv Desai, Nathan Rosenblum
  • Patent number: 11145013
    Abstract: Network traffic, including a device identifier, is received from an unrecognized guest device on a computer network of a hospitality establishment. A user profile server is queried to determine a user identifier that is associated with the device identifier of the guest device. A property management system is queried to determine whether the user identifier is associated with a current guest of the hospitality establishment, and, when yes, to determine a guest area registered to the current guest. A login database is queried to find an unexpired login record of an authorized guest device associated with the guest area, the unexpired login record granting the authorized guest device access to the network service for an allowed access duration. The unrecognized guest device is automatically granted access to the network service for a remaining portion of the allowed access duration of the unexpired login record.
    Type: Grant
    Filed: March 16, 2020
    Date of Patent: October 12, 2021
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventors: David T. Ong, Joshua M. Wookey
  • Patent number: 11140177
    Abstract: An electronic device of a content producer generates a chunk of data, associates a location-independent name with the chunk of data, generates a signature for the chunk of data, attaches the signature to the chunk of data, and transmits the chunk of data, with the signature attached, to one or more user devices in response to respective requests. The signature is generated based on the data in the chunk, using a private key of the electronic device. The electronic device also stores information, including a specification of a public key associated with the private key, in a first ledger entry of a blockchain, to provide the one or more user devices with access to the public key. A user device may obtain the public key and use it to verify the chunk of data.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: October 5, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Nagendra Kumar Nainar, Carlos M. Pignataro, Luca Muscariello, Alberto Compagno, Giovanna Carofiglio