Patents Examined by J. Brant Murphy
  • Patent number: 11128653
    Abstract: In some embodiments, a system is provided, and computer-executable instructions cause the system to: obtain a file with instructions for provisioning resources of a service by referencing types of compute resources and including instructions for generating a customized resource of a first type; determine that the file references a first type of compute resources; retrieve threat modeling information associated with the first type of resource, including information identifying a first potential threat; generate a graph with nodes representing the first type of resource, the customized resource, and the first potential threat, and an edge connecting the first node and the second node with a predicate indicative of the relationship between them; generate an ontology statement that relates the customized resource and first type of resource; and provide a plurality of ontology statements representing the graph to a reasoner to perform at least a portion of a security review without user intervention.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: September 21, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Oksana Tkachuk, Claudia Cauli, Neha Rungta, Pauline Virginie Bolignano, Juan Rodriguez Hortala, Sean Maher
  • Patent number: 11128447
    Abstract: A cryptographic service device includes: a processor; and a memory storing instructions executable by the processor, wherein the processor is configured to execute the instructions to operate as a registration module, a working key creation module, and a cryptographic operation calling module. The registration module is configured to call a primary security module to generate a master key for a newly added secondary security module. The working key creation module is configured to receive a working key creation request of a business system, call the primary security module to generate a working key for the business system, and acquire a working key ciphertext. The cryptographic operation calling module is configured to receive a cryptographic operation request of the business system; call a target security module, and obtain an operation result of the target security module.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: September 21, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Shuting Xiao, Xiaodan Lin, Haifeng Fang, Shengcai Gu
  • Patent number: 11120144
    Abstract: A method and apparatus to provide: 1) De-identification and tokenization software (the Software) that calls a central management platform (the Vault) to retrieve the specific configuration elements needed to run; and 2) A central management platform (the Vault) from which distributed installations can be managed, including setting permissions, de-identification rules, tokenization schemes, and file layouts. Because the local Software contains no inherent configuration, it is universal and can be installed quickly at any site. Any new or modified configuration made centrally through the Vault can be immediately accessed by the Software without any change required at the local installation. Even when Software is installed locally across a distributed network of sites, a central authority using the Vault can control the configurations (de-identification rules, token creation schemes, etc.) used by those sites and audit all activities across the distributed network.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: September 14, 2021
    Assignee: Datavant, Inc.
    Inventors: Shahir Kassam-Adams, Jason A. LaBonte, Paul J. Bayless, Joseph Austin
  • Patent number: 11121883
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for protecting user privacy in the playback of user sessions are described. In one aspect, a method includes accessing, for a user session with one or more user interfaces, event data that includes interface data specifying a structure of the user interface(s), and, for each of one or more user interface elements for which content was presented by the user interface(s) during the user session, an encrypted content element including the content of the user interface element encrypted using a public key corresponding to a rule enabling recording of the content of the user interface element and data identifying the rule. Playback of the user session is generated including, for each of the interface element(s), decrypting the encrypted content element for the user interface element and presenting the decrypted content during the playback of the user session.
    Type: Grant
    Filed: March 18, 2021
    Date of Patent: September 14, 2021
    Assignee: FullStory, Inc.
    Inventors: Joel Grayson Webber, Benjamin David Dean, Mark Nicholas Seth Fowler
  • Patent number: 11121865
    Abstract: Some embodiments of the present specification provide a method and an apparatus for establishing a trusted channel between a user and a trusted computing cluster. According to the method, when a user wants to establish a trusted channel with a trusted computing cluster, the user only negotiates a session key with any first trusted computing unit in the cluster to establish the trusted channel. Then, the first trusted computing unit encrypts the session key using a cluster key common to the trusted computing cluster to which the first trusted computing unit belongs, and sends the encrypted session key to a cluster manager. The cluster manager transmits the encrypted session key in the trusted computing cluster, so that other trusted computing units in the cluster obtain the session key and join the trusted channel. Thus, the user establishes a trusted channel with the entire trusted computing cluster.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: September 14, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Aihui Zhou, Qunshan Huang, Chaofan Yu, Weiwen Cai, Lei Wang
  • Patent number: 11113398
    Abstract: A mismatch between model-based classifications produced by a first version of a machine learning threat discernment model and a second version of a machine learning threat discernment model for a file is detected. The mismatch is analyzed to determine appropriate handling for the file, and taking an action based on the analyzing. The analyzing includes comparing a human-generated classification status for a file, a first model version status that reflects classification by the first version of the machine learning threat discernment model, and a second model version status that reflects classification by the second version of the machine learning threat discernment model. The analyzing can also include allowing the human-generated classification status to dominate when it is available.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: September 7, 2021
    Assignee: Cylance Inc.
    Inventors: Kristopher William Harms, Renee Song, Raj Rajamani, Braden Rusell, Yoojin Sohn, Kiefer Ipsen
  • Patent number: 11115192
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing cryptographic keys based on user identity information. One of the methods includes receiving biometric information associated with a user and a request to store a user key pair to a memory on an identity cryptographic chip (ICC); comparing the biometric information associated with the user with biometric information pre-stored in the memory as pre-stored biometric information; in response to determining that the biometric information associated with the user matches the pre-stored biometric information, encrypting the user key pair to provide an encrypted user key pair; and storing the encrypted user key pair to the memory.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: September 7, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Zhiyuan Feng, Yanpeng Li, Long Cheng
  • Patent number: 11095613
    Abstract: A system of smart edge sensors, wherein security and encryption are pushed to the edge of the network. In one example, an electronic device includes several sensors. The device is operated by a microprocessor. A plurality of smart edge devices are each interposed between a respective sensor and the microprocessor and intercept communication between the sensor and the microprocessor. The smart edge device encrypts any data output by the sensor and decrypts any data received from the microprocessor. In one example the smart edge device is implemented as a system on a chip (SoC).
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: August 17, 2021
    Assignee: NUSANTAO, INC.
    Inventor: Raymond Vincent Corning
  • Patent number: 11095684
    Abstract: A network service may be identified. One or more attributes of the network service may be determined. An attribute manifest for the network service may be generated based on the determined one or more attributes of the network service. Furthermore, the attribute manifest may be transmitted based on the determined one or more attributes to the network service.
    Type: Grant
    Filed: January 7, 2019
    Date of Patent: August 17, 2021
    Assignee: Fortanix, Inc.
    Inventors: Ambuj Kumar, Andrew Leiserson
  • Patent number: 11082217
    Abstract: Techniques described herein enhance the durability of cryptographically protected communications sessions. The negotiation of a cryptographically protected communications session results in the negotiation of a primary secret and a secondary secret. The primary secret and secondary secret are stored in separate locations, such as in two locations in RAM, one of which being used as a RAM disk. The primary secret is used to cryptographically protect the communications session. Following the detection of a change of state event, the cryptographically protected communications session switches to the secondary secret in place of the primary secret to cryptographically protect the communications session.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: August 3, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan James Donlan, Douglas Stewart Laurence
  • Patent number: 11080208
    Abstract: A data storage device includes: a housing integrating a control logic, a data protection logic, and a non-volatile storage; and a network interface connector that is integrated into the housing and is configured to be directly inserted into a network switch. The control logic is configured to store vehicle data including a video stream in the non-volatile storage. The video stream is received from a video camera that is connected to the network switch. The data protection logic is configured to detect a vehicle event and change an operating mode of the data storage device to a read-only mode prohibiting the vehicle data stored in the non-volatile storage from being erased or tampered with.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: August 3, 2021
    Inventors: Sompong Paul Olarig, David Schwaderer, Oscar Prem Pinto, Jason Martineau
  • Patent number: 11074364
    Abstract: In order to handle the security issues with regards to maintaining privacy of the submitted confidential data, in an example embodiment, no single service is permitted to access both confidential data and member identity data. This design ensures that an attacker would have to compromise more than two services to be able to associate a member with their corresponding compensation data. Thus, member privacy would be preserved if there were any single point of breach. In an example embodiment, an approach is taken where it is still possible for a member to delete his or her confidential data information.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: July 27, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Keren Kochava Baruch, Ahsan Latif Chudhary, Funing Xu, Shi Yan
  • Patent number: 11070581
    Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of eliminating blind spots in a network system. The systems and methods generate synthetic transactions across a network system and capture at least part of the generated synthetic transactions. The systems and methods determine parts of the synthetic transactions that were not captured and generate a logical security map of the network system based on the captured synthetic transactions. The systems and methods determine at least one blind spot in the logical security map of the network system and determine a solution to eliminate the at least one blind spot. The systems and methods implement the solution for the network system to eliminate the blind spot.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: July 20, 2021
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Peter A. Makohon, Robert I. Kirby, Jonathan A. McNeill
  • Patent number: 11068573
    Abstract: According to one embodiment, an electronic device is connectable to other devices. Starting of the electronic device is enabled when the electronic device is connected to a specified device among the other devices, and starting of the electronic device is disabled when the electronic device is not connected to the specified device.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: July 20, 2021
    Assignee: Toshiba Client Solutions CO., LTD
    Inventor: Takehiro Ogawa
  • Patent number: 11042650
    Abstract: A database-management system provides sargable evaluation for query predicates that compare an “LHS” encrypted database-column operand to an “RHS” expression operand. The system directly compares the two operands if all their attributes match. If the operands are encrypted string-type values differing only in length, the system truncates the RHS or pads it with encrypted blanks and, if a truncation loses meaningful data, evaluates the predicate as never satisfying an equality condition. In all other cases, if all attributes of a plaintext RHS don't match those of the plaintext data encoded into the LHS column, the system attempts to cast the RHS to match the plaintext LHS data. An error condition or data loss at this step allows the system to sargably evaluate the predicate without further analysis, but if the casting is successful and error-free, the system encrypts the resulting RHS and performs a sargable predicate evaluation.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: June 22, 2021
    Assignee: International Business Machines Corporation
    Inventors: Xiaohong Fu, James W. Pickel, Yao Ching Stephen Chen, Jeffrey W. Josten, Nina Bronnikova, Sarbinder S. Kallar, Shengxi Suo
  • Patent number: 11044603
    Abstract: An on-vehicle device mounted on a train includes a second on-vehicle-side wireless communication unit that performs wireless communication with the ground side, and an on-vehicle-side ground-to-vehicle communication security unit that encrypts or decrypts wireless communication data. The on-vehicle-side ground-to-vehicle communication security unit includes an on-vehicle-side secret-key holding unit that retains a plurality of secret keys that have secret key numbers for performing encryption or decryption; an on-vehicle-side secret-key selecting unit that selects one secret key from the on-vehicle-side secret-key holding unit using a secret key number calculated using train information unique to a train; and an on-vehicle-side encryption and decryption processing unit that performs encryption or decryption using the one secret key selected by the on-vehicle-side secret-key selecting unit.
    Type: Grant
    Filed: April 28, 2016
    Date of Patent: June 22, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Satoshi Kaede, Norihiro Tsujimoto, Tetsushi Matsuda
  • Patent number: 11042657
    Abstract: Various embodiments are generally directed to an apparatus, method and other techniques to determine a secure memory region for a transaction, the secure memory region associated with a security association context to perform one or more of an encryption/decryption operation and an authentication operation for the transaction, perform one or more of the encryption/decryption operation and the authentication operation for the transaction based on the security association context, and cause communication of the transaction.
    Type: Grant
    Filed: September 30, 2017
    Date of Patent: June 22, 2021
    Assignee: INTEL CORPORATION
    Inventors: Brian S. Hausauer, Lokpraveen B. Mosur, Tony Hurson, Patrick Fleming, Adrian R. Pearson
  • Patent number: 11038685
    Abstract: Systems and techniques are provided for blockchain transactions where tokens of a first token type are transferred to a blockchain address of the second token type, the first token type being different than the second token type. In a specific implementation, a token exchange system receives blockchain blocks from one or more blockchain networks. The token exchange system identifies a wrong token type blockchain transaction in the blockchain blocks where the wrong token type blockchain transaction transfers tokens of the first token type to a blockchain address associated with the second token type. The token exchange system executes a fix token type blockchain transaction to correct the wrong token type blockchain transaction.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: June 15, 2021
    Assignee: Turing Technology, Inc.
    Inventor: Stewart MacGregor Dennis
  • Patent number: 11032259
    Abstract: In a storage system that includes a plurality of NVMe SSDs, data protection may be carried out by: for each of the plurality of NVMe SSDs, encrypting a device key using a master secret, wherein the device key, when not encrypted, is used to encrypt and decrypt data in one or more namespaces on the NVMe SSD; generating a plurality of shares from the master secret; and storing a separate share of the plurality of shares in a namespace prohibited from encryption on each NVMe SSD.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: June 8, 2021
    Assignee: Pure Storage, Inc.
    Inventors: Andrew Bernat, Timothy Brennan, Ethan Miller, John Colgrove
  • Patent number: 11025601
    Abstract: Described embodiments provide systems and apparatuses for enhanced quality of service, steering and policy enforcement for https traffic via intelligent in-line path discovery of a TLS terminating node. The system may include a first network device having a secure connection traversing through the first network device, and in communication with a second network device. The first network device and the second network device may be intermediary to a client device and a server. The first network device may determine that the second network device terminates the secure connection. The first network device may receive key generation information of the secure connection from the second network device following determining the second network device terminates the secure connection.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: June 1, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: J Mohan Rao Arisankala, Chaitra Maraliga Ramaiah, Karthick Srivatsan