Patents Examined by J. Brant Murphy
  • Patent number: 11620392
    Abstract: A database-management system provides sargable evaluation for query predicates that compare an “LHS” encrypted database-column operand to an “RHS” expression operand. The system directly compares the two operands if all their attributes match. If the operands are encrypted string-type values differing only in length, the system truncates the RHS or pads it with encrypted blanks and, if a truncation loses meaningful data, evaluates the predicate as never satisfying an equality condition. In all other cases, if all attributes of a plaintext RHS don't match those of the plaintext data encoded into the LHS column, the system attempts to cast the RHS to match the plaintext LHS data. An error condition or data loss at this step allows the system to sargably evaluate the predicate without further analysis, but if the casting is successful and error-free, the system encrypts the resulting RHS and performs a sargable predicate evaluation.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Xiaohong Fu, James W. Pickel, Yao Ching Stephen Chen, Jeffrey W. Josten, Nina Bronnikova, Sarbinder S. Kallar, Shengxi Suo
  • Patent number: 11601472
    Abstract: A data diode provides a flexible device for collecting data from a data source and transmitting the data to a data destination using one-way data transmission across a main channel. On-board processing elements allow the data diode to identify automatically the type of connectivity provided to the data diode and configure the data diode to handle the identified type of connectivity. Either or both of the inbound and outbound side of the data diode may comprise one or both of wired and wireless communication interfaces. A secure reverse channel, separate from the main channel, allows carefully predetermined communications from the data destination to the data source.
    Type: Grant
    Filed: August 2, 2021
    Date of Patent: March 7, 2023
    Assignee: Fend Incorporated
    Inventors: Sang Cheon Lee, Colin Patrick Dunn, Paul Carroll, Philip Quebe
  • Patent number: 11601280
    Abstract: A first string, having a first string value, that is associated with a sample set of material is received, wherein a second string, having a complementary value relative to the first string value, is also associated with the sample set of material. A determinative hash is generated using the first string value and a symmetric generator polynomial. A second hash, corresponding to the second string, is generated directly from the determinative hash. A canonized hash is generated using the determinative hash and the second hash. It is determined whether at least one of the first string or the second string is stored in string storage that is configured to store a plurality of strings, including by searching a hash table for the canonized hash; in the event it is determined that at least one of the first string or the second string is not stored in the string storage, at least one of the first string or the second string is stored in the string storage.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: March 7, 2023
    Assignee: OmniTier Storage, Inc.
    Inventors: Jonathan Darrel Coker, Travis Roger Oenning, Balamurugan Anandan
  • Patent number: 11595421
    Abstract: A computation is divided into computation tasks that are sent to worker nodes and distributed results are received in response. A redundant subtask is sent to each of the worker nodes, the redundant subtask being a random linear combination of the computation tasks sent to others of the worker nodes. The worker nodes perform the redundant subtasks to produce redundant results. The redundant result of each worker node is combined with distributed results of others of the worker nodes to determine whether one or more of the worker nodes are acting maliciously. Optionally, the worker nodes can be initially evaluated for trustworthiness using a homomorphic hash function applied to an initial computation task and applied to results of the initial tasks. If the results of both hash functions match, then the worker nodes are considered trustworthy and can be used for subsequent computations with redundant subtasks as described above.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: February 28, 2023
    Assignee: Seagate Technology LLC
    Inventor: Yasaman Keshtkarjahromi
  • Patent number: 11588852
    Abstract: Disclosed herein are methods, systems, and processes for validating vulnerabilities using lightweight offensive payloads. An attack payload limited by an execution scope that includes pre-defined exploit features for validating code execution associated with a vulnerability is generated. The attack payload is transmitted to a target computing system and a confirmation of the code execution based on at least one pre-defined exploit feature is received, permitting a determination that the vulnerability has been validated.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: February 21, 2023
    Assignee: Rapid7, Inc.
    Inventors: Brendan Watters, Brent Cook
  • Patent number: 11556816
    Abstract: Systems, computer-implemented methods, and computer program products to facilitate conditional parallel coordinates in automated artificial intelligence with constraints are provided. According to an embodiment, a system can comprise a memory that stores computer executable components and a processor that executes the computer executable components stored in the memory. The computer executable components can comprise a visualization component that renders a pipeline constraint as a constraint axis having constraint scores of machine learning pipelines in a conditional parallel coordinates visualization. The computer executable components can further comprise a model generation component that generates a machine learning model based on the constraint scores of the machine learning pipelines.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: January 17, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Daniel Karl I. Weidele, Parikshit Ram, Dakuo Wang, Abel Nicolas Valente, Arunima Chaudhary
  • Patent number: 11544352
    Abstract: A machine learning model fraud detection system and fraud detection method wherein a license/model management apparatus: generates a test data-trained model by inputting a pre-trained model and test data associated therewith from a licensor apparatus, carrying out learning using the test data on the pre-trained model; stores the test data-trained model in association with the output values obtained when the test data is executed in the test data-trained model; inputs the associated test data into a user model, executes the model when the user model is inputted from a user apparatus using the test data-trained model; compares the output data from the user model with the stored output values from the test data-trained model and detects the fraud if the resulting error is outside tolerance limits.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: January 3, 2023
    Assignee: HITACHI KOKUSAI ELECTRIC INC.
    Inventor: Keigo Hasegawa
  • Patent number: 11522894
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: December 6, 2022
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11514151
    Abstract: Method, apparatus and computer program product for multi-device user authentication are described herein. For example, the apparatus includes at least one processor and at least one non-transitory memory including program code.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: November 29, 2022
    Assignee: Salesforce, inc.
    Inventors: Faisal Yaqub, Chase Rutherford-Jenkins, Graham Hicks
  • Patent number: 11507670
    Abstract: The present disclosure relates to a computer implemented method for testing an artificial intelligence module (AI-module). The method comprises generating a substitute module using first input datasets and first output datasets, wherein the first output datasets are generated on the basis of the first input datasets using the AI-module. Adversarial input datasets are generated on the basis of the first input datasets using the substitute module. The adversarial input datasets are used for assessing a resilience of the AI-module against adversarial attacking by using the first output datasets and second output datasets, wherein the second output datasets are generated on the basis of the adversarial input datasets using the AI-module.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: November 22, 2022
    Assignee: International Business Machines Corporation
    Inventors: Lukasz G. Cmielowski, Rafal Bigaj, Wojciech Sobala, Maksymilian Erazmus
  • Patent number: 11502840
    Abstract: The present disclosure relates to a password management system and to a method for operating such a password management system. The password management system operates in communication with a client device running a cookie enabled browser application. The present disclosure also relates to a method for allowing access to restricted information stored at a server.
    Type: Grant
    Filed: October 8, 2020
    Date of Patent: November 15, 2022
    Assignee: Authentico Technologies AB
    Inventors: Philip Lundin Weinstock, Aysajan Abidin
  • Patent number: 11500431
    Abstract: In accordance with some embodiments, a secure local application communication method is performed at a first apparatus that includes a housing arranged to hold a second apparatus, a controller, a communication interface, and a non-transitory memory storing a matrix. The secure local application communication method includes detecting, via the communication interface, a request originating from a first application executing on the second apparatus to communicate with a second application on the second apparatus. The method further includes determining whether or not to allow the request based on the matrix. The method additionally includes allowing transportation of packets from the first application to the second application in accordance with a determination of allowing the request.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: November 15, 2022
    Assignee: PPIP, LLC
    Inventor: Mohamad Ahmad Foustok
  • Patent number: 11488037
    Abstract: Methods and systems are described for prioritizing notifications based on user responses. The system may include determining a first score indicative of a first relevance of a notification to a first user at a first client device. The first score is determined based on at least metadata characterizing the notification. The notification is prioritized for the first user based on at least the first score. The notification is presented at the first client device based on at least the prioritization for the first user. A second score is determined that is indicative of a second relevance of the notification to a second user at a second client device. The second score is determined based on at least a response to the notification from the first client device.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: November 1, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Yuran Ou, Xiaolu Chu, Sai Xu
  • Patent number: 11481647
    Abstract: A system trains a machine learning based model to predict the likelihood of an outcome for an entity, for example, a user. The system determines, for a particular prediction for a user, impact scores that indicate how each feature of the user impacted the prediction for that user. The feature impact scores are ranked to select features for the user that had the highest impact on the prediction. The system generates a description for the high impact features and provides the description, for example, for display via a user interface.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: October 25, 2022
    Assignee: Humana Inc.
    Inventors: Mohammad Hindi Bataineh, Harpreet Singh
  • Patent number: 11483352
    Abstract: This disclosure relates to, among other things, systems and methods for managing the communication of messages between devices using a service system operating as a trusted intermediary. Information indicative of device location and/or orientation may be communicated to the service system, which may use the information to determine whether a transmitting device is oriented and/or otherwise pointed in the direction of an intended receiving device. The trusted service may enforce policy articulated by the receiving device in connection with the communication of a message from the transmitting device to the intended receiving device.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: October 25, 2022
    Assignee: Intertrust Technologies Corporation
    Inventor: Yutaka Nagao
  • Patent number: 11477033
    Abstract: A communication system includes a network device including a plurality of communication ports and a plurality of communication nodes coupled with the network device through the plurality of communication ports. The communication system further includes a controller that is configured to generate a security key and to send a new configuration along with a message authentication code to the network device, wherein the controller is further configured to break the security key into parts and send the parts of the security key to at least some of the plurality of communication nodes such that each of the at least some of the plurality of communication nodes receives one part of the parts of the security key. The network device is configured to retrieve the parts of the security key from the at least some of the plurality of communication nodes, to assemble the security key from the retrieved parts of the security key, and to use the assembled security key to authenticate the new configuration.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: October 18, 2022
    Assignee: NXP B.V.
    Inventor: Thierry G. C. Walrant
  • Patent number: 11477039
    Abstract: Systems and methods of authentication and encrypted communication between a server and client devices using independently-generated shared encryption keys are disclosed. Client devices with arrays of physical-unclonable-function devices respond to challenges from a server. Characteristics of the arrays are stored by the server during a secure enrollment process. Subsequently, the server issues challenges to the clients. The clients derive encryption keys from their responses to those challenges generated by the clients from characteristics of portions of the arrays specified by the challenges. The clients send messages encrypted with the client-generated encryption keys to the server. The server uses the stored characteristics to independently reproduce the client-generated encryption key. When the server-generated encryption key matches the client-generated key, the clients may be authenticated and the clients can communicate securely with the server without exchanging encryption keys.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: October 18, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventors: Bertrand F Cambou, Christopher R Philabaum, Dennis D Booher
  • Patent number: 11470091
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, dynamically authorize pre-staged data exchanges based on contextual data. For example, an apparatus may receive first data characterizing an initiation of a first exchange of data between a client device and a terminal device. Based on the first data, the apparatus may obtain second data that characterizes an expected initiation of a second exchange of data during a corresponding temporal interval, which may be specified relative to an initiation time of the first data exchange. The apparatus may generate and transmit, to a computing system, pre-authorization data that requests a pre-authorization of the second data exchange. The pre-authorization data may include a portion of the second data and may instruct the computing system to pre-authorize the second data exchange in accordance with the second data.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: October 11, 2022
    Assignee: The Toronto-Dominion Bank
    Inventors: Robert Alexander McCarter, Vipul Lalka, Nadia Moretti, Paige Dickie, Denny Kuruvilla, Dino D'Agostino, Dean Tseretopoulos, Milos Dunjic, John Jong-Suk Lee, Arun Victor Jagga, Ruby Walia
  • Patent number: 11463439
    Abstract: Methods and computing devices configured to implement the methods for authenticating processing devices on a system on chip (SoC) for encrypted communication. An SoC may include a plurality of memories configured to store equivalent ephemeral shared data sets. A first processing device of the SoC may select first elements from a first ephemeral shared data set, generate a rule set indicating the first elements, send the rule set to a second processing device of the SoC, and generate a first result based on the first elements. The second processing device may receive the rule set, select second elements from a second ephemeral shared data set, generate a second result based on the second elements, and send the second result to the first processing device. The first processing device may receive the second result and authenticate the second processing device based on a comparison of the first and second results.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: October 4, 2022
    Assignee: Qwerx Inc.
    Inventors: John Ellingson, Matthew Richardson
  • Patent number: 11457020
    Abstract: There is provided a method comprising: generating and sharing an initial value of an integrity token between an endpoint node and a security backend computer; collecting data at the endpoint node, wherein dissimilar data types are aligned as input events; generating a new integrity token every time a new input event is written to a local repository of the endpoint node, wherein the new integrity token is generated based on the new input event and a prior integrity token that was generated prior to the new integrity token; removing the prior integrity token generated prior to the new integrity token from the endpoint node each time a new integrity token has been generated; and sending one or more input events with the new integrity token to the security backend computer to enable the security backend computer to check the integrity of the data received from the endpoint.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: September 27, 2022
    Assignee: WITHSECURE CORPORATION
    Inventors: Paolo Palumbo, Alexey Kirichenko, Valtteri Niemi, Sara Ramezanian, Tommi Meskanen