Abstract: Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication.

Abstract: A digital file forensic accounting and management system collects forensic data for a digital file that is stored and accounted for in a datastore. The digital files and the associated forensic data may be retrieved from the datastore by a third party to verify the authenticity of the digital file. An interface program is utilized to collect forensic data about a file upon creation of the file and/or when the file is transferred to the datastore. An interface program may be a framework that is operated on a file producing program that a file provider used to create a digital file. An interface program may be an origination driver that is operated on the file providing computer. An interface program may be a directory monitoring program that transfers the digital file and forensic data to the datastore upon saving the file to the monitored directory.

Abstract: A mechanism for building decentralized computer applications that execute on a distributed computing system. The present technology works within a web browser, client application, or other software and provides access to decentralized computer applications through the browser. The present technology is non-custodial, wherein a public-private key pair, which represents user identity, is created on a client machine and then directly encrypted by a third-party platform without relying on one centralized computing system.

Abstract: A quantum key distribution system may include a transceiver including a state randomizer to impart a random state transformation to one or more qubits of a generated faint pulse and a quantum bit encoder to reflect the faint pulse back to the transceiver with one or more encoded bits. The transceiver may receive a return pulse through the communication channel, where the state randomizer reverses the random state transformation. The transceiver may include three or more detectors to measure the return pulse at time-gated timeslots associated with possible paths of the return pulse. Reception of the faint pulse from the quantum bit encoder as the return pulse triggers a detector in a first known subset of the detectors, while reception of a faked-state pulse from a third party as the return pulse results in a non-zero probability of triggering of a detector in a second known subset of the detectors.

Abstract: An example apparatus can include a memory device and a controller coupled to the memory device configured to receive a command including command information to access a register from a host device. The controller can grant access to the register in response to the controller determining the command is valid and/or deny access to the register in response to the controller determining the command is invalid. The controller can determine the command is valid by calculating an answer using a seed from the command in a formula and verifying the calculated answer matches an answer from the command. The command, once verified as valid, can allow the host device to access configuration registers and/or data registers.

Abstract: A method for a system for security evaluation includes working one state at a time; identifying primitives of interest and systematically applying relevant attacks for the system; starting at chip level, working through states, and then expanding a system boundary and repeating; following a sequence of: chip>circuit card>subsystem>system>platform for a product solution under analysis; determining if a system definition has sufficient detail, or is too abstract; for a chip with a native secure boot protocol, determining if all players are represented; representing attacks as vectors made up of measurements of the following attributes: Dollars, days, Probability of success, Probability of destruction, technology node, and number of samples; and representing countermeasures as vectors made up of scaling factors for each of attack attributes.

Abstract: The control device is configured to communicate with another device via a communication network, and comprises: a key acquisition unit configured to acquire, from a key distribution server via the communication network, an encryption key with a life period for performing encrypted communication with the another device; an encrypted communication processing unit configured to perform the encrypted communication with the another device using the encryption key within the life period; a server state detection unit configured to detect a key acquisition disabled state where acquisition of the encryption key by the key acquisition unit is disabled; and a life extension unit configured to perform extension processing for extending the life period if the key acquisition disabled state is detected.

Abstract: A method for managing security keys for an I/O device may include loading a first security key from a primary memory to a security engine, performing a first data transfer operation between a host and the I/O device using the first security key with the security engine, loading a second security key from a secondary memory to the security engine, and performing a second data transfer operation between the host and the I/O device using the second security key with the security engine. The method may further include storing the first security key in the primary memory based on a frequency of use of the first security key. The frequency of use of the first security key may be determined by a pattern of transfers between the host and the I/O device.

Abstract: Systems, apparatuses, and methods are described for preauthorizing a batch of access rights licenses, e.g., Digital Rights Management (DRM) licenses, and storing them at a location. The preauthorization may be based on predicting a batch of content items to be viewed. The location may be a content server or a user device. After receiving a request from the user device to play back a content item of the batch of predicted content items, the DRM license may be provided from the storage location instead of performing an authorization operation to obtain one from a DRM server. Providing the DRM license from the storage location may take less time than performing the authorization operation to obtain the DRM license from the DRM server.

Abstract: Systems, computer program products, and methods are described herein for dynamic communication channel switching based on preconfigured network security protocols.

Abstract: Introduced here are Internet monitoring platforms configured to define, monitor, and assess the boundary of a private network associated with a client. By monitoring the entire Internet, a private network, and relationships between these networks, an Internet monitoring platform can discover changes in the boundary of the private network that is defined by those assets on the private network capable of interfacing with a public network, such as the Internet. The Internet monitoring platform may, in response to discovering the boundary of the private network has experienced a change, identify an appropriate remediation action by mapping the change to a technological issue, a relevant business relationship, etc. For example.

Abstract: The invention is directed to a computer readable medium storing a display control program for causing a computer to execute: a setting procedure of setting display control information of protected content to be protected based on authentication information; and a determination procedure of determining whether to permit display of the protected content and whether to cancel an authenticated state of the protected content based on the display control information set by the setting procedure.

Abstract: An example system includes a processor to receive a graph-based masking policy and a composite payload containing a data object to be masked. The processor is to instantiate a masking engine based on the graph-based masking policy. The processor is to execute the masking engine on the composite payload to generate a masked payload comprising a masked data object. The data object to be masked is masked in place such that the resulting composite payload type is maintained. The processor is to output the masked payload.

Abstract: A computerized method for restricting communications between virtual private cloud networks comprises creating a plurality of security domains. Each of the plurality of security domains identifies gateways associated with one or more virtual private cloud networks. Also, the method features generating transit routing data stores in accordance with each of the plurality of security domains; determining whether a connection policy exists between at least a first security domain and a second security domain of the plurality of security domains; and precluding communications between gateways associated with the first security domain and gateways associated with the second security domain in response to determining that no connection policy exists between the first security domain and the second security domain.

Abstract: A system includes an application instance or application environment instance and a first cloud service of a trusted cloud provider. The first cloud service is configured to receive an encrypted disk image and to launch the application instance or application environment instance. The system also includes a second cloud service of a first alternate cloud provider, which is configured to launch a first attestation service instance from an attestation disk image that includes a secret and to provide the secret to the application instance or application environment instance.

Abstract: A method for verifying identities of parties to a transaction includes receiving a login attempt from a mobile communication device, the login attempt including a security credential. The method determines that the security credential of the login attempt from the mobile communication device is authentic. The method communicates a one-time access code to the mobile communication device. The method receives a one-time entry code and mobile communication device information from the mobile communication device. The method determines that the one-time entry code and the mobile communication device information from the mobile communication device satisfies the communicated one-time access code and predetermined user mobile communication device information. The method provides by the mobile communication device access to a secure transaction environment.

Abstract: A method for monitoring data transiting via a user equipment is described, as well as a cyber attack detection device, The method includes obtaining a first decision from a first cyber attack detection technique and a second decision from a second cyber attack detection technique, indicating whether the data are associated with attack traffic, obtaining a third decision from a third cyber attack detection technique indicating whether the data are associated with attack traffic, the third technique the first and second decisions and confidence levels assigned to the first and second detection techniques, updating the confidence levels on the basis of the first, second and third decisions, and adapting, triggered on the basis of the obtained first, second and third decisions and of the updated confidence levels, at least one rule applied by the first and/or the second technique.

Abstract: A cyber threat defense system and a method for detecting a cyber threat may use a predictor, e.g. a Transformer deep learning model, which is configured to predict a next item in the sequence of events and to detect one or more anomalies in the sequence of events. This provides a notification comprising (i) information about the one or more anomalies; and (ii) a prediction of what would have been expected.

Abstract: Methods, systems, and computer programs are presented for enabling any sandboxed user-defined function code to securely access the Internet via a cloud data platform. A remote procedure call is received by a cloud data platform from a user-defined function (UDF) executing within a sandbox process. The UDF includes code related to at least one operation to be performed. The cloud data platform provides an overlay network to establish a secure egress path for UDF external access. The cloud data platform enables the UDF executing in the sandbox process to initiate a network call.

Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.