Patents Examined by Kambiz Zand
  • Patent number: 11374738
    Abstract: Methods and systems are disclosed for recording a transaction between a user and a transaction system on a distributed ledger maintained by nodes interconnected over a peer-to-peer (P2P) network. Where the user has opted in, a block for the transaction is generated with the user's key and is broadcast to the P2P network for validation and entry on the distributed ledger. Where the user has not opted in, device information associated with the transaction is obtained, and a block for the transaction is generated by the device information and is broadcast to the P2P network for validation and entry on the distributed ledger. The device information may be used to locate, retrieve and claim the records of past transactions by the user on the distributed ledger.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: June 28, 2022
    Assignee: Make Great Sales Limited
    Inventor: Bruce Cran
  • Patent number: 11374753
    Abstract: Described is a system for selective transparency in a public ledger. In operation, a first submission by a first entity is logged to the public ledger. The submission is a data entry with a message M and an identification number (ID). Separately, a linkage by a second entity is recorded. The linkage is an encryption and commitment linking the submission by the first entity to a second submission by the second entity. The linkage can be verified through a series of processes, such as by determining a value of linkage verification information. The value of the linkage verification information and corresponding block number is then transmitted to a third entity. The third entity reads the commitments from block Ni and verifies that the commitments are commitments to the same ID using the linkage verification information.
    Type: Grant
    Filed: February 18, 2020
    Date of Patent: June 28, 2022
    Assignee: HRL Laboratories, LLC
    Inventors: Joshua D. Lampkins, Hyun (Tiffany) J. Kim
  • Patent number: 11374958
    Abstract: A method provides an intermediate mitigation of a vulnerability in a particular computer system. One or more processors receive a description of a vulnerability of a computer system to a malicious attack. The processor(s) perform an NLP analysis of the description of the vulnerability in order to extract risk information related to the vulnerability, where the risk information includes an identity of a type of vulnerable computer system resource in the computer system. The processor(s) match the vulnerable computer system resource to a computer system resource in a particular computer system, and perform an intermediate mitigation action that reduces a functionality of the computer system resource in the particular computer system until a solution is implemented that both restores the functionality of the computer system resource in the particular computer system and mitigates the vulnerability of the particular computer system to the malicious attack.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Huyanh D. Ngo, Aankur Bhatia, Adam J. Paquin, Srinivas B. Tummalapenta
  • Patent number: 11374757
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for blockchain-based storage of patrol inspection proof are provided. One of the methods includes: receiving proof information of patrol inspection at a patrol inspection site; obtaining one or more operating environment parameters of the mobile terminal at a time of the patrol inspection, wherein the one or more operating environment parameters comprise at least location information and sensor data of the mobile terminal; performing credibility verification on the patrol inspection site based on the proof information, the location information, and the sensor data using an algorithm model based on labeled identification information, labeled operating environment parameters, and historical attendance information; and in response to the credibility verification being successful, uploading verification information associated with the proof information for storing in a blockchain.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: June 28, 2022
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Hongbo Cai, Kaiming Huang, Zhe Han, Shiqi Jiang, Lei Yang
  • Patent number: 11374748
    Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: June 28, 2022
    Assignee: salesforce.com, inc.
    Inventors: Vadiraj Govardhan Hosur, Andrew Tucker, Terry Chong, Raghavendran Hanumantharau, Dhanashree Kashid, Scott Daniel Wisniewski, Prithviraj Vasanth, Pranesh Radhakrishnan
  • Patent number: 11368438
    Abstract: Methods, systems, and media for protecting and verifying video files are provided.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: June 21, 2022
    Assignee: Google LLC
    Inventors: Anuj Thakkar, Valeri Savvateev
  • Patent number: 11368471
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a system associated with a vehicle are provided. One of the systems includes one or more electronic control units (ECUs) connected to a controller area network (CAN) bus, one or more infotainment devices, and a security gateway coupled to the one or more ECUs via the CAN bus and connected to the one or more infotainment devices. The security gateway may be configured to receive signals from the CAN bus and the one or more infotainment devices and detect a security event based at least in part on received signals.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: June 21, 2022
    Assignee: Beijing Voyager Technology Co., Ltd.
    Inventors: Xiaoyong Yi, Alexander Burt, Jiang Zhang, Fengmin Gong
  • Patent number: 11361078
    Abstract: A hierarchical integrated trust assessment system features nested subsystems. Each subsystem utilizes a trust module for validating input data to the subsystem, validating output data from the subsystem, and validating the operation of the subsystem itself. The trust module verifies the format, the authenticity, and the content of the inputs to the subsystem. The scope of each trust module is minimized to the associated subsystem. Minimizing the scope of the trust module results in increased reliability of the trust module's decisions.
    Type: Grant
    Filed: October 1, 2018
    Date of Patent: June 14, 2022
    Assignee: Textron Innovations Inc.
    Inventor: Michael Kevin McNair
  • Patent number: 11362821
    Abstract: Secure selective token-based access control includes receiving a data access request from over a computer communications network, extracting a token from the request, selecting a decryption key for use in decrypting the token and attempting decryption of the token using the decryption key. Thereafter, on condition that the decryption key successfully decrypts the token into decrypted data, a creation date of the token in the decrypted data may be read and a rule applied to the creation date, the rule determining whether or not to expire the token. Finally, in response to a determination by the application of the rule to expire the token based upon the creation date of the token, the token is expired from subsequent use in authorizing servicing of the data access request, but otherwise the data access request is authorized for servicing.
    Type: Grant
    Filed: October 15, 2020
    Date of Patent: June 14, 2022
    Assignee: Google LLC
    Inventor: Danny Thorpe
  • Patent number: 11362840
    Abstract: Disclosed herein are methods, systems, and media for backtracking a user's operation of services. One method comprises: receiving an authorization request from a service device, the authorization request based on a service processing request from a client device, and comprises: data corresponding to a user's operation related to a service, authorization information for accessing the data granted to the service device; a first digital identity of the user; and a second digital identity of the service device; in response to determining that the authorization information satisfies a condition, generating a claim based on the data, the authorization information, the first digital identity, and the second digital identity; recording the claim to a blockchain; and in response to determining that a supervising user has permission to access the claim, granting permission to the supervising user to backtrack the user's operation corresponding to the service based on the claim in the blockchain.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: June 14, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Shanlu Sun, Ping Dai, Xiuying Dai, Shubo Li
  • Patent number: 11354423
    Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises executing a first instruction of a first software entity to receive a first input operand indicating a first key associated with a first memory compartment of a plurality of memory compartments stored in a first memory unit, and execute a cryptographic algorithm in a core of a processor to compute first encrypted contents based at least in part on the first key. Subsequent to computing the first encrypted contents in the core, the first encrypted contents are stored at a memory location in the first memory compartment of the first memory unit. More specific embodiments include, prior to storing the first encrypted contents at the memory location in the first memory compartment and subsequent to computing the first encrypted contents in the core, moving the first encrypted contents into a level one (L1) cache outside a boundary of the core.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: June 7, 2022
    Assignee: Intel Corporation
    Inventors: Michael E. Kounavis, Santosh Ghosh, Sergej Deutsch, Michael LeMay, David M. Durham
  • Patent number: 11341270
    Abstract: A computer-implemented method for automatically redacting logs, comprising receiving a secret associated with a request for service, splitting the secret into a first portion and a second portion, determining whether the second portion has an entropy value greater than a predefined threshold, and in response to the entropy value being greater than the threshold, registering the first portion for protection by a logging service.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: May 24, 2022
    Assignee: International Business Machines Corporation
    Inventor: John Anthony Reeve
  • Patent number: 11341261
    Abstract: A block chain defining authority and access to confidential data may not be encrypted, and the access to the block chain can be regulated by the block chain itself and an access control server operating in an enterprise information technology (IT) environment. To incorporate authority defined in multiple sources, such as the block chain and the access control server, a token can be created containing multiple layers of permissions, i.e., constraints, coming from multiple sources. Each additional permission attenuates the authority granted by the token. When a processor controlling the access to the block chain receives the token, the processor can check the validity of the token and the authority granted by the token to determine whether the requester is authorized to access at least a portion of the block chain.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: May 24, 2022
    Assignee: SpiderOak, Inc.
    Inventor: Jonathan Andrew Crockett Moore
  • Patent number: 11334852
    Abstract: The secure management of attachments is described. In one example, files are identified for attachment to a message through a secure content application extension. Rather than directly attaching the files to the message, a resource locator or link to the files is generated, and the resource locator is inserted into the message. The message is then forwarded for distribution to client devices based on an addressee list for the message. The distribution of and access to the files is managed separately by a management service. The management service can notify the client devices to retrieve the files based on a file access schedule. At each of the client devices, users can access the files through a secure content file application extension using the resource locator during the file access schedule. Thus, the files are distributed through secure content file applications and not as direct attachments to messages.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: May 17, 2022
    Assignee: AirWatch LLC
    Inventors: Sachin Vas, Sushilvas Vasavan, Ramani Panchapakesan, Pavithra Narayanaswamy
  • Patent number: 11336696
    Abstract: A system to control access to domains, servers, or content, among other things. There may be individualized or global policies. Policy servers or other devices may interface with databases, DNS servers, firewalls, programmable virtualized routers, or dynamic host configuration protocol servers, among other devices to dynamically update various policy enforcement elements.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: May 17, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Anestis Karasaridis, Stephen Chou, Aleksandr Zelezniak
  • Patent number: 11336684
    Abstract: A device includes a secure execution context that is segregated from an operating system of the device. A security application executing in the operating system interfaces with the secure execution context to obtain verified data. The secure execution context may verify that operating system files are free of malware, obtain sensor readings that may be cryptographically signed, verify functioning of a baseband processor, and verify other aspects of the function and security of the device. The verified data may be used for various purposes such as verifying location of the device, training a machine learning model, and the like.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: May 17, 2022
    Assignee: LOOKOUT, INC.
    Inventors: Brian James Buck, Karina Levitian, Francis Kelly, Sebastian Krawczuk, Michael Murray
  • Patent number: 11336665
    Abstract: Example methods disclosed herein to determine whether a first monitored device is compromised include determining a first entropy value for the first monitored device based on a first number of unique event identifiers included in log entries obtained for the first monitored device, the log entries associated with a first time window. Disclosed example methods also include determining a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window. Disclosed example methods further include determining whether the first monitored device is compromised based on the first entropy value and the second entropy value, and performing an action in response to a determination that the first monitored device is compromised.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: May 17, 2022
    Assignee: Musarubra US LLC
    Inventors: Peter Thayer, Gabriel G. Infante-Lopez, Leandro J. Ferrado, Alejandro Houspanossian
  • Patent number: 11329816
    Abstract: In some examples, a device receives a plurality of encryption keys from a secure storage of a management controller, where a first encryption key of the plurality of encryption keys is for site-wide access of information on removable storage media plugged into respective computers of a site, and a second encryption key of the plurality of encryption keys is to restrict access of information on removable storage media plugged into a subset of the computers. The device uses a given encryption key of the plurality of encryption keys to encrypt information written to or decrypt information read from a first removable storage medium plugged into a first computer of the computers, wherein the management controller is associated with and is separate from a processor of the first computer.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: May 10, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Lee A. Preimesberger, Jorge Daniel Cisneros, Vartan Yosef Kasheshian
  • Patent number: 11329799
    Abstract: An encryption method includes: calculating a second random matrix using a first random matrix and a secret key, and generating a ciphertext corresponding to a message using the second random matrix. The generating of the ciphertext includes: performing a rounding process for sending the generated ciphertext to a smaller modulus area. The generating of the ciphertext includes performing message encryption without Gaussian sampling.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: May 10, 2022
    Assignee: Crypto Lab Inc.
    Inventors: Jung Hee Cheon, Joo Hee Lee
  • Patent number: 11323463
    Abstract: A data structure is provided that identifies relationships between entities of an infrastructure of a computing system and that is configured to update in response to changes in the infrastructure of the computing system. The data structure includes vertices and edges, where each vertex of the data structure represents an entity of the infrastructure, and where each edge of the data structure represents a relationship between entities of the infrastructure. When usage data are received, the usage data are analyzed to determine a correlation between a first operation specifying a first entity and a second operation specifying a second entity. An edge between the first entity specified by the first operation and the second entity specified by the second operation is generated. Event data comprising usage data specifying either the first entity or the second entity is generated.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: May 3, 2022
    Assignee: Datadog, Inc.
    Inventor: Homin Lee