Patents Examined by Khoi V Le
  • Patent number: 10530777
    Abstract: Techniques for securely sealing and unsealing enclave data across platforms are presented. Enclave data from a source enclave hosted on a first computer may be securely sealed to a sealing enclave on a second computer, and may further be securely unsealed for a destination enclave on a third computer. Securely transferring an enclave workload from one computer to another is disclosed.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: January 7, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Manuel Costa
  • Patent number: 10528754
    Abstract: In one embodiment, data at rest is securely stored. A data safe performs data plane processing operations in response to received read data requests, received write data requests, and received read information responses, with the data safe being immutable to processing-related modifications resulting from said performing data plane processing operations. In one embodiment, performing these data plane processing operations does not expose any pilot keys outside the data safe in clear form nor in encrypted form. The pilot keys are used to encrypt information that is subsequently stored in a storage system. One embodiment uses pilot keys to encrypt data that is subsequently stored in a storage system. One embodiment uses data cryptographic keys to encrypt data, uses the pilot keys to cryptographically-wrap (encrypt) the data cryptographic keys, and stores the cryptographically wrapped data keys and encrypted data in a storage system.
    Type: Grant
    Filed: October 9, 2018
    Date of Patent: January 7, 2020
    Assignee: Q-Net Security, Inc.
    Inventors: Jerome R. Cox, Jr., Ronald S. Indeck
  • Patent number: 10515567
    Abstract: N-state switching tables are transformed by a Lab-transform into a Lab-transformed n-state switching table. Memory devices, processors and combinational circuits with inputs and an output are characterized by the Lab-transformed n-state switching table and perform switching operations between physical states in accordance with a Lab-transformed n-state switching table. The devices characterized by Lab-transformed n-state switching tables are applied in cryptographic devices. The cryptographic devices perform standard cryptographic operations that are modified in accordance with a Lab-transform.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: December 24, 2019
    Assignee: Ternarylogic LLC
    Inventor: Peter Lablans
  • Patent number: 10505378
    Abstract: A system and method to identify whether a removable battery pack inserted into a battery-powered device is an authorized battery pack for the device. Battery-powered devices may include a battery-powered drill, saw, flashlight or other type of device. The battery-powered device may send an authentication query to the battery pack. If the battery-powered device does not receive a valid reply from the battery pack, the battery-powered device may verify that the battery-powered device is still within a phase-out period that allows the battery-powered device to use a battery pack with an invalid authentication. If the phase-out period has expired, the battery-powered device may disable the use of the battery pack with an invalid authentication. If the phase-out period is still running, the battery-powered device may allow the use of the battery pack with an invalid authentication, but only for a limited number of battery pack recharge cycles.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: December 10, 2019
    Assignee: Infineon Technologies AG
    Inventors: Renato Bessegato, Mohit Berry, Yiming Tang
  • Patent number: 10489584
    Abstract: Identifying suspicious activity at a database of a multi-database system. A global evaluation of a plurality of interactions associated with a plurality of databases included within the multi-database system may be performed. A local evaluation of a plurality of interactions associated with a particular database of the plurality of databases may also be performed. The plurality of interactions associated with the particular database may comprise a subset of the plurality of interactions associated with the plurality of databases. A combination of both the global evaluation and the local evaluation may be analyzed to thereby identify one or more suspicious activities occurring at the particular database. Based on the analysis of the combination of the global evaluation and the local evaluation, one or more suspicious activities occurring at the particular database may then be identified.
    Type: Grant
    Filed: February 14, 2017
    Date of Patent: November 26, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yoav M. Frandzel, Ram Bracha, Oren Yossef, Tomer Weisberg, Yoav Y. Rubin, Ron Matchoro, Andrey Karpovsky
  • Patent number: 10491577
    Abstract: Embodiments are described for securing access to sensitive information used by on-premises devices in a distributed system. For example, embodiments include securing access to sensitive calendar items in a video conferencing service.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: November 26, 2019
    Assignee: Blue Jeans Network, Inc.
    Inventors: Nicklas R. Johnson, Benjamin J. Hutchison
  • Patent number: 10476859
    Abstract: A device that incorporates the subject disclosure may perform, for example, generating a security domain root structure for a universal integrated circuit card of an end user device, where the security domain root structure includes a hierarchy of a link provider operator security domain above a mobile network operator trusted security domain, where the link provider operator security domain enables transport management by a link provider operator, and where the mobile network operator trusted security domain enables card content management and subscription eligibility verification by a mobile network operator trusted service manager. Other embodiments are disclosed.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: November 12, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Walter Cooper Chastain
  • Patent number: 10469478
    Abstract: To extend a sign on session among applications, an inter-application workflow request can be initiated from a first to a second application. The workflow request can identify one or more memory locations in a shared memory for secure data transfer between the applications. The first application can then monitor the memory locations for the presence of a public key stored in shared memory by the second application in response to the workflow request. Once the public key is present in the shared memory, the first application can retrieve and use it to encrypt an access interval key. The encrypted access interval key can then be stored in the shared memory for retrieval by the second application. The access interval key is associated with a sign on session of the first application, and the second application can retrieve and decrypt it to extend the sign on session to the second application.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: November 5, 2019
    Assignee: VMWARE, INC.
    Inventors: Kishore Sajja, Lucas Chen, Raghuram Rajan, Anuj Panwar, Sandeep Naga Kaipu, Rajiv Singh
  • Patent number: 10462123
    Abstract: Methods and apparatus to clone an agent in a distributed environment are disclosed. An example apparatus includes a first management agent associated with a first component server in a virtualization environment, the first management agent configured to facilitate communication between the first component server and a virtual appliance, the virtual appliance to authenticate the first management agent based on first credentials including a first identifier and a first certificate. The example apparatus includes a second management agent associated with a second component server in the virtualization environment, the second management agent cloned from the first management agent and including a copy of the first credentials. The example second management agent is to: generate second credentials including a second identifier and a second certificate; authenticate with the virtual appliance based on the first identifier and the first certificate; and delete the copy of the first credentials.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: October 29, 2019
    Assignee: VMware, Inc.
    Inventors: Dimitar Hristov Barfonchovski, Dimitar Ivanov, Anna Delcheva, Evgeny Aronov
  • Patent number: 10462179
    Abstract: A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat devices needed to manage threat traffic associated with the volume range determined, and determining whether the number of threat management devices needed is different than a number of threat management devices currently being used to manage threat traffic.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: October 29, 2019
    Assignee: Arbor Networks, Inc.
    Inventor: Brian St. Pierre
  • Patent number: 10430564
    Abstract: Systems, methods, and apparatuses for installing a software product using timestamp validation and system identification validation are disclosed. An example method to lock a software product in a software wrapper includes determining a unique hard drive serial number of a user device to which the software product is to be installed and generating a hash number of the unique hard drive serial number. The example method also includes determining a campaign identifier of the software product from a secure variable within the software product and generating a date-time code based on a current date and time. The method further includes assembling the date-time code and the campaign identifier into an unlock code, encrypting the unlock code using the hash number as a passphrase key to create an encrypted unlock code, and applying the encrypted unlock code to an end of a filename of an installer using a command line parameter.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: October 1, 2019
    Assignee: VIRTUAL MARKETING INCORPORATED
    Inventors: Matthew Steven Murphy, Jacob W. Beckley
  • Patent number: 10430617
    Abstract: A terminal determination device includes a processor that executes a procedure. The procedure includes acquiring operation information indicating history of operation that has taken place on a terminal, and, according to whether or not the acquired operation information belongs in a particular range of similarity with operation information stored associated with a specific terminal, determining whether or not the terminal is the specific terminal.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: October 1, 2019
    Assignee: FUJITSU LIMITED
    Inventors: Yoshinori Katayama, Hiroshi Tsuda
  • Patent number: 10432663
    Abstract: Systems and methods for determining the type of unauthorized access that occurs when a quantum-level encrypted message is tampered with or otherwise accessed during message communication/transmission. The quantum-level encrypted message is configured to change quantum particle states in response to at least an attempt to access the message. The messages may be logically programmed such that the message records, in an encrypted block, the type of access or the type of access may correspond to a quantum particle state. In other embodiments, a neural network storing empirical data associated with previous quantum-level encrypted messages that have been accessed is analyzed to determine the type of unauthorized access and, in some embodiments, the entity, nodes or infrastructure associated with the unauthorized access.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: October 1, 2019
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Manu Jacob Kurian
  • Patent number: 10425235
    Abstract: Various embodiments enhance security and tamper resistance of devices or components having a hardware intrinsic identity. For example, devices or components having PUFs can map challenges and helper values to a secret or share of a secret to utilize a local identity in cryptographic operations. A plurality of components having individual identities can be extended so that the plurality of components can enroll into a shared global identity. Shares of the global identity can be distributed among the plurality of components or devices such that at least two devices must provide at least two shares of the global identity (or threshold operations on the at least two shares) to successfully use the global identity. Such sharing mitigates adversarial tampering attacks on the global identity. Share refresh protocols can provide additional security, enable introduction of new components or devices to the global identity, and allow removal of existing components or devices.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: September 24, 2019
    Assignee: Analog Devices, Inc.
    Inventors: John Ross Wallrabenstein, Thomas Joseph Brindisi
  • Patent number: 10423789
    Abstract: A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to a network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process initiated by and executing on the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer corresponding to the identified one or more parameters is identified. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination.
    Type: Grant
    Filed: April 3, 2017
    Date of Patent: September 24, 2019
    Assignee: Palo Alto Networks, Inc.
    Inventor: Gil Barak
  • Patent number: 10419225
    Abstract: Authentication of an electronic document is based on multiple digital signatures incorporated into a blockchain. Structured data, metadata, and instructions may be hashed to generate the multiple digital signatures for distribution via the blockchain. Any peer receiving the blockchain may then verify an authenticity of an electronic document based on any one or more of the multiple digital signatures incorporated into the blockchain.
    Type: Grant
    Filed: January 30, 2017
    Date of Patent: September 17, 2019
    Assignee: Factom, Inc.
    Inventors: Brian Deery, Paul Snow, Mahesh Paolini-Subramanya
  • Patent number: 10419438
    Abstract: In one embodiment, a method includes: presenting, in a user interface of an authoring tool, a plurality of levels of abstraction for a network having a plurality of devices; receiving information from a user regarding a subset of the plurality of devices to be provisioned with one or more security keys and an access control policy; automatically provisioning a key schedule for the subset of the plurality of devices in the network based on the user input and a topological context of the network; and automatically provisioning the access control policy for the subset of the plurality of devices in the network based on the user input and the topological context of the network.
    Type: Grant
    Filed: December 26, 2015
    Date of Patent: September 17, 2019
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Shao-Wen Yang, Nathan Heldt-Sheller, Thomas G. Willis
  • Patent number: 10419482
    Abstract: Disclosed in the embodiment of the present invention is a method for acquiring session initiation protocol (SIP) signaling decryption parameters and the method comprises the following steps: the authentication information of the Gm interface and the authentication information of the Cx interface are acquired; a security association (SA) decryption table is created according to the acquired authentication information of the Cx interface and authentication information of the Gm interface, wherein the SA decryption table comprises SIP signaling decryption parameters. A device for acquiring SIP signaling decryption parameters is also disclosed in the embodiments of the present invention.
    Type: Grant
    Filed: May 25, 2015
    Date of Patent: September 17, 2019
    Assignee: ZTE CORPORATION
    Inventors: Zhisen Gao, Longyun Qi, Lei Chen
  • Patent number: 10397219
    Abstract: A system, computer-readable storage medium storing at least one program, and a computer-implemented method for controlling a local utility are disclosed. A first request originating from an application and including a first token is received at a local utility. The application received a web page, including a plurality of links and the first token, from a first server. The plurality of links are received by the application from a second server. The first token is authenticated. Authentication includes sending the first token to a third server. In response to authenticating the first token, a second token is generated at the local utility. The second token is sent to the application for inclusion in subsequent requests from the application.
    Type: Grant
    Filed: April 2, 2018
    Date of Patent: August 27, 2019
    Assignee: Spotify AB
    Inventors: Sten Garmark, Nicklas Soderlind, Samuel Cyprian, Aron Levin, Hannes Graah, Erik Hartwig, Gunnar Kreitz
  • Patent number: 10387673
    Abstract: A system receives a request to store data at a first layer of servers in a cluster, configured to authenticate and authorize the request. The system compresses the data upon authenticating and authorizing the request and encrypts the compressed data at the first layer of servers when encryption is enabled. The system sends the request and the encrypted data to a second layer of servers in the cluster, configured to store data structures used to manage data storage in a third layer of servers in the cluster, and to distribute the request and the encrypted data to the third layer of servers using the data structures. The system stores the encrypted data in the third layer of servers. Encrypting the data at the first layer of servers reduces latency associated with transferring the data between the first, second, and third layers of servers.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: August 20, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rushi Srinivas Surla, Shane Kumar Mainali, Andrew Edwards, Maneesh Sah, Weiping Zhang