Abstract: Disclosed herein are systems and methods for decentralized data distribution by a database network system comprising a hierarchical blockchain model. The hierarchical blockchain model may comprise a quantum pyramid consensus to distribute data throughout the database network system in a decentralized and secure manner. The hierarchical construct may be built according to trusted scores calculated for the nodes of the network over their lifetime at the network.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: The present invention discloses a method for managing cloud service authority in a cloud storage system, which includes: a set of cloud data and a plurality of data servers. The cloud data includes a plurality of user object files and global access control information. Each data server includes an access control enforcement unit for executing or rejecting I/O requests from the client computers, where the access control enforcement unit includes local access control information. The method includes steps of: changing the content of the global access control information in the cloud data; downloading, by the data servers, the changed global access control information from the cloud data; updating, by the data servers, the local access control information therein according to the downloaded global access control information; and processing, by the data servers, I/O requests from the client computers according to the updated local access control information.

Abstract: Various embodiments relate to a method and system for securely comparing a first and second polynomial, including: selecting a first subset of coefficients of the first polynomial and a second subset of corresponding coefficients of the second polynomial, wherein the coefficients of the first polynomial are split into shares and the first and second polynomials have coefficients; subtracting the second subset of coefficients from one of the shares of the first subset of coefficients; reducing the number of elements in the first subset of coefficients to elements by combining groups of / elements together; generating a random number for each of the elements of the reduced subset of coefficients; summing the product of each of the elements of the reduced subset of coefficients with their respective random numbers; summing the shares of the sum of the products; and generating an output indicating that the first polynomial does not equal the second polynomial when the sum does not equal zero.

Abstract: Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform.

Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.

Abstract: In an embodiment, a threat score prediction model is generated for assigning a threat score to a software vulnerability. The threat score prediction model may factor one or more of (i) a degree to which the software vulnerability is described across a set of public media sources, (ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases, (iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, and/or (iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability.

Abstract: Embodiments of the present disclosure relate to verifying a third-party resource by automatically validating multi-factor message codes associated with the third-party resource to enable access to functionality associated with the third-party resource via a multi-app communication system. An example embodiment includes a multi-app communication system including at least one processor and at least one memory. The embodiment multi-app communication system is configured to receive a sign-in request from a multi-app communication system application executed on a client device, and cause transmission of a multi-factor confirmation message to a verified third-party multi-factor authentication resource. The embodiment multi-app communication system is further configured query the verified third-party multi-factor authentication resource to identify the multi-factor confirmation message, and enable access to the third-party resource.

Abstract: Embodiments of the disclosure relate to a computer-implemented consequence-driven cyber-informed engineering tool for performing and reporting consequence-based prioritization, system-of-systems breakdown, consequence-based targeting, and mitigations and protections. Embodiments of a CCE tool may perform one or more steps of defining a target industrial control system (ICS), wherein the target ICS includes operational goals, critical functions, and critical services; determining one or more scored high consequence events (HCE) associated with the defined target ICS; prioritizing the scored HCEs according to an HCE severity index; and updating a dashboard with one or more representations of the prioritized HCEs, wherein the updated dashboard is associated with the CCE tool and presented at a display.

Abstract: Techniques are described with regard to client authentication management. An associated method includes constructing an authentication resolution model specific to a client based upon error patterns respectively included in a plurality of erroneous authentication submissions inconsistent with a proper authentication submission. The method further includes receiving, via an authentication interface, a new erroneous authentication submission inconsistent with the proper authentication submission. Responsive to determining that the new erroneous authentication submission corresponds to an authentication exception defined in the authentication resolution model, the method further includes completing authentication. Responsive to determining that the new erroneous authentication submission corresponds to an authentication warning defined in the authentication resolution model, the method further includes performing at least one client account warning protection activity.

Abstract: Unauthorized use of user credentials in a network is detected. Data indicative of text strings being used to access resources in the network is accessed. Regex models are determined for the text strings. Groupings of the regex models are determined based on an optimization of a cumulative weighted function. A regex model having a cumulative weighted function that exceeds a predetermined threshold is identified. An alert is generated when the cumulative weighted function for the identified regex model exceeds the predetermined threshold.

Abstract: Systems and/or methods of the present disclosure enable crypto-ledger interoperability using a controller to perform an operation between a first user and a second user on separate entity-specific distributed crypto-ledgers, where the separate entity-specific distributed crypto-ledgers are both operatively linked to a membered common distributed crypto-ledger. The controller burns a first quantity of first entity-specific crypto-tokens from the first entity-specific distributed crypto-ledger and mints a second quantity of the common crypto-tokens on the membered common distributed crypto-ledger, where the first quantity of first entity-specific crypto-tokens and the second quantity of the common crypto-tokens represent an equivalency.

Abstract: A content server can extend enterprise content management to a leading system in an efficient, automated, and seamless manner by leveraging the permission information provided by the leading system. The content server can sync the permission information with the leading system, evaluate user-manager relations, role-based rule definitions, and user-group associations defined in the leading system, and determine and/or update role memberships for workspaces created in the content server for users in the leading systems. In this way, even though the content server and the leading system have very different types of roles and permission models, the content server can evaluate complex relationships and role-based rules and intelligently, correctly, and quickly assign the right people to the right roles in the right workspaces in the content server.

Abstract: A method and apparatus with an adaptively updated enrollment database (DB) are provided. A method with an adaptively updated enrollment database (DB) includes extracting an input feature vector from an input image, determining whether the input feature vector is included in a changeable enrollment range, with the changeable enrollment range being determined based on a threshold distance from each of plural enrolled feature vectors in the enrollment DB, and with the enrolled feature vectors corresponding to enrolled images, determining whether to enroll the input feature vector in the enrollment DB in response to the input feature vector being determined as being included in the changeable enrollment range, and in response to a result of the determining of whether to enroll the input feature vector being to enroll the input feature vector, selectively enrolling the input feature vector in the enrollment DB.

Abstract: Methods, systems, and products authenticate users for access to devices, applications, and services. Skills of a user are learned over time, such that an electronic model of random subject matter may be generated. The user is prompted to interpret the random subject matter, such as with an electronic drawing. The user's interpretation is then compared to the electronic model of the random subject matter. If the user's interpretation matches the electronic model, the user may be authenticated.

Abstract: There is provided a method of detecting a threat against a computer system. The method includes monitoring installation and operation of multiple different versions of the same application in a computer system; analysing evolutionary changes between the behaviours of the different versions of the same application; detecting and monitoring a new version of the same application in a computer system; monitoring the behavior of the computer system to detect one or more procedures of the monitored application that do not match expected behaviors of the monitored application on the basis of the analysis; and upon detection of one or more procedures not matching the expected behaviors of the monitored application, identifying the monitored application as malicious or suspicious.

Abstract: Systems and methods are provided for authenticating a user. The method includes accepting, using a graphical user interface coupled to an electronic computing device, a login request from the user to access a remote server, wherein the login request includes biometric data of the user, using a non-tactile biometric scanner, and comparing, using a processor on an intermediary server, the biometric data of the user with biometric data stored in memory of the intermediary server, wherein the biometric data stored in the memory is associated with one or more known users. The method further includes determining, based on the comparison, whether an identity of the user is authentic, and if the identity of the user is authenticated, relaying the login request to the remote server.

Abstract: Disclosed embodiments relate to trust domain islands with self-contained scope. In one example, a system includes multiple sockets, each including multiple cores, multiple multi-key total memory encryption (MK-TME) circuits, multiple memory controllers, and a trust domain island resource manager (TDIRM) to: initialize a trust domain island (TDI) island control structure (TDICS) associated with a TD island, initialize a trust domain island protected memory (TDIPM) associated with the TD island, identify a host key identifier (HKID) in a key ownership table (KOT), assign the HKID to a cryptographic key and store the HKID in the TDICS, associate one of the plurality of cores with the TD island, add a memory page from an address space of the first core to the TDIPM, and transfer execution control to the first core to execute the TDI, and wherein a number of HKIDs available in the system is increased as the memory mapped to the TD island is decreased.

Abstract: One example method includes contacting, by a client, a service, receiving a credential from the service, obtaining trust information from a trust broker, comparing the credential with the trust information, and either connecting to the service if the credential and trust information match, or declining to connect to the service if the credential and the trust information do not match. Other than by way of the trust information obtained from the trust broker, the client may have no way to verify whether or not the service can be trusted.

Abstract: Methods, systems, and devices for virtualized authentication device are described. A virtual device (such as a virtual machine) may be permitted to access secured data within a memory device by an authentication process. The memory device may generate cryptographic keys in portions of the memory device and assign the cryptographic keys to the virtual machines. The virtual machine may use an authentication process using the cryptographic keys to access the secure data in the memory device. The authentication process may include authenticating the identity of the virtual machine and the code operating on the virtual machine based upon comparing cryptographic keys received from the virtual machines to the assigned cryptographic keys in the partitions of the memory device. Once both the identity of the virtual machine is authenticated, the virtual machine may be permitted to access the secure data in the memory device.