Patents Examined by Michael M. Lee
  • Patent number: 11206141
    Abstract: Method, apparatus, and computer program product are provided for merging multiple compute nodes with trusted platform modules utilizing provisioned node certificates. In some embodiments, compute nodes are connected to be available for merger into a single multi-node system. Each compute node includes a trusted platform module (TPM) provisioned with a platform certificate and a signed attestation key (AK) certificate and is accessible to firmware on the compute node. One compute node is assigned the role of master compute node (MCN), with the other compute node(s) each assigned the role of slave compute node (SCN). A quote request is sent from the MCN to each SCN under control of firmware on the MCN. In response to receiving the quote request, a quote response is sent from each respective SCN to the MCN under control of firmware on the respective SCN, wherein the quote response includes the AK certificate of the respective SCN's TPM.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Timothy R. Block, Elaine R. Palmer, Kenneth A. Goldman, Christopher J. Engel, William E. Hall
  • Patent number: 11201778
    Abstract: An authorization processing method, a device, and a system, where the method includes receiving an authorization request from a public client, where the authorization request includes a client identifier of the public client, a requested redirect uniform resource identifier (URI), and a requested authorization scope, obtaining authorization information of the public client according to the client identifier, obtaining an authorization scope corresponding to an authorization credential stored in the authorization information, obtaining authorization notification information of an owner of a resource according to the requested authorization scope when the requested authorization scope exceeds the authorization scope corresponding to the authorization credential, generating a first access token whose authorization scope corresponds to the requested authorization scope, and sending the first access token to the public client according to the requested redirect URI.
    Type: Grant
    Filed: June 19, 2017
    Date of Patent: December 14, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Yaoye Zhang
  • Patent number: 11190495
    Abstract: Methods for secure communications using one-time pad encryption are provided. In one aspect, a method includes generating and sharing, via proximity inter-device communication, unique device codes on each of multiple devices to be paired or grouped together, intermixing the device codes to generate a one-time pad code, generating a random block of data based on the one-time pad code, persisting the one-time pad code and random block of data over each device, and encrypting/decrypting messages between the paired or grouped devices. Systems and machine-readable media are also provided.
    Type: Grant
    Filed: October 2, 2017
    Date of Patent: November 30, 2021
    Assignee: Colossio, Inc.
    Inventor: Joseph A. Jaroch
  • Patent number: 11177942
    Abstract: A method and apparatus of a device that stores an object on a plurality of storage servers is described. In an exemplary embodiment, the device receives an object to be stored and encrypts the object with a first key. The device further creates a plurality of bit vectors from the encrypted object. In addition, the device randomizes the plurality of bit vectors to generate a plurality of randomized bit vectors. Furthermore, the device sends the plurality of randomized bit vectors and the plurality of second keys to the plurality of storage servers, wherein each of the plurality of storage servers stores at least one each of the plurality of randomized bit vectors and the plurality of second keys.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: November 16, 2021
    Inventor: Duncan MacDougall Greatwood
  • Patent number: 11171975
    Abstract: In one embodiment, a network assurance service that monitors a network detects, using a machine learning-based anomaly detector, network anomalies associated with source nodes in the monitored network. The network assurance service identifies, for each of the detected anomalies, a set of network paths between the source nodes associated with the anomaly and one or more potential destinations of traffic for that source node. The network assurance service correlates networking devices along the network paths in the identified sets of network paths with the detected network anomalies. The network assurance service adjusts the machine learning-based anomaly detector to use a performance measurement for a particular one of the networking devices as an input feature, based on the correlation between the particular networking device and the detected network anomalies.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: November 9, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Santosh Ghanshyam Pandey
  • Patent number: 11115408
    Abstract: A method for verifying the identity of a user is provided that includes generating, by a computing device, a parameter for each processed frame in a video of biometric data captured from a user. The parameter results from movement of the computing device during capture of the biometric data. Moreover, the method includes generating a signal for the parameter and calculating a confidence score based on the generated signal and a classification model specific to the user. The classification model is generated from other signals generated for the parameter. Furthermore, the method includes verifying the identity of the user as true when the confidence score is at least equal to a threshold score.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: September 7, 2021
    Assignee: DAON HOLDINGS LIMITED
    Inventor: Mircea Ionita
  • Patent number: 11108821
    Abstract: Systems and methods are disclosed for creating simulated phishing attack messages that have characteristics which make them appear genuine, while also having characteristics that a user should recognize as being false. Simulated phishing emails may appear to be more realistic to a recipient user if the user observes that the email has also been sent to an individual known to the recipient within the same company. However, it may not be desirable to send the simulated phishing email to such additional recipients. The systems and methods include communicating a simulated phishing email from a server of a simulated phishing attack system to a recipient user of an entity. The simulated phishing email appears to the recipient user as though it is also addressed to one or more non-recipient users of the entity, even though the email is not sent to the non-recipient users.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: August 31, 2021
    Assignee: KnowBe4, Inc.
    Inventors: Jasmine Rodriguez, Daniel Cormier
  • Patent number: 11102225
    Abstract: One embodiment of the present invention sets forth a technique for predicting fraud by correlating user behavior biometric data with one or more other types of data. The technique includes receiving cursor movement data generated via a client device and analyzing the cursor movement data based on a model to generate a result. The model may be generated based on cursor movement data associated with a first group of one or more users. The technique further includes receiving log data generated via the client device and determining, based on the result and the log data, that a user of the client device is not a member of the first group.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: August 24, 2021
    Assignee: SPLUNK INC.
    Inventors: Gleb Esman, Oleg Izmerly
  • Patent number: 11086996
    Abstract: A computer-implemented method may include obtaining a predicted idle-state duration of a first device. The computer-implemented method may further include obtaining a value corresponding to an available processing capacity of the first device. The computer-implemented method may further include making a first determination that the predicted idle-state duration of the first device exceeds a time required to perform a security scan of the first device using the available processing capacity of the first device. The computer-implemented method may further include making a second determination to perform a security scan of the first device in response to the first determination.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: August 10, 2021
    Assignee: International Business Machines Corporation
    Inventors: Cesar Augusto Rodriguez Bravo, David Jaramillo, Romelia H. Flores, Gregory J. Boss
  • Patent number: 11080423
    Abstract: A method and apparatus for the creation of simulated records from a small sample data set with configurable levels of variability, the creation of simulated data from an encrypted token that uniquely identifies an individual, and the creation of simulated values using as the basis retained data (birth years, 3-digit zip areas, gender, etc.) from the de-identification process.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: August 3, 2021
    Assignee: Datavant, Inc.
    Inventors: Shahir Kassam-Adams, Jason A. LaBonte, Paul J. Bayless, Joseph Austin
  • Patent number: 11050784
    Abstract: A technology is provided for mitigating an attack against a host service. Receive a connection from a client using a first cipher suite to authenticate the client. Identify that a distributed denial-of-service (DDoS) attack is occurring from a plurality of clients. Change the first cipher suite to a second cipher suite wherein the second cipher suite is more computationally intensive than the first cipher suite. Disconnect from the client and cause the client to reconnect using the second cipher suite.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: June 29, 2021
    Assignee: Amazon Technologies, Inc.
    Inventor: Timothy Mattison
  • Patent number: 11050552
    Abstract: Hashing data using an image by performing a bit by bit concatenation of input text and hash key. The result is concatenated bit by bit with the salt. A two bit by two bit multiplication between the result and the reverse of the result is performed to get a next output. The bits of this output are used as coordinates to extract pixel and RGB values from an image. The extracted values are merged to form a string. The string is truncated to a desired length, and then split into two equal strings. A bit by bit concatenation is performed on the split strings to get a hash output.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: June 29, 2021
    Assignee: INFOSYS LIMITED
    Inventor: Stephenson Daniel Kanagaraj
  • Patent number: 11032062
    Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: June 8, 2021
    Assignee: Switchbit, Inc.
    Inventors: Yacov Salomon, Seth Yates, Maxwell Anderson, Vivek Vaidya, Anton Winter, Samuel Alexander, Tom Chavez
  • Patent number: 11032294
    Abstract: A disclosed method performed by a network device can include intercepting cryptographic certificates of host servers received in response to requests for encrypted connections between host servers and user devices, and determining that each encrypted connection is a suspicious connection or a normal connection based on a certificate validation policy. The method can further include causing decryption or metadata analysis of any suspicious encrypted connection and bypassing decryption or metadata analysis of any normal encrypted connection.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: June 8, 2021
    Assignee: Gigamon Inc.
    Inventors: Kishor Joshi, Manish Pathak, Sandeep Dahiya
  • Patent number: 11025635
    Abstract: A request for access to a user's account is made to an authenticator. The authenticator sends a request for access to the user associated with the user's account. In response to user authorization, the authenticator sends an access link to a service engineer. The service engineer accesses the link to access the user's account with limited and restricted access. When a remote service session associated with the activated access link is terminated, the authenticator sends a termination of session notice to the user.
    Type: Grant
    Filed: January 30, 2017
    Date of Patent: June 1, 2021
    Assignee: NCR Corporation
    Inventors: Jason Patterson, Nir Veltman
  • Patent number: 10986091
    Abstract: Techniques for managing data mobility domains in storage system environments. The techniques employ a multiple master approach, in which each storage system in a storage system domain can function as an owner of the domain. Each domain owner has privileges pertaining to addition of new members to the domain, removal of members from the domain, and modification of domain credentials. When a new storage system is added as a member of the domain, the domain credentials are provided from the domain owner to the new storage system, resulting in the domain credentials being shared among all members of the domain. Domain membership information is also shared among all members of the domain. In this way, the management of storage system domains can be achieved without the need of a domain management server, avoiding a single point of failure or latency and reducing the complexity/cost associated with the domain management server.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: April 20, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Nagasimha Haravu, Tianming Zhang, Sathish Janamanchi, Michael Zeldich, Daniel S. Keefe
  • Patent number: 10965454
    Abstract: Disclosed are an apparatus and method for public key encryption using a white-box cipher algorithm. An apparatus for public key encryption using a white-box cipher algorithm includes a key table generator configured to generate at least one key table from a cipher key, a hidden-key table generator configured to convert the at least one key table into at least one hidden-key table, and an encryption algorithm generator configured to generate a white-box implemented encryption algorithm by using the at least one hidden-key table and an inverse operation of the conversion and provide the generated encryption algorithm as a public key for encryption.
    Type: Grant
    Filed: May 4, 2017
    Date of Patent: March 30, 2021
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Duk-Jae Moon, Kyu-Young Choi, Ji-Hoon Cho
  • Patent number: 10951595
    Abstract: The present application discloses a method, system and apparatus for storing a website private key plaintext. A specific implementation of the method includes: receiving a public key sent from a terminal configured to perform encryption and decryption, wherein the public key is generated at random by the terminal; encrypting a website private key plaintext by using the public key to generate a website private key ciphertext, wherein the website private key plaintext is pre-acquired; and sending the website private key ciphertext to the terminal, so that the terminal decrypts the website private key ciphertext by using the private key to generate the website private key plaintext and store the website private key plaintext in the terminal. This implementation improves the security of storage of the website private key plaintext.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: March 16, 2021
    Assignee: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY CO., LTD.
    Inventors: Wei Qi, Jian Ouyang, Yong Wang, Yichen Tu, Sijie Yang
  • Patent number: 10915637
    Abstract: A method, a client, and a system for testing an application. A webpage file includes codes for simulating a malicious attack. The method includes providing, by the test client, a network address of the webpage file to the tested application, wherein when the tested application loads the webpage file according to the network address, the tested application executes the codes comprised in the webpage file to attempt to read content of a private file in a private directory of the tested application. When the tested application successfully reads the content of the private file, the tested application transmits a message carrying the content of the private file to a test server through a local terminal device, wherein the test server determines whether the tested application has a security loophole according to the message transmitted by the tested application.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: February 9, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Jinding Wang, Yue Gao, Fan Shao
  • Patent number: 10891397
    Abstract: Embodiments provide a user interface display method for a terminal, and a terminal. The method includes: generating, by a terminal in a first operating environment, a first user interface that includes a first input component, obtaining a first user interface picture according to the first user interface, and determining attribute information of the first input component according to a first application. The method also includes switching, by the terminal, to a second operating environment, and displaying a second user interface in the second operating environment according to the first user interface picture and the attribute information of the first input component, thereby reducing processing overheads of the terminal.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: January 12, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xi Huang, Zuoqiang Zhang