Patents Examined by Noura Zoubair
  • Patent number: 11835717
    Abstract: Disclosed herein are systems and methods for device authentication or pairing. In an aspect, a wearable display system comprises a display, an image capture device configured to capture images of a companion device, a computer-readable storage medium configured to store the images of the companion device, and a processor in communication with the image capture device and the storage medium. The processor can be programmed with executable instructions to receive a first image of a first optical pattern displayed by the companion device captured by the image capture device, wherein the first optical pattern is generated by the companion device based on first shared data, extract first data from the first optical pattern in the received first image, authenticate the companion device based on the first data extracted from the first optical pattern, and notify a user of the wearable display system that the companion device is authenticated.
    Type: Grant
    Filed: February 18, 2021
    Date of Patent: December 5, 2023
    Assignee: Magic Leap, Inc.
    Inventors: Nitin Singh, Adrian Kaehler
  • Patent number: 11831669
    Abstract: Techniques for evaluating cyber assets are disclosed. A system obtains, from data sources in an experimental environment, raw data generated in response to execution of a cyber asset. The system generates, from the raw data, at least one instance model corresponding to the data sources. The at least one instance model includes instances of concepts represented in a cyber impact ontology.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: November 28, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Michael Hassan Atighetchi, Stephane Yannick Blais, Katarzyna Lucja Olejnik
  • Patent number: 11829368
    Abstract: A data analytics system is disclosed that can include a data repository configured to store data for multiple clients, a metadata repository separate from the data store, an access control system, and a policy store. The data analytics system can automatically generate metadata for data in the data repository using a metadata engine, the metadata including technical metadata and usage metadata, and store the metadata in the metadata repository. The data analytics system can obtain a client policy governing access to the data. The data analytics system can receive a request to provide the data, the request including instructions to create a pipeline to provide the data. The data analytics system can authorize, by the access control system, the request using the policy and usage metadata; create the pipeline using the technical metadata; and provide the data using the pipeline.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: November 28, 2023
    Assignee: Fidelity Information Services, LLC
    Inventors: Aaron David Colcord, Kevin Richard Mellott, David Vincente Favela, Jeffrey Chee-Keong Neong
  • Patent number: 11823016
    Abstract: Aspects of the disclosure relate to apparatuses, method steps, and systems for optimized Internet of Things (IoT) data processing for real-time decision support systems. The systems are used for real-time processing prioritization using a prioritization code and/or processing code. Edge devices may generate processing codes that are used in optimizing the data processing. For example, the system receives sensor data and preprocesses the sensor data with a simplified state estimation module to calculate a variance that is used to determine a processing code and/or a prioritization code.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: November 21, 2023
    Assignee: Bank of America Corporation
    Inventors: Om Purushotham Akarapu, Daniel D. Widjanarko, Durgadatta Belhekar, Jitendra Upadhyay, Rama Krishnam Raju Rudraraju
  • Patent number: 11824900
    Abstract: Artificial intelligence (“AI”) apparatus and methods are provided for hardening security of software applications. Under the conventional approaches, additional manual investment implementing security policies does not yield proportional increases in combating cyber security threats. Using manual approaches, it is increasingly difficult to consistently apply multiple policies covering different software applications or versions. This results in increased risk and technical debt. Over time, these undesirable consequences exacerbate the likelihood of inadvertently introducing an adverse policy omission or change. As the scale of software applications deployed across an organization increases, it becomes even more difficult to ensure that security policies are tracked and consistently applied. This may result in ineffective, contradictory or duplicative configuration requirements.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: November 21, 2023
    Assignee: Bank of America Corporation
    Inventors: Timothy Andrew Wright, Adam B. Richman
  • Patent number: 11816215
    Abstract: Systems and methods for archive scanning are provided herein. In some embodiments, a method includes: selecting an archive; reading a metadata representing a plurality of files within the archive; reading a plurality of hash strings from the archive; comparing the plurality of hash strings with a database of hash strings; and determining, based on the comparing, if the plurality of files within the archive represent a security threat based on the plurality of hash strings.
    Type: Grant
    Filed: February 16, 2022
    Date of Patent: November 14, 2023
    Assignee: UAB 360 IT
    Inventors: Mohamed Adly Amer Elgaafary, Aleksandr Sevcenko
  • Patent number: 11816236
    Abstract: Techniques and apparatus for managing remote attestation of infrastructure components based on a customer controlled dynamic attestation policy are described. One technique includes receiving a user-specified configuration for managing remote attestation of infrastructure component(s) hosted in a cloud computing environment. The user-specified configuration indicates information related to managing the life-cycle of the infrastructure component(s). For example, the user-specified configuration can indicate attributes associated with the infrastructure component(s), criteria for validating an attestation policy for the infrastructure component(s), criteria for rotating an attestation policy for the infrastructure component(s), etc. An attestation policy for each infrastructure component is generated, based on the user-specified configuration. The attestation policy for each infrastructure component indicates which of the attributes to use during remote attestation of the infrastructure component.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: November 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Kuldeep Gupta, Hina Parveen
  • Patent number: 11818252
    Abstract: Networked devices in a communications network share a common firmware key. Using the common firmware key, one networked device can encrypt configuration data it uses to operate in the network for distribution to other networked devices of the same or similar type. The networked devices that receive the encrypted configuration data then use the common firmware key to decrypt the encrypted configuration data, and using the decrypted configuration data, self-configure to operate on the network. This allows for the secure distribution of configuration data, as well as the self-configuration of networked devices without exposing the sensitive data needed for such configuration to a human.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: November 14, 2023
    Assignee: TOSHIBA GLOBAL COMMERCE SOLUTIONS HOLDINGS CORPORATION
    Inventors: Charles R Kirk, Sharon Freedman, Suzanne M Bleakley
  • Patent number: 11818256
    Abstract: Providing cascading quantum encryption services is disclosed. In one example, a first quantum computing device provides a plurality of encryption services that include one or more quantum encryption services and one or more classical encryption services. To encrypt a payload for transmission, the first quantum computing device selects a first encryption service from among the plurality of encryption services. The first quantum computing device then detects that the first encryption service is compromised. In response to detecting that the first encryption service is compromised, the first quantum computing device selects a second encryption service from among the plurality of encryption services, and encrypts the payload using the second encryption service. By automatically “cascading” from the first encryption service to the second encryption service in this manner, the first quantum computing device may ensure the secure communication of the payload to the second quantum computing device.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: November 14, 2023
    Assignee: Red Hat, Inc.
    Inventors: Stephen Coady, Leigh Griffin
  • Patent number: 11811779
    Abstract: The disclosed technology teaches securing a collaboration tool against unauthorized data exfiltration and malicious files, setting policies for file exfiltration to external guest users, uploading users in the external category, and using a proxy that intercepts an add request and response for a collaboration tool. The add response contains a tag identifying the invited user in the category. The request doesn't identify the user as a guest. Also taught is storing metadata identifying the user in the guest category for applying policies, and using a proxy that intercepts a user request and response for file transfer, and looking up and identifying the user as in the category, and applying the applicable policy. Responsive to the policy, included is invoking DPI and detecting that the referenced file contains sensitive information not permitted by the policy to be transferred by the particular user in the external guest category and blocking file transfer.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: November 7, 2023
    Assignee: Netskope, Inc.
    Inventors: Vanshika Gupta, Venkataswamy Pathapati, Anupam Kumar, Muhammed Shafeek
  • Patent number: 11809735
    Abstract: Systems and methods for efficient and secure management of encrypted “snapshots” for a remote provider substrate extension (“PSE”) of a cloud provider network substrate are provided. The PSE may request and obtain a snapshot from the cloud provider network substrate, restore a volume from the snapshot, make changes to data in the restored volume, and/or initiate the creation and storage of a new snapshot that includes incremental updates to the original snapshot to reflect the changes made to data in the volume. An encrypted snapshot stored within the cloud provider network substrate may be decrypted using a cloud provider key designed for internal use only, and then re-encrypted using a PSE-specific key before providing the snapshot to the PSE, thereby avoiding the sharing of the cloud provider internal use only key outside the cloud provider network substrate.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: November 7, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Sandeep Kumar, Frank Harris, Oscar Allen Grim Courchaine
  • Patent number: 11809567
    Abstract: In one or more embodiments, one or more systems, one or more methods, and/or one or more processes may retrieve a first hash value of a key manifest public key from a one time programmable memory medium; determine a second hash value of the key manifest public key; retrieve a third hash value of an initial boot block from the boot policy manifest; determine a fourth hash value of the initial boot block; determine that the third hash matches the fourth hash value; execute the initial boot block; validate subordinate certificates with a root certificate; determine firmware hash values respectively from the firmware volumes; decrypt signatures respectively associated with the firmware volumes to obtain respective decrypted signatures, in which the signatures are decrypted with public encryption keys of the respective subordinate certificates; determine that the firmware hash values respectively match the decrypted signatures; and execute the firmware volumes.
    Type: Grant
    Filed: October 21, 2020
    Date of Patent: November 7, 2023
    Assignee: Dell Products L.P.
    Inventors: Wei G Liu, Jayanth Raghuram
  • Patent number: 11803309
    Abstract: Described herein are techniques for managing replication in a data storage environment. The techniques include selectively compressing and selectively encrypting, by a production site, a set of files for replication from the production site to a remote site. Files can be selectively compressed based on a compression ratio satisfying a compression threshold, and files can be selectively encrypted based on a file content satisfying an encryption criteria. The techniques can further include updating, by the production site, metadata associated with selectively compressed files and updating metadata associated with selectively encrypted files. The techniques can further include replicating the set of files for replication from the production site to the remote site, the set of files for replication including the selectively compressed and the selectively encrypted files.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: October 31, 2023
    Assignee: International Business Machines Corporation
    Inventors: Komal Shailendra Shah, Bharti Soni, Subhojit Roy
  • Patent number: 11805105
    Abstract: Systems and methods for ensuring data privacy in a data sharing system are provided. A computer implemented method carried out at a host computing system includes: accessing a set of data from a data source including a true element and at least one spurious element so that the host computing system cannot differentiate between the elements to obfuscate the true element from the host computing system. The method includes: accessing a code which is executable on the set of data so as to output multiple results for the elements of the set of data; processing the set of data, including for each element: executing the code on the element to generate a result; computing a hash value of the element; and outputting the result in association with the hash value to a third-party computing system. A third-party computing system has access to the true hash value of the true element for identification of the result generated by execution of the code on the true element.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: October 31, 2023
    Assignee: University of Cape Town
    Inventors: Sabine Bertram, Pierre Georg Georg
  • Patent number: 11792181
    Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a create indication to create a guest credential representing a guest badge associated with a visitor and receive a claim indication from an authentication device to claim the guest credential. The processor is configured to provide the guest credential to the authentication device in response to the claim indication, provide a proof request to the authentication device, receive a proof response from the authentication device, validate the proof response, determine a visitor tracking system associated with a request from the authentication device to authenticate entry, and provide a check-in indication to the visitor tracking system that the visitor has checked in.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: October 17, 2023
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Jonathan David Ruggiero, Scott Mangino
  • Patent number: 11792180
    Abstract: A system for credential authentication comprises an interface configured to receive a create indication to create a visitor network credential and receive a certify indication to certify an authentication device to use a network, and a processor configured to provide the visitor network credential to the authentication device in response to the certify indication, provide a proof request to the authentication device, receive a proof response, validate the proof response using a distributed ledger, generate a network certificate, and provide the network certificate to the authentication device.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: October 17, 2023
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Jonathan David Ruggiero
  • Patent number: 11784797
    Abstract: A method for a serving network to selectively employ perfect forward security (PFS) based on an indication from a home network is described. The method includes receiving, by the serving network, a PFS indicator from the home network; determining, by the serving network, whether the PFS indicator indicates that the home network has instructed the serving network to employ PFS for communications with a piece of user equipment; and performing, by the serving network, a PFS procedure with the piece of user equipment in response to determining that the PFS indicator indicates that the home network has instructed the serving network to employ PFS for communications with the piece of user equipment.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: October 10, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Jari Arkko, Vesa Torvinen
  • Patent number: 11783055
    Abstract: A data processing system includes a rich execution environment, a hardware accelerator, a trusted execution environment, and a memory. The REE includes a processor configured to execute an application. A compute kernel is executed on the hardware accelerator and the compute kernel performs computations for the application. The TEE provides relatively higher security than the REE and includes an accelerator controller for controlling operation of the hardware accelerator. The memory has an unsecure portion coupled to the REE and to the TEE, and a secure portion coupled to only the TEE. The secure portion is relatively more secure than the unsecure portion. Data that is to be accessed and used by the hardware accelerator is stored in the secure portion of the memory. In another embodiment, a method is provided for securely executing an application in the data processing system.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: October 10, 2023
    Assignee: NXP B.V.
    Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels, Ad Arts
  • Patent number: 11785018
    Abstract: Systems, computer program products, and methods are described herein for securely managing device communication. The present invention may be configured to provide, to another system, staging information including a digital certificate, a PIN, and a protocol for storing on a device, receive from the device a request to connect to an internal network after user input of the PIN, receive a digital certificate from the device, establish a wireless connection between the device and the internal network, and cause the device to delete the PIN. In some embodiments, the system is configured to permit communication from the device to the other system for a predetermined time window. In some embodiments, the system receives updates from the other system, via an external network, and the system sends the updates to the device, via the internal network.
    Type: Grant
    Filed: July 29, 2021
    Date of Patent: October 10, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Harold Joseph Kennedy, Lomney Ann Bryan, David Smiddy, Matthew Edward Taylor
  • Patent number: 11770261
    Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a request from an application for authorization to access. Access to the application is requested by a user using a user device. The processor is configured to provide an authentication request to the user device, receive a device credential, wherein the device credential is backed by data stored in a distributed ledger, determine a user identifier and an authentication device associated with the user based at least in part on the device credential, provide a proof request to the authentication device, receive a proof response, determine that the proof response is valid, generate a token, and provide the token to the application authorizing access for the user.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: September 26, 2023
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Jonathan David Ruggiero