Abstract: A computer-implemented method of generating and distributing keys includes generating, based on a master key, a keyset, wherein the keyset comprises a re-encryption key, generating a key distribution request comprising the keyset, encrypting the keyset using an inbox key associated with a client device to generate an encrypted keyset, sending the re-encryption key to a key manager, and causing to distribute the encrypted keyset to the client device.

Abstract: Secure auditability of monitoring processing using public ledgers that are particularly useful for monitoring surveillance orders, whereby an overseeing enforcer (“E”) checks if law enforcement agencies and companies are respectively over-requesting or over-sharing user data beyond what is permitted by the surveillance order, in a privacy-preserving way, such that E does not know the real identities of the users being surveilled, nor does E get to read the users' unencrypted data. Embodiments of the present invention also have inbuilt checks and balances to require unsealing of surveillance orders at the appropriate times, thus enabling accounting of the surveillance operation to verify that lawful procedures were followed, protecting users from government overreach, and helping law enforcement agencies and companies demonstrate that they followed the rule of law.

Abstract: A digital object is associated with a smart contract that stores a first hash value to represent a user device used to acquire ownership of the digital object. When a request to transfer ownership of the digital object from a first user to a second user is received, a user account of the first user is accessed to retrieve information identifying a user device associated with the user account of the first user. The first hash value in the smart contract is authenticated based on the information representing the first user's device. If the first hash value is determined to match the user device information stored in the first user's account, a token representing the digital object is transferred to a wallet associated with the second user. The smart contract is updated to include a second hash value that represents a user device used by the second user to request the ownership transfer of the digital object.

Abstract: A system generates vector representations of entries of traffic logs generated by a firewall. A first model learns contexts of values recorded in the logs during training, and the system extracts vector representations of the values from the trained model. For each log entry, vectors created for the corresponding values are combined to create a vector representing the entry. Cluster analysis of the vector representations can be performed to determine clusters of similar traffic and outliers indicative of potentially anomalous traffic. The system also generates a formal model representing firewall behavior which comprises formulas generated from the firewall rules. Proposed traffic scenarios not recorded in the logs can be evaluated based on the formulas to determine actions which the firewall would take in the scenarios. The combination of models which implement machine learning and formal techniques facilitates evaluation of both observed and hypothetical network traffic based on the firewall rules.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: A system and method for performing machine learning in a mobile computing device which is configured to be coupled with a cloud computing system is disclosed. The method may include activating, on the mobile computing device, a machine learning application, which accesses a local machine learning system including a local machine learning model, periodically updating the local machine learning system based upon updates for the local machine learning system received from a global machine learning system hosted by the cloud computing system, performing machine learning based on received training data, and periodically transmitting changes to the local machine learning system from the mobile computing device to the global machine learning system hosted by the cloud computing system.

Abstract: Disclosed are embodiments for injecting sidecar proxy capabilities into non-sidecar applications, allowing such non-sidecar applications to communicate with a service mesh architecture. In an embodiment, a method comprises receiving a request to instantiate a proxy for a non-sidecar application at a service mesh gateway (SMG). The SMG then instantiates the proxy in response to the request and broadcasts network information of the non-sidecar application to a mesh controller deployed in a containerized environment. Finally, the SMG (via the proxy) transmits data over a control plane that is communicatively coupled to the mesh controller.

Abstract: Systems, apparatuses, and methods related to securing domain crossing using domain access tables are described. For example, a computer processor can have registers configured to store locations of domain access tables respectively for predefined, non-hierarchical domains. Each respective domain access table can be pre-associated with a respective domain and can have entries configured to identify entry points of the respective domain. The processor is configured to enforce domain crossing in instruction execution using the domain access tables and to prevent arbitrary and/or unauthorized domain crossing.

Abstract: Subscriber identity module (SIM) swap scam detection include receiving wireless network data based on passive monitoring of a wireless network; identifying a subscriber identity module, SIM, card change in user equipment, UE, based on changes in identifiers in the wireless network data; identifying a commercial user communication with the UE after the SIM card change; and detecting potentially fraudulent activity for the UE based on a combination of the SIM card change, the commercial user communication, and a time period therebetween. The steps can further include providing an alert of the potentially fraudulent activity identifying the commercial user communication as a possible SIM swap scam.

Abstract: A method in a client computing device includes: establishing an association with a communications network in a first connection time period; via an authentication session with an authentication server of a communications network in an authentication time period following the first connection time period, obtaining at least one key value for use in accessing the communications network; storing reauthentication data associated with the at least one key value; responsive to disconnecting from the communications network, discarding the at least one key value and retaining the reauthentication data; responsive to a reconnection command: deriving the at least one key value from the reauthentication data, establishing a further association with the communications network in a second connection time period by sending an association request to the communications network, the association request containing the at least one key value, and accessing network resources via the communications network following the second co

Abstract: An example technique for security key derivation in a wireless system includes: sending a radio resource control (RRC) suspend message from a first node, to a first user device, the RRC suspend message including a first next hop (NH) chaining counter (NCC) value; releasing access stratum (AS) resources associated with the first user device; deriving a first node key based on the first NCC value; receiving a first uplink message from the first user device without allocating AS resources to the first user device; and unscrambling the first uplink message based on the first NCC value.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which self-lock security may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a predefined event associated with the memory device operation. The predefined event may include an operating parameter of the memory device, one or more commands directed to the memory device, or both. The memory device may monitor the predefined event and determine that the predefined event satisfies a threshold. The threshold may be related to a time elapsed since the predefined event has occurred or a certain pattern in the one or more commands. Subsequently, the memory device may disable a circuit configured to access the fuse array based on the determination such that an access to the fuse array is no longer allowed.

Abstract: A method, apparatus and computer program product are provided for generating a registered certified seal, sealing an asset, and verifying a sealed asset. In an example embodiment, a method is provided for receiving a request to generate a registered certified seal from an entity, accessing certifier entity data via a uniform resource locator of a certification authority identified by a certifying certificate, and verifying a digitally signed entity certifying certificate. The method further comprises upon verifying the digitally signed entity certifying certificate, receiving seal data comprising a seal data key for a certified seal, and saving the seal data for the entity within a digital seal registry, wherein the digital seal registry is searchable based at least in part on at least a portion of the seal data key.

Abstract: Disclosed are various examples for securing enterprise resources using a virtual private network. At least one computing device that can authenticate a client device for a virtual private network (VPN) connection based on a first device identifier received from the client device and a second device identifier received from a remote management service. The at least one computing device can determine that a network event associated with the client device has been observed and execute a machine learning routine to identify a pattern of access for the client device. A network access anomaly is determined in response to a network interaction of the client device deviating from the pattern of access for the client device. A remedial action is performed based on an anomaly type associated with the network access anomaly.

Abstract: Techniques are described for providing consistent memory operations and security across electronic circuitry components having disparate memory and/or security architectures when integrating such disparately architected components within a single system, such as a system on chip. A programmable logical hierarchy of isolated memory region (IMR) enforcement circuits is provided to protect such IMRs, allowing or preventing memory access requests from one of multiple distinct circuitry components based on configuration registers for the IMR enforcement circuits. Integration of multiple trust domain architectures associated with the multiple distinct circuitry components is facilitated via trust domain conversion bridge circuitry that includes translation logic for generating information in accordance with a first trust domain architecture based on information provided in accordance with a distinct second trust domain architecture.

Abstract: A method is provided that is performed in a wireless network to detect a rogue wireless device. The method comprises detecting a suspect wireless device in the wireless network based on messages transmitted by the suspect wireless device using a first Media Access Control (MAC) address that is also used by a valid wireless device in the wireless network. When a suspect wireless device is detected, the method next includes sending to the valid wireless device in the wireless network a request configured to cause the valid wireless device to change its MAC address. After the valid wireless device has changed its MAC address, the method involves observing messages transmitted by the suspect wireless device in the wireless network. The method then includes determining that the suspect wireless device is a rogue device when the suspect wireless device continues to transmit messages using the first MAC address.

Abstract: A system may generate all possible character mistakes in a first uniform resource locator associated with a first website, which may produce a set of unique and similar uniform resource locators associated with a set of similar websites. The system may execute machine vision algorithms to compare visual images of the first website and the set of similar websites, and identify a subset of similar websites, which may be undistinguishable from the first website. The system may block the subset of websites, and thereby prevent any user from accessing these fraudulent and malicious websites.

Abstract: Privilege capabilities can be implemented for devices used for container native function (CNF) operations according to some aspects described herein. In one example, a system can receive a request for executing a CNF using a device in a computing cluster. The CNF can involve an operation associated with a privileged capability. The system can determine the CNF is associated with a first credential for the privileged capability based on a data structure that stores process-level capabilities for the CNF and file handle level capabilities for the device. The system can determine the device is associated with a second credential for the privileged capability based on the data structure. In response to determining that the CNF is associated with the first credential and the device is associated with the second credential, the system can execute the CNF using the device in the computing cluster.

Abstract: Some embodiments are directed to a computer-implemented method for converting a first computation network of operations arranged to compute a function into a second computation network of FHE operations arranged to compute the same function. For example, a set of expansion factors (?i) may be determined for matrix operations in the first computation network. Real-valued matrices may be converted by scaling the real-valued matrices with their corresponding expansion factor and rounding. An accuracy measure for the second computation network can be iteratively optimized.

Abstract: Techniques and systems for determining a malicious derivative entity within a network are provided herein. A method for determining a malicious derivative entity may include receiving, by a network-based authentication system, a plurality of network transactions. A first attribute of a network transaction within the plurality of network transactions may be identified. The method may also include identifying a plurality of entities for the first attribute. The network-based authentication system may generate a first visual representation of a relationship between the first attribute and the plurality of derivative entities. Each of the derivative entities and the first attribute may be represented as nodes within the first visual representation. A first score for each of the nodes may be determined based on a degree of centrality of the nodes within the first visual representation. One network transaction may be blocked based on at least one node exceeding a first threshold.