Patents Examined by Peter C Shaw
  • Patent number: 11405179
    Abstract: This disclosure describes techniques that include performing cryptographic operations (encryption, decryption, generation of a message authentication code). Such techniques may involve the data processing unit performing any of multiple modes of encryption, decryption, and/or other cryptographic operation procedures or standards, including Advanced Encryption Standard (AES) cryptographic operations. In some examples, the security block is implemented as a unified, multi-threaded, high-throughput encryption and decryption system for performing multiple modes of AES operations.
    Type: Grant
    Filed: March 15, 2021
    Date of Patent: August 2, 2022
    Assignee: Fungible, Inc.
    Inventors: Philip A. Thomas, Rajan Goyal, Eric Scot Swartzendruber
  • Patent number: 11403427
    Abstract: Various embodiments of methods, systems and computer program products described herein are directed to a Security Engine. The Security Engine provides for post-attack security upgrades of an application by selecting specific security hardening passes to be applied to a pre-attack state of the application. According to various embodiments, the Security Engine receives a pre-attack state of a first instance of an application in response to an action by an attack source. The Security Engine selects one or more security hardening passes to be applied to the pre-attack state. The Security Engine sends an identification of the selected security hardening passes to be applied to a second instance of the application running at the pre-attack state.
    Type: Grant
    Filed: September 22, 2020
    Date of Patent: August 2, 2022
    Assignee: Arms Cyber Defense, Inc.
    Inventors: Timothy Potteiger, Bradley Potteiger, Michael Bryant
  • Patent number: 11399036
    Abstract: Disclosed herein are systems and methods for correlating events to detect an information security incident. A correlation module may receive a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp. The correlation module may determine a plurality of potential orders of occurrence for the subset of network events. The correlation module may apply at least one correlation rule to each respective potential order of the plurality of potential orders. In response to determining that the at least one correlation rule is fulfilled, the correlation module may detect the information security incident.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 26, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Ivan S. Lyukshin, Andrey A. Kiryukhin, Dmitry S. Lukiyan, Pavel V. Filonov
  • Patent number: 11386232
    Abstract: In response to a request by a data furnisher system to add data to that organized by a system, a data coordinating system resolves the identity of counterparties to whom the data is relevant. For each identified counterparty, the coordinating system identifies a corresponding counterparty system, and via communications between smart contracts comprised in the coordinating system, communicates the data provided by the data furnisher system. The counterparty reviews the data and either verifies that it is accurate or disputes the data. The counterparty's response is communicated through the data coordinating system via the relevant smart contracts to the data furnisher system. If the counterparty verified the data, the data coordinating system updates its database to reflect the data has been verified. If the counterparty disputed the data, the data furnisher and counterparty communicate to resolve the dispute. The data is marked as being disputed.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: July 12, 2022
    Assignee: The Guppy Group Inc.
    Inventors: Sanjib Kalita, Sujay Parekh
  • Patent number: 11379573
    Abstract: Embodiments of the present invention relate to a trusted application access control method and a terminal. The method includes: receiving, by a terminal in a TEE, a request for accessing a target trusted application (TA) that is sent by a client application (CA); determining, by the terminal, a service level of the CA in a trusted execution environment (TEE) based on the request for accessing the target TA; and providing, by the terminal in the TEE by using the target TA, a service corresponding to the service level for the CA. In this way, the target TA provides different levels of services for the CA, and determines, in the TEE, the service level corresponding to the CA, thereby enhancing constraint and limitation of accessing the target TA by the CA, and improving security of accessing the target TA by the CA.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: July 5, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Guoqing Li, Xinmiao Chang
  • Patent number: 11375374
    Abstract: Systems and methods are provided for a temporary network slice usage barring service within a core network. A network device in the core network receives a slice barring information message for an application function (AF). The slice barring information message includes a unique subscriber identifier associated with a user equipment (UE) device to be barred from a network slice and indicates a barring expiration time. The network device stores barring parameters based on the slice barring information message. The barring parameters include a slice identifier associated with the AF, the unique subscriber identifier, and the barring expiration time. The network device sends a barring instruction message to another network device associated with the network slice. The barring instruction message includes the unique subscriber identifier and the barring expiration time. The other network device enforces temporary barring of the UE device from the network slice based on the barring instruction message.
    Type: Grant
    Filed: March 24, 2021
    Date of Patent: June 28, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Suzann Hua, Ye Huang, Chien-Yuan Huang, Parry Cornell Booker
  • Patent number: 11356446
    Abstract: The medical record data card is a smart card. The medical record data card is an electric circuit that is used as a dongle. The medical record data card electrically connects with a logical device. The medical record data card physically authenticates the identity of the cardholder. The medical record data card authorizes access to medical records contained in a medical records database. The medical record data card comprises an authentication device, a medical facility data device, the medical records database, and a communication link. The medical facility communicates with the medical records database using the communication link. The authentication device is the smart card. The authentication device electrically connects to a logical device that enables the access of the medical facility data device to the medical records contained in the medical records database.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: June 7, 2022
    Inventor: Paul Nacinovich
  • Patent number: 11354444
    Abstract: Access control for an ordered event stream (OES) storage system is disclosed. Access to a portion of an OES can be controlled at a key-level in relation to a key space of the OES. An application instance can be identified to enable determining a correspondence to one or more keys. The correspondence can be embodied in stored data, for example, via an advanced access control list (AACL) that can be in the form of a list, a table, etc. Application instance access to the portion of the OES can be controlled by determining if an access rule is satisfied, e.g., determining if the key space the application instance wants to access comports with the one or more keys corresponding to the application instance identity. In an aspect, screening data corresponding to the AACL can enable preliminary access screening external to the OES storage system.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: June 7, 2022
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Mikhail Danilov, Yohannes Altaye
  • Patent number: 11323489
    Abstract: Secure auditability of monitoring processing using public ledgers that are particularly useful for monitoring surveillance orders, whereby an overseeing enforcer (“E”) checks if law enforcement agencies and companies are respectively over-requesting or over-sharing user data beyond what is permitted by the surveillance order, in a privacy-preserving way, such that E does not know the real identities of the users being surveilled, nor does E get to read the users' unencrypted data. Embodiments of the present invention also have inbuilt checks and balances to require unsealing of surveillance orders at the appropriate times, thus enabling accounting of the surveillance operation to verify that lawful procedures were followed, protecting users from government overreach, and helping law enforcement agencies and companies demonstrate that they followed the rule of law.
    Type: Grant
    Filed: September 9, 2020
    Date of Patent: May 3, 2022
    Assignee: Arrowhead Center, Inc.
    Inventors: Gaurav Panwar, Roopa Vishwanathan, Satyajayant Misra
  • Patent number: 11310250
    Abstract: A system for machine learning-based real-time electronic data quality checks in online machine learning and AI systems is provided. In particular, the system may comprise a machine learning module which receives input data from a data quality learning module which serves to perform filtering or alteration functions on incoming data during the training and/or live phases of the machine learning module. Over time, the data quality module may increasingly become efficient and accurate at assessing incoming data to determine the data quality. In turn, improving data quality of input data may ensure that the various neural networks within the system produce adaptively accurate output values to drive the decisioning processes of the system.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: April 19, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Eren Kursun
  • Patent number: 11308243
    Abstract: A storage port receives a login request. The storage port configures an audit mode indicator as enabled in a login response to a host port to enter a security enabled mode to indicate to the host port that Input/Output (I/O) operations are to be transmitted from the host port to the storage port even if authentication or security association negotiation with the storage port cannot be completed successfully.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: April 19, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Roger G. Hathorn, Patricia G. Driever, John Flanagan, Christopher J. Colonna, Evan Rivera
  • Patent number: 11303605
    Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: April 12, 2022
    Assignee: Illumio, Inc.
    Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
  • Patent number: 11290468
    Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” feature sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: March 29, 2022
    Assignee: Akamai Technologies, Inc.
    Inventors: Venkata Sai Kishore Modalavalasa, Sreenath Kurupati, Tu Vuong
  • Patent number: 11288362
    Abstract: Disclosed are systems and methods for creating antivirus records for antivirus applications. An exemplary method includes: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support for registering the unsupported records of API function calls.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: March 29, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey V. Gordeychik, Sergey V. Soldatov, Konstantin V. Sapronov
  • Patent number: 11256785
    Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as a partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: February 22, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Maxwell Christopher Renke, Taylor James Stark, Benjamin M. Schultz, Giridhar Viswanathan, Frederick Justus Smith, Deepu Chandy Thomas, Hari R. Pulapaka, Amber Tianqi Guo
  • Patent number: 11256433
    Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: February 22, 2022
    Assignee: NetApp, Inc.
    Inventors: Srinivasan Narayanamurthy, Dnyaneshwar Nagorao Pawar, Jagadish Vasudeva, Parag Deshmukh, Siddhartha Nandi
  • Patent number: 11240267
    Abstract: A system may generate all possible character mistakes in a first uniform resource locator associated with a first website, which may produce a set of unique and similar uniform resource locators associated with a set of similar websites. The system may execute machine vision algorithms to compare visual images of the first website and the set of similar websites, and identify a subset of similar websites, which may be undistinguishable from the first website. The system may block the subset of websites, and thereby prevent any user from accessing these fraudulent and malicious websites.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: February 1, 2022
    Assignee: MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
    Inventors: Damon Ryan Depaolo, Payton A. Shubrick
  • Patent number: 11228432
    Abstract: A logic circuit for quantum-resistant cryptoprocessing. The logic circuit includes a first plurality of multiplexers, a second plurality of multiplexers, a plurality of AND gates, a third plurality of multiplexers, a plurality of shift registers, a plurality of inverters, a fourth plurality of multiplexers, a plurality of adders, a plurality of XOR gates, a fifth plurality of multiplexers, and a plurality of parallel outputs.
    Type: Grant
    Filed: March 3, 2020
    Date of Patent: January 18, 2022
    Inventors: Siavash Bayat-Sarmadi, Shahriar Ebrahimi, Hatameh Mosanaei Boorani
  • Patent number: 11212673
    Abstract: Techniques for secure team-based communication on existing wireless mesh networks are disclosed. In an example, a first network node receives a network encryption key from a headend system. The first network node receives a sub-group encryption key that is unique to a sub-group of nodes, a sub-group identifier, and a sub-group node list that lists the sub-group of nodes associated with the sub-group identifier. The first network node generates an application layer message for a second node of the sub-group of nodes at an application layer. The first network node encrypts the application layer message using the sub-group encryption key. The first network node generates a team packet that is addressed to a selected node and includes the encrypted application layer message and the sub-group identifier. The first network node encrypts the team packet using the network encryption key and transmits the encrypted team packet to the selected node.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: December 28, 2021
    Assignee: Landis+Gyr Innovations, Inc.
    Inventors: Pushpesh Kumar Deshmukh, Ashok Mahadevan, Timothy James Rutten, Michael Gerard Demeter, John Bettendorff
  • Patent number: 11212314
    Abstract: The invention proposes a method for an object (1) to communicate with a server (2) of a connected objects network to report that a clone may be impersonating the object in the network, which method comprises the following steps implemented by the object (1): transmitting (106) to the server (2) a request from the object (1) to join the connected objects network; after transmitting the join-request, detecting (110) whether a reference message (uplink) transmitted by the object (1) to the server (2) was rejected or ignored; in response to the detection, transmitting (114) to the server (2) an alert message indicating the rejection or ignoring.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: December 28, 2021
    Assignee: IDEMIA IDENTITY & SECURITY FRANCE
    Inventors: Yoann Fages-Tafanelli, Aurélien Cuzzolin, Fabien Blanco, Maël Berthier