Patents Examined by Quazi Farooqui
  • Patent number: 11979483
    Abstract: An encryption method includes performing, by an encryption system, bit reversal permutation of pixel data of a 2D image, arranging the pixel data as first-pixel data, and applying the 2D image to a butterfly algorithm of fast Fourier transform; determining, by the encryption system, a plurality of data paths based on the first-pixel data; and performing, by the encryption system, a first encryption of the first-pixel data into second-pixel data on a specific data path based on a number of the specific data path among the plurality of data paths.
    Type: Grant
    Filed: March 15, 2022
    Date of Patent: May 7, 2024
    Assignee: Research & Business Foundation Sungkyunkwan University
    Inventors: Yeon Ho Lee, Jae Hun Song
  • Patent number: 11979489
    Abstract: A database stores a document as a plurality of encrypted records, where each record is indicative of an incremental change to the state of the document, and encrypted using a document key. The document key is stored with encryption decryptable using a group key, and the group key is stored with encryption decryptable using a first access key. In response to a request to rotate from the first access key to a second access key, the database decrypts the group key using the first access key, and stores a group key re-encrypted with the second access key.
    Type: Grant
    Filed: May 10, 2022
    Date of Patent: May 7, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Edwin Robbins, Bala Murali Krishna Ummaneni, Carr James Onstott, Thomas Barton, John Richter, Rong Xiao, Caroline Gordon, Shayna Weinstein
  • Patent number: 11979421
    Abstract: In some examples, a system for decorating network traffic flows with outlier scores includes a processor and a memory device to store traffic flows received from a network. The processor is configured to receive a set of traffic flows from the memory device and generate a tree model to split the traffic flows into clusters of traffic flows. Each cluster corresponds with a leaf of the tree model. The processor is further configured to generate machine learning models for each of the clusters of traffic flows separately. For a new traffic flow, the processor is configured to identify a specific one of the machine learning models that corresponds with the new traffic flow, compute an outlier score for the new traffic flow using the identified specific one of the machine learning models, and decorate the new traffic flow with the outlier score.
    Type: Grant
    Filed: December 31, 2021
    Date of Patent: May 7, 2024
    Assignee: International Business Machines Corporation
    Inventors: Yair Allouche, Aviad Cohen, Ravid Sagy, Ofer Haim Biller, Eitan Daniel Farchi
  • Patent number: 11968306
    Abstract: An integrated-circuit device comprises a physical-unclonable-function (PUF) unit, a secure module, and an interconnect system communicatively coupled to the PUF unit and to the secure module. The device transfers a PUF key from the PUF unit to the secure module, over the interconnect system. In order to do this, the secure module generates a random value. The secure module then sends the random value to the PUF unit. The PUF unit then performs a bitwise XOR operation between the received random value and the PUF key, to generate a masked value. The PUF unit then transfers the masked value over the interconnect system to the secure module. The secure module then unmasks the PUF key by performing a bitwise XOR operation between the received masked value and the random value.
    Type: Grant
    Filed: May 23, 2022
    Date of Patent: April 23, 2024
    Assignee: Nordic Semiconductor ASA
    Inventor: Frank Aune
  • Patent number: 11962686
    Abstract: Computer-readable media, methods, and systems are disclosed for handling intermediate data in connection with a database employing group-level encryption. Intermediate data is used during database operation and stored transiently such that the intermediate data is removed from memory upon database restart. To protect the privacy of the intermediate data, a random encryption key may be generated upon startup of a database instance. The random encryption key may be stored transiently. During database operation, the random encryption key may be used to encrypt and/or decrypt the intermediate data. The transient memory may be wiped upon database shut down such that the random encryption key is no longer accessible upon database restart.
    Type: Grant
    Filed: December 13, 2021
    Date of Patent: April 16, 2024
    Assignee: SAP SE
    Inventors: Dirk Thomsen, Till Merker
  • Patent number: 11961009
    Abstract: Various embodiments pertain to artificial intelligence algorithms. A repository can retain a reusable common set of artificial intelligence algorithms. Different users can access this common set of artificial intelligence algorithms and employ individual artificial intelligence algorithms in programs as appropriate as they are developing different applications and/or products. Employment of these individual artificial intelligence algorithms can include, for example, tailoring parameters based on the individual user's desires using the same common set of algorithms or individually or as a group as appropriate.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: April 16, 2024
    Assignee: The Government of the United States, as represented by the Secretary of the Army
    Inventor: Radhika Roy
  • Patent number: 11956273
    Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: April 9, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
  • Patent number: 11949694
    Abstract: A malware profile is received. The malware profile comprises a set of n-tuples of attributes that describe one or more activities associated with executing a copy of a known malicious application that is associated with the malware profile. A set of one or more log entries is analyzed for a set of entries that matches the malware profile. Based at least in part on identifying the set of entries matching the malware profile, a determination is made that a host was compromised. In response to determining that the host has been compromised, a remedial action is taken with respect to the host.
    Type: Grant
    Filed: September 10, 2021
    Date of Patent: April 2, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jun Wang, Wei Xu
  • Patent number: 11936784
    Abstract: Techniques are disclosed for enabling attested end-to-end encryption for transporting data between devices. In one example, a destination device receives a policy profile that includes an origination key and a destination key, and the origination key corresponds to a public transfer key of a source device. The destination device verifies the policy profile based on the destination key corresponding to a public transfer key of the source device. The destination device receives a signed encrypted data encryption key from the source device. The destination device receives encrypted data from the source device. The destination device verifies the signed encrypted data encryption key originated from the source device based on the signed encrypted data key being signed with a private attestation identity key that corresponds to a public attestation identity key of the source device. The destination device decrypts encrypted data using a private transfer key of the destination device.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: March 19, 2024
    Assignee: Oracle International Corporation
    Inventors: Brian Spencer Payne, Saikat Chakrabarti, Pratibha Anjali Dohare, Rehan Loring Iftikhar
  • Patent number: 11936774
    Abstract: A method (300) and system (1) of determining a common secret for two nodes (3, 7). Each node (3, 7) has a respective asymmetric cryptography pair, each pair including a master private key and a master public key. Respective second private and public keys may be determined based on the master private key, master public key and a deterministic key. A common secret may be determined at each of the nodes based on the second private and public keys. In one example, a node (3, 7) may determine the common secret based on (i) a second private key based on the node's own master private key and the deterministic key; and (ii) a second public key based on the other node's master public key and the deterministic key. The invention may be suited for use with, but not limited to, digital wallets, blockchain (e.g. Bitcoin) technologies and personal device security.
    Type: Grant
    Filed: May 27, 2022
    Date of Patent: March 19, 2024
    Assignee: nChain Licensing AG
    Inventors: Craig Steven Wright, Stephane Savanah
  • Patent number: 11930357
    Abstract: This invention is a system and method for verifying a sender of messages on a mobile network. Software on a cloud messaging service generates a public/private key pair. The private key is securely retained in a cloud wallet service and is accessible to a messaging cloud service (the trusted sender). The public key is shared with a subscriber device that receives messages from the messaging cloud service. The cloud messaging service receives an inbound message for the subscriber device from a trusted enterprise application via a secure connection. The cloud messaging service signs a special header to the message with its private key. When the message is received by the subscriber device, the public key resident on the device verifies the message header signed with the public key of the cloud messaging service thereby verifying the sender.
    Type: Grant
    Filed: July 17, 2023
    Date of Patent: March 12, 2024
    Assignee: Syniverse Technologies, LLC
    Inventors: Rajan John Thomas, Chris Wright
  • Patent number: 11924357
    Abstract: A method of generating a digital signature. The method comprises calculating a first random number and, based on second and third random numbers, first and second modified versions thereof. A curve point on an elliptic curve is determined based on a base point and the first modified version. A first signature part is calculated based on the curve point. Based on the second and third random numbers, the modified versions of the first random number, data to be signed, the first signature part, and a private key, a second signature part and a check value for the second signature part are calculated. The second signature part is compared with the check value for the second signature part and, responsive to the check value for the second signature part matching the second signature part, a cryptographic signature is output comprising the first signature part and the second signature part.
    Type: Grant
    Filed: March 17, 2022
    Date of Patent: March 5, 2024
    Assignee: Arm Limited
    Inventors: Einat Luko, Jeremy Patrick Dubeuf
  • Patent number: 11921863
    Abstract: Systems and methods are disclosed herein for determining a source of leaked sensitive data (e.g., passwords, insecure coding, log information, any information that should not exist, etc.) in compiled software applications. According to some aspects, a computing device (e.g., a software analysis device, a cloud-computing device, a server, a smart device, binary file/code scanner, etc.) may receive scan pattern information and a binary file of a software application. The computing device may be configured to determine one or more executable files of the software application based on the binary file. Based on the scan pattern information and the one or more executable files, the computing device may determine location information for one or more sensitive data elements configured with the software application. The computing device may use the location information for each of the one or more sensitive data elements to determine a respective source of the sensitive data element.
    Type: Grant
    Filed: December 3, 2021
    Date of Patent: March 5, 2024
    Assignee: Capital One Services, LLC
    Inventors: Jay Goodman Tamboli, Dustin Summers, Rui Zhang
  • Patent number: 11917405
    Abstract: A method and system for user authentication through mobility traces comprising: retrieving and processing (401, 411) data records stored in a network events database (14), the data records comprising data of one or more interactions (101) of the user with at least one network element (12) through a mobile device (11) of the user, a timestamp (T) associated with the recorded interactions, a unique identifier of the mobile device (11), a unique identifier of the user and a unique identifier of the network element (12); computing (103) at least one network interaction track, NIT, by using the retrieved data; using the at least one computed NIT (402, 412) to obtain an authentication result, e.g., based on a computed authentication probability (Pi), indicating either a success or a failure of the user authentication to be returned to a third-party service provider (21) requesting the user authentication status check (202, 302).
    Type: Grant
    Filed: March 2, 2022
    Date of Patent: February 27, 2024
    Assignee: Telefónica Cybersecurity & Cloud Tech, S.L.U.
    Inventors: Nicolas Kourtellis, Aruna Prem Bianzino, Sergio De Los Santos Vilchez
  • Patent number: 11917062
    Abstract: Key rotation verification without decryption is provided. Two ciphertext inputs encrypted from a plaintext input by an encryption function using different cryptographic keys are input, wherein the encryption function is selected from a function family having an output space of one or more convex sets. A divergence between the two ciphertext inputs is computed. A membership oracle is executed on the two ciphertext inputs, wherein the two ciphertext inputs are determined to be members of the same convex set of the one or more convex sets if the computed divergence satisfies a separation condition. The two ciphertext inputs are validated to both correspond to the same plaintext input, responsive to determining that the two ciphertext inputs are members of the same convex set, wherein the two ciphertext inputs do not correspond to the same plaintext input if the two ciphertext inputs are not members of the same convex set.
    Type: Grant
    Filed: May 25, 2022
    Date of Patent: February 27, 2024
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Vipin Singh Sehrawat, Josip Relota
  • Patent number: 11916872
    Abstract: Described are various embodiments of an integrated network appliance and system. In one embodiment, the appliance comprises: a hardware-integrated processing engine operable to implement a trusted network-related resource; an integrated digital data processor operable to execute said processing engine; an integrated data storage resource accessible to said processing engine to implement said trusted network-related resource; an integrated location sensor; and an embedded hardware security module (HSM) hardwired to interface with said hardware-integrated processing engine via a dedicated hardware-isolated communication path, and operable to execute a trusted internal cryptographic process associated with said trusted network-related resource as a function of location data output from said integrated location sensor.
    Type: Grant
    Filed: April 18, 2022
    Date of Patent: February 27, 2024
    Assignee: CRYPTO4A TECHNOLOGIES INC.
    Inventors: Bruno Couillard, Bradley Clare Ritchie, James Ross Goodman, Jean-Pierre Fiset
  • Patent number: 11899767
    Abstract: Methods and systems for multifactor authentication and authorization are described. A method includes receiving captured image data of a person with a badge needing access to a secure area, detecting at least two faces from the captured image data, identifying a first name based on matching a face associated with a live human face with a control face in a database, identifying a second name based on matching on another face associated with the badge with a control face in a database, performing character recognition on text associated with the another face, comparing the second name with the character recognized text, comparing the second name with the first name when the second name matches the character recognized text, checking access rights, checking for at least another person in a proximity of the secure area, and granting access when the person is the sole person accessing the secure area.
    Type: Grant
    Filed: July 19, 2022
    Date of Patent: February 13, 2024
    Assignee: Charter Communications Operating, LLC
    Inventors: Wael Guibene, Hossam Hmimy
  • Patent number: 11880483
    Abstract: Systems, devices, and methods are provided for authorizing access to database management system (DBMS) resources using security policies managed by a service external to the DBMS. A DBMS may be provisioned to obtain a database request, identify one or more securable resources that from applications, determine a request context for the system call, and send a request to an external policy management service. The policy management service may be used to perform a policy evaluation to determine whether to grant access to the securable resources. In some cases, policies are cached by the DBMS. In various examples, the DBMS and policy management service are both hosted on resources managed by a computing resource service provider on behalf of a customer to run mainframe workloads.
    Type: Grant
    Filed: December 3, 2021
    Date of Patent: January 23, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Didier Germain Durand, Ilia Gilderman
  • Patent number: 11868477
    Abstract: Some storage systems are configured with VDL (valid data length) type controls that are implemented on a per cluster basis and, in some instances, on a sub-cluster basis, rather than simply a per file basis. In some instances, per-cluster VDL metadata for the storage clusters is stored and referenced at the edge data volume nodes of a distributed network for the storage system rather than, and/or without, storing or synchronizing the per-cluster VDL metadata at a master node that manages the corresponding storage clusters for the different data volume nodes. Sequence controls are also provided and managed by the master node and synchronized with the edge data volume nodes to further control access to data contained in the storage clusters.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: January 9, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mathew George, Rajsekhar Das, Vladimir Petter
  • Patent number: 11868475
    Abstract: A new approach is proposed that contemplates systems and methods to support post reset fuse reload for latency reduction. First, values of fuses are read once and stored into one or more load registers on an electronic device, wherein the load registers are protected. Once the values of the fuse are loaded into the load registers, a valid indicator of the load registers is set indicating that the values have been successfully loaded into the load registers. When other components of the electronic device need to access these values, the other components will check the load registers first. If it is determined that the valid indicator of the load registers is set, the stored values are read from the load registers instead of from the fuses. If the valid indicator of the load registers is not set, the values are loaded again from the fuses into the load registers.
    Type: Grant
    Filed: October 31, 2020
    Date of Patent: January 9, 2024
    Assignee: Marvell Asia Pte Ltd
    Inventors: Ramacharan Sundararaman, Nithyananda Miyar, Martin Kovac, Avinash Sodani, Raghuveer Shivaraj