Abstract: Selectively masking data in messages is provided. A masking expression is retrieved from a schema. The masking expression corresponds to a particular attribute within related messages generated by a producer application and sent to an immutable datastore for consumption by a consumer application of the computer that is registered to receive the messages related to a particular topic from the immutable datastore. A particular attribute value is masked only in those messages received from the immutable datastore that contain the particular attribute value during a time period when the particular attribute value is associated with the masking expression.

Abstract: A distributed data integration device includes an acquisition unit configured to acquire, for a piece of analysis target data, an anchor data intermediate representation and an analysis target intermediate representation, the anchor data intermediate representation being an intermediate representation obtained by converting anchor data by a first function, the anchor data being data commonly used in integration of a plurality of the pieces of analysis target data that are distributed, the analysis target intermediate representation being an intermediate representation obtained by converting the analysis target data by the first function, an anchor data conversion unit configured to convert, for the piece of analysis target data, a plurality of the anchor data intermediate representations by a second function, a calculation unit configured to calculate, for the piece of analysis target data, the second function that minimizes a difference between the plurality of the anchor data intermediate representations, a

Abstract: An activation function processing method includes processing a first activation function in a first mode by referring to a shared lookup table that includes a plurality of function values of the first activation function; and processing a second activation function in a second mode by referring to the shared lookup table, the second activation function being a different function than the first activation function.

Abstract: This application relates to a client-server architecture that enables user accounts registered with a service to be discoverable to other users of the service. A discovery protocol includes accessing personal information data stored in an address book of a client device, obfuscating the personal information data, transmitting a request to a service to determine if the obfuscated personal information data matches any potential contacts that have registered as discoverable with the service, and comparing information related to the potential contacts with the contacts included in the address book to determine if the contacts in the address book match any of the potential contacts.

Abstract: According to certain aspects of the present disclosure, a computer-implemented method is provided. The method includes receiving, at a manager device, data comprising at least one managed device. The method includes identifying, at the manager device, a website associated with the at least one managed device. The method also includes receiving, at a mobile device management server from the manager device, a first message to cause the mobile device management server to initiate transmission of a second message comprising a command that causes the at least one managed device to navigate to the website via a browser, restrict access to other websites other than the website, and enable a camera. Systems and machine-readable media are also provided.

Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely be deleting the transform key—no elimination of the encrypted data, regardless of its storage location, is needed.

Abstract: System and methods are described which are useful for efficiently combining characteristic detection rules, such as may be done to efficiently and quickly assist in the dispositioning of user reported security threats.

Abstract: Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and transmitting a token instead of a real account identifier and the transaction cryptogram to an access device to conduct the transaction. The token and the transaction cryptogram can be transmitted to a magnetic stripe reader by generating an emulated magnetic signal. The LUK may be associated with a set of one or more limited-use thresholds that limits usage of the LUK, and the transaction can be authorized based on at least whether usage of the LUK has exceeded the set of one or more limited-use thresholds.

Abstract: An attack handling location selection apparatus includes an acquisition unit configured to acquire traffic volumes of a plurality of first transfer apparatuses related to a path of an attack traffic, and a selection unit configured to assign priorities based on the traffic volumes to second transfer apparatuses extracted from the plurality of first transfer apparatuses based on comparison between the traffic volume of each first transfer apparatus and an upper limit value of a traffic volume capable of being handled by a protection apparatus configured to handle the attack traffic, and select, as a forwarding point of the traffic to the protection apparatus, a highest-ranking third transfer apparatus in the priorities. Thus, a forwarding point capable of increasing the likelihood that attack traffic is appropriately handled is selected.

Abstract: A computer-implemented method of making secure computer products is described, including a computer-implemented method of configuring a computer system configured to run an operating system, wherein the method of to enable the computer system to resist the execution of unauthorised software, the method comprising: instantiating an application programming interface to enable an application running on the computer system to access the functionality of the operating system; and applying a transform to the application programming interface to modify the application programming interface.

Abstract: A multi-lender architecture is configured to provide a loan applicant with automated pre-qualification and automobile loan eligibility evaluation for multiple candidate lenders. Lender output data may include sensitive data. The lender output data is stored in a data object of a first format and one or more fields of the data object are encrypted at the field level. The encrypted data object may be transmitted through multiple application layers or terminals. The encrypted data object may be reformatted at one or more application layers or terminals without decryption. A reformatted encrypted data object containing the lender output data may be decrypted at the last layer before forwarding the lender output data to the loan applicant.

Abstract: A system and method for providing secure access to an organization's internal directory service from external hosted services. The system includes a remote directory service configured to accept directory service queries from an application running on hosted services. The remote directory service passes the queries to a directory service proxy server inside a firewall of the organization via a secure connection service. The directory service proxy server passes the queries to the internal directory service inside said firewall. Request responses from the internal directory service pass through the directory service proxy server to the remote directory service through said firewall via the secure connection service. The remote directory service returns the response to the requesting application.

Abstract: A system and method for providing access to data of a user or services relevant to a user. A customer data key is created by a server that is specific to an application, the user of the application, and the device upon which the application resides. The server may receive an application programming interface call to create the customer data key; however, any call accessing or affecting user-specific data which does not contain a valid and authorized customer data key may be rejected. To authorize the access to the offered data or services, the user conducts an entirely separate transaction not mediated by the application. During this separate transaction, the customer data key may be activated, permitting access to the data or services using the activated customer data key.

Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely be deleting the transform key—no elimination of the encrypted data, regardless of its storage location, is needed.

Abstract: A technique to secure a wireless communication link that is being shared among a wireless access point (AP), and each of a set of wireless clients (each a mobile station (STA)) that are coupled to the AP over the communication link. A typical implementation is a WPA2-PSK communication link. In this approach, and in lieu of a single secret key being shared by all AP-STA pairs, each AP-STA pair derives its own unique WLAN shared secret, preferably via a Diffie-Hellman (DH) key exchange. The WLAN shared secret is then used to generate WPA2-PSK keys, namely, pairwise master key (PMK) and pairwise transient key (PTK), that establish an 802.11 standards-compliant secure link.

Abstract: A packet network includes packet engines that perform packet handling. Cipher engines are provided separately from the packet engines for encryption and/or authentication operations. To preserve relative timing and ordering of data packets, a packet engine performs pre-shaping of data traffic, wherein the packet engine inserts dummy packets into a data flow. The packet engine provides the pre-shaped data traffic to a cipher engine.

Abstract: The present invention relates to the field of tracing and anti-counterfeit protection of physical objects, and particularly to preparing and performing a secure authentication of such objects. Specifically, the invention is directed to a method and a system for preparing a subsequent secured authentication of a physical object or group of physical objects by a recipient thereof, to a method and system for authenticating a physical object or group of physical objects, to a method and system of securely providing a time-variant combination scheme for authenticating a physical object or group of physical objects according to the above methods, and to related computer programs corresponding to said methods. The invention is based on the concept of increasing the security level by increasing the information entropy of the data on which the anti-counterfeit protection is based by means of random data communicated to authenticating entities in an algorithmically hidden way.

Abstract: A chip fingerprint management device includes: a one-time programmable (OTP) memory including a first storage region, the first storage region being readable by hardware and access restricted by software; and an OTP controller which generates a chip fingerprint based on a random number, and programs the generated chip fingerprint into the first storage region in the OTP memory.

Abstract: System and methods are described which are useful for efficiently combining characteristic detection rules, such as may be done to efficiently and quickly assist in the dispositioning of user reported security threats.

Abstract: Some methods may involve receiving, at a first node of the health network, encrypted sensor data from one or more sensors. The first node may be in a data communication path between the one or more sensors and other nodes of the health network. The method may involve decrypting, by the first node of the health network, only a portion of the encrypted sensor data, and transmitting the encrypted sensor data from the first node of the health network to a second node of the health network. The first node may be a gateway device. In some examples, the second node may be able to decrypt more of the encrypted sensor data than the first node.