Abstract: The disclosed technology is generally directed to secure transactions. In one example of the technology, a first enclave to be used for executing a cryptlet binary of a first cryptlet is identified. The first enclave may be a secure execution environment that stores an enclave private key, and the first cryptlet may be associated with at least a first counterparty. A cryptlet binding that is associated with the first cryptlet may be generated, and may include counterparty information that is associated with at least the first counterparty. Cryptlet binding information may be provided to a cryptlet binding key graph, and a location of a first hardware security module (HSM) that stores a key that is associated with the first counterparty may be received from the cryptlet binding key graph.
Abstract: Embodiments of the present specification disclose trusted hardware-based data management methods, apparatuses, and devices. One method comprising: identifying, by trusted hardware, data description information to be published, wherein the data description information describes target data of a data owner provided by a trusted institution, and the trusted hardware is associated with a decentralized identifier of the data owner; requesting the trusted institution to verify whether the trusted institution stores user service data for generating the target data; receiving a verification result from the trusted institution; and publishing the data description information in response to determining that the verification result indicating that the trusted institution stores the user service data for generating the target data.
Type:
Grant
Filed:
June 25, 2021
Date of Patent:
May 24, 2022
Assignee:
Alipay (Hangzhou) Information Technology Co., Ltd.
Abstract: Provided are a method for detecting an anomaly in devices, the method being performed by a computing device and comprising: acquiring operation information on a first device connected to a security management unit (SMU) of a first domain, and operation information on a second device connected to a SMU of a second domain, and detecting an anomaly in the first device and/or the second device by comparing the operation information on the first device with the operation information on the second device, wherein the SMU of the first domain is not directly connected to the SMU of the second domain.
Type:
Grant
Filed:
July 19, 2019
Date of Patent:
May 17, 2022
Assignee:
KOREA INTERNET & SECURITY AGENCY
Inventors:
Mi Joo Kim, Woong Go, Sung Taek Oh, Jae Hyuk Lee, Jun Hyung Park
Abstract: A system and method for enhancing security for a high security embedded system. The system on chip device including at least one central processing unit (CPU) component, input and output component blocks, an independent hard or soft core dedicated to the input and output blocks, and a built-in, on die interposer, wherein the interposer consists of a field programmable gate array (FPGA) fabric, the FPGA fabric surrounding the components of the system on chip. The method for includes separating system components using a FPGA fabric, redirecting or changing the appearance of system components unknown to other system components, separating system code from security and recovery code, and providing proactive security problem detection and resolutions.
Abstract: A system and method prevent a networked computer connected to a secure network from executing malicious code. A data language system labels bits within the secure network; where each bit received from sources outside the secure network is labeled as data. Programs loading onto the networked computer from within the secure network are labeled as program code. A processor of the networked computer is modified to inhibit execution of instructions that have bits labeled as data. For a two-state or three-state bit computer, each bit is labeled by inserting/adding an adjacent label-bit to indicate data or program code. For four and higher bit state computers, two of the bit values (e.g., zero and one) are used for data and other bit values (e.g., two and three) are used for program code.
Abstract: The disclosed computer-implemented method for protecting users may include (i) detecting, at a parental control system, network activity originating from a child computing device operated by a child and (ii) providing, through the parental control system to a guardian computing device operated by a guardian of the child and based on the network activity originating from the child computing device operated by the child, information indicating an overview of activity by the child at the child computing device to enable the guardian to apply, from the guardian computing device, application-specific policies that restrict application activity at the child computing device. Various other methods, systems, and computer-readable media are also disclosed.
Abstract: Aspects of the disclosure relate to real-time validation of data transmissions based on security profiles. A computing platform may collect, in real-time, information associated with a plurality of data transmissions between applications, where the information may include, for each data transmission, an indication of a source application and a destination application. Then, the computing platform may retrieve, from a repository and for each data transmission, a first security profile associated with the source application, and a second security profile associated with the destination application. The computing platform may then compare, for each data transmission, the first security profile to the second security profile. Subsequently, the computing platform may detect, based on a determination that the first security profile does not match the second security profile, a potentially unauthorized data transmission.
Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to perform malware detection using a generative adversarial network. An example apparatus includes a first encoder network to encode an input sample into a first encoded sample, the first encoder network implemented using a multilayer perception (MLP) network, a generator network to reconstruct the first encoded sample to generate a reconstructed sample, a discriminator network to, in response to obtaining the first encoded sample and the reconstructed sample, generate a loss function based on the reconstructed sample and the input sample, and an optimization processor to, when the loss function satisfies a threshold loss value, classify the input sample as malicious.
Abstract: A file protecting method having following steps is provided: intercepting a data section in a module file, encrypting the data section according to a dynamic password; integrating other data sections that are not intercepted in the module file to update the module file, and storing the updated module file, the encrypted data section and the dynamic password. A corresponding data processing system is also provided.
Abstract: Example method includes: receiving, by a network device, a connection request to a wireless local area network (WLAN) from a client device; determining, by the network device, that the client device is associated with a particular role indicating that the client device is stolen; and performing, by the network device, a set of special handling operations that facilitates maintaining an active connection between the client device and the WLAN, collecting and reporting information about the client device to an investigation agency.
Type:
Grant
Filed:
April 28, 2018
Date of Patent:
February 15, 2022
Assignee:
Hewlett Packard Enterprise Development LP
Abstract: There is provided a method of generating malicious traffic, the method being performed by a computing apparatus and comprising obtaining traffic data transmitted from a first device infected with first malicious code or received by the first device, generating a traffic template of the first device by analyzing the traffic data, and generating a malicious traffic template of a terminal group, wherein the malicious traffic template of the terminal group comprises the traffic template of the first device.
Type:
Grant
Filed:
July 19, 2019
Date of Patent:
February 8, 2022
Assignee:
KOREA INTERNET & SECURITY AGENCY
Inventors:
Sung Taek Oh, Woong Go, Mi Joo Kim, Jae Hyuk Lee, Jun Hyung Park
Abstract: Systems and methods for performing a data transfer in a data protection system are disclosed. A user interface is provided that includes a workflow. The workflow is effective to configure a data transfer by identifying the source of the data, the destination of the data, and the data itself. A data control process associated with the data protection system is performed to authenticate the requesting user and determine whether the user is authorized to access the data. The data is transferred in accordance with the data control process of the data protection system.
Abstract: A method for importing a digitally signed assertion to a temporally sequential listing includes receiving, by an evaluating device, at least a communication including a first digitally signed assertion recorded, assigning, by the evaluating device, a confidence level to the first digitally signed assertion, authenticating, by the evaluating device, the first digitally signed assertion as a function of the confidence level, generating, by the evaluating device, a second digitally signed assertion as a function of the first digitally signed assertion, and entering, by the evaluating device, the second digitally signed assertion in at least an instance of a first temporally sequential listing.
Abstract: A security device providing a security function for an image, a camera device including the same, and a system on chip (SOC) for controlling the camera device are provided. An image transmitting device may include an image processor configured to process an image to be transmitted to an external device, and a security circuit including a key shared with the external device. The security circuit may be configured to generate a tag used for image authentication by using data of a partial region of the image and the key based on region information for selecting the partial region of the image. The image transmitting device may be configured to transmit the tag, generated to correspond to the image, to the external device with data of the image.
Abstract: A method and a user device are disclosed for securing streaming content decryption. The method includes receiving at the user device a manifest for requested content, the manifest providing a Content Encryption Key (CEK) that is encrypted using a first public Key Encryption Key (KEK), a corresponding first private KEK being stored in secure storage on the user device; decrypting, inside a secure processing zone on the user device, the CEK using the first private KEK to create a decrypted content key; decrypting, inside the secure processing zone, requested content using the decrypted content key to form decrypted content; and providing the decrypted content to a decoder on the mobile user device.
Type:
Grant
Filed:
February 10, 2015
Date of Patent:
January 18, 2022
Assignee:
Ericsson AB
Inventors:
Raj Nair, Kevin J. Ma, Mikhail Mikhailov
Abstract: A system including a data retirement engine (DRE) and a method are provided for retiring sensitive data. The DRE receives a sensitive data map generated by a sensitive data discovery engine (SDDE) integrated to the DRE. The sensitive data map includes locations of sensitive data of different data types in multiple data stores. The DRE generates tokens for operational data from the sensitive data map based on selectable data classifications using one or more tokenizers that desensitize the sensitive data, while retaining transactional data. The DRE determines candidates from the operational data in an entirety of a target data store for the tokenization based on rules adjustably configured based on predetermined criteria. The DRE tokenizes the candidates using the tokens on the target data store and facilitates detokenization using a soft delete mode and deletion of the tokens using a hard delete mode.
Abstract: Aspects of the present disclosure are directed to methods and systems for protecting sensitive data in a hosted service system. The system includes a host system and the host system includes a key management system (KMS) and a metadata service system (MSS). The KMS and the MSS are communicatively coupled to each other. The system further includes a database management system (DBMS) having a database, a query pre-parser, and a results handler. The query pre-parser and the results handler are communicatively coupled to the KMS and the MSS, and the system also includes a processing application configured to process at least some data received from a tenant system.
Type:
Grant
Filed:
July 9, 2019
Date of Patent:
January 11, 2022
Assignee:
International Business Machines Corporation
Abstract: A unique identifier id(f) is generated for file f and stored on a content address server. A symmetric encryption key KF is generated for file f. File f is divided into n segments. A unique identifier id(si) is generated for each segment si. Each segment si of the n segments is encrypted using the symmetric key KF using a symmetric encryption algorithm, producing n encrypted segments esi. Each encrypted segment esi is stored with its identifier id(si) on the first peer device and at least one other peer device. For each encrypted segment esi, the identifier id(si) is stored on the content address server with the identifier id(f). A public key KU2 of a second user is retrieved, the symmetric key KF is encrypted with key KU2, producing wrapped key KW2=EAKU2(KF), and key KW2 is stored on the content address server with identifier id(f).
Type:
Grant
Filed:
August 10, 2021
Date of Patent:
January 11, 2022
Assignee:
CyLogic, Inc.
Inventors:
Adam Firestone, Hilary L. MacMillan, Raghu Lingampally
Abstract: A one-way coupling device for the feedback-free transmission of data from the first network with high security requirements into a second network with low security requirements, containing a request unit, an eavesdropping unit and a receiving unit, wherein the request unit is formed so as to provide a first communication link within the first network to at least one device and, moreover, to request first data from the at least one device and then to transmit the first data via a second communication link on a separate line loop of the request unit, and the eavesdropping unit, which is formed so as to eavesdrop on data on the separate line loop and to transmit data to a receiving unit which is arranged in the second network. Also, a corresponding request unit, a corresponding method and a corresponding computer program product is also provided.
Abstract: A method of accessing data sent between a remote resource and a data processing device, the method comprising: caching data uploaded from the remote resource or caching data sent to the remote resource at one or more intermediate network nodes between the data processing device and the remote resource; and accessing the cached data stored at the one or more intermediate network nodes.