Patents Examined by Saleh Najjar
  • Patent number: 12206774
    Abstract: SEPP 1 forms a first TLS protected N32-c connection with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS client and server, and a TLS protected second N32-c connection with SEPP 2 so that SEPP 1 and SEPP 2 are respectively a TLS server and client. On forming the first and second TLS protected N32-c connections, respective first and second shared secrets are formed. First and second master keys are obtained from the first and second shared secrets, respectively. N32-f context IDs are created by each SEPP on setup of the first and second N32-c connections. Based on the first master key and the first N32-f context ID, a first session key is produced for encryption of a first N32-f request to the second security edge proxy and correspondingly a second session key is produced for decryption of a second N32-f request from SEPP 2.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: January 21, 2025
    Assignee: Nokia Technologies Oy
    Inventor: Nagendra S Bykampadi
  • Patent number: 12204639
    Abstract: In some examples, a system executes a monitor separate from an operating system (OS) that uses mapping information in accessing data in a physical memory. The monitor identifies, using the mapping information, invariant information, that comprises program code, of the OS without suspending execution of the OS, the identifying comprising the monitor accessing the physical memory independently of the OS. The monitor determines, based on monitoring the invariant information of the OS, whether a security issue is present.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: January 21, 2025
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Geoffrey Ndu, Nigel Edwards
  • Patent number: 12197628
    Abstract: A method and apparatus for processing biometric information in an electronic device including a processor that operates at a normal mode or at a secure mode, the method comprising, detecting a biometric input event from a biometric sensor module at normal mode, creating biometric data based on sensed data from the biometric sensor module at the secure mode, performing biometric registration or biometric authentication based on the created biometric data at the secure mode, and providing result information of biometric registration or biometric authentication at the normal mode.
    Type: Grant
    Filed: June 2, 2023
    Date of Patent: January 14, 2025
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Teain An, Taeho Kim, Hyungjoon Kim, Seulhan Park, Jonghoon Park, Heejun You, Yangsoo Lee, Moonsu Chang, Jinho Hyeon
  • Patent number: 12192367
    Abstract: A first installation stores a secret key of a user and a second installation provides encrypted data for the user. In order that a user apparatus can decrypt the encrypted data, the apparatus creates a one-time password, encrypts the one-time password by means of a public key of the first installation and causes the second installation to retrieve the secret key of the user from the first installation by means of the encrypted one-time password and a key identification allocated to the user in the second installation. The first installation decrypts the one-time password, searches for the secret key based on the key identification, encrypts it with the one-time password and transmits the encrypted secret key to the apparatus via the second installation. There, the secret key of the user is decrypted by means of the one-time password and is used for decrypting the encrypted data.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: January 7, 2025
    Assignee: Deutsche Post AG
    Inventors: Mike Bobinski, Jürgen Pabel
  • Patent number: 12184777
    Abstract: Embodiments of this disclosure provide an authentication information transmission method and system, a key management client, and a computer device. Performed by a device hosting a key management client and comprising a hardware abstract layer, the method includes receiving, through a path via a preset hardware abstract layer interface of the hardware abstract layer, authentication information from an application client associated with an application server; transmitting the authentication information to a key management server, so that the key management server transmits the authentication information to a trusted application in the device; obtaining authentication information signed by the trusted application and forwarded by the key management server; and transmitting, through the preset hardware abstract layer interface, the signed authentication information to the application server, so that the application server performs a validity check on the authentication information.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: December 31, 2024
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Qi Cui
  • Patent number: 12174955
    Abstract: An apparatus to facilitate mitigation of side-channel attacks in a computer system platform is disclosed. The apparatus comprises a cryptographic circuitry, including a plurality of crypto functional units (CFUs) to perform cryptographic algorithms; and jammer circuitry to generate noise to protect the plurality of CFUs from side-channel attacks.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: December 24, 2024
    Assignee: Intel Corporation
    Inventors: Anatoli Bolotov, Mikhail Grinchuk, Oleg Rodionov
  • Patent number: 12177328
    Abstract: Embodiments protect against memory-based side-channel attacks by efficiently shuffling data. In an example implementation, in response to a data access request by an encryption methodology regarding a first data element from amongst a plurality of data elements stored in memory, a storage address of a second data element of the plurality is determined. This storage address is determined using (i) an address of the first data element in the memory, (ii) a permutation function, and (iii) a random number. In turn, the first data element is stored at the determined storage address of the second data element and the second data element is stored at the address of the first data element. In this way, embodiments protect encryption methodologies from memory-based side-channel attacks.
    Type: Grant
    Filed: April 19, 2022
    Date of Patent: December 24, 2024
    Assignee: NORTHEASTERN UNIVERSITY
    Inventors: Yunsi Fei, Zhen Jiang
  • Patent number: 12170724
    Abstract: A system and method for determining a secret cryptographic key shared between a sending unit and a receiving unit for secure communication includes obtaining, by the sending unit, a random bit sequence, and transmitting, at the sending unit, a first sequence of electromagnetic pulses to the receiving unit via a communication channel, wherein each electromagnetic pulse of the first sequence of electromagnetic pulses corresponds to a bit of the random bit sequence according to a ciphering protocol, the signal loss is determined in the communication channel caused by an eavesdropper, and an information advantage is estimated over the eavesdropper based on the determined signal loss. Privacy amplification is performed based on the estimated information advantage in order to establish a shared secret cryptographic key.
    Type: Grant
    Filed: September 29, 2021
    Date of Patent: December 17, 2024
    Assignee: Terra Quantum AG
    Inventors: Gordey Lesovik, Nikita Kirsanov, Nurbolat Kenbayev
  • Patent number: 12166791
    Abstract: A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack by analyzing and correlating inbound and outbound packet information relative to the one or more protected computer networks for detecting novel DDoS Reflection/Amplification attack vectors. Created are separate data repositories that respectively store information relating to captured inbound and outbound packets flowing to and from the protected computer networks. Stored in each respective inbound and outbound data repository are identified inbound destination ports respectively associated with the captured inbound and outbound packets such that each identified inbound destination port number is associated with 1) a packet count relating to the inbound and outbound packets; and 2) a packet byte length count relating to each of the inbound and outbound packets.
    Type: Grant
    Filed: June 1, 2022
    Date of Patent: December 10, 2024
    Assignee: ARBOR NETWORKS, INC.
    Inventors: Brian St. Pierre, Steinthor Bjarnason
  • Patent number: 12164633
    Abstract: Systems and methods include causing a scan by a Cloud Access Security Broker (CASB) system of a plurality of users associated with a tenant in a Software-as-a-Service (SaaS) application where the scan includes any of identifying malware in content in the SaaS application and identifying confidential data in the content in the SaaS application; during the scan which is covering historical data in the SaaS application, receiving notifications of the content being actively modified by any of the plurality of users; and including the content being actively modified in the scan with the historical data. The systems and methods can further include maintaining geolocation of the any of the plurality of users; and causing the content being actively modified in the scan to be processed by the CASB system based on the geolocation.
    Type: Grant
    Filed: July 22, 2020
    Date of Patent: December 10, 2024
    Assignee: Zscaler, Inc.
    Inventors: Shankar Vivekanandan, Narinder Paul, Arun Bhallamudi, Sakshi Agrawal, Sonal Choudhary, Parth Shah, Huan Chen
  • Patent number: 12141280
    Abstract: Embodiments of the present disclosure provide systems, methods, and non-transitory computer storage media for identifying malicious behavior using a trained deep learning model. At a high level, embodiments of the present disclosure utilize a trained deep learning model that takes a sequence of ordered signals as input to generate a score that indicates whether the sequence is malicious or benign. Initially, process data is collected from a client. After the data is collected, a virtual process tree is generated based on parent and child relationships associated with the process data. Subsequently, embodiments of the present disclosure aggregate signal data with the process data such that each signal is associated with a corresponding process in a chronologically ordered sequence of events. The ordered sequence of events is vectorized and fed into the trained deep learning model to generate a score indicating the level of maliciousness of the sequence of events.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: November 12, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Arie Agranonik, Shay Kels, Ofer Raz
  • Patent number: 12137175
    Abstract: Described are automated systems and methods for employing certificate authority meta-resources to facilitate automatic renewal and/or rotation of certificates and/or certificate authorities in a PKI hierarchy. For example, embodiments of the present disclosure can provide creating a certificate authority meta-resource, which can maintain and monitor certain information to facilitate automatic renewal and rotation of certificates and/or certificate authorities in a PKI hierarchy. The certificate authority meta-resource can also keep track of the active certificate authorities and certificates to ensure that trust is maintained without manual configuration of the PKI hierarchy.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: November 5, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Param Sharma, Todd Cignetti, Josh Rosenthol, Jonathan Kozolchyk
  • Patent number: 12135795
    Abstract: Systems and methods are provided that may be implemented by services executing on one or more remote servers and on an endpoint information handling system to remotely erase (i.e., clear or remove) biometric fingerprint credential data that is previously stored on non-volatile memory of a discrete “match-on chip” fingerprint reader (MOFR) of the endpoint information handling system, as well as to erase separate non-biometric OS user identifier (ID) fingerprint enrollment information stored on separate system non-volatile memory of the endpoint information handling system.
    Type: Grant
    Filed: January 21, 2022
    Date of Patent: November 5, 2024
    Assignee: Dell Products L.P.
    Inventors: Charles D. Robison, Girish S. Dhoble, Daniel L. Hamlin
  • Patent number: 12135784
    Abstract: Disclosed are a privacy-protection-based data processing model acquisition method and apparatus, a terminal device and a storage medium. The method includes: acquiring sensor data of a plurality of sensors of a preset Internet of Things device; training an initial data model corresponding to each of the sensors through the sensor data corresponding to the sensor to obtain an intermediate data model corresponding to each of the sensors, and integrating the intermediate data models corresponding to the sensors to form an integrated data model; processing new data through the integrated data model and random noise to acquire a label category corresponding to the new data; and training the integrated data model according to the new data and the label category of the new data to acquire a data model. The method solved the technical problem of poor privacy protection of Internet of Things data.
    Type: Grant
    Filed: April 1, 2022
    Date of Patent: November 5, 2024
    Assignee: ENNEW DIGITAL TECHNOLOGY CO., LTD
    Inventor: Xin Huang
  • Patent number: 12124562
    Abstract: A method includes configuring one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section. The method also includes configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section. The method also includes identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections. The method also includes changing, in view of the one or more annotations, the one or more permissions of the second page to enable execution of the second section of the executable program code.
    Type: Grant
    Filed: February 14, 2022
    Date of Patent: October 22, 2024
    Assignee: Red Hat, Inc.
    Inventors: Peter Jones, Adam Jackson
  • Patent number: 12126714
    Abstract: A cryptography system comprises a noising engine and a de-noising engine. The noising engine is configured to receive a key pattern, determine a final membership value based on one or more input parameters and a first knowledge base, and generate a noised key pattern based on the key pattern and the final membership value. The de-noising engine is configured to receive the noised key pattern and the final membership value, and generate a de-noised key pattern based on the noised key pattern, the final membership value, and a second knowledge base.
    Type: Grant
    Filed: May 24, 2021
    Date of Patent: October 22, 2024
    Assignee: Synopsys, Inc.
    Inventor: Ladvine D. Almeida
  • Patent number: 12120222
    Abstract: A computer-implemented method for providing a system-specific secret to a computing system having a plurality of computing components is disclosed. The method includes storing permanently a component-specific import key as part of a computing component and storing the component-specific import key in a manufacturing-side storage system. Upon a request for the system-specific secret for a computing system, the method includes identifying the computing component comprised in the computing system, retrieving a record relating to the identified computing component, determining the system-specific secret protected by a hardware security module and determining a system-specific auxiliary key. Furthermore, the method includes encrypting the system-specific auxiliary key with the retrieved component-specific import key, thereby creating an auxiliary key bundle, encrypting the system-specific secret and storing the auxiliary key bundle and a system record in a storage medium of the computing system.
    Type: Grant
    Filed: August 4, 2021
    Date of Patent: October 15, 2024
    Assignee: International Business Machines Corporation
    Inventors: Reinhard Theodor Buendgen, Brian Walter Stocker, Nicolas Maeding, Jonathan D. Bradbury
  • Patent number: 12101338
    Abstract: Various approaches are disclosed for protecting vehicle buses from cyber-attacks. Disclosed approaches provide for an embedded system having a hypervisor that provides a virtualized environment supporting any number of guest OSes. The virtualized environment may include a security engine on an internal communication channel between the guest OS and an external vehicle bus of a vehicle to analyze network traffic to protect the guest OS from other guest OSes or other network components, and to protect those network components from the guest OS. Each guest OS may have its own security engine customized for the guest OS to account for what is typical or expected traffic for the guest OS (e.g., using machine learning, anomaly detection, etc.). Also disclosed are approaches for corrupting a message being transmitted on a vehicle bus to prevent devices from acting on the message.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: September 24, 2024
    Assignee: NVIDIA Corporation
    Inventors: Mark Overby, Rick Dingle, Nicola Di Miscio, Varadharajan Kannan, Yong Zhang, Francesco Saracino
  • Patent number: 12093353
    Abstract: Methods and systems for user authentication. At a server, receiving unique fingerprint information for an unauthenticated browsing session with the server by a first user device. The unique fingerprint information received is compared with respective historical fingerprint information associated with a plurality of user accounts stored on the server. Based on the comparison, determining that one of the plurality of user accounts has associated historical fingerprint information that matches the unique fingerprint information with at least a threshold confidence level. In response to receiving user input from a second device indicating that the unauthenticated browsing session corresponds to the one of the plurality of user accounts, associating the unauthenticated browsing session with the one of the plurality of user accounts.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: September 17, 2024
    Assignee: Shopify Inc.
    Inventor: Siavash Ghorbani
  • Patent number: 12080404
    Abstract: Integrated systems for collecting, storing, and distribution of images acquired of subjects in a research or clinical environment are provided. The system includes an image and data repository including a plurality of images originating from one or more image-generating devices, data associated with the images, and data associated with imaged subjects; and a workflow management module in direct communication with the image and data repository and with the one or more image-generating devices and/or storage devices that store the images of the imaged subjects, the workflow management module being configured to transport the images directly from the one or more image-generating devices and/or storage devices to the image and data repository and to manage the collation and distribution of images, data associated with the raw images and the data associated with the imaged subjects in the image and data repository.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: September 3, 2024
    Assignee: Translational Imaging Innovations, Inc.
    Inventors: Eric L. Buckland, Joseph Carroll, Robert C. Williams, Andrew J. Witchger, Jr.