Abstract: Embodiments disclose systems and methods to broadcast a message among virtual DP accelerators (DPAs). In one embodiment, in response to receiving a broadcast instruction from an application via a communication switch, the broadcast instruction designating one or more virtual DP accelerators of a plurality of virtual DP accelerators to receive a broadcast message, a system encrypts the broadcast message based on a broadcast session key for a broadcast communication session. The system determines one or more public keys of one or more security key pairs each associated with one of the designated virtual DP accelerators. The system encrypts a plurality of the broadcast session key based on the determined one or more public keys. The system broadcasts the encrypted broadcast message, and the one or more encrypted broadcast session keys to the virtual DP accelerators.

Abstract: A method for protecting content of online conversational content. The method provides for scanning content of an online conversational exchange between a first device and a second device. A sensitive object included in the content of the online conversation exchange is identified, based on object type information accessible from a protection policy included in respective user profiles. A pseudonymized-object-holder is assigned to the identified sensitive object according to the protection policy of the respective user profiles, and the identified sensitive object identified in the content of the online conversation exchange and stored on both the first device and the second device is replaced with a pseudonymized-object-holder, based on the sensitive-object protection policy of the respective user profiles.

Abstract: A model designer improves the security of a machine learning model in certain embodiments. Instead of storing the model in a central location, the training data used to build and train the model is stored across several different databases and/or datacenters. The training data is divided into portions and stored as a circular linked list across these databases and/or datacenters. The model designer retrieves the training data and incrementally builds and trains the model using the training data. The incremental error and bias of the model is used to locate training data between datacenters. Additionally, fake training data is appended to the circular linked list and the model designer tracks how much training data is used before hitting fake training data.

Abstract: Methods and systems generate seeds for public-private key pairs by determining a timestamp value associated with a process design kit (PDK) when a user of the PDK triggers a tool of the PDK while designing an integrated circuit device to have a physical unclonable function device (PUF). The methods and systems generate a first value by mapping the timestamp value to data of the user, generate a second value by mapping the timestamp value to configuration data of the PDK, and generate a third value by mapping the timestamp value to layout data of the PDK. A random number is then generated by applying a function to the first value, the second value, and the third value. A public-private encryption key pair is generated using the random number as a first seed number and using a second number generated by the number generation device as a second seed number.

Abstract: The invention relates to an industrial system comprising machines, systems for controlling machines connected by a first communication network, and a gateway intended to connect the first communication network to a second communication network. The gateway comprises a memory and comprises a processor configured to copy to the memory first data transmitted over the second communication network and relating to the operation of the machines.

Abstract: A method includes parsing a handshake message of an encrypted data stream according to a secure encrypted transmission protocol corresponding to the encrypted data stream, to obtain a plurality of fields included in the handshake message, determining, from a plurality of rule sets and based on the plurality of fields, a rule set that matches the handshake message, and determining, based on a mapping relationship between the matched rule set and an application, an application corresponding to the encrypted data stream.

Abstract: This disclosure describes techniques for dynamically changing a user authorization with a service provider during an ongoing user session. The changing user authorization may be used to address changing confidence in an identity of a user consuming a service provided by the service provider. The changing user authorization may also be used to adjust a scope of a service to which a user has access. The present techniques may allow single-sign-on type protocols to accomplish the flexible and dynamic change-of-authorization functionality of some traditional protocols to handle ongoing client-server sessions, rather than simply revoking authorization for access to the service. For this reason, the present techniques are able to integrate advantages of traditional protocols with newer, single-sign-on-type protocols.

Abstract: A method for determining whether a user is a human is disclosed. The method includes receiving a request to determine whether a user attempting to access a service provided by a host compute device is a human, obtaining an input motion that the user entered while the user solved a challenge-response test for accessing the service, extracting a noise component of the input motion, retrieving a noise model characterizing noise patterns of input motions previously entered into graphical user interfaces by humans, comparing the noise component with the noise model, calculating a human likeness score of the user based on the comparison, determining whether the user is a human based on the human likeness score, and sending a result of the determination to the host compute device such that the host compute device can allow or restrict access to the service by the user depending on the result.

Abstract: A system and method of de-elevating a process created in a computing device of a computer system are disclosed. In certain aspects, a method includes detecting a user login within a login session of a computing device in the computer system, the login session having a default security context. The method also includes creating a de-elevated security context for the login session, wherein the de-elevated security context has fewer privileges than the default security context. The method also includes detecting a process being created within the login session. The method further includes determining that the process is potentially malicious by comparing an intended state and a digital profile of the computing device. The method also includes launching the process using the de-elevated security context.

Abstract: Some embodiments provide a method for a first device that identifies definitions of different groups of devices, each of which is defined by a set of properties required for a device to be a member. The method monitors properties of the first device to determine when the device is eligible for membership in a group. When the first device is eligible for membership in a first group of which the device is not a member, the method sends an application for membership in the first group signed with at least a private key of the device to at least one other device that is a member of the first group. When the first device becomes ineligible for membership in a second group of which the first device is a member, the method removes the device from the second group and notifies other devices that are members of the second group.

Abstract: Methods and systems for managing cryptographic keys in on-premises and cloud computing environments and performing multi-party cryptography are disclosed. A cryptographic key can be retrieved from a hardware security module by a key management computer. The key management computer can generate key shares from the cryptographic key, and securely distribute the key shares to computer nodes or key share databases. The computer nodes can use the key shares in order to perform secure multi-party cryptography.

Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

Abstract: The present disclosure relates to a fifth generation (5G) or a pre-5G communication system for supporting higher data transmission rate compared to fourth generation (4G) communication systems such as Long Term Evolution (LTE). The present disclosure relates to generating a security key in a wireless communication system, and a method for operating a transmission end comprises the steps of: generating an encryption key using information related to channel estimation; and transmitting encrypted data to a receiving end using the encryption key.

Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.

Abstract: The present disclosure describes a firmware analysis system and method that can generate a collection of protocol constraints from known firmware and apply the collection of protocol constraints towards an unknown firm to recognize protocol relevant fields and detect functionality within the unknown firmware.

Abstract: Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.

Abstract: An approach is disclosed for running a first smart contract on a first blockchain platform restricting access to a client's funds appropriated to a second smart contract running on a second blockchain platform. A transaction is received by invoking the first smart contract authorizing the second smart contract. In response to receiving an indication of a successful completion of the first smart contract, a plurality of client's authorization tickets are sent to the second smart contract. The invoked smart contract receives the set of authorization information and records the set of authorization information. After receiving a set of authenticated authorization tickets exceeding a predetermined threshold, the funds are released.

Abstract: A verification platform may include a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, including a subset of the industrial asset cyber-attack detection algorithm data. The verification platform may store the subset into a data store (the subset of industrial asset cyber-attack detection algorithm data being marked as invalid) and record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger.

Abstract: Conventionally, biometric template protection has been achieved to improve matching performance with high levels of security by use of deep convolution neural network models. However, such attempts have prominent security limitations mapping information of images to binary codes is stored in an unprotected form. Given this model and access to the stolen protected templates, the adversary can exploit the False Accept Rate (FAR) of the system. Secondly, once the server system is compromised all the users need to be re-enrolled again. Unlike conventional systems and approaches, present disclosure provides systems and methods that implement encrypted deep neural network(s) for biometric template protection for enrollment and verification wherein the encrypted deep neural network(s) is utilized for mapping feature vectors to a randomly generated binary code and a deep neural network model learnt is encrypted thus achieving security and privacy for data protection.

Abstract: According to one embodiment, a system receives, at a host channel manager (HCM) of a host system, a request from an application to establish a secure channel with a data processing (DP) accelerator, where the DP accelerator is coupled to the host system over a bus. In response to the request, the system generates a first session key for the secure channel based on a first private key of a first key pair associated with the HCM and a second public key of a second key pair associated with the DP accelerator. In response to a first data associated with the application to be sent to the DP accelerator, the system encrypts the first data using the first session key. The system then transmits the encrypted first data to the DP accelerator via the secure channel over the bus.