Abstract: Some embodiments of the invention provide a method for transmitting data messages via secure tunnels in a network. The method is performed at a gateway device. The method determines that a data message received at the gateway device should be sent via a secure interface of the gateway device. The method matches the data message to a firewall rule that maps to a particular secure tunnel used by the secure interface, with multiple different firewall rules mapping to multiple different secure tunnels used by the secure interface. The method encapsulates the data message with a header that comprises an indicator value specifying the particular secure tunnel and forwards the encapsulated data message to a destination interface.

Abstract: Systems and methods for providing access to historical data over a real-time tunnel are disclosed. The method provides a mechanism for secure communication between one or more historians. In an example, attack surfaces on historians in an industrial control system operational technology (OT) network and in an information technology (IT) networks are reduced and possibly entirely eliminated by tunneling through a DMZ (de-militarized zone) or “secured network”.

Abstract: A verification apparatus acquires a source code for multiparty computation, while changing a combination of options settable to a multiparty computation compiler, compiles the source code for each combination of options to generate a plurality of multiparty computation executable codes, selects at least one multiparty computation executable code from the plurality of multiparty computation executable codes as a verification code and provides the at least one verification code to a verification environment of multiparty computation, generates an evaluation index with respect to an execution result of at least one verification code in the verification environment, and selects at least one recommended code from the plurality of multiparty computation executable codes, based on the evaluation index corresponding to at least one verification code and outputs the selected recommended code.

Abstract: A system comprises a storage system comprising one or more storage devices and a storage controller operatively coupled to the storage system, the storage controller comprising a processing device, the processing device to receive first raw data from a first tenant of the storage system to a first non-volatile memory express (NVMe) input/output (I/O) queue of the storage system. The processing device further to determine that the first NVMe I/O queue corresponds to a first key, wherein the first key corresponds to the first tenant. The processing device further to encrypt the first raw data using the first key to generate first encrypted data. The processing device further to store the first encrypted data on the storage system.

Abstract: A method and computer readable software for providing randomized Security Parameter Index (SPI) for distributed Internet Protocol security (IPsec) are disclosed. In one embodiment a method includes designating each IPsec node with a unique node identifier, the IPsec node; performing a hash function on a random SPI to provide a randomized SPI; and assigning the randomized SPI to an IPsec tunnel associated with an IPsec node.

Abstract: Systems, computer program products, and methods are described herein for implementing real-time redaction in a workflow configurable environment. The present invention is configured to electronically receive, from a user input device, a request to load at least one user interface associated with an application; initiate a real-time content redaction engine on contents of the one or more fields associated with the at least one user interface in response to receiving the request, wherein initiating further comprises: parsing one or more embedded structures associated with the one or more fields; identifying private information in the one or more fields based on at least parsing the one or more embedded structures; and masking the private information in the one or more fields; and load the at least one user interface associated with the application in response to masking the private information in the one or more fields.

Abstract: Systems, apparatuses and methods may provide for detecting an identifier communication from a writing implement and transitioning a previously modified interior page of an electronic notepad from a locked state to an unlocked state if the identifier communication corresponds to one or more stored identifiers. Moreover, a plurality of additional interior pages of the electronic notepad may be maintained in the locked state while the previously modified interior page is in the unlocked state.

Abstract: Systems and methods of procuring real data items based on user affinity gauged via synthetic data items are disclosed. In one embodiment, an exemplary computer-implemented method may comprise: utilizing a trained machine learning model to generate a synthetic data item based on real user data; presenting the synthetic data item to those users; obtaining indications identifying user responses to the synthetic data item; obtaining user-defined control parameters from the users; configuring a user-defined control mechanism to share a portion of the real user data based thereon; obtaining a subset of the real user data based the user-defined control parameters; providing to a particular third-party data source at least one of: data regarding the synthetic data item, the at least one portion of the real user data, and the indications of the users; and then receiving a second real data item from the particular third-party data source.

Abstract: A method for accessing a network resource including detecting an attempt by a user via a computing device to access a service enabled by a computing system via a network and transmitting via the network to the computing system a first request to access the service in response to detecting the attempt by the user to access the service, the first request including at least one empty personally identifiable data structure. A failure to access the service responsive to the first request is determined. A second request to access the service in response to the first failure to access the service is transmitted via the network to the computing system, the second request including artificial personally identifiable information, and access to the service from the computing system is received for the user.

Abstract: Techniques are disclosed for cryptographically secure shuffling processes for generating and utilizing secrets in an infrastructure-as-a-service (IaaS) environment. In an embodiment, a method comprises generating a source list and a destination list, the source list and destination list association with a sequential format and the source list comprising a plurality of elements in the sequential format; generating a first random number and a second random number; determining a first element in the source list, the first element corresponding to a position in the sequential format of the source list based on the first random number; determining a first destination position in the destination list, the first destination position corresponding to a position in the sequential format of the destination list based on the second random number; and updating the destination list to include the first element in the source list at the first destination position.

Abstract: A network adapter within an industrial input/output (I/O) system includes one or more processers. The one or more processors are configured to: receive a first combination; determine whether the first combination matches a predefined lock combination; upon determining that the first combination matches the predefined lock combination, start a lock process; receive a second combination; determine whether the second combination matches a predefined lock key; and upon determining that the second combination matches the predefined lock key, lock the adapter.

Abstract: A decentralized and/or hybrid decentralized method for secure cryptography key storage referred to as Mutual Dependency Architecture (MDA) includes the steps of encrypting the cryptographic key using an unlock key; encrypting the unlock key using an encryption tool to create an encrypted seed; and storing the encrypted seed; wherein a user must have access to a first storage area in the device and to a second storage area external to the device in order to access the cryptographic key. In one embodiment, the encryption tool is a store key that is stored in unencrypted form in the first storage area, while the encrypted seed is stored in the second storage area. In another embodiment, the encryption tool is a Hardware Security Module (HSM) having an authentication key that is encrypted using a store key and stored in the second storage area, while the encrypted seed and the store key are stored in unencrypted form in the first storage area.

Abstract: Systems, computer program products, and methods are described herein for implementing real-time redaction in a workflow configurable environment. The present invention is configured to electronically receive, from a user input device, a request to load at least one user interface associated with an application; initiate a real-time content redaction engine on contents of the one or more fields associated with the at least one user interface in response to receiving the request, wherein initiating further comprises: parsing one or more embedded structures associated with the one or more fields; identifying private information in the one or more fields based on at least parsing the one or more embedded structures; and masking the private information in the one or more fields; and load the at least one user interface associated with the application in response to masking the private information in the one or more fields.

Abstract: A method includes obtaining, from a server, a filter including a set of encrypted identifiers each encrypted with a server key controlled by the server. The method includes obtaining a request that requests determination of whether a query identifier is a member of a set of identifiers corresponding to the set of encrypted identifiers. The method also includes transmitting an encryption request to the server that requests the server to encrypt the query identifier. The method includes receiving, from the server, an encrypted query identifier including the query identifier encrypted by the server key and determining, using the filter, whether the encrypted query identifier is not a member of the set of encrypted identifiers. When the encrypted query identifier is not a member of the set of encrypted identifiers, the method includes reporting that the query identifier is not a member of the set of identifiers.

Abstract: A method of accessing objects with fine-grained access control (FGAC) in a relational database management system (RDBMS) storing a segmented column-major database. For each object with access restrictions, an artificial neural network (ANN), is trained by generating an equally distributed segment map of segmented data entries, so that the map reproduces the row disposition in the unsegmented object. When a user access request is received, these ANNs are referred to determine if any of the objects to be accessed are subject to access restrictions. If that is the case, then the ANN creates a pseudo-view construct of its associated object which is limited to data entries that the user has permission to access. The pseudo-views are then injected into the user access request to embed the fine-grained access controls for subsequent processing of the request, which can then proceed without further regard to user-specific access restrictions.

Abstract: The present disclosure is directed to systems and methods for transparent Provider Backbone Bridge forwarding of MACsec key exchanges over public Ethernet provider backbones. The method includes the steps of receiving, at a first PBB device, an Ethernet frame from a first edge router for transmission to a second edge router via a MACsec connection, the Ethernet frame comprising a plurality of fields; performing a lookup of one or more fields of the plurality of fields to determine a match with one or more pre-defined values; determining that the one or more fields of the Ethernet frame match the one or more pre-defined values; rewriting the one or more fields of the Ethernet frame to one or more open values operable to allow the Ethernet frame to be transmitted to a next hop device; and transmitting the Ethernet frame to the next hop device.

Abstract: Techniques are described that include detecting customer personal information within any appropriate set of data, such as customer communications produced by customer-facing services offered by an organization. Once detected, the customer personal information may be tokenized within the customer communications, making the data appropriate for external systems, such as cloud-hosted applications. The disclosed techniques include a masking service that may be plugged into an on-premises pipeline of any customer-facing service that makes requests to an off-premises, cloud-hosted application. The masking service may apply rule-based detection and/or machine learning-based detection to detect both structured and unstructured customer personal information included in customer communications. The masking service may further tokenize or otherwise obfuscate or replace the detected customer personal information.

Abstract: Datacenters or other large-scale distributed computing systems can provide computing resources such as processing power and data storage as computing services accessible to tenants via a computer network. A tenant, such as a corporation, school, or organization, can have multiple users or groups of users with corresponding websites. To facilitate ready access, data relevant to a user, group, or website of a tenant can be stored in a dedicated network location sometimes referred to as a shard. A shard can be a physical and/or logical storage location that contains emails, chats, instant messages, documents, photos, videos, or other types of content items with which the user, group, or website can interact.

Abstract: Embodiments relate to keeping databases compliant with data protection regulations by sensing the presence of sensitive data and transferring the data to compliant geographies. A request including information is received, the request being intended for processing on a local database. A model is used to process the information of the request. Responsive to the model determining that information relates to sensitive data, the request is transferred to a remote database associated with a geography meeting a requirement for the sensitive data in order to execute the request.

Abstract: The present specification describes computer-implemented methods and systems for secure storage and transmission of data in a distributed network environment. In embodiments, each piece of data is transformed in to multiple pieces of metadata. Each piece of metadata is transmitted and stored on a different server, which is selected from separate pools of servers.