Abstract: Computer code embedded in an electronic component a medical device, such as a dialysis machine, can be authenticated by comparing a metadata signature derived from the computer code of the electronic component to a key derived from a pre-authenticated code associated with the electronic component. The metadata signature can be derived by running an error-check/error-correct algorithm (e.g., SHA256) on the computer code of the electronic component. A use of the metadata signature enables detection of any unauthorized changes to the computer code as compared to the pre-authenticated code.

Abstract: Information processing apparatus, mobile apparatus, and communication systems are disclosed. In one example, an information processing apparatus performs high-speed data transmission of data of a frame including image data, transmits an extended packet including an extended packet header and packet data to a different information processing apparatus. First protected data of the packet data is generated with use of a session key, and a nonce value for the session key is updated every time the first protected data is generated. Further, the image data is stored in the packet data, the high-speed data transmission includes transmission of part or a whole of the nonce value, and the part or the whole of the nonce value is stored outside the extended packet header and transmitted. As an example, the information processing can be applied to communication systems compliant with the MIPI standard.

Abstract: A system and method of securing artificial intelligence (AI) model based on field programmable gate array (FPGA) which is aimed at overcoming attacks against AI models by protecting the architecture of the AI model. The system includes a processor and a custom instruction hardware developed on at least one FPGA, wherein the processor and custom instruction hardware are connected via custom instruction interfaces. Through the custom instruction interfaces, the processor performs matching of an authentication key given by a user to ensure that the application is running on trusted devices while the custom instruction hardware decrypts an encrypted AI model if authentication is successful, before sending decrypted AI model to the processor to be executed in any suitable application such as AI inference.

Abstract: The systems and methods disclose creating variations of criteria for a query-based group of users. One or more criteria from a plurality of criteria available is selected to form a query to identify members of query-based group of users. Using the selected one or more criteria, query-based groups of users are generated. Each of the plurality of query-based groups of users may have a query with a variation of the selected one or more criteria. A user count data of user membership in each query-based group of the query-based groups of users is determined based at least on applying the query of each of the plurality of query-based groups of users to one or more databases. One or more of the plurality of query-based groups of users is identified as being validated for a statistical significance based at least on the user count data and the one or more criteria.

Abstract: Techniques for secure cryptographic secret bootstrapping balance the need to quickly and conveniently restore cryptographic secrets to server computers in the event of an outage with the need for security. Before the outage, a server computer uses a trusted platform module of the server computer to seal an encryption key used to encrypt a secret stored at the server computer. In response to the outage, the server computer restores the secret by using the trusted platform module to unseal the encryption key and then using the unsealed encryption key to decrypt the encrypted secret. The techniques can be used to restore cryptographic secrets rapidly and securely to a cluster of server computers used for cryptographic operations in a provider network without the overhead of safe room procedures.

Abstract: A tainting engine can work in conjunction with a syntax attack detection template to identify when a threat actor attempts a malicious attack in a cloud application scenario. Non-intrusive instrumentation can be used to provide detection of an attempted attack regardless of whether the cloud application is vulnerable to such attacks. Detection of attempted attacks can be an important part of maintaining network security, even in cases where an application itself is not vulnerable to such attacks. Further details about the attempted attack can be assembled, and a variety of actions can be taken in response to detection.

Abstract: A message authentication system for a network includes a private communication system including one or more private nodes in electronic communication with one another, a public communication system including one or more public nodes in electronic communication with one another, and a security proxy device that electronically connects the private communication system to the public communication system. The security proxy device includes a processing unit, a security module, and a lightweight security module that is electronic communication with the one or more private nodes of the private communication system. The lightweight security module generates message authentication codes for messages transmitted by the private communication system that are sent to the public communication system.

Abstract: A server determines an array [[addr]] indicating a storage destination of each piece of data, generates an array of concealed values, and connects the generated array to the array [[addr]] to determine an array [[addr?]]. The server generates a sort permutation [[?1]] for the array, applies the sort permutation [[?1]] to the array [[addr?]], and converts the array [[addr?]] into an array with a sequence composed of first Z elements set to [[i]] followed by ?i elements set to [[B]]. The server generates a sort permutation [[?2]] for the converted array [[addr?]], generates dummy data, imparts the generated dummy data to the concealed data sequence, applies the sort permutations [[?1]] and [[?2]] to the data array imparted with the dummy data, and generates, as a secret hash table, a data sequence obtained by deleting the last N pieces of data from the sorted data array.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for hardware security module communication management. An example method includes deriving, by a first HSM, a first cryptographic key based on an initial key and a first set of seed bits. The method also includes receiving a message comprising a second cryptographic key from a key exchange management device, wherein the second cryptographic key is associated with a second HSM. The method also includes deriving, a third cryptographic key based on the first cryptographic key and the second cryptographic key, wherein deriving the third cryptographic key establishes secure communication between the first HSM and the second HSM based on the second HSM having also derived the third cryptographic key. The method also includes performing, a first cryptographic data protection action using the third cryptographic key.

Abstract: A processing system including at least one processor associated with a second public service entity may obtain a notification of at least a first guest user to access at least one network-based resource of the second public service entity, where the at least the first guest user is associated with a first public service entity, and may obtain a request from a first device of the at least the first guest user to access the at least one network-based resource of the second public service entity. The processing system may then query an attribute provider to obtain one or more attributes of the first guest user and grant the first device an access to the at least one network-based resource of the second public service entity in accordance with at least one policy based on the one or more attributes.

Abstract: Authentication of a user wearing a head mounted display using wireless channel characteristics, such as wireless channel sounding, is disclosed. A transmission signal from a signal transmitter passes over the face or other parts of the head of the user and is received by a signal receiver, also in, at or near the head mounted display. The input signal received is processed according to the known transmission signal that was transmitted to obtain wireless channel characteristics. Based on these wireless channel characteristics a signal signature is identified, for example, using a machine learning based embedding technique. If the signal signature thus determined matches a signal signature previously associated with the user then the user is authenticated. User access to a resource or action may then be granted automatically.

Abstract: A method for securing communication within a system includes at least one server and at least two appliances able to communicate with the server and with each other. A pair of appliances communicating together, and having at least one shared one-time encryption key for securing communication between the two, has at least one other shared one-time encryption key supplied by the server following the connection of only one of the two appliances to the server.

Abstract: Disclosed herein are systems and methods for detecting harmful scripts. In one aspect, an exemplary method comprises, identifying a file containing a script, wherein the identification of the file is performed by analyzing each file of a plurality of files for a presence of a harmful script, generating a summary of the script based on the identified file, calculating static and dynamic parameters of the generated summary of the script, recognizing a script programming language based on the calculated static parameters and dynamic parameters of the generated summary of the script using at least one language recognition rule, processing the identified file based on the data about the recognized script programming language, generating a set of hash codes based on a processed file using rules for generating hash codes, and detecting the harmful script when the generated set of hash codes is similar to known harmful sets of hash codes.

Abstract: Described are methods, systems, and media for detecting malicious activity in a network by performing operations comprising: feeding network packets from the network into a header crypto engine; sending the network packets from the header crypto engine to a work scheduler; divaricating the network packets using the work scheduler based on flow data and header data of the network packets to at least one of a firewall and a neural network processor; generating output data comprising: a first output data from the firewall according to rules of the firewall; a second output data from the neural network processor based on behavioral analysis performed by the neural network processor, wherein the second output data is used to update the rules in the firewall; and aggregating the output data from the firewall and the neural network processor to detect malicious activity in the network.

Abstract: Generally discussed herein are devices, systems, and methods for secure cryptographic masking. A method can include generating a first random number, determining a result of the first random number modulo a prime number resulting in a second random number, subtracting the second random number from the prime number resulting in a first subtraction result, adding a private key value to the first subtraction result resulting in a first split, and responsive to determining the private key value is less than the random number, providing the first split and the second random number as splits of the private key.

Abstract: A method for protecting data from a user that traverses through a chain of microservices include retrieving information identifying the chain of microservices associated with a user identifier of the user and a time when the user provided data to the chain of microservices. A level of confidentiality stored in association with the user identifier and with the time is retrieved. One or more security measures corresponding to the stored level of confidentiality are implemented for each microservice of the chain of microservices during the time.

Abstract: The invention provides a device with cryptographic function, which includes: a hardware unit, exhibiting hardware-intrinsic properties; a key generating unit, generating a private key according to the hardware-intrinsic properties, and generating a public key according to the private key, for exchanging public keys with an outside device to convert communication payload information into first encrypted information based on the received public key; and a session operational unit, establishing a session key configured to encrypt the first encrypted information into second encrypted information to be transmitted between the cryptographic device with cryptographic function and the outside device. The key generating unit further optionally generates a secret key according to the hardware-intrinsic properties for securing data at rest in the cryptographic device.

Abstract: A method for handling an anomaly of data, in particular in a motor vehicle, is provided. At least one sensor obtains data for the anomaly detection. The sensor examines the obtained data for anomalies, and generates an event as a function of the associated data when an anomaly is detected. An event report is generated as a function of the event. The event report includes at least one variable that changes for each event report and/or is cyclically sent.

Abstract: Methods, systems, and computer-readable media (CRM) are disclosed for facilitating the electronic signing of a document. The disclosure includes methods, systems and CRM for performing at least the following: i) identifying an eligible witness electronic device from a signature request initiated by a signor electronic device associated with a signor; ii) verifying the signor electronic device with the witness electronic device based on at least one parameter associated with the signature request before making a document available to the signor electronic device; iii) transmitting the document to the signor electronic device upon verification; and iv) receiving an electronic signature of the signor through the signor electronic device.

Abstract: A system to create Data Loss Prevention (DLP) policies and adjust DLP policies over time in a computing system using agents running at an endpoint to intercept a data transfer in a network traffic. New data flow/DLP policy rules are created and updated with reference to behavior data of trusted and untrusted users.