Abstract: A method and apparatus for detecting disablement of a data backup process disclosed. The system inserts and periodically updates authenticatable sentinel data objects in the primary system. After the backup occurs, the backup data with the sentinel data objects are read and the sentinel data objects are detected and authenticated. If any of the sentinel data objects are not detected or cannot be authenticated, the system informs an administrator that the data backup has failed at least in part.

Abstract: One example method includes obtaining input including characteristics of a machine learning (ML) model, specifications of a hardware configuration on which the ML model has been run, and characteristics of a prospective workload, estimating, given the hardware configuration, an energy efficiency of the ML model, using a similarity measure to find peer ML models of the ML model, and each peer ML model is more energy efficient, given the hardware configuration, than the ML model, ranking the peer ML models as suggested alternatives to the ML model, storing, in a database, the characteristics of the ML model, the energy efficiency of the ML model, and the specifications of the hardware configuration, and transmitting the specifications of the hardware configuration, along with workload characteristics, to a recipient.

Abstract: Security and privacy mechanisms are provided to protect the L2 identifiers used in groupcast communications over the sidelink (e.g., PC5 interface) without requiring a UE to periodically refresh the L2 identifiers, which may cause extra signaling overhead, increased latency and greater risk of synchronization issues. To prevent tracking of a UE, a group identifier (ID) is used as a source layer 2 (L2) ID in groupcast messages. Additionally, a message authentication code (MAC) is introduced into the group discovery procedure to authenticate the UE sending a group discovery request.

Abstract: Disclosed in embodiments of the present application are an identity authentication method and apparatus, a device, a chip, a storage medium, and a program. Identify information of a requesting device and an authentication access controller is subjected to confidential processing to prevent the identify information of the requesting device and the authentication access controller from being exposed in a transmission process, so as to ensure that an attacker cannot obtain the private and sensitive information. Moreover, an authentication server is introduced, such that real-time authentication of bidirectional identity between the requesting device and the authentication access controller is achieved while the confidentiality of entity identity related information is guaranteed.

Abstract: An unauthorized communication detection method detects an unauthorized communication message on an in-facility network over which at least two devices including a first device and a second device are communicably connected, and includes: receiving, from the first device, a communication message transmitted from the first device to the second device; obtaining, when the communication message is received from the first device, first information indicating a state of at least one of (a) a person in a facility and (b) the at least two devices, and determining whether to execute processing pertaining to a device control command that controls the second device when the communication message received from the first device is a communication message including the device control command, the determining being performed based on the first information; and executing the processing pertaining to the device control command when the determining determines to execute the processing.

Abstract: A data processing system implements receiving an access request from the client device of a content requestor to access a content item for which access to the content item is managed by a content access management platform and obtaining access control information. The access control information comprising information associated with a content owner associated with the content item, information associated with the content requestor, and information associated with the content item.

Abstract: It is provided a method for providing data for training a machine learning model. The method is performed in a training data provider (1) and comprises the steps of: obtaining (40) a data structure comprising a chain of delegations, the chain of delegations covering a delegation path from a media capturing device (3) to the training data provider (1) such that, in the chain of delegations, each delegation is a delegation from a delegator to a receiver; sending (42) a key request to a delegation verifier (2), the key request comprising the data structure; receiving (44) a decryption key from the delegation verifier (2); obtaining (46) encrypted media data captured by the media capturing device (3); decrypting (48) the encrypted media data, resulting in decrypted media data; and providing (50) the decrypted media data for training the machine learning model.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: Provided is a method for authentication. The method may include receiving first password data, first biometric input data, and first secret key data. A second secret key may be generated based on the first secret key and the first password. Fuzzy extractor helper data may be generated based on the first biometric input and the second secret key. The fuzzy extractor helper data and the first secret key may be stored. The user may be authenticated based on an attempted password and/or a second biometric input. A system and computer program product are also disclosed.

Abstract: An apparatus comprises at least one processing device configured to implement a multi-path layer in a host device, wherein the multi-path layer controls delivery of input-output (IO) operations from the host device to a storage system over selected ones of a plurality of paths through a network. The multi-path layer is configured, for each of at least a subset of the IO operations, to store at least a process identifier, a user identifier and an access type for the IO operation. The multi-path layer is further configured to perform analytics on the stored process identifiers, user identifiers and access types to detect an access pattern, and responsive to the detected access pattern having one or more designated characteristics associated with malware, to generate an alert. The alert may be generated by inserting security alert indicators into respective ones of the IO operations, for extraction therefrom by the storage system.

Abstract: Media items (e.g., images, videos) may be captured by one or more image capture devices. One or more of the media items may be identified as including/likely including depiction of a user based on proximity of capture of the media item(s) in time and location to the user. The identified media item(s) may be provided to the user.

Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.

Abstract: There is disclosed a computer-implemented system and method of analyzing a batch of objects, including bucketizing the batch of objects into a plurality of buckets according to a feature of the objects; for objects within a batch, performing malware analysis on the objects to assign a malware analysis score, and adjusting the malware analysis score based on the batch; and performing respective security actions on the objects within the batch, based on the adjusted malware analysis score.

Abstract: Techniques are provided for detection of anomalous backup files using known anomalous file fingerprints (or other file-dependent values such as hash values, signatures and/or digest values). One method comprises obtaining first file-dependent values corresponding to respective known anomalous files; obtaining a second file-dependent value for a stored backup file; comparing the second file-dependent value to the first file-dependent values; and performing an automated remedial action in response to a result of the comparing. The second file-dependent value for the stored backup file may be determined by a backup server in response to a source file corresponding to the stored backup file being backed up by the backup server, and may be stored as part of metadata associated with the stored backup file.

Abstract: A BIOS module provisioning sequence verification system includes a BIOS subsystem coupled to a TPM and a BIOS storage system including a plurality of firmware volumes. The BIOS subsystem provides a plurality of BIOS modules in a BIOS module provisioning sequence using the plurality of firmware volumes and, for each of the plurality of BIOS modules when that BIOS module is provided during the BIOS module provisioning sequence: retrieves a BIOS module identifier associated with that BIOS module, and updates BIOS module provisioning sequence information using that BIOS module identifier. Following the provisioning of the BIOS modules in the BIOS module provisioning sequence, the BIOS subsystem provides the BIOS module provisioning sequence information to the TPM, with the BIOS module provisioning sequence information configured to be compared to BIOS module provisioning sequence verification information to verify the BIOS module provisioning sequence.

Abstract: Runtime security threats are detected and analyzed for serverless functions developed for hybrid clouds or other cloud-based deployment environments. One or more serverless functions may be received and executed within a container instance executing in a controlled and monitored environment. The execution of the serverless functions is monitored, using a monitoring layer in the controlled environment to capture runtime data including container application context statistics, serverless function input and output data, and runtime parameter snapshots of the serverless functions. Execution data associated with the serverless functions may be analyzed and provided to various supervised and/or unsupervised machine-learning models configured to detect and analyze runtime security threats.

Abstract: A device receives network segment information identifying network segments associated with a network, and receives endpoint host session information identifying sessions associated with endpoint hosts communicating with the network. The device generates, based on the network segment information and the endpoint host session information, a data structure that includes information associating the network segments with the sessions associated with the endpoint hosts. The device updates the data structure based on changes in the sessions associated with the endpoint hosts and based on changes in locations of the endpoint hosts within the network segments, and identifies, based on the data structure, a particular endpoint host, of the endpoint hosts, that changed locations within the network segments. The device determines a threat policy action to enforce for the particular endpoint host, and causes the threat policy action to be enforced, by the network, for the particular endpoint host.

Abstract: The present invention is a distributed and autonomous digital data security agent that secures stored data and the storage device itself, from remote manipulation. The present system is an “agent” in that it acts independently in the accomplishment of its objects and is distributed in that its functionality is resides on firmware resident at disparate hardware locations. The agent is autonomous in that it cannot be remotely compromised. The system includes server having a dedicated Private link with a Chip Administrator, and a Data Link between a first-Chip, a second: Chip of said security agent. The first-Chip is resident and operable to control Write/Read calls and data transfers between the server and the second: Chips of the data storage. The Chip Administrator, first-Chip and second-Chip in combination with their associated Firmwares provide said distributed and autonomous data security agent.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: A method, system and computer program product for light-weight software license compliance management. One embodiment of the method comprises accessing a set of software logs from a target device, analyzing the set of software logs to generate a license violation probability score, determining the license violation probability score satisfies a predetermined threshold, and notifying a user of a need to scan the target device for software license compliance.