Abstract: Example techniques for establishing trusted communication with container-based services are described. In an example, a digital certificate stored in a memory is injected from the memory into a container. The container is external to the memory. The digital certificate is usable to establish a trusted communication between a service deployed in the container and a software program.

Abstract: Web sites are crawled using multiple browser profiles to avoid malicious cloaking. Based on web page content returned from HTTP requests using the multiple browser profiles, web sites returning substantively different content to HTTP requests for different browser profiles are identified. Web sites are further filtered by common cloaking behavior, and redirect scripts are extracted from web page content that performed cloaking. Signatures comprising tokenized versions of the redirect scripts are generated and compared to a database of known cloaking signatures. URLs corresponding to signatures having approximate matches with signatures in the database are flagged for recrawling. Recrawled URLs are verified for malicious cloaking again using HTTP requests from multiple browser profiles.

Abstract: Disclosed is a method of controlling an intelligent electronic device including initiating implicit continuous authentication, obtaining sensor data from at least one sensor, classifying a security level of the intelligent electronic device into at least two states having different security on the basis of the sensor data, and determining an authentication period of the implicit continuous authentication according to the classified security level, wherein the at least one sensor is continuously activated on the basis of the determined authentication period.

Abstract: The present disclosure provides a system for storing encrypted data. The system comprises a server and a plurality of clients. A first client of the plurality of clients is configured to send to the server a first reference value calculated from data to be encrypted and stored. The server is configured to determine a group of second clients from the plurality of clients, the second clients having each sent to the server data with a second reference value equal to the first reference value. The group of second clients is configured to perform a passive key exchange protocol with the first client, and the server is configured to determine, based on a result of the passive key exchange protocol, whether the data is to be stored in full or as deduplicated data.

Abstract: An embodiment of the present invention is directed to leveraging GPU farms for machine learning where the selection of data is self-service. The data may be cleansed based on a classification and automatically transferred to a cloud services platform. This allows an entity to leverage the commoditization of the GPU farms in the public cloud without exposing data into that cloud. Also, an entire creation of a ML instance may be fully managed by a business analyst, data scientist and/or other users and teams.

Abstract: The methods and apparatus for detecting malware using JAR file decompilation are disclosed. An apparatus for decompiling class files, the apparatus comprising a class feature unpacker to unpack a class feature from a class file included in an instruction set, a constant pool address generator to generate a constant pool address table, from the class features, including a plurality of constant pool blocks, based on constant pool type, through an iterative process, a class feature identifier to determine values for each constant pool block based on a constant pool type and store the determined values as a class file feature set, a feature value identifier to obtain raw feature values from a class file feature set and non-class file features, and a feature matrix generator to generate a matrix based on the raw features that correspond to the instruction set.

Abstract: Among other things, embodiments of the present disclosure are directed to providing authorization code management for published static applications. Other embodiments may be described and/or claimed.

Abstract: The present invention is a distributed and autonomous digital data security agent that secures stored data and the storage device itself, from remote manipulation. The present system is an “agent” in that it acts independently in the accomplishment of its objects and is distributed in that its functionality is resides on firmware resident at disparate hardware locations. The agent is autonomous in that it cannot be remotely compromised. The system includes server having a dedicated Private link with a Chip Administrator, and a Data Link between a first-Chip, a second-Chip of said security agent. The first-Chip is resident and operable to control Write/Read calls and data transfers between the server and the second-Chips of the data storage. The Chip Administrator, first-Chip and second-Chip in combination with their associated Firmwares provide said distributed and autonomous data security agent.

Abstract: A method for implementing confidential machine learning with program compartmentalization includes implementing a development stage to design an ML program, including annotating source code of the ML program to generate an ML program annotation, performing program analysis based on the development stage, including compiling the source code of the ML program based on the ML program annotation, inserting binary code based on the program analysis, including inserting run-time code into a confidential part of the ML program and a non-confidential part of the ML program, and generating an ML model by executing the ML program with the inserted binary code to protect the confidentiality of the ML model and the ML program from attack.

Abstract: A user is provided with a GUI that may allow the user to change functionality associated with a non-battery-powered card, a battery-powered card, a payment sticker, or another device (e.g., a mobile telephonic device). Such functionality may cause a network entity to deliver transaction details to a processing facility. The processing facility may be implemented with processing zones for scrubbing personal information from the transaction details and providing sanitized information to third party applications that may utilize the sanitized information for value. Third-party applications may interact with the processing facility via zone-based APIs to promote third-party software development within the processing facility and to promote third-party communications with the processing facility. Each of the processing zones may enforce security contexts such that processing zones of equal security contexts may communicate with other, while processing zones of unequal security contexts may not.

Abstract: Provided is passwordless user registration process in which a user initially registers a device or a network of trusted devices rather than submitting a password. Thus, example embodiments are directed to a truly passwordless user account across all devices. In one example, a method may include receiving a registration request of an unregistered user from an authentication device, the registration request comprising a user identifier and a device credential obtained by the authentication device, performing a passwordless registration of the unregistered user with an application, wherein the performing comprises registering the unregistered user as a passwordless user with passwordless access to the application and registering the authentication device as a first trusted device of the passwordless user, and transmitting a notification to the authentication device indicating successful passwordless registration.

Abstract: Embodiments disclosed herein describe systems and methods for assessing vulnerabilities of embedded non-IP devices. In an illustrative embodiment, a system of assessing the vulnerabilities of embedded non-IP devices may be within a portable device. The portable device may include a plurality of wired connectors for various wired communication/data transfer protocols. The portable device may include tools for analyzing the firmware binaries of the embedded non-IP devices, such as disassemblers and modules for concrete and symbolic (concolic) execution. Based upon the disassembly and the concolic execution, the portable device may identify vulnerabilities such as buffer overflows and programming flaws in the firmware binaries.

Abstract: In one implementation, a system for detecting counterfeit accessories that are consumable, disposable, or otherwise user replaceable is disclosed. The system includes a host controller, a processor, and a computer-readable storage medium that includes instructions. Upon execution by the processor, the instructions cause the system to perform operations. The operations include obtaining an identifier of an accessory, a current value of usage data for the accessory, and a usage digest of the current value from a storage device associated with the accessory. An expected usage digest is generated based on the current value, the identifier, and a host secret. The expected usage digest is compared with the usage digest and the current value with a threshold usage value. The accessory is activated with the host controller responsive to the expected usage digest being identical to the usage digest and the current value satisfying the threshold usage value.

Abstract: Systems and methods described herein provide access to encrypted user data at a multi-tenant hosted cloud service. The cloud service enrolls a first tenant in the cloud service. The cloud service receives a request for a ticket for a user of the first tenant to access the cloud service. The cloud service communicates a user data access ticket for the user to access a user data service of the cloud service. The cloud service receives a request to store user data of the user. The request includes encrypted user data. The cloud service stores the encrypted user data. The cloud service may provide the encrypted user data to a computing device of the user after validating the user data access ticket received from the computing device. The computing device may decrypt the encrypted user data and identify the data of the user for resources provided by server(s).

Abstract: Embodiments described include systems and methods for adding watermarks using an embedded browser. To provide protection to sensitive information from a network application rendered via an embedded browser of a client application, the client application can generate an overlay with a digital watermark, and apply the overlay over the embedded browser. The client application can selectively generate such overlays, and can customize the format of the digital watermark according to the information rendered on the embedded browser. The watermark can remain with any information that is imaged from the embedded browser, and provides a deterrent against misuse of the information via image capture from a computer screen for instance. By adjusting properties (e.g., contrast) of such an image, the watermark can be made visible and detectable, thus allowing such imaging activities and information to be tracked.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for secure authentication using puncturing. An authentication system receives an encoded obfuscated authentication credential as part of an authentication request and accesses a stored authentication credential. The authentication system performs a puncturing of the encoded obfuscated authentication credential. The resulting punctured authentication credential includes a subset of individual values from the encoded obfuscated authentication credential. The authentication determines whether the punctured encoded data input corresponds to at least a portion of the stored authentication credential. In response to determining that the punctured encoded data input corresponds to at least a portion of the stored authentication credential, the authentication system approves the authentication request.

Abstract: The present invention provides a health file access control system and method in an electronic medical cloud. The system comprises: a medical management center unit configured to generate a system public key and a system private key, and generate a private key for corresponding utilizer's attributes according to the system public key, the system private key, and a set of utilizer's attributes; an electronic medical cloud storage unit configured to receive and store a privacy-protected health file ciphertext; and at least one health file user access unit configured to encrypt the health file according to the system public key to obtain the privacy-protected health file ciphertext, and/or generate the set of utilizer's attribute, and decrypt the privacy-protected health file ciphertext according to the system public key and the private key for utilizer's attributes.

Abstract: A processing apparatus includes at least one processor configured to function as: an input unit that receives encrypted data based on homomorphic encryption; and a process execution unit that executes a predetermined process by using the encrypted data while maintaining a secret state and includes one or more processing units. At least one of the processing units is a multiplication corresponding processing unit for executing a calculation corresponding to a processing of multiplying plaintext data by a predetermined multiplier.

Abstract: A processing apparatus includes at least one processor configured to function as: an input unit that receives encrypted data based on homomorphic encryption as an input; and a process execution unit that executes a predetermined process by using the encrypted data while maintaining a secret state by encryption and includes one or more processing units. At least one of the processing units is a multiplication corresponding processing unit for executing a calculation in a ciphertext space corresponding to a processing of multiplying plaintext data by a predetermined multiplier. The multiplication corresponding processing unit executes a calculation in the ciphertext space corresponding to a calculation of multiplying the plaintext data by an adjustment multiplication value on first encrypted data input from a preceding stage and outputs resulting data.

Abstract: Systems and methods are described for modifying input and output (I/O) to an object storage service by implementing one or more owner-specified functions to I/O requests. A function can implement a data manipulation, such as filtering out sensitive data before reading or writing the data. The functions can be applied prior to implementing a request method (e.g., GET or PUT) specified within the I/O request, such that the data to which the method is applied my not match the object specified within the request. For example, a user may request to obtain (e.g., GET) a data set. The data set may be passed to a function that filters sensitive data to the data set, and the GET request method may then be applied to the output of the function. In this manner, owners of objects on an object storage service are provided with greater control of objects stored or retrieved from the service.