Patents Examined by Simon P Kanaan
  • Patent number: 11350272
    Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may participate in a registration procedure with an access and mobility management function (AMF). The UE may transmit to the AMF, as part of the registration procedure, an indication of one or more single network slice selection assistance information (S-NSSAI) or a network slice selection assistance information (NSSAI). Following this, the UE may receive a control message from the AMF, wherein the control message includes one or more encrypted S-NSSAI values or an encrypted NSSAI value based on the indication. The UE may then transmit the encrypted S-NSSAI or the encrypted NSSAI to a base station as part of a message.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: May 31, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Adrian Edward Escott, Gavin Bernard Horn, Anand Palanigounder
  • Patent number: 11347845
    Abstract: Embodiments of the present invention provide a system and methods to prevent poisoning attacks in machine learning systems in real time. The invention includes methods for blocking the injection of abnormal data into training data sets used to train machine learning models for the identification of malfeasant activity by blocking certain data from entering the machine learning training dataset in real time, blocking certain interactions from being completed in real time, or placing holds on certain resources or users according to patterns detected by the ensemble of machine learning models. Various thresholds may be set manually or identified through the machine learning algorithm in order to determine which interactions or users should be blocked.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: May 31, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Eren Kursun
  • Patent number: 11334667
    Abstract: Systems, methods, and computer program products are provided for disparate quantum computing (QC) detection. An example system includes QC detection data generation circuitry that generates a first set of QC detection data and generates a second set of QC detection data. The system also includes cryptographic circuitry that generates a first public cryptographic key and a first private cryptographic key via a first post-quantum cryptographic (PQC) technique and generates a second public cryptographic key and a second private cryptographic key via a second PQC technique. The cryptographic circuitry further generates encrypted first QC detection data and encrypted second QC detection data, and destroys the first private cryptographic key and the second private cryptographic key. The system further includes data monitoring circuitry that monitors for the first encrypted QC detection data and the second encrypted QC detection data.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: May 17, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ramanathan Ramanathan, Andrew J. Garner, IV, Abhijit Rao, Pierre Arbajian, Michael Erik Meinholz, Omar B. Khan, Ramesh Yarlagadda
  • Patent number: 11329819
    Abstract: An information processing system 100 comprising at least one first node 1, second nodes 2 for providing a public key change assistance service, and a blockchain 3, wherein the first node 1 comprises a new public key creation unit 151, a second node group selection unit 152, an old and new key information request unit 153, a draft contract preparation unit 154, a signature request unit 155, a first signature execution unit 156, and a registration unit 157; each second node 2 comprises an old and new key information transmission unit 251, a second signature execution unit 252, and a draft contract return unit 253; the draft contract preparation unit 154 randomly determines the order of new public keys as transmission destinations; and the signature request unit 155 and the first signature execution unit 156 perform signature request and execution, respectively, so that the order of the nodes that sign a draft transaction contract is random.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: May 10, 2022
    Assignee: TOHOKU UNIVERSITY
    Inventors: Masao Sakai, Junya Iwazaki, Eisuke Koizumi, Shingo Hasegawa, Shuji Isobe, Masayuki Fukumitsu
  • Patent number: 11328045
    Abstract: A data processing system and a method are provided for recognizing a scanned biometric characteristic in the data processing system. The data processing system includes a biometric sensor, a rich execution environment (REE), and a secure element (SE). In one embodiment, during an enrollment operation, a random challenge is applied to scanned data to produce a biometric template that is stored. During subsequent validation operations, the SE determines if user data includes evidence of the random challenge before providing access to a secure application. Evidence of the random challenge indicates the user data was provided by the biometric sensor. In another embodiment, the sensor data is split between the REE and the SE and partially processed in the SE. The described embodiments prevent a replay attack from being conducted in communications between the REE and the SE.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: May 10, 2022
    Assignee: NXP B.V.
    Inventors: Christine van Vredendaal, Hans de Jong, Marc Vauclair
  • Patent number: 11308211
    Abstract: Mechanisms are provided to perform security incident disposition operations. A security incident is received that includes a security incident data structure comprising metadata describing properties of the security incident, and a corresponding security knowledge graph which includes nodes representing elements associated with the security incident and edges representing relationships between the nodes. The security incident data structure and security knowledge graph are processed to extract a set of security incident features corresponding to the security incident and input the extracted set of security incident features into a trained security incident machine learning model. The model generates a disposition classification output based on results of processing the extracted set of security incident features. The disposition classification output is output to the source of the security incident data structure.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: April 19, 2022
    Assignee: International Business Machines Corporation
    Inventors: Burkhard Ringlein, Preeti Ravindra, Bradley E. Harris, Moazzam Khan, James B. Peterson
  • Patent number: 11271717
    Abstract: The present invention is directed to a two-mode blockchain consensus protocol and a system implementing such a protocol. The system includes a plurality of node computers and a communications network connecting the plurality of node computers. The plurality of node computers includes a first node computer, a collecting node computer, a committee of node computers, and one or more node computers that operate based on proof of work algorithms. Each node computer in the plurality includes a blockchain consensus software application running on the processor of the node computer. The blockchain consensus software application is adapted to connect to the plurality of node computers that are connected to the communications network. The blockchain consensus software application implements the two-mode blockchain consensus protocol. Through the software application, the plurality of node computers operate to reach a consensus on adding data to a public ledger.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: March 8, 2022
    Assignee: Thunder Token Inc.
    Inventors: Runting Shi, Rafael Pass, Yue Guo
  • Patent number: 11270022
    Abstract: Systems and techniques for sensitive data movement detection are described herein. An attempt to relocate a file that is a member of a monitored data set may be identified. A user account associated with the attempt to relocate the file may be determined. A safe user group may be identified for the user account associated with the attempt to relocate the file. A destination may be obtained for the attempt to relocate the file. A safe zone may be determined for the monitored data set using the user account and the identification of the monitored data set. A notification may be provided based on the destination for the attempt to relocate the file and the safe user group and the safe zone.
    Type: Grant
    Filed: November 16, 2018
    Date of Patent: March 8, 2022
    Assignee: Code 42 Software, Inc.
    Inventor: Scott Straw
  • Patent number: 11263342
    Abstract: Systems, methods, and computer program products for controlling use of sensitive data. A heartbeat signal conveying a context identifier is transmitted into areas where access to sensitive data is granted to authorized users. In response to receiving a request to access the sensitive data, access may be granted if the context identifier in the request matches the context identifier in the heartbeat and denied otherwise. If the requestor has exceeded an access threshold, access may be granted at a reduced rate. This reduced rate may be achieved by reducing a rate at which encryption keys are provided to the requestor. An access control layer positioned between an application layer and a communication layer allows the application layer to use plaintext of the sensitive data while protecting the sensitive data as ciphertext in the communication layer.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: March 1, 2022
    Assignee: Ohio State Innovation Foundation
    Inventors: Harihara Varma Indukuri, Can Emre Koksal
  • Patent number: 11258605
    Abstract: In an embodiment a single user authentication event, performed between a trusted path hardware module and a service provider via an out of band communication, can enable a user to transparently access multiple service providers using strong credentials that are specific to each service provider. The authentication event may be based on multifactor authentication that is indicative of a user's actual physical presence. Thus, for example, a user would not need to enter a different retinal scan to gain access to each of the service providers. Other embodiments are described herein.
    Type: Grant
    Filed: May 12, 2020
    Date of Patent: February 22, 2022
    Assignee: Intel Corporation
    Inventors: Abdul M. Bailey, Ned M. Smith, Atul Gupta
  • Patent number: 11233641
    Abstract: Some implementations of the disclosure are directed to: receiving an encrypted message from an entity, the encrypted message including a request to determine if a claimant of a distributed attestation is a holder of the distributed attestation; decrypting the encrypted message; using at least a public key of the entity to determine whether the entity is authorized to obtain information about the distributed attestation; and if the entity is authorized to obtain information about the distributed attestation, transmitting a response message to the entity indicating if the claimant of the distributed attestation is the holder of the distributed attestation. Authorization of the entity to obtain information about the distributed attestation may be based on role based access control rights to obtain information about the distributed attestation.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: January 25, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Abilash Soundararajan, Michael Reid Tennefoss
  • Patent number: 11222127
    Abstract: A microcoded processor instruction may invoke a number of microinstructions to perform a round of a SHA3 operation using a circuit that includes a first stage circuit to perform a set of first bitwise XOR operations on a set of five input blocks to yield first intermediate output blocks; perform a set of second bitwise XOR operations on a first intermediate block and a rotation of another first intermediate block to yield second intermediate blocks; and perform a set of third bitwise XOR operations on a second intermediate block and an input block to yield third intermediate blocks. The circuit further includes a second stage circuit to rotate bits within each of the third intermediate blocks to yield a set of fourth intermediate blocks, and a third stage circuit to perform an affine mapping on bits within each of the fourth intermediate blocks to yield a set of output blocks.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: January 11, 2022
    Assignee: Intel Corporation
    Inventors: Santosh Ghosh, Michael LeMay, Manoj R. Sastry, David M. Durham
  • Patent number: 11210393
    Abstract: A technology for mutually isolating accessors of a shared electronic device from leakage of context data after a context switch comprises: on making the shared electronic device available to the plurality of accessors, establishing a portion of storage as an indicator location for the shared electronic device; when a first accessor requests use of the shared electronic device, writing at least one device-reset-required indicator to the indicator location; on switching context to a new context, after context save, when a second accessor requests use of the shared electronic device, resetting context data of the shared electronic device to a known state and reconciling the first device-reset-required indicator and a second device-reset-required indicator for the new context.
    Type: Grant
    Filed: April 6, 2017
    Date of Patent: December 28, 2021
    Assignee: ARM IP LIMITED
    Inventors: Milosch Meriac, Alessandro Angelino
  • Patent number: 11212078
    Abstract: Provided is a method for sending digital data over a number of channels wherein a sender performs the following steps: encoding source data having a first number of source symbols, the encoding being such that an error correction code is generated from the source data, the error correction code comprising a second number of repair symbols higher than the first number as well as identifiers where each identifier is assigned to a corresponding repair symbol, the error correction code adding redundancy to the source data; encrypting each repair symbol by an encryption process which is based on a shared secret between the sender and a receiver, where the encryption process for a respective repair symbol depends on the identifier assigned to the respective repair symbol; feeding pairs of the encrypted repair symbols and the assigned identifiers to the number of channels which are connected to the receiver.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: December 28, 2021
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Jorge Cuellar, Tiago Gasiba
  • Patent number: 11201883
    Abstract: Disclosed is a computer security device configured to monitor data traffic between computing devices on a local area network and an external network in order to protect the local area network against unauthorized access and data exfiltration. Such computer security device includes each of a data transport module, a management information module, and a data storage module, each of which are operable independently of the other modules, but which modules together form the single computer security device. The computer security device is configured for connection between a router on a local network that is to be protected and a wide area network, such as the Internet, which such local network communicates with.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: December 14, 2021
    Assignee: SECULORE SOLUTIONS, LLC
    Inventors: Timothy J. Lorello, Alexander James Lorello
  • Patent number: 11200310
    Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing device may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: December 14, 2021
    Assignee: PAYPAL, INC.
    Inventors: Yuri Shafet, Bradley Wardman, Nahman Khayet
  • Patent number: 11201882
    Abstract: A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based on training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of local distributions.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: December 14, 2021
    Assignees: NEC Corporation Of America, B.G. Negev Technologies & Applications Ltd., at Ben-Gurion University
    Inventors: Yisroel Avraham Mirsky, Oleg Brodt, Asaf Shabtai, Yuval Elovici, Masayuki Nakae
  • Patent number: 11196744
    Abstract: Disclosed are various approaches for providing a virtual badge credential to a user's device that is enrolled with a management service as a managed device. Upon authentication of a user's identity via an identity provider, a virtual badge credential can be provided to an application on the client device. The virtual badge credential can be presented by the client device to access control readers to gain access to physical resources, such as doors and buildings, that are secured by the access control readers.
    Type: Grant
    Filed: November 7, 2019
    Date of Patent: December 7, 2021
    Assignee: VMware, Inc.
    Inventors: Gerard Murphy, Anantha Kalyan Kumar Mulampaka, Divyankitha Mahesh Urs, Yijia Zhao
  • Patent number: 11196549
    Abstract: A key retrieval system includes a management system and a managed system that is coupled to the management system through a network. The managed system includes a managed device, a management system configuration storage, a remote access controller device that stores a management system configuration for the management system in the management system configuration storage and provides a key management client subsystem that is configured to use the management system configuration to access the management system. The managed system also includes a BIOS. The BIOS detects an event that triggers unlocking the managed device. The BIOS determines that the remote access controller device is unavailable and, in response, retrieves the management system configuration and accesses the management system using the management system configuration. The BIOS then retrieves the locking key from the management system and unlocks the managed device using the locking key.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: December 7, 2021
    Assignee: Dell Products L.P.
    Inventors: Vigneswaran Ponnusamy, Chitrak Gupta, Sanjeev S. Dambal, Charles Stracener, Sanjay Rao, Diwahar Natarajan, Sushma Basavarajaiah, Rama Rao Bisa, Mukund P. Khatri
  • Patent number: 11194917
    Abstract: Disclosed are an information encryption method and device. A particular embodiment of the method comprises: acquiring customer information, wherein the customer information comprises an item number and a telephone number; selecting a random salt corresponding to the current date from a pre-generated random salt list, wherein the random salt list is used for storing a date and a random salt; using an irreversible encryption algorithm to encrypt the item number and the random salt corresponding to the current date so as to generate a first ciphertext; generating, based on the first ciphertext, a digital second ciphertext; and using the second ciphertext to process the telephone number so as to generate a first encrypted telephone number. This embodiment prevents private customer information from being leaked.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: December 7, 2021
    Assignees: Beijing Jingdong Shangke Information Technology Co., Ltd., Beijing Jingdong Century Trading Co., Ltd.
    Inventor: Lifa Zeng