Patents Examined by Taghi T. Arani
  • Patent number: 11205017
    Abstract: Embodiments are directed to post quantum public key signature operation for reconfigurable circuit devices. An embodiment of an apparatus includes one or more processors; and a reconfigurable circuit device, the reconfigurable circuit device including a dedicated cryptographic hash hardware engine, and a reconfigurable fabric including logic elements (LEs), wherein the one or more processors are to configure the reconfigurable circuit device for public key signature operation, including mapping a state machine for public key generation and verification to the reconfigurable fabric, including mapping one or more cryptographic hash engines to the reconfigurable fabric, and combining the dedicated cryptographic hash hardware engine with the one or more mapped cryptographic hash engines for cryptographic signature generation and verification.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: December 21, 2021
    Assignee: INTEL CORPORATION
    Inventors: Vikram Suresh, Sanu Mathew, Rafael Misoczki, Santosh Ghosh, Raghavan Kumar, Manoj Sastry, Andrew H. Reinders
  • Patent number: 11202201
    Abstract: A subscriber identity module (eUICC) comprises profiles for the utilization of a mobile terminal that include at least a first profile and at least a second profile, of which the second profile (Pr1, Pr2) is devised as an active profile. The first profile is designed as a root profile (PrR) which in a normal state of the subscriber identity module is in an inactive state, and which is devised to be activated in response to an authentication command (AUTHENTICATE) received at the subscriber identity module. The authentication command is specially parameterized for the root profile (PrR) with a specific root value of the network parameter (P2) to be activated during a change-over period. The initially active second profile (Pr1, Pr2) is deactivated during the change-over period. After the end of the change-over period, the first profile (PrR) is again deactivated and the second profile (Pr1, Pr2) is again activated.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: December 14, 2021
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventors: Ulrich Huber, Nils Nitsch
  • Patent number: 11194910
    Abstract: Provided herein are methods, systems, and computer program products for intelligent detection of multistage attacks which may arise in computer environments. Embodiments herein leverage adaptive graph-based machine-learning solutions that can incorporate rules as well as supervised learning for detecting multistage attacks. Multistage attacks and attack chains may be detected or identified by collecting data representing events, detections, and behaviors, determining relationships among various data, and analyzing the data and associated relationships. A graph of events, detections, and behaviors which are connected by edges representing relationships between nodes of the graph may be constructed and then subgraphs of the possibly enormous initial graph may be identified which represent likely attacks.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: December 7, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anisha Mazumder, Craig Henry Wittenberg, Daniel L. Mace, Haijun Zhai, Seetharaman Harikrishnan, Ram Shankar Siva Kumar, Yogesh K. Roy
  • Patent number: 11190519
    Abstract: In some examples, a software agent may request a token from a server. The request may include dock identifiers associated with one or more docks, credentials, and actions to be performed by the one or more docks. The server may determine, using an access control list, whether the credentials authorize the software agent to instruct the one or more docks to perform the actions. If the server determines that the software agent is authorized, then the server may send a token to the software agent. The software agent may send an action request to the one or more docks. The action request may include the token and the actions. Each dock that receives the request may attempt to validate the token. If the dock successfully validates the token, the dock may perform the actions and send a message to the software agent indicating a result of performing the actions.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: November 30, 2021
    Assignee: Dell Products L.P.
    Inventors: Nicholas D. Grobelny, Joshua N. Alperin, Daniel L. Hamlin
  • Patent number: 11190541
    Abstract: An object is to provide a monitor device capable of reducing threat of DoS attacks on a mobile network. A monitor device (10) according to the present invention includes a signal monitor unit (11) for estimating a specific base station communicating with a communication terminal (30) attacking a mobile network according to the number of times an ATTACH procedure is rejected, in which the ATTACH procedure is for registering information about a communication terminal (30) communicating with a base station (20) in a communication device (40) located in the mobile network, and a base station control unit (12) for causing the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from the communication terminal served by the specific base station.
    Type: Grant
    Filed: July 4, 2016
    Date of Patent: November 30, 2021
    Assignee: NEC CORPORATION
    Inventors: Kazuaki Nakajima, Shinji Masuda, Toshiyuki Tamura, Hidemi Ishikawa, Masayuki Shinsho
  • Patent number: 11176093
    Abstract: An example operation may include one or more of connecting, by a disposition node, to a blockchain comprised of a plurality of user nodes connected to a plurality of device nodes that store user data of the plurality of the user nodes, receiving, by the disposition node, a request from a user node of the plurality of the user nodes to dispose of user data (D) on at least one of the device nodes of the plurality of the device nodes, the request contains a disposal policy (P) and a disposal method (M) of the D, executing, by the disposition node, a consensus algorithm to validate the request based on the D, P and M, in response to a validation of the request, accessing, by the disposition node, the D on the at least one of the device nodes of the plurality of the device nodes, generating, by the disposition node, a location sensitive hash of the D (LSH(D)) and a crypto hash of the D (SHA256(D)), storing, by the disposition node, the LSH(D), the SHA256(D), the P and the M on the blockchain, executing, by the dis
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: November 16, 2021
    Assignee: International Business Machines Corporation
    Inventors: Vugranam C. Sreedhar, Emi K. Olsson
  • Patent number: 11171786
    Abstract: A secure bus for pre-placement of device capabilities across a set of cryptoprocessors may be provided. A first cryptoprocessor may receive a key corresponding to a second cryptoprocessor and it may receive an object in response to the object being instantiated on the second cryptoprocessor. Next, the first cryptoprocessor may use the key to determine that the second cryptoprocessor signed the object. The first cryptoprocessor may then store the object in the first cryptoprocessor in response to determining that the second cryptoprocessor signed the object. Then the first cryptoprocessor may receive a request for the object and provide a response to the request.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: November 9, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Eric Voit, David C. Lapier, William F. Sulzen, Pagalavan Krishnamoorthy
  • Patent number: 11165803
    Abstract: The technology disclosed includes a system to reduce clutter during graph presentation for security incident analysis. The system includes logic to score nodes potentially collapsed by equivalence, of indicated interest for security incident analysis, to prevent aggregation. The system includes logic to aggregate and hide equivalent nodes that have matching degrees, that are connected to matching nodes by matching edge types, and that have scores below a first selected threshold. The system does not collapse nodes that are interesting for security analysis and keeps them visible. The technology disclosed identifies chains of at least three nodes having degrees of 1 or 2, without branching from any node in the chain. The identified chains are collapsed into chain-collapsed single nodes. Two different cases of chains including whisker chains ending in a leaf node and chains connected at both ends to two other nodes are presented.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: November 2, 2021
    Assignee: Netskope, Inc.
    Inventors: Nigel Derek Brown, Raymond Joseph Canzanese, Jr.
  • Patent number: 11163862
    Abstract: A method, computer system, and a computer program product for authenticating a user in a computing system is provided. A corresponding method comprises validating one or more user snapshots of the user that should have been acquired in corresponding acquisition conditions according to their match with the corresponding acquisition conditions; the user snapshots are then sent (at least in part) to one or more authenticators requesting them to identify the user. A computer program and a computer program product for performing the method are also proposed. Moreover, a corresponding system is proposed.
    Type: Grant
    Filed: May 16, 2018
    Date of Patent: November 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Fabio Barillari, Francesca Curzi, Stefano Ferrari, Luca Landi, Giuseppe Longobardi, Ugo Madama, Franco Mossotto, Riccardo Pizzutilo, Vincenzo Spinelli
  • Patent number: 11159361
    Abstract: Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition.
    Type: Grant
    Filed: August 23, 2019
    Date of Patent: October 26, 2021
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: David B. Small, Thomas Spencer, IV
  • Patent number: 11159549
    Abstract: A computer implemented method to identify a computer security threat based on communication via a computer network including receiving a definition of acceptable network communication characteristics for each of a plurality of communication protocols; receiving a set of security events for the communication, each security event including network communication characteristics for the communication; for each security event in the set of security events: a) identifying a communication protocol associated with the event; b) detecting deviations of network communication characteristics of the event from the acceptable network communication characteristics for the identified communication protocol; and c) generating a record of each deviation identifying a communication characteristic for which the deviation is detected, and identifying a computer security threat for the communication based on the records generated for the set of security events.
    Type: Grant
    Filed: March 3, 2017
    Date of Patent: October 26, 2021
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ian Herwono
  • Patent number: 11159551
    Abstract: The described technologies leverage a trained evaluation function to analyze an email message to determine if a password is included in the text of the email message. The text of the email message may be vectorized using a character lookup table including vector values for each ASCII character. The trained evaluation function analyzes the vectorized text to determine if a password is included in the text of the mail message. An email message found to include a password may be placed in a quarantine storage to at least temporarily prevent the email message from being disseminated to a recipient.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: October 26, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Richard P. Lewis, Arvindnarayanan Ravi, Daniel L. Mace, Jordan Wesley Rogers, Manas George, Wing Kwong Wan, Yogesh K. Roy
  • Patent number: 11153322
    Abstract: A method for performing user experience (UX) functions on an air-gapped endpoint is provided. The method includes monitoring a plurality of virtual machines to detect at least one user request to be executed within a security zone; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: October 19, 2021
    Assignee: Hysolate Ltd.
    Inventors: Tomer Trabelsi, Oleg Zlotnik, Nir Adler, Tal Zamir
  • Patent number: 11151286
    Abstract: Privilege delegation in a computer device is managed by invoking a utility by a first user account. A requested command is captured by an agent plugin which is provided as a plugin to the utility. The agent plugin sends a request message to an agent, which determines an outcome for the requested command including allowing or blocking. If allowed, a reply message from the agent instructs the agent plugin to provide command information to the utility to run the requested command by the operating system with delegated privileges of the second user account. The agent plugin can also be instructed to perform custom messaging, or passively handle the requested command via a child plugin.
    Type: Grant
    Filed: June 1, 2018
    Date of Patent: October 19, 2021
    Assignee: Avecto Limited
    Inventor: Omar Ikram
  • Patent number: 11139982
    Abstract: Techniques are provided for communication-efficient device delegation. One method comprises, in response to a request for a new signing key of a given device, determining a number of new signing key requests received for the user of the given device; determining a new public verification key of the given device for an identity-based signature scheme by traversing a cryptographic hash chain backwards from a position of an initial selected value of the cryptographic hash chain; computing a new signing key based on public parameters and secret parameters of a backup component and the initial selected value; and providing the new public verification key and the new signing key to the given device. The given device authenticates to an authentication service using an identity-based signature computed using the new signing key. The request for the new signing key is submitted, for example, when the given device is lost, damaged, unavailable or stolen.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: October 5, 2021
    Assignee: RSA Security LLC
    Inventors: Zulfikar A. Ramzan, Salah E. Machani
  • Patent number: 11128465
    Abstract: A request to identify a data value may be received via a network at a designated one of a plurality of identity nodes. A query that includes the data value may be transmitted to an identity service associated with the designated identity node. A response message from the identity service may include one or more designated network identifiers corresponding with the data value. The designated identity node may communicate with the plurality of identity nodes to identify a plurality of network identifiers corresponding with the data value. A trust ledger may be updated to include a correspondence between a selected one of the network identifiers and the data value.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: September 21, 2021
    Assignee: Salesforce.com, Inc.
    Inventors: Hal Scott Hildebrand, Prithvi Krishnan Padmanabhan
  • Patent number: 11121857
    Abstract: Methodologies, systems, and computer-readable media are provided for in-field authentication of autonomous electronic devices. A first mobile autonomous electronic device wirelessly communicates with a second mobile autonomous electronic device and receives a set of identification information associated with the second mobile autonomous electronic device. The first electronic device autonomously travels to a specified location and transmits a first authentication signal to the second electronic device upon arrival at the specified location. The second electronic device confirms the identity of the first electronic device based on the first authentication signal and transmits a second authentication signal to the first electronic device. Once the first electronic device has confirmed that the identity of the second electronic device corresponds to an expected identity, the first electronic device transfers the object to the second electronic device.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: September 14, 2021
    Assignee: Walmart Apollo, LLC
    Inventor: John Jeremiah O'Brien
  • Patent number: 11115211
    Abstract: A first computing device receives a service access request to access a service provided by another computing device, the request including user authentication characteristics of a user. The first computing device forwards the service access request to the other computing device. The first computing device receives a user interface configuration file from the other computing device, that, when executed by the second computing device, enables the second computing device to display a user interface that provides access to the service. The first computing device modifies the user interface configuration file based on the user authentication characteristics to provide selective access to the service. The first computing device transmits the modified user interface configuration file to the second computing device, that, when executed by the second computing device, enables the second computing device to display a modified user interface that provides selective access to the service.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: September 7, 2021
    Assignee: BA INSIGHT, LLC
    Inventors: Tyler Norman, Anthony Pizi, Yuri Milshtein, Paul Kanevsky, Andrew Melikov
  • Patent number: 11115425
    Abstract: An in-vehicle apparatus is an in-vehicle apparatus connected to a server via a network and mounted on a vehicle. The in-vehicle apparatus includes: a log collection unit configured to collect a log; a log storage unit for accumulation of at least a part of the log; a log priority information storage unit storing log priority information indicating a priority of a log to be accumulated in the log storage unit; an accumulation log determination unit configured to determine a log to be accumulated in the log storage unit based on the log priority information; a communication unit configured to transmit the log accumulated in the log storage unit to the server; and a log priority table management unit configured to update the log priority information stored in the log priority information storage unit based on an update command from the server.
    Type: Grant
    Filed: June 27, 2017
    Date of Patent: September 7, 2021
    Assignee: CLARION CO., LTD.
    Inventors: Eriko Ando, Yasushi Nagai, Nobuyoshi Morita
  • Patent number: 11113675
    Abstract: A method for using unified transaction services in a multi-tenant architecture system is discussed. The method includes receiving a request, at a first service provider, to provide a first transaction service for a user. The method includes accessing a first representation of the first service provider in a first hierarchical data structure, the first hierarchical data structure being managed by a second service provider, the second service provider managing user identity of the user. The method includes determining, based on the first representation, that transaction resources required for completion of the first transaction service are provided at the second service provider using a resource representation. The method also includes, responsive to determining that the transaction resources are accessible at the first service provider, accessing, at the first service provider, the transaction resources via the resource representation.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: September 7, 2021
    Assignee: PayPal, Inc.
    Inventors: Prashant Jamkhedkar, Aravindan Ranganathan, Sandeep Kumar, Norihiro Aoki, Justin White, Jeffrey Meyer