Patents Examined by Teshome Hailu
  • Patent number: 10476853
    Abstract: A system and method for homomorphic encryption in a healthcare network environment is provided and includes receiving digital data over the healthcare network at a data custodian server in a plurality of formats from various data sources, encrypting the data according to a homomorphic encryption scheme, receiving a query at the data custodian server from a data consumer device concerning a portion of the encrypted data, initiating a secure homomorphic work session between the data custodian server and the data consumer device, generating a homomorphic work space associated with the homomorphic work session, compiling, by the data custodian server, a results set satisfying the query, loading the results set into the homomorphic work space, and building an application programming interface (API) compatible with the results set, the API facilitating encrypted analysis on the results set in the homomorphic work space.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: November 12, 2019
    Assignee: NANTHEALTH, INC
    Inventors: Patrick Soon-Shiong, Harsh Kupwade-Patil, Ravi Seshadri, Nicholas J. Witchey
  • Patent number: 10462104
    Abstract: Systems and methods for receiving information on network firewall policy configurations are disclosed. Based on the received firewall configuration information, a configuration of a firewall and/or subnet of network devices is automatically provisioned and/or configured to control network traffic to and from the subnet.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: October 29, 2019
    Assignee: Level 3 Communications, LLC
    Inventors: Jin-Gen Wang, Travis D. Ewert
  • Patent number: 10439798
    Abstract: A method of executing a program operating on data encrypted by a homomorphic encryption. Execution of a program instruction includes the homomorphic evaluation of an associated function in the ciphertext space, homomorphic masking of the result of the evaluation with a previously encrypted random sequence, decryption of the evaluation result thus masked followed by a new encryption and then homomorphic unmasking in the ciphertext space. The result of execution of the instruction does not appear in plain text at any time during execution of the instruction.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: October 8, 2019
    Assignee: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
    Inventors: Olivier Savry, Thomas Hiscock
  • Patent number: 10417429
    Abstract: A method and apparatus for protecting boot variables is disclosed. A computer system includes a main processor and an auxiliary processor. The auxiliary processor includes a non-volatile memory that stores variables associated with boot code that is also stored thereon. The main processor may send a request to the auxiliary processor to alter one of the variables stored in the non-volatile memory. Responsive to receiving the request, the auxiliary processor may execute a security policy to determine if the main processor meets the criteria for altering the variable. If the auxiliary processor determines that the main processor meets the criteria, it may grant permission to alter the variable.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: September 17, 2019
    Assignee: Apple Inc.
    Inventors: Joshua P. de Cesare, Timothy R. Paaske, Xeno S. Kovah, Nikolaj Schlej, Jeffrey R. Wilcox, Hardik K. Doshi, Kevin H. Alderfer, Corey T. Kallenberg
  • Patent number: 10417849
    Abstract: An integrated security system which seamlessly assimilates with current generation logical security systems. The integrated security system incorporates a security controller having standard network interface capabilities including IEEE 802.x and takes advantage of the convenience and security offered by smart cards and related devices for both physical and logical security purposes. The invention is based on standard remote authentication dial-in service (RADIUS) protocols or TCP/IP using SSL, TLS, PCT or IPsec and stores a shared secret required by the secure communication protocols in a secure access module coupled to the security controller. The security controller is intended to be a networked client or embedded intelligent device controlled remotely by an authentication server. In another embodiment of the invention one or more life cycle management transactions are performed with the secure access module.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: September 17, 2019
    Assignee: ASSA ABLOY AB
    Inventors: Dominique Louis Joseph Fedronic, Wu Wen
  • Patent number: 10402554
    Abstract: Technologies for depth-based user authentication include a mobile computing device to display a login image including a depth channel on a display of the mobile computing device. The mobile computing device determines a selection of a plurality of objects of the login image made by a user of the mobile computing device, generates a user-selected password based on a relative depth of each object of the plurality of objects selected by the user, and permits access to the mobile computing device in response to a determination that the user-selected password matches a device login password.
    Type: Grant
    Filed: June 27, 2015
    Date of Patent: September 3, 2019
    Assignee: Intel Corporation
    Inventors: Jim S. Baca, David Stanasolovich, Tobias M. Kohlenberg, Prital B. Shah, David W. Baker
  • Patent number: 10404736
    Abstract: Systems, methods, and other embodiments associated with placing a virtual machine or workload on one of a plurality of hosts are described. In one embodiment, a method includes analyzing the hosts to identify a set of candidate hosts. Each candidate host is analyzed and a threat score is calculated for each candidate host that is indicative of a degree of vulnerability of the candidate host to information-security threats. The corresponding threat scores from the candidate hosts are compared and a host with a lowest threat score is selected, and the virtual machine is placed on the selected host. Thereafter, the selected host is reanalyzed to calculate an updated threat score based at least in part upon the placement of the virtual machine, and in response to determining that the updated threat score exceeds a threshold, the virtual machine is moved to a different host.
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: September 3, 2019
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Ajai Joy, Sarat C. Aramandla
  • Patent number: 10372888
    Abstract: In one general aspect, a method can include determining that a computing device is in a peripheral mode of operation based on an orientation of a lid portion with respect to a base portion, the orientation allowing access to one or more input devices included in an input area included in the base portion. The method further includes entering a broadcast discovery mode when the computing device is in the peripheral mode of operation, connecting the computing device to a display system listening for broadcasts, sending, to the display system, network credentials and user credentials associated with the computing device, receiving, by the computing device and from a computer system, a request to confirm the connection between the computing device and the display system, and providing, by the computing device, to the computer system, confirmation of the connection between the computing device and the display system.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: August 6, 2019
    Assignee: GOOGLE LLC
    Inventor: Jian Wei Leong
  • Patent number: 10375045
    Abstract: Methods and systems are provided for onboarding network equipment to managed networks. An onboarding controller may be used in authenticating the to-be-onboarded network equipment. The onboarding controller may issue a challenge, which may comprise instructions for making configuration changes to the network equipment. The configuration changes may comprise adding, removing, and/or changing connections within and/or to the network equipment within a local network comprising the network equipment. The onboarding controller may determine whether or not the configuration changes have been made to the network equipment. The determination of configuration changes may be used in verifying the identity and/or location of the network equipment, and/or in determining to which managed network the network equipment should be onboarded.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: August 6, 2019
    Assignee: SWISSCOM AG
    Inventors: Dominik Schatzmann, Markus Brunner
  • Patent number: 10356057
    Abstract: Embodiments of the present invention use a limited-use public/private key pair to encrypt and decrypt messages sent through an intermediary. The messages may contain sensitive information and may be transmitted between entities over one or more networks. In some embodiments, the entities and/or the networks may be untrusted. Nevertheless, the content of the messages may remain protected by virtue of the limited-use key pair infrastructure.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: July 16, 2019
    Assignee: Visa International Service Association
    Inventors: Rhidian John, Bartlomiej Piotr Prokop, Thomas Looney
  • Patent number: 10348495
    Abstract: Apparatuses and methods associated with configurable crypto hardware engine are disclosed herein. In embodiments, an apparatus for signing or verifying a message may comprise: a hardware hashing computation block to perform hashing computations; a hardware hash chain computation block to perform successive hash chain computations; a hardware private key generator to generate private keys; and a hardware public key generator to generate public keys, including signature generations and signature verifications. The hardware hashing computation block, the hardware hash chain computation block, the hardware private key generator, and the hardware public key generator may be coupled to each other and selectively cooperate with each other to perform private key generation, public key generation, signature generation or signature verification at different points in time. Other embodiments may be disclosed or claimed.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: July 9, 2019
    Assignee: Intel Corporation
    Inventors: Santosh Ghosh, Rafael Misoczki, Manoj R. Sastry, Li Zhao
  • Patent number: 10339314
    Abstract: A device includes: a memory configured to store in advance a command transmitted from malware to hardware via an operating system; and a processor coupled to the memory and configured to: hook a first command transmitted from the operating system to the hardware, and transmit information that causes the malware to determine to terminate operation of the malware to the operating system when the hooked first command corresponds with the command stored in the memory.
    Type: Grant
    Filed: August 25, 2016
    Date of Patent: July 2, 2019
    Assignee: FUJITSU LIMITED
    Inventors: Takanori Oikawa, Kazuyoshi Furukawa, Hirotaka Kokubo, Mebae Yamaoka, Masahiko Takenaka
  • Patent number: 10320831
    Abstract: The disclosed computer-implemented method for applying security updates to endpoint devices may include (1) calculating a reputation score for an endpoint device that indicates a security state of the endpoint device, (2) transmitting, from the endpoint device to a security server that provides security updates, a request to receive a security update with a degree of urgency based on the reputation score of the endpoint device, (3) receiving the security update from the security server in accordance with the degree of urgency, and then (4) applying the security update within the endpoint device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 8, 2016
    Date of Patent: June 11, 2019
    Assignee: Symantec Corporation
    Inventors: Prasad Agarmore, Karan Khanna
  • Patent number: 10311230
    Abstract: In various implementations, a method of identifying anomalies is performed by a first network node that is configured to maintain a distributed ledger in coordination with a plurality of network nodes. In various implementations, the first network node includes one or more processors, a non-transitory memory, and one or more network interfaces. In various implementations, the method includes determining a characteristic value based on information associated with the distributed ledger. In some implementations, the distributed ledger stores blocks of transactions that were added to the distributed ledger based on a consensus determination between the plurality of network nodes. In various implementations, the method includes determining whether a current transaction satisfies the characteristic value. In various implementations, the method includes indicating whether there is an anomaly based on a function of the current transaction in relation to the characteristic value.
    Type: Grant
    Filed: December 24, 2016
    Date of Patent: June 4, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Ramanathan Jagadeesan, Judith Ying Priest, Anoop Nannra
  • Patent number: 10313110
    Abstract: Systems and methods are provided for protecting identity in an authenticated data transmission. For example, a contactless transaction between a portable user device and an access device may be conducted without exposing the portable user device's public key in cleartext. In one embodiment, an access device may send an access device public key to a portable user device. The user device may return a blinded user device public key and encrypted user device data. The access device may determine a shared secret using the blinded user device public key and an access device private key. The access device may then decrypt the encrypted user device data using the shared secret.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: June 4, 2019
    Assignee: Visa International Service Association
    Inventor: Eric Le Saint
  • Patent number: 10284603
    Abstract: A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: May 7, 2019
    Assignee: CUPP Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 10275614
    Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). For example, a first data asset may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: April 30, 2019
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
  • Patent number: 10270756
    Abstract: A service providing method, the method comprises transmitting, by a first information processing device, a certification token including a first role information on a service provided by the first information processing device to a terminal device when a certification is successful in response to a certification demand from the terminal device, receiving, by the first information processing device, the certification token and a first address information, that identifies a service providing device and indicates the first information processing device, from the terminal device, and transmitting, by the first information processing device, a first token including the first role information indicated by the certification token which is received and a second address information, that identifies the service providing device and indicates a second information processing device, to the second information processing device which is either one of the service providing device or a way device to the service providing dev
    Type: Grant
    Filed: August 23, 2016
    Date of Patent: April 23, 2019
    Assignee: FUJITSU LIMITED
    Inventors: Shouhei Mizuno, Akio Shimono, Mamoru Yoshimuta, Naoki Miyoshi
  • Patent number: 10262144
    Abstract: A computer-implemented method includes executing one or more tests on a computing device. The computing device has Instruction Execution Protection (IEP), and each test of the one or more tests includes selectively setting one or more IEP bits of one or more page tables, where each IEP bit prevents code in a respective storage block from being executed. During the one or more tests, an IEP exception is detected, by a computer processor, each time an attempt is made to execute code in a storage block for which a respective IEP bit is set. Test results of the one or more tests are determined based on the detecting. A remedial action is performed in response to the test results of the one or more tests.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: April 16, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ali Y. Duale, Shailesh R. Gami, John L. Weber, Dennis Wittig
  • Patent number: 10264074
    Abstract: A method and system for providing information management of data from hosted services receives information management policies for a hosted account of a hosted service, requests data associated with the hosted account from the hosted service, receives data associated with the hosted account from the hosted service, and provides a preview version of the received data to a computing device. In some examples, the system indexes the received data to associate the received data with a user of an information management system, and/or provides index information related to the received data to the computing device.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: April 16, 2019
    Assignee: Commvault Systems, Inc.
    Inventors: Manoj Kumar Vijayan, Ho-Chi Chen, Deepak Raghunath Attarde, Hetalkumar N. Joshi