Abstract: The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, file fragmenting may be performed in a non-standard method such that file headers and metadata are divided across separate fragments, obfuscating the original file metadata.

Abstract: A method of blocking access to files encrypted with a compromised key by mapping keys and ranges of containers encrypted by the keys. Upon notification that a key is compromised, fencing a container range corresponding to data segments encrypted by the compromised key to prevent deduplication operations on the segments. The method makes a point-in-time copy of the filesystem managing the segments, wherein each file of the file system is represented as tree structure having a root level and other levels. The method iteratively inspects in a level-wise manner, each container in each level of the file trees of the files to identify containers having segments encrypted by the compromised key, and marks files corresponding to the identified containers as not readable to block the access to the files encrypted with the compromised key.

Abstract: A control system for a technical installation, in particular a manufacturing facility or process plant, includes at least one first operator station server and one second operator station server and is configured to initiate the issuance and revocation of certificates for components of the technical installation as part of certificate management, and is configured to publish revocation of a previously issued certificate within the control system as a certificate revocation list, where the control system is configured to store the certificate revocation list on the first operator station server and/or on the second operator station server, where the control system is configured to synchronize the first operator station server and the second operator station server with one another such that a certificate revocation list with identical content is stored on both operator station servers.

Abstract: Described herein are a system and techniques for enabling access control utilizing one or more blockchains associated with a user. A blockchain provider can manage one or more blockchains specifically associated with a an entity, where each blockchain may be associated with a differing sensitivity level. The entity may be a person or a machine such as an IOT (Internet of Things) device. The blockchain provider can manage access control policies associated with each blockchain such that access to the data of the blockchain may be allowed or restricted to requesting entities according to those access control policies.

Abstract: An agent running on an IoT device of a client's network may receive a default password from a provider network and use the received default password to determine whether the password assigned to the IoT device has been changed from the default password to a different one. The agent may retrieve a salt string, a hashing algorithm, and a hashed string from a password database of the IoT device, combine the salt string with the received default password to generate a salted default password, and apply the hashing algorithm to the salted default password to generate a new hashed string. The agent may then compare the new hashed string to the hashed string retrieved from the password database. If they match, then the agent sends an indication to the provider network that the default password is still assigned to the IoT device.

Abstract: A server system for a map-based social media platform maintains user location information to enable the rendering of friend icons on a map at a corresponding display locations. The system maintains a per user access control list (ACL) that lists all users whose icons can be viewed by a requesting user. The ACL can include a designation of respective display granularity levels for different friend users.

Abstract: Systems, devices, and methods for correlating security policies to received packets are provided. In one example, a network device, maintains information regarding multiple security policies within a dual bitmap based search tree including a first bitmap and a second bitmap formatted as information embedded in a node structure. A packet is received by the network. A first field of the packet is compared with a first range, corresponding to a first bit location in the first bitmap in which the first bit location in the first bitmap is associated with at least a first security policy. After determining the first field is within the first range, the network device accesses a second bit location in the second bitmap, corresponding to the first bit location. Based at least in part upon a value in the second bit location, a set of one or more security policies are applied to the packet.

Abstract: A method for hierarchical Internet trust sharing includes dividing a network into intra-domain and inter-domain layers based on a management domain; performing authentication on a central certificate through a CA and publishing the central certificate to a blockchain; managing by the central node, a certificate of each communication node based on a real address; collecting by the central node, temporary data reported by each communication node every preset time interval, generating a trust evaluation value of each communication node based on the temporary data and forming a format file from the trust evaluation values; generating by the central node, a file digest from the format file at each preset time interval, and publishing the file digest verified by central nodes in the inter-domain to the blockchain; and automatically deleting by the blockchain, data from the time interval 1 to the time interval (N-T-1) to retain blockchain header information.

Abstract: A method for identifying adversarial attacks on an image based detection system for automated driving includes providing a reference signal and a potentially manipulated signal. The method also includes calculating a plurality of metrics which quantify differences between the signals in different ways. The method further includes creating a multi-dimensional feature space based on the calculated metrics and classifying the type of attack based on the calculated metrics. The class of the adversarial attack may then be output.

Abstract: A system and method for identifying unauthorized uploaded content that has been uploaded before a validated live reference stream has been ingested is disclosed herein. The live reference stream is compared against the indexed uploaded content repeatedly as the live reference stream is received. The matching process is done once per a time period until a match meeting a minimum match duration threshold is identified. The match is then determined to be unauthorized, and a claim is issued against the unauthorized uploaded content. The time period can be based on a utility based analysis that factors the computational costs of repeated matching versus the diminishing value of the live reference stream as time progresses.

Abstract: A method for extending a blockchain includes, at a space server in a distributed network: storing a plot file. The method also includes accessing a blockchain: during a current slot in the series of slots, accessing a proof-of-space challenge based on a current slot challenge associated with the current slot and a challenge chain signage point; in response to accessing the proof-of-space challenge, retrieving a proof-of-space based on the proof-of-space challenge and the plot file; calculating a quality-based number of iterations based on the quality of the proof-of-space; generating a block comprising the proof-of-space, the challenge chain signage point, and a reward chain signage point; and broadcasting the block to the distributed network.

Abstract: A method for preventing unauthorized access to information in a semiconductor device that is secured with a security protocol that uses a first portion of the information may include in response to a verified inaccessibility-inducing signal, unlocking safety lock circuitry which is operable to prevent unintentional activation of self-destruction in the semiconductor device, and initiating the self-destruction of at least a portion of the semiconductor device. A semiconductor device is configured to prevent unauthorized access to information available therein that is secured with a security protocol that uses a first portion of the information. The semiconductor device may include safety lock circuitry operable to prevent unintentional activation of self-destruction in the semiconductor device and control circuitry operable to unlock the safety lock circuitry and to initiate the self-destruction of at least a portion of the semiconductor device in response to a verified inaccessibility-inducing signal.

Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: A method, computer system, and computer program product are provided for applying a dynamic security policy to shared content in collaborative applications. A selection of one or more content items is received for sharing in a communication session. A security policy is queried using a key that is associated with each of the one or more content items to determine a security policy for each of the one or more content items. A plurality of users participating in the communication session are identified. Each content item of the one or more content items is selectively presented to a subset of the plurality of users based on an identity of a respective user and the security policy of each content item.

Abstract: A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics. The variation can be calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector. Anomaly criterion statuses calculated by at least some of the network nodes are aggregated.

Abstract: A system and method are disclosed for processing data subject rights requests. The system and method advantageously enable data controllers to train machine learning models on unaltered data having PII, while maintaining the privacy of the unaltered data and enabling compliance with data subject rights requests with respect to the data. The system and method incorporate a biometric database that stores biometric data extracted from the unaltered data having PII. In order to identify data relating to a data subject rights request, biometric data is received from the data subject and is matched against the biometric data stored in the biometric database. Based on the matched biometric data, the original unaltered source data having PII can be identified for the purpose of exercising one or more data subject rights, such as erasure, access, and objection to processing.

Abstract: A system and method for PIN authentication issuance from a MFP QR Code includes a QR code presented on an authentication screen of multifunction peripheral display. A user requiring a personal information number to access a multifunction peripheral printing system managed by a print server scans the QR code with their secure smartphone or tablet. The scanned QR code opens a web portal to the server on the user's device where they can select a new PIN. The new PIN is stored on the server for the user's account and access to the MFP is then granted when the user enters their new PIN.

Abstract: Technologies are shown for network attribution tracking for a multi-legged transaction. In accordance with some aspects, a request is received at a second service from a client device via a first redirect including a first token associated with a first service. The second service sends, to a token service, a token request including the first token, wherein the token request causes the token service to associate a second token with the first token. The second service receives, from the token service, a token response including the second token. The second service provides, to the client device, a second redirect to a third service, the second redirect including the second token. In some aspects, a transaction is attributed to at least the first service and the second service based on the association of the second token with the first token.

Abstract: The present disclosure provides a method and an apparatus for monitoring an abnormal host, and a data processing device. The method includes: host information of a deployed host is obtained from a controller, where the host information includes address information of the deployed host; routing information of a to-be-detected host is obtained, where the routing information includes the address information of the to-be-detected host; it is determined whether the address information of the deployed host includes the address information of the to-be-detected host; and it is determined that the to-be-detected host is an abnormal host when the address information of the deployed host does not include the address information of the to-be-detected host.