Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: A method for preventing unauthorized access to information in a semiconductor device that is secured with a security protocol that uses a first portion of the information may include in response to a verified inaccessibility-inducing signal, unlocking safety lock circuitry which is operable to prevent unintentional activation of self-destruction in the semiconductor device, and initiating the self-destruction of at least a portion of the semiconductor device. A semiconductor device is configured to prevent unauthorized access to information available therein that is secured with a security protocol that uses a first portion of the information. The semiconductor device may include safety lock circuitry operable to prevent unintentional activation of self-destruction in the semiconductor device and control circuitry operable to unlock the safety lock circuitry and to initiate the self-destruction of at least a portion of the semiconductor device in response to a verified inaccessibility-inducing signal.

Abstract: A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics. The variation can be calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector. Anomaly criterion statuses calculated by at least some of the network nodes are aggregated.

Abstract: A method, computer system, and computer program product are provided for applying a dynamic security policy to shared content in collaborative applications. A selection of one or more content items is received for sharing in a communication session. A security policy is queried using a key that is associated with each of the one or more content items to determine a security policy for each of the one or more content items. A plurality of users participating in the communication session are identified. Each content item of the one or more content items is selectively presented to a subset of the plurality of users based on an identity of a respective user and the security policy of each content item.

Abstract: A system and method are disclosed for processing data subject rights requests. The system and method advantageously enable data controllers to train machine learning models on unaltered data having PII, while maintaining the privacy of the unaltered data and enabling compliance with data subject rights requests with respect to the data. The system and method incorporate a biometric database that stores biometric data extracted from the unaltered data having PII. In order to identify data relating to a data subject rights request, biometric data is received from the data subject and is matched against the biometric data stored in the biometric database. Based on the matched biometric data, the original unaltered source data having PII can be identified for the purpose of exercising one or more data subject rights, such as erasure, access, and objection to processing.

Abstract: A system and method for PIN authentication issuance from a MFP QR Code includes a QR code presented on an authentication screen of multifunction peripheral display. A user requiring a personal information number to access a multifunction peripheral printing system managed by a print server scans the QR code with their secure smartphone or tablet. The scanned QR code opens a web portal to the server on the user's device where they can select a new PIN. The new PIN is stored on the server for the user's account and access to the MFP is then granted when the user enters their new PIN.

Abstract: Technologies are shown for network attribution tracking for a multi-legged transaction. In accordance with some aspects, a request is received at a second service from a client device via a first redirect including a first token associated with a first service. The second service sends, to a token service, a token request including the first token, wherein the token request causes the token service to associate a second token with the first token. The second service receives, from the token service, a token response including the second token. The second service provides, to the client device, a second redirect to a third service, the second redirect including the second token. In some aspects, a transaction is attributed to at least the first service and the second service based on the association of the second token with the first token.

Abstract: The present disclosure provides a method and an apparatus for monitoring an abnormal host, and a data processing device. The method includes: host information of a deployed host is obtained from a controller, where the host information includes address information of the deployed host; routing information of a to-be-detected host is obtained, where the routing information includes the address information of the to-be-detected host; it is determined whether the address information of the deployed host includes the address information of the to-be-detected host; and it is determined that the to-be-detected host is an abnormal host when the address information of the deployed host does not include the address information of the to-be-detected host.

Abstract: A service providing system, an information processing system, and a use permission assigning method. The service providing system registers one or more users in one or more groups in a tenant, assigns application use permission to a specific group, assigns the application use permission assigned to the specific group to a user in the specific group, generates screen information for restricting an assignment of the application use permission to a user registered in other group in the tenant, the other group to whom the application is not assigned, displays a screen based on the screen information, permit use of the application to the user to whom the application use permission is assigned among users registered in the specific group, and restrict a user registered in the other group to use the application.

Abstract: In an embodiment, a list of domains is received that includes one or more categories for each domain. The categories are assigned to each domain using a classifier that is trained using features extracted from webpages known to be associated with particular categories. An administrator creates access rules for users, or groups of users, that control the categories of domains that each user is permitted to access or not access. When a user makes a request for a webpage, access rules associated with the user are retrieved, and one or more categories associated with the domain of the requested webpage are determined using the list of domains. If any of the one or more categories of the domain violate an access rule associated with the user, the request for the webpage is denied. Otherwise the user is allowed to access the webpage.

Abstract: Apparatus, systems, and methods to classify malware with explainability are disclosed. An example apparatus includes at least one memory; instructions in the apparatus; and processor circuitry. The example processor circuitry is to execute the instructions to: generate feature vectors from a first input; train a neural network model using a first portion of the feature vectors; add one or more fully connected layers to the trained neural network model to form a hybrid model; validate the hybrid model using a second portion of the feature vectors; and deploy the validated hybrid model as a malware classifier, the malware classifier to provide a malware classification with explainability in response to a second input.

Abstract: A system on chip includes a memory, a main processor that runs an operating system, and first Intellectual Properties (IPs) that perform respective processing operations. The main processor operates to copy target firmware to the memory using a firmware loader, using a hypervisor, block access of the main processor and the first IPs to the target firmware before verification of the target firmware, and using the hypervisor, grant access to the target firmware by a target IP among the first IPs that corresponds to the target firmware after the verification of the target firmware.

Abstract: A method is disclosed. The method includes forming a local data connection between a mobile communication device comprising a voice assistant module, and an access device in an interaction. The method also includes receiving, by the mobile communication device, a voice command with a request for the access device to automatically provide a resource to a user of the mobile communication device.

Abstract: Methods, systems, and apparatuses are described herein for improving the accuracy of authentication questions using e-mail processing. A request for access to an account may be received from a user device. A plurality of organizations may be identified. One or more e-mail associated with the account may be identified. The e-mails may be processed to identify one or more organizations that correspond to transactions conducted by a user. A modified plurality of organizations may be generated by removing, from the plurality of organizations, the one or more organizations. An authentication question may be generated and provided to the user device. A response to the authentication question may be received, and the user device may be provided access based on the response.

Abstract: Methods and apparatus for provisioning and providing services to devices on a local network are described. The methods and apparatus allow for the provisioning of services to customer owned and managed devices on a local network on which another device, e.g., a first device, has already been authenticated and authorized to receive services corresponding to a customer account. After a first device on a local network is authenticated and associated with a customer account it detects the addition of new devices on the local network and assists in the registration of the new device by acting as an intermediary with a service provider device during the registration process. The security and registration established by the first device is leveraged allowing other devices on the network to be registered and authenticated for services corresponding to the same account as the first device without requiring user input of authentication and/or other information.

Abstract: A trusted application running method applied to a computer system on which a trusted execution environment (TEE) and a rich execution environment (REE) are deployed, where one or more trusted applications (TAs) run on the TEE operating system. The TEE operating system may start a target TA. Then, the target TA may send, to the TEE operating system, a loading request for a target dynamic library supporting the target service. The TEE operating system may load the target dynamic library to memory space of the target TA in response to the loading request. In this way, before the target TA runs the target service, a program module used to support the target service does not need to be loaded to the memory space of the TA, thereby reducing a waste of the memory space of the TA.

Abstract: Provided is a system for blocking a phishing attack including: a phishing attack prevention storage device; wherein a user terminal or a service server is connected with the phishing attack prevention storage device via a network, wherein a storage area in the phishing attack prevention storage device is mounted in a network drive at the user terminal or the service server, wherein when there is an open request for a real file stored in the storage area in the phishing attack prevention storage device from the user terminal or the service server, the phishing attack prevention storage device checks a storage operation mode and creates a fake file other than the open-requested original file when the storage operation mode corresponds to a list-only mode to return the fake file to the user terminal or the service server via the network.

Abstract: Provided are a method and system of providing personal information on the basis of a blockchain. The blockchain-based personal information providing method includes making a data privacy-related contract with a user and providing user data, which corresponds to personal information of the user according to the data privacy-related contract, to a service for accessing the user data using a contract with the service.

Abstract: Data of a computer system can be secured from malware. During a Primary Operating System (PrimaryOS) run-time, the system determines if the computer system has been compromised and, if so, a Trusted Operating System (TrustedOS) is launched and assumes control of the hardware resources and the software resources of the computer system. The TrustedOS obtains a cryptographic key that is inaccessible to the PrimaryOS. The TrustedOS uses the cryptographic key to disable writing to a first portion of the storage media that includes the first set of logical block addresses. The PrimaryOS can incrementally back-up files to a second set of logical block addresses on a second portion of the storage media. Control of the hardware resources and the software resources is returned to the PrimaryOS.