Abstract: A server system for a map-based social media platform maintains user location information to enable the rendering of friend icons on a map at a corresponding display locations. The system maintains a per user access control list (ACL) that lists all users whose icons can be viewed by a requesting user. The ACL can include a designation of respective display granularity levels for different friend users.

Abstract: A method for hierarchical Internet trust sharing includes dividing a network into intra-domain and inter-domain layers based on a management domain; performing authentication on a central certificate through a CA and publishing the central certificate to a blockchain; managing by the central node, a certificate of each communication node based on a real address; collecting by the central node, temporary data reported by each communication node every preset time interval, generating a trust evaluation value of each communication node based on the temporary data and forming a format file from the trust evaluation values; generating by the central node, a file digest from the format file at each preset time interval, and publishing the file digest verified by central nodes in the inter-domain to the blockchain; and automatically deleting by the blockchain, data from the time interval 1 to the time interval (N-T-1) to retain blockchain header information.

Abstract: Systems, devices, and methods for correlating security policies to received packets are provided. In one example, a network device, maintains information regarding multiple security policies within a dual bitmap based search tree including a first bitmap and a second bitmap formatted as information embedded in a node structure. A packet is received by the network. A first field of the packet is compared with a first range, corresponding to a first bit location in the first bitmap in which the first bit location in the first bitmap is associated with at least a first security policy. After determining the first field is within the first range, the network device accesses a second bit location in the second bitmap, corresponding to the first bit location. Based at least in part upon a value in the second bit location, a set of one or more security policies are applied to the packet.

Abstract: A system and method for identifying unauthorized uploaded content that has been uploaded before a validated live reference stream has been ingested is disclosed herein. The live reference stream is compared against the indexed uploaded content repeatedly as the live reference stream is received. The matching process is done once per a time period until a match meeting a minimum match duration threshold is identified. The match is then determined to be unauthorized, and a claim is issued against the unauthorized uploaded content. The time period can be based on a utility based analysis that factors the computational costs of repeated matching versus the diminishing value of the live reference stream as time progresses.

Abstract: A method for extending a blockchain includes, at a space server in a distributed network: storing a plot file. The method also includes accessing a blockchain: during a current slot in the series of slots, accessing a proof-of-space challenge based on a current slot challenge associated with the current slot and a challenge chain signage point; in response to accessing the proof-of-space challenge, retrieving a proof-of-space based on the proof-of-space challenge and the plot file; calculating a quality-based number of iterations based on the quality of the proof-of-space; generating a block comprising the proof-of-space, the challenge chain signage point, and a reward chain signage point; and broadcasting the block to the distributed network.

Abstract: A method for identifying adversarial attacks on an image based detection system for automated driving includes providing a reference signal and a potentially manipulated signal. The method also includes calculating a plurality of metrics which quantify differences between the signals in different ways. The method further includes creating a multi-dimensional feature space based on the calculated metrics and classifying the type of attack based on the calculated metrics. The class of the adversarial attack may then be output.

Abstract: A method for preventing unauthorized access to information in a semiconductor device that is secured with a security protocol that uses a first portion of the information may include in response to a verified inaccessibility-inducing signal, unlocking safety lock circuitry which is operable to prevent unintentional activation of self-destruction in the semiconductor device, and initiating the self-destruction of at least a portion of the semiconductor device. A semiconductor device is configured to prevent unauthorized access to information available therein that is secured with a security protocol that uses a first portion of the information. The semiconductor device may include safety lock circuitry operable to prevent unintentional activation of self-destruction in the semiconductor device and control circuitry operable to unlock the safety lock circuitry and to initiate the self-destruction of at least a portion of the semiconductor device in response to a verified inaccessibility-inducing signal.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.

Abstract: A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics. The variation can be calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector. Anomaly criterion statuses calculated by at least some of the network nodes are aggregated.

Abstract: A method, computer system, and computer program product are provided for applying a dynamic security policy to shared content in collaborative applications. A selection of one or more content items is received for sharing in a communication session. A security policy is queried using a key that is associated with each of the one or more content items to determine a security policy for each of the one or more content items. A plurality of users participating in the communication session are identified. Each content item of the one or more content items is selectively presented to a subset of the plurality of users based on an identity of a respective user and the security policy of each content item.

Abstract: A system and method are disclosed for processing data subject rights requests. The system and method advantageously enable data controllers to train machine learning models on unaltered data having PII, while maintaining the privacy of the unaltered data and enabling compliance with data subject rights requests with respect to the data. The system and method incorporate a biometric database that stores biometric data extracted from the unaltered data having PII. In order to identify data relating to a data subject rights request, biometric data is received from the data subject and is matched against the biometric data stored in the biometric database. Based on the matched biometric data, the original unaltered source data having PII can be identified for the purpose of exercising one or more data subject rights, such as erasure, access, and objection to processing.

Abstract: A system and method for PIN authentication issuance from a MFP QR Code includes a QR code presented on an authentication screen of multifunction peripheral display. A user requiring a personal information number to access a multifunction peripheral printing system managed by a print server scans the QR code with their secure smartphone or tablet. The scanned QR code opens a web portal to the server on the user's device where they can select a new PIN. The new PIN is stored on the server for the user's account and access to the MFP is then granted when the user enters their new PIN.

Abstract: The present disclosure provides a method and an apparatus for monitoring an abnormal host, and a data processing device. The method includes: host information of a deployed host is obtained from a controller, where the host information includes address information of the deployed host; routing information of a to-be-detected host is obtained, where the routing information includes the address information of the to-be-detected host; it is determined whether the address information of the deployed host includes the address information of the to-be-detected host; and it is determined that the to-be-detected host is an abnormal host when the address information of the deployed host does not include the address information of the to-be-detected host.

Abstract: Technologies are shown for network attribution tracking for a multi-legged transaction. In accordance with some aspects, a request is received at a second service from a client device via a first redirect including a first token associated with a first service. The second service sends, to a token service, a token request including the first token, wherein the token request causes the token service to associate a second token with the first token. The second service receives, from the token service, a token response including the second token. The second service provides, to the client device, a second redirect to a third service, the second redirect including the second token. In some aspects, a transaction is attributed to at least the first service and the second service based on the association of the second token with the first token.

Abstract: A service providing system, an information processing system, and a use permission assigning method. The service providing system registers one or more users in one or more groups in a tenant, assigns application use permission to a specific group, assigns the application use permission assigned to the specific group to a user in the specific group, generates screen information for restricting an assignment of the application use permission to a user registered in other group in the tenant, the other group to whom the application is not assigned, displays a screen based on the screen information, permit use of the application to the user to whom the application use permission is assigned among users registered in the specific group, and restrict a user registered in the other group to use the application.

Abstract: Apparatus, systems, and methods to classify malware with explainability are disclosed. An example apparatus includes at least one memory; instructions in the apparatus; and processor circuitry. The example processor circuitry is to execute the instructions to: generate feature vectors from a first input; train a neural network model using a first portion of the feature vectors; add one or more fully connected layers to the trained neural network model to form a hybrid model; validate the hybrid model using a second portion of the feature vectors; and deploy the validated hybrid model as a malware classifier, the malware classifier to provide a malware classification with explainability in response to a second input.

Abstract: In an embodiment, a list of domains is received that includes one or more categories for each domain. The categories are assigned to each domain using a classifier that is trained using features extracted from webpages known to be associated with particular categories. An administrator creates access rules for users, or groups of users, that control the categories of domains that each user is permitted to access or not access. When a user makes a request for a webpage, access rules associated with the user are retrieved, and one or more categories associated with the domain of the requested webpage are determined using the list of domains. If any of the one or more categories of the domain violate an access rule associated with the user, the request for the webpage is denied. Otherwise the user is allowed to access the webpage.

Abstract: A system on chip includes a memory, a main processor that runs an operating system, and first Intellectual Properties (IPs) that perform respective processing operations. The main processor operates to copy target firmware to the memory using a firmware loader, using a hypervisor, block access of the main processor and the first IPs to the target firmware before verification of the target firmware, and using the hypervisor, grant access to the target firmware by a target IP among the first IPs that corresponds to the target firmware after the verification of the target firmware.

Abstract: Methods and apparatus for provisioning and providing services to devices on a local network are described. The methods and apparatus allow for the provisioning of services to customer owned and managed devices on a local network on which another device, e.g., a first device, has already been authenticated and authorized to receive services corresponding to a customer account. After a first device on a local network is authenticated and associated with a customer account it detects the addition of new devices on the local network and assists in the registration of the new device by acting as an intermediary with a service provider device during the registration process. The security and registration established by the first device is leveraged allowing other devices on the network to be registered and authenticated for services corresponding to the same account as the first device without requiring user input of authentication and/or other information.