Abstract: Evaluation of security of a communication system. The security of the communication system is continuously monitored and the result of this assessment is indicated. In particular, characteristic security information provided by a communication partner may be continuously received and evaluated for determining the security status. In this way, a change of the security status can be immediately recognized. Thus, a transmission of sensible or confidential data over an insecure communication network can be avoided.

Abstract: Particular aspects of this disclosure relate to computerized systems for generating and using improved data structures and functionality to efficiently render different multiple access-controlled resources (or properties of access-controlled resources) that are part of a concept. Often times, two or more resources of a concept or properties of a resource are subject to different access controls. This adds computing complexity as to whether or not a user is granted access to the entire concept or resource, a portion of the concept or resource, or none of the concept or resources and what exactly is surfaced back to the user when there are resources or properties the user does and does not have access to. Some embodiments accordingly render an efficient composite view of concepts or resources where some resources or properties are accessible by the requesting user, while other resources or properties are not accessible by the requesting user.

Abstract: A request is received from a user at a client to access a file of a set of files backed up to a backup server. Upon verifying a password provided by the user, the client is issued another request for authentication. A first data structure is received responsive to the request. The first data structure is generated using identifiers corresponding to a set of files at the client of which at least some presumably have been backed up to the server. A second data structure is generated. The second data structure is generated using identifiers corresponding to the set of files backed up to the server. The first and second data structures are compared to assess a degree of similarity between the files at the client and the files backed up to the backup server. The user is denied access when the degree of similarity is below a threshold.

Abstract: The technology disclosed herein enables a computing device to use a trusted execution environment in an untrusted mobile device to distribute protected content to computing devices at different locations. An example method may include: establishing, by a processor of a mobile device, a trusted execution environment in the mobile device, wherein the trusted execution environment uses memory encryption; loading data of a computing device into the trusted execution environment in the mobile device, wherein the data comprises protected content and comprises executable code to control access to the protected content; receiving, by the mobile device, authentication data from a set of computing devices; and executing, by the mobile device, the executable code in the trusted execution environment to analyze the authentication data and to provide one or more of the computing devices of the set with access to the protected content.

Abstract: An information handling system includes a device capable of sending and receiving security protocol and data model messages. A management controller with an authorization role as a designated leader is configured to verify authenticity of the device, discover authorization capabilities of the device, and set the authorization role of the device as a follower.

Abstract: A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.

Abstract: An abnormal traffic detection method is provided according to an embodiment of the disclosure. The method includes: obtaining network traffic data of a target device; sampling the network traffic data by a sampling window with a time length to obtain sampling data; generating, according to the sampling data, an image which presents a traffic feature of the network traffic data corresponding to the time length; and analyzing the image to generate evaluation information corresponding to an abnormal traffic. In addition, an abnormal traffic detection device is also provided according to an embodiment of the disclosure to improve a detection ability and/or an analysis ability for the abnormal traffic and/or a malware.

Abstract: Technologies are shown for network attribution tracking for a multi-legged transaction. In accordance with some aspects, a first token is provided to a first partner service. A token request is received from a second partner service, wherein the token request includes the first token. A second token is associated with the first token, and the second token is provided to the second partner service. A transaction is attributed to the first partner service and the second partner service based on the association of the second token with the first token.

Abstract: Methods and systems disclosed herein relate generally to temporally prioritizing queries of queue-task partitions based on distributions of flags assigned to bits corresponding to access rights.

Abstract: Computer-readable media, methods, and systems are disclosed for encrypting and decrypting data pages in connection with a database employing group-level encryption. A request to load a group-level encrypted logical data page into main memory is received, the data page being identified by a logical page number. A block of group-level encrypted data is loaded into the main memory of the database system from an address corresponding to the physical block number. A block of group-level encrypted data is loaded into the main memory of the database system. A header associated with the block of group-level encrypted data is decrypted using a data-volume encryption key, and an encryption-group identifier is accessed from the decrypted header. A group-level encryption key is retrieved from a key manager, and the remainder of the block of group-level encrypted data is decrypted using the group-level encryption key.

Abstract: Embodiments of this disclosure provide techniques for communicating in a wireless communication system. In particular, a user equipment (UE) may receiving a security command message from a base station comprising an indication of an integrity protection algorithm and an indication of an encryption algorithm. The first security command message may trigger a radio resource control (RRC) traffic signaling protection procedure between the UE and the base station. The UE transmits a security command complete message to the base station. The security command complete message may trigger a packet data unit (PDU) session establishment procedure to establish a PDU session between the UE and the base station.

Abstract: An initiator device can broadcast a witness request to one or more authentication devices. The one or more authentication devices can then determine an assurance level from a range of assurance levels and determine a token share corresponding to the assurance level. The initiator device can then receive, from the one or more authentication devices, at least one witness response comprising the token share corresponding to the assurance level. The initiator device can generate an authentication token using a set of token shares. The initiator device can then transmit the authentication token to an authentication server, wherein the authentication server verifies the authentication token.

Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Abstract: A non-transitory computer-readable medium may include computer-executable instructions that, when executed, cause a processor to collect a portion of data associated with an asset from one or more sources based on a request received from a digital representation associated with the asset. The digital representation may perform a first set of simulations related to one or more operations of the asset over time. The processor may then generate a plurality of aligned datasets based the portion of the data, the one or more sources, and an identity of the asset. The processor may also aggregate the plurality of aligned datasets into a single dataset and transmit the single dataset to the digital representation to perform a second set of simulations based on the single dataset.

Abstract: Disclosed herein are devices, systems and methods for securely accessing data transferred via multiple isolated networks network, comprising adjusting one or more mapping records comprising network mapping and routing settings for a plurality of isolated networks connecting a plurality of clients to a server to expose one of the plurality of isolated networks to one or more processing engines executed by the server while concealing all other isolated networks from the respective processing engine, activating a lock configured to enable each processing engines to execute a single thread, executing the processing engine(s) to fetch data from the exposed isolated network(s), and releasing the lock. Wherein each processing engine is able to access the isolated network exposed to the respective processing engine while unable to access any of the isolated networks concealed from respective processing engine.

Abstract: A compute instance is instrumented to detect certain kernel memory allocation functions, in particular functions that allocate heap memory and/or make allocated memory executable. Dynamic shell code exploits can then be detected when code executing from heap memory allocates additional heap memory and makes that additional heap memory executable.

Abstract: Memory access circuitry enforces ownership rights for memory regions. A given memory region is associated with an owner realm specified from multiple realms, each realm corresponding to a portion of at least one software process executed by processing circuitry. A realm management unit (RMU) is provided to perform realm management operations for managing the realms. The memory access circuitry controls access to a given memory region in dependence on at least one status attribute specifying whether the given memory region is an RMU-private memory region reserved for exclusive access by the RMU.

Abstract: In exemplary aspects, a golden data structure can be used to validate the stability of machine learning (ML) models and weights. The golden data structure includes golden input data and corresponding golden output data. The golden output data represents the known correct results that should be output by a ML model when it is run with the golden input data as inputs. The golden data structure can be stored in a secure memory and retrieved for validation separately or together with the deployment of the ML model for a requested ML operation. If the golden data structure is used to validate the model and/or weights concurrently with the performance of the requested operation, the golden input data is combined with the input data for the requested operation and run through the model. Relevant outputs are compared with the golden output data to validate the stability of the model and weights.

Abstract: Some embodiments may facilitate boot-specific key access to perform cryptographic operations. A first boot record and a second boot record may be generated independently in response to a request to boot a virtual device. The first and second boot records may be compared and in response to a match between the first boot record and the second boot record, an identify certificate may be obtained. Authorization to access and use a key for cryptographic operations may be obtained in response to a verification of the identity certificate by a cryptographic processor.

Abstract: A unified data fabric for controlling data lifecycles and data flows between trusted data sources and data clients is described herein. A system can include a data ingestion engine and a data delivery engine. The data ingestion engine and the data delivery engine are connected to a data lifecycle engine that maintains data control policies and access control policies. The data ingestion engine is configured to control ingestion of data elements into the unified data fabric based on the data control policies, and the data delivery engine is configured to control access to data elements in the unified data fabric based on access control policies. Each data element from one or more trusted data sources is associated with a global identifier to provide a comprehensive view of information about a constituent from a variety of disparate data sources.