Patents Examined by Trang T Doan
  • Patent number: 11663312
    Abstract: Accelerator access control whereby an application's access to an accelerator is revoked in order to allow the system to perform a system function. In one or more embodiments, when an application is executing, a credit system is utilized to provide credits for controlled access to the accelerator. When request information is received to remove access to a credit associated with the application's access to the accelerator, the credit is marked to fail with operating system interfaces. Also, in one or more embodiments, if the credit is in use for accessing the accelerator, an effective address associated with the credit is unmapped from the accelerator.
    Type: Grant
    Filed: September 14, 2018
    Date of Patent: May 30, 2023
    Assignee: International Business Machines Corporation
    Inventors: Brian F. Veale, Bruce Mealey, Andre L. Albot, Nick Stilwell
  • Patent number: 11665538
    Abstract: A system for transmitting an identification code in a telecommunications system via a mobile device. The mobile device includes a component to embed an identification code by generating an inaudible signal. The inaudible signal is either ultrasonic or infrasonic. The mobile device also generates an audible signal based on information received from a microphone associated with the mobile device, merges the inaudible signal with the audible signal to produce a combined signal, and transmits the combined signal from the mobile device to the other device via the wireless network.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: May 30, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ravithej Chikkala, Su Liu, Hamid Majdabadi, Manjunath Ravi
  • Patent number: 11659003
    Abstract: Systems, computer-implemented methods, and computer program products that facilitate container inspection components of a container-based virtualization environment are provided. According to an embodiment, a system can comprise a memory that stores computer executable components and a processor that executes the computer executable components stored in the memory. The computer executable components can comprise a container inspection control component that can define one or more constrained capabilities of a container inspection. The computer executable components can further comprise a container inspection component that can inspect a virtual container based on the one or more constrained capabilities.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: May 23, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Sahil Suneja, Canturk Isci
  • Patent number: 11650935
    Abstract: Technologies for secure key provisioning include a computing device having a processor with secure enclave support and a manageability controller. The manageability controller receives a secret key from a network source via a network interface that is isolated from untrusted software of the computing device. The manageability controller authenticates a secure enclave of the computing device and, if successful, securely provisions a session key derived from the secret key to the secure enclave. The manageability controller may provision additional session keys after expiration of the session key. The manageability controller may monitor for revocation of the secret key by the network source. If revoked, the manageability controller does not provision additional session keys to the secure enclave. The manageability controller may also provision the session key to a sensor device protected by the secret key, which is pre-provisioned to the sensor device. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: May 16, 2023
    Assignee: INTEL CORPORATION
    Inventors: Richard Edgecombe, Reshma Lal
  • Patent number: 11632396
    Abstract: Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.
    Type: Grant
    Filed: August 10, 2018
    Date of Patent: April 18, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Siu-Wang Leung, Song Wang, Yueh-Zen Chen
  • Patent number: 11625490
    Abstract: Privacy protection methods, systems, and apparatus, including computer programs encoded on computer storage media, are provided. One of the methods is performed by a second computing device and includes: receiving a data request for object data from a first computing device, wherein the object data is associated with an object and is stored in the second computing device; performing encryption of the object data using a public key associated with the object based on the data request to generate a first ciphertext; obtaining verification data based on the first ciphertext for verifying whether a ciphertext to be verified corresponds to the object data; and sending the verification data to the first computing device for the first computing device to execute a cryptography protocol with a third computing device based on the verification data.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: April 11, 2023
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Lichun Li, Shan Yin, Zheng Liu
  • Patent number: 11621826
    Abstract: A method for performing authentication of a client device using a hash chain includes: receiving a first data request from a client device, the first data request including at least a user identifier and a first hash value; transmitting a first data response message to the client device; receiving a second data request from the client device, the second data request including at least the user identifier and a second hash value; generating a validating hash value by applying a hashing algorithm to the second hash value; validating the first hash value as being equal to the generated validating hash value; and transmitting a second data response message to the client device upon successful validation of the first hash value, wherein the second data response message includes one or more data values associated with the user identifier.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: April 4, 2023
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Steven C. Davis, Jason Jay Lacoss-Arnold
  • Patent number: 11580253
    Abstract: A system, method, and computer program product are provided for centralized consent management. In operation, the consent management system receives user selections from a user indicating which user data is capable of being utilized for analysis by a company. The consent management system stores the user selections of which user data is capable of being utilized for analysis by the company in a consent database. The consent management system generates a consent vector corresponding to the user selections of which user data is capable of being utilized for analysis by the company. Additionally, the consent management system associates the consent vector with a consent vector identification. Further, the consent management system tags incoming data with the consent vector identification to associate a user consent with the incoming data. The consent management system stores and encodes the incoming data.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: February 14, 2023
    Assignee: AMDOCS DEVELOPMENT LIMITED
    Inventors: Troy C. Lyons, Royee Barak, Hod Cohen, Anders Rolff, Nir Pedhazur, Allon Dafner
  • Patent number: 11570619
    Abstract: A communication apparatus includes an authentication unit that sets a communication parameter for connecting to a wireless network, and executes authentication processing, with a base station, for registering the communication apparatus to the base station that forms the wireless network, as a management apparatus that is allowed to connect another apparatus to the wireless network, a setting unit that, based on information acquired from code information captured through imaging, sets the communication parameter to another communication apparatus corresponding to the code information, and a registration unit that executes registration processing for registering the other communication apparatus to the base station as the management apparatus, based on at least a condition that the communication parameter is set to the other communication apparatus by the setting unit.
    Type: Grant
    Filed: September 19, 2019
    Date of Patent: January 31, 2023
    Assignee: Canon Kabushiki Kaisha
    Inventor: Tatsuhiko Sakai
  • Patent number: 11558368
    Abstract: Systems and methods are provided for a content-based security for computing devices. An example method includes identifying content rendered by a mobile application, the content being rendered during a session, generating feature vectors from the content and determining that the feature vectors do not match a classification model. The method also includes providing, in response to the determination that the feature vectors do not match the classification model, a challenge configured to authenticate a user of the mobile device. Another example method includes determining a computing device is located at a trusted location, capturing information from a session, the information coming from content rendered by a mobile application during the session, generating feature vectors for the session, and repeating this until a training criteria is met. The method also includes training a classification model using the feature vectors and authenticating a user of the device using the trained classification model.
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: January 17, 2023
    Assignee: Google LLC
    Inventors: Matthew Sharifi, Kai Wang, David Petrou
  • Patent number: 11546379
    Abstract: Examples provided herein describe a method for providing security for Internet of Things (IoT) devices. For example, a data packet from an IoT device may be received at an edge device. A signature associated with the IoT device may be accessed at the edge device, where the signature includes network layer information about the IoT device. A set of rules may be applied by the edge device to validate the IoT device based on the accessed signature. Responsive to the IoT device being validated based on the accessed signature, received data packet, and the applied set of rules, the edge device may process the data packet from the IoT device.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: January 3, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ramlakhan Patel, Ankit Kumar Sinha, Praveen Kumar Arora, Rangaprasad Sampath
  • Patent number: 11533295
    Abstract: A method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network. The method includes receiving, at a tunnel gateway server within the cloud network, a first set of packets via a tunnel across a public network from a first server within the enterprise network, where the first set of packets were generated responsive to the first server receiving a second set of packets that originated from within the enterprise network and that included data and a source enterprise network address, where the first set of packets does not include the source enterprise network address and the data includes a token. The method further includes transmitting, by the tunnel gateway server, the data within a third set of packets to a second server that acts as if it were an enterprise server within the enterprise network.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: December 20, 2022
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Sagie Dulce, Daniella Goihman-Shuster, Shahar Ben-Hador
  • Patent number: 11526583
    Abstract: An encryption scheme is provided in which subset-difference lists are generated by blacklisting subsets corresponding to compromised devices and splitting subset difference lists corresponding to the blacklisted subsets into multiple subset difference lists. In some embodiments, a subset-difference tree is generated. The subset-difference tree includes a plurality of subsets. The subset-difference tree covers a plurality of nodes. Each of the plurality of subsets has an apex node among the plurality of nodes. At least one blacklisted node of the plurality of nodes is determined. A first subset among the plurality of subsets is identified that covers the at least one blacklisted node. A plurality of substitute subsets is determined. Each of the plurality of substitute subsets overlaps the first subset and does not cover the at least one blacklisted node. The plurality of substitute subsets are substituted for the first subset.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: December 13, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John B. Geagan, Dulce B. Ponceleon
  • Patent number: 11514189
    Abstract: A data collection and analysis method includes applying a first noise step to an original data stream with an original character to generate a first data stream with a first character; and applying a second noise step to the first data stream to generate a second data stream with a second character, wherein a first variation between the original character and the first character is greater than a second variation between the original character and the second character.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: November 29, 2022
    Assignee: ETRON TECHNOLOGY, INC.
    Inventors: Yao-Tung Tsou, Hao Zhen, Ching-Ray Chang, Sy-Yen Kuo
  • Patent number: 11507647
    Abstract: The fingerprint-based login method includes: waking up an operating system of a terminal device where a fingerprint sensor is disposed based on a detected non-press-type touch operation against the fingerprint sensor; controlling the fingerprint sensor to acquire fingerprint data based on a fingerprint data acquisition instruction sent by the waken-up operating system; storing the acquired fingerprint data to a designated security region in the terminal device by the waken-up operating system; and judging whether the fingerprint data stored in the designated security region matches fingerprint password data by the waken-up operating system upon detecting a press-type touch operation against the fingerprint sensor, such that a login operation is performed in the operating system if the stored fingerprint data matches the fingerprint password data, the problem that the fingerprint modules using the conventional MCUs failing to satisfy the requirements may not implement the system login function is effectively s
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: November 22, 2022
    Assignee: SHENZHEN GOODIX TECHNOLOGY CO., LTD.
    Inventors: Ruifeng Li, Bing Wang, Wenbin Sun
  • Patent number: 11500988
    Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Reinhard T. Buendgen, Tamas Visegrady, Ingo Franzki
  • Patent number: 11487889
    Abstract: Techniques to manage mobile devices are disclosed. In various embodiments, a request to perform a management action with respect to a mobile device is received from a mobile device management (MDM) authority. A scope of authority of the MDM authority with respect to the mobile device is determined. The management action is caused to be performed with respect to the mobile device based at least in part on the determined scope of authority of the MDM authority with respect to the mobile device.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: November 1, 2022
    Assignee: MOBILE IRON, INC.
    Inventors: Suresh Kumar Batchu, Mansu Kim
  • Patent number: 11487903
    Abstract: Systems and methods for controlling the exposure of data privacy elements are provided. The systems and methods may generate an artificial profile model. The artificial profile model may include a constraint for generating new artificial profiles. A signal may be received indicating that a computing device is requesting access to a network location. One or more data privacy elements associated with the computing device can be detected. An artificial profile can be determined for the computing device. The artificial profile may be usable to identify the computing device. The one or more data privacy elements may be automatically modified according to the constraint included in the artificial profile model. The method may include generating a new artificial profile for the computing device. The new artificial profile may include the modified one or more data privacy elements. The new artificial profile may mask the computing device from being identified.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: November 1, 2022
    Assignee: GREY MARKET LABS, PBC
    Inventors: Kristopher Paul Schroeder, Timothy Ryan Underwood
  • Patent number: 11483140
    Abstract: Trusted nodes in a network perform secure out-of-band symmetric encryption key delivery to user devices. A first trusted node receives a request from a first user device to deliver symmetric encryption keys to the first user device and a second user device, as a pair of user devices. The first trusted node delivers a second symmetric encryption key to the second user device, via trusted nodes. The first trusted node receives confirmation of delivery of the second symmetric encryption key. Responsive to the confirmation of delivery, the first trusted node delivers the first symmetric encryption key to the first user device.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: October 25, 2022
    Assignee: QUANTUMXCHANGE, INC.
    Inventors: John Prisco, Gene Savchuk, Gary Benedetti, Eric Hay, Aliki Marinos, Stacey Sweeney
  • Patent number: 11443033
    Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to an instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: September 13, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Manuel Costa