Patents Examined by Zachary Davis
  • Patent number: 11063754
    Abstract: Systems, devices, and methods for hybrid secret sharing are disclosed. In accordance with embodiments, a computing device may encrypt the secret message using a first encryption key to generate an encrypted secret message. The computing device may also split a second encryption key into a plurality of key shares in accordance with a threshold number. The threshold number is less than or equal to the number of the plurality of key shares. Then, the computing device may transmit a plurality of messages. Each message of the plurality of messages comprises the encrypted secret message and one of the plurality of key shares.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: July 13, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Amirhossein Vakili, Yin Tan
  • Patent number: 11055432
    Abstract: Techniques are described for budget tracking in a differentially private security system. A request to perform a query of a private database system is received by a privacy device from a client device. The request is associated with a level of differential privacy. A privacy budget corresponding to the received request is accessed by the privacy device. The privacy budget includes a cumulative privacy spend and a maximum privacy spend, the cumulative privacy spend representative of previous queries of the private database system. A privacy spend associated with the received request is determined by the privacy device based at least in part on the level of differential privacy associated with the received request. If a sum of the determined privacy spend and the cumulative privacy spend is less than the maximum privacy spend, the query is performed. Otherwise a security action is performed based on a security policy.
    Type: Grant
    Filed: April 14, 2018
    Date of Patent: July 6, 2021
    Assignee: LeapYear Technologies, Inc.
    Inventors: Christopher Hockenbrocht, Ishaan Nerurkar, Liam Damewood, Mihai Maruseac, Alexander Rozenshteyn
  • Patent number: 11048823
    Abstract: Disclosed is a system and method of obtaining data in a system in which share volumes of the data are dispersed across a communication network. A first computer requesting the data forwards the request to a second computer. The second computer determines if another computer has reassembled the data, and if so, responds to the first computer that the request cannot be granted. Otherwise, the second computer enables the first computer to access personal information associated only with a user of the first computer that authorizes the user to access the data. The personal information is used to determine reassembly information necessary to reassemble the data. The reassembly information is used to reassemble the data. The personal information may then be destroyed. The reassembled data is dispersed across the communication network. New personal information is created for the user.
    Type: Grant
    Filed: March 9, 2017
    Date of Patent: June 29, 2021
    Assignee: BITSPRAY CORPORATION
    Inventors: Walter H. Runkis, Donald E. Martin, Jeffrey J. Bromberger, Peter A. Scott
  • Patent number: 11044268
    Abstract: A system for identifying Internet attacks may include: a Web server having a Web application residing therein; a Traffic Inspector; and a Traffic Analyzer. The Traffic Inspector may add an agent code portion to DOM server code received from the Web server to thereby generate DOM client code, and may send the DOM client code to a Web browser residing in at least one client computer. The Web browser may automatically generate DOM rendered code. The agent code portion may automatically instruct the Web browser to send the DOM rendered code to the Traffic Inspector. The Traffic Inspector may send at least the DOM client code and the DOM rendered code to the Traffic Analyzer. An algorithm application residing in the Traffic Analyzer may process the DOM rendered code and compare the processed DOM rendered code with the DOM client code to identify at least one code difference.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: June 22, 2021
    Inventors: Nicolò Pastore, Carmine Giangregorio, Paolo Rimmaudo, Matteo Paolo Bogana
  • Patent number: 11019101
    Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.
    Type: Grant
    Filed: December 2, 2016
    Date of Patent: May 25, 2021
    Assignee: NetSkope, Inc.
    Inventors: Krishna Narayanaswamy, Lebin Cheng, Abhay Kulkarni, Ravi Ithal, Chetan Anand, Rajneesh Chopra
  • Patent number: 11005889
    Abstract: Systems, computer program products and methods implementing consensus-based policy management are described. A policy administration point communicates with multiple user devices through policy collaboration plugins. Each user device includes a computer through which an administrator can edit a policy. A first user device can obtain a policy from the policy administration point for editing. The first user device stores the edited policy in a policy store. The first user device notifies one or more second user devices of the edit. Administrators on the second user devices can approve or disapprove the edit. Each second user device notifies the first user device of a respective approval or disapproval. The first user device can determine whether the edit is acceptable based on consensus. The policy store can be implemented locally to the first user device, in a centralized place, or distributed as a blockchain.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: May 11, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Benjamin L. Weintraub
  • Patent number: 11005666
    Abstract: A tampering verification system and method for financial institution certificates are based on blockchain and verify whether one of the financial institution certificates has been tampered with by comparing the contents of the financial institution certificate at the point of first being generated by a financial institution and at the point of client issue.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: May 11, 2021
    Assignee: COINPLUG, INC.
    Inventors: Joon Sun Uhr, Jay Wu Hong, Joo Han Song
  • Patent number: 10999324
    Abstract: A method, system and computer-usable medium are disclosed for enforcing a security policy, comprising: determining when an endpoint device initiates a web transaction with a web server, the endpoint device initiating the web transaction with a web-enabled application; establishing a side channel to a security service when the endpoint device initiates the web transaction with the web-enabled application; performing a categorization and policy enforcement operation via the security service in parallel with initiating the web transaction, the categorization and policy enforcement operation determining a security policy result regarding the web transaction; withholding content resulting from performance of the web transaction until the security policy result is provided by the security service, the content being withheld at the endpoint device; and, releasing the content resulting from the web transaction to the web-enabled application of the endpoint device upon receipt of an affirmative policy result from the
    Type: Grant
    Filed: August 1, 2017
    Date of Patent: May 4, 2021
    Assignee: Forcepoint, LLC
    Inventors: Roman Kleiner, Yuen-Pin Yeap, Jason Wieland
  • Patent number: 10970400
    Abstract: Generation of a first prediction model is caused based on first training data, where the first prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack. For each training instance in the first training data, the first prediction model is used to generate a score. Each training instance is added to second training data if the score is greater than a threshold value. The second training data is a subset of the first training data. Generation of a second prediction model is caused based on the second training data, where the second prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: April 6, 2021
    Assignee: KENNA SECURITY, INC.
    Inventors: Michael Roytman, Jay Jacobs
  • Patent number: 10958452
    Abstract: A system and device, including reconfigurable physical unclonable functions (‘RPUFs’) and threshold cryptography, use cryptographic and physical means of security. A plurality of reconfigurable physical unclonable functions (‘RPUFs’) and a memory are connected to a processor that is configured to derive information associating the RPUFs with cryptographic shares of a sensitive value, store such information in the memory, and reconfigure an RPUF upon powering up of the device such that information stored in the memory is not valid for the reconfigured RPUF.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: March 23, 2021
    Assignee: Analog Devices, Inc.
    Inventors: John Ross Wallrabenstein, Thomas Joseph Brindisi
  • Patent number: 10938567
    Abstract: Systems, apparatus, methods, and articles of manufacture are described herein for providing for a proof-of-work parallel-chain architecture for a distributed ledger system (e.g., a blockchain) with efficient throughput and security.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: March 2, 2021
    Assignee: KADENA LLC
    Inventors: William Martino, Stuart Popejoy, Monica Quaintance
  • Patent number: 10929553
    Abstract: The application provides a managing method and device for a sensor access authority, and relates to the field of information security. The method includes: determining a second sensor corresponding to a first sensor and having a type different from the first sensor in response to adjustment of an access authority of an application program to the first sensor, and then adjusting the access authority of the application program to the second sensor. The second sensor corresponding to a first sensor is determined when an access authority of an application program to the first sensor is adjusted, and the access authority of the application program to the second sensor is adjusted, thereby avoiding the second sensor collecting and leaking privacy information of the user and protecting privacy security of the user.
    Type: Grant
    Filed: December 2, 2016
    Date of Patent: February 23, 2021
    Assignee: BEIJING ZHIGU RUI TUO TECH CO., LTD.
    Inventors: Kuifei Yu, Ran Xu
  • Patent number: 10911449
    Abstract: Systems and methods for extending and re-using an IP multimedia subsystem (IMS) to extend the trust relationship from a closed group of customers of wireless service providers to users of other ecosystems (e.g., GMAIL, FACEBOOK, or YAHOO!) for IMS services are disclosed. Some embodiments include receiving a request from an initiating device to establish a service connection between the initiating device and an endpoint through an Internet Protocol Multimedia Subsystem (IMS) session. The request may include third-party domain credentials (e.g., maintained by a third-party domain) associated with an end-user. The third-party domain credentials can be extracted from the request. Communications with the third-party domain can be used to verify the third-party domain credentials. The IMS session can be established between the initiating device and the endpoint upon verification of the third-party domain credentials.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: February 2, 2021
    Assignee: T-Mobile USA, Inc.
    Inventors: Mehul Shah, Cameron Byrne
  • Patent number: 10911478
    Abstract: Methods are provided for building and tuning a correlation data structure. The correlation data structure includes relationship correlations with relationship scores that reflect the level of correlation between alert conditions and feature set events that occurred in a machine. Each relationship correlation further includes a time of influence associated with the times of occurrence for each alert condition and corresponding feature set event. The correlation data structure is built and tuned using sourcing to leverage the alert conditions and feature set events on each machine for all machines in the network. Methods are also provided to use the correlation data structure to monitor the machines in a network, detect feature set events, and detect if alert conditions correlated with those feature set events are likely to occur. The methods further provide for mitigating those alert conditions.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: February 2, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Dotan Patrich, Vlad Korsunsky, Maya Maimon, Moshe Israel, Oran Brill, Tomer Teller
  • Patent number: 10826689
    Abstract: A data file is encrypted with a file-specific encryption key and sent to a remote data storage system. The file-specific encryption key is encrypted with a master key. The encrypted file-specific encryption key and the master key are both stored remotely from the encrypted file and they are stored remotely from one another.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: November 3, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Charles Oliver, Ming-wei Wang, Mingquan Xue, Christopher Paul Holder, Daniel Keith Winter, Parul Manek
  • Patent number: 10805797
    Abstract: A hotspot provides an open wireless network and a secure wireless network. The open wireless network has no network-level encryption and allows open association therewith. The secure wireless network employs network-level encryption and requires authentication of a received access credential from a client device before allowing association therewith. A system for authorizing the client device for secured access at the hotspot includes an access controller configured to establish an encrypted connection between the client device and a login portal of the hotspot over the open wireless network, and to store a user-specific access credential transmitted via the encrypted connection as a valid access credential in a credential database. The credential database is accessed by wireless access points of the hotspot to authenticate the received access credential from the client device in response to a request from the client device to associate with the secure wireless network.
    Type: Grant
    Filed: April 10, 2019
    Date of Patent: October 13, 2020
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventors: Ellison W. Bryksa, Andrew T. MacMillan
  • Patent number: 10798108
    Abstract: A method and a system embodying the method for a multi-entity secure software transfer are disclosed, the method operating by: configuring a communication interface controller at each trusted hardware entity of a first hardware entity and a second hardware entity to disallow all external access except a communication link configuration access; establishing the communication link between the first hardware entity and the second hardware entity; configuring write access from the second hardware entity to only a first storage at the first hardware entity; and writing the secure software received from the second hardware entity via the communication link to the first storage at the first hardware entity.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: October 6, 2020
    Assignee: Marvell Asia Pte, Ltd.
    Inventor: Wilson Parkhurst Snyder, II
  • Patent number: 10791099
    Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: September 29, 2020
    Assignee: CLOUDFLARE, INC.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
  • Patent number: 10715334
    Abstract: Various embodiments include one or more of systems, methods, software, and data structures for validating a digital signature, wherein common information in a certification chain is maintained in one entry of a Document Secure Store (DSS). The DSS separates the Long Term Validation (LTV) information from the digital signature, allowing amendment of and addition to the LTV information in the DSS after a digital signature is applied to a document.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: July 14, 2020
    Assignee: Adobe Inc.
    Inventors: Isak Tenenboym, Marc T. Kaufman, Philip Levy
  • Patent number: 10701097
    Abstract: A non-transitory processor-readable medium stores code that represents instructions that, when executed at a processor, cause the processor to access an attack description; intercept a data set from an application via an application programming interface (API), where the intercepted data set is based on an attack data set and where the attack data set is used to test for a security vulnerability in the application; correlate, using a Hamming distance, the intercepted data set with the attack description using a correlation type identifier; and report the security vulnerability for the application in response to the intercepted data set based at least in part on a result of the correlation.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: June 30, 2020
    Assignee: MICRO FOCUS LLC
    Inventors: Matias Madou, Brian V. Chess, Sean Patrick Fay