Patents Examined by Zoha Piyadehghibi Tafaghodi
  • Patent number: 11023594
    Abstract: Technologies are disclosed for computing heavy hitter histograms using locally private randomization. Under this strategy, “agents” can each hold a “type” derived from a large dictionary. By performing an algorithm, an estimate of the distribution of data can be obtained. Two algorithms implement embodiments for performing methods involving differential privacy for one or more users, and usually are run in the local model. This means that information is collected from the agents with added noise to hide the agents' individual contributions to the histogram. The result is an accurate enough estimate of the histogram for commercial or other applications relating to the data collection of one or more agents. Specifically, the proposed algorithms improve on the performance (measured in computation and memory requirements at the server and the agent, as well as communication volume) of previous solutions.
    Type: Grant
    Filed: May 22, 2018
    Date of Patent: June 1, 2021
    Assignee: Georgetown University
    Inventors: Yaacov Nissim Kobliner, Uri Stemmer, Raef Bahi Youssef Bassily, Abhradeep Guha Thakurta
  • Patent number: 11023569
    Abstract: An example computing device includes a functional encryption unit configured to generate a master secret key and public key; apply functional encryption using the public key to biometric information of a user to produce functionally encrypted biometric information, the functional encryption is based on an encryption function that encodes the biometric information, a computation engine configured to perform re-enrollment by at least one of 1) retrieving a pre-generated function key from a memory, or 2) retrieving a dynamically generated function key from the one or more storage nodes that can be inaccessible during user authentication, the function key dynamically generated using the master secret key, and applying, using the function key and functionally encrypted biometric information, a decryption operation to generate new helper data, wherein the new helper data is generated as an evaluation of a cryptographic function during the decryption operation without the need to decrypt the biometric information.
    Type: Grant
    Filed: May 29, 2018
    Date of Patent: June 1, 2021
    Assignee: SRI International
    Inventors: Karim Eldefrawy, Tancrede Lepoint
  • Patent number: 11012089
    Abstract: A system and method to encrypt a block of data is disclosed. A block of original data is retrieved from a data store, block of original data including a N number of words, each word including one or more bits of data. A multiplier matrix is provided, the multiplier matrix having N×N words, a plurality of sub matrices arranged diagonally within the N×N matrix, with each of the sub matrix arranged as a binomial matrix. All the words in the multiplier matrix not part of the sub matrix are set to zero. The block of original data is multiplied with the multiplier matrix to generate a block of modified original data with N number of words.
    Type: Grant
    Filed: May 23, 2018
    Date of Patent: May 18, 2021
    Inventor: Geoffrey Arthur Boyd
  • Patent number: 11005645
    Abstract: A data partition unit partitions character string data $D$ into $N$ pieces of element data $w_1, w_2, \ldots, w_N$ from a front to an end of the character string data $D$. A partial character string generation unit generates a set $A=\{A_1, A_2, \ldots, A_N\}$ and an element $A_i=\{(w_i), (w_i w_{i+1}), \ldots, (w_i w_{i+1} \ldots w_N)\}$ of the set $A$ where $i=1, \ldots, N$, from the element data $w_1, w_2, \ldots, w_N$. A position information assignment unit generates a set $B=\{B_1, B_2, \ldots, B_N\}$ and an element $B_i=\{(i, w_i), (i, w_i w_{i+1}), \ldots, (i, w_i w_{i+1} \ldots w_N)\}$ of the set $B$ by associating each of $(w_i), (w_i w_{i+1}), \ldots, (w_i w_{i+1} \ldots w_N)$ which are components of the element $A_i$ with position information $i$. An encryption unit encrypts each of $(i, w_i), (i, w_i w_{i+1}), \ldots, (i, w_i w_{i+1} \ldots w_N)$ which are components included in the element $B_i$.
    Type: Grant
    Filed: January 15, 2016
    Date of Patent: May 11, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Takato Hirano, Yutaka Kawai
  • Patent number: 11004124
    Abstract: A method for signing up a user to a service for controlling at least one functionality in a vehicle (10) by means of a user terminal (20) comprises the following steps: —communicating a user identifier and an identifier associated with the vehicle (10) to a server (50); —having the server (50) authenticate an electronics unit (11) of the vehicle (10); —in the event of successful authentication, registering the user identifier and the identifier associated with the vehicle (10) in association with one another in the server (50).
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: May 11, 2021
    Inventors: Eric Menard, Bruno Benteo, Fabienne Masson
  • Patent number: 10997279
    Abstract: Embodiments for watermarking anonymized datasets using decoys in a computing environment are provided. One or more decoy records may be embedded in an anonymized dataset such that a re-identification attack on the anonymized dataset targets the one or more decoy records.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: May 4, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Spyridon Antonatos, Stefano Braghin, Naoise Holohan, Pol MacAonghusa
  • Patent number: 10997309
    Abstract: Techniques for making preliminary authorization determinations based on partial contextual information are disclosed. In one or more embodiments, an API receives an authorization request and partial contextual information associated with the authorization request. The API submits the partial contextual information to an authorization service, without submitting complete contextual information associated with the authorization request. The API receives, from the authorization service, a preliminary authorization response based on the partial contextual information. The preliminary authorization includes one of (a) denial of the authorization request and (b) non-denial of the authorization request.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: May 4, 2021
    Assignee: Oracle International Corporation
    Inventors: Helali Bhuiyan, Daniel M. Vogel
  • Patent number: 10999067
    Abstract: Systems and methods for managing data stream identity are provided. Ownership information regarding a data stream may be analyzed to identify at least one owner. The data stream may be filtered to identify at least one portion that is associated with the identified owner. A unique identifier may be assigned to the identified portion. The identified portion may be stored in memory in association with the assigned unique identifier and information regarding the identified owner. Access to the identified portion may be controlled based on settings set by the identified owner.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: May 4, 2021
    Assignee: CLOUDENTITY, INC.
    Inventor: Nathanael Coffing
  • Patent number: 10986132
    Abstract: A system for real time federation of file permissions for digital content protection is described. The system automatically protects the files as the files leave application boundaries and then ensures that the files can only be used as per the permissions defined on those files while they were inside the application. The system also provides real time federation of policies with the application that generated the file and automatic protection of files as the files leave the application boundary. The system thus creates a single integral platform that is easy to access as well as reliable, and provides ease-of-use, advanced technology, and connectivity that delivers automated file protection.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: April 20, 2021
    Assignee: Seclore Technology Private Limited
    Inventors: Abhijit Tannu, Manjul Kubde
  • Patent number: 10963553
    Abstract: Security management techniques for service authorization for communication systems are provided. In one or more methods, a first element or function in a home network of a communication system registers a second element or function in the home network as a service consumer of one or more services provided by at least a third element or function in the home network, receives a request from the second element or function, and provides an access token to the second element or function responsive to authenticating the second element or function, the access token being used by the second element or function to access the one or more services provided by the third element or function.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: March 30, 2021
    Assignee: Nokia Technologies Oy
    Inventors: Nagendra S. Bykampadi, Suresh P. Nair
  • Patent number: 10955662
    Abstract: Disclosed herein are systems and methods for device authentication or pairing. In an aspect, a wearable display system comprises a display, an image capture device configured to capture images of a companion device, a computer-readable storage medium configured to store the images of the companion device, and a processor in communication with the image capture device and the storage medium. The processor can be programmed with executable instructions to receive a first image of a first optical pattern displayed by the companion device captured by the image capture device, wherein the first optical pattern is generated by the companion device based on first shared data, extract first data from the first optical pattern in the received first image, authenticate the companion device based on the first data extracted from the first optical pattern, and notify a user of the wearable display system that the companion device is authenticated.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: March 23, 2021
    Assignee: Magic Leap, Inc.
    Inventors: Nitin Singh, Adrian Kaehler
  • Patent number: 10944566
    Abstract: A computer-implemented method, computerized apparatus and computer program product for supporting fairness in secure computations. A trusted execution platform with remote attestation (“enclave”) is provided to each of a plurality of participants. An authenticated public ledger accessible by all participants is also provided. Each of the enclaves is configured for obtaining at least a portion of an input to a function for computing a joint secret output, complementing the input by obtaining any remainder portion(s) thereof from one or more other enclaves, and, responsive to obtaining an indication from the ledger that the output can be computed by each of the enclaves, providing to the owner participant the output computed using the function and input. At least one of the enclaves is further configured for providing the indication to the ledger responsive to obtaining knowledge that the output can be computed by each of the enclaves.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: March 9, 2021
    Assignee: International Business Machines Corporation
    Inventor: Danny Harnik
  • Patent number: 10938814
    Abstract: Embodiments of the disclosure provide a method of incorporating multiple authentication systems and protocols. The types of authentication systems and protocols can vary based on desired assurance levels. A Centralized Authentication System together with an authentication policy dictates acceptable authentication systems. Authorization data for each authorization system are captured and packaged into a single Object Data Structure. The authorization data can be compared to data stored in an identity store for authentication. The authorization data can also be used for user and device registration and for transferring an authentication or registration token from a previously authenticated and registered device to a new device.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: March 2, 2021
    Assignee: Aetna Inc.
    Inventors: Salil Kumar Jain, Abbie Barbir
  • Patent number: 10924495
    Abstract: This application provides a verification method, apparatus, and system that are used for network application access, and the method includes: performing, by a verification server, user identity verification on a terminal, where the user verification request includes first location information; generating, by the verification server, an encrypted token according to the first location information in the user verification request after determining that the terminal succeeds in the user identity verification; and sending, by the verification server, the encrypted token to a control device. It may be determined whether a terminal that performs content access is a terminal used by a user on which user verification is performed. Therefore, this can effectively avoid an application-layer-based network attack such as an MITM attack, and further effectively improve security of the network application access.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: February 16, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Shucheng Liu
  • Patent number: 10915463
    Abstract: A method includes determining, by a tracker controller of a hardware security module, that a first processor has submitted a first request to access a computing resource. The method also includes determining, by the tracker controller, whether the first request and a second request both request access to the same computing resource. The second request is submitted by a second processor. The method also includes preventing access to the computing resource based on a determination that the first request and the second request do not request access to the same computing resource. The method also includes permitting access to the computing resource based on a determination that the first request and the second request both request access to the same computing resource.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: February 9, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Silvio Dragone, Nihad Hadzic, William Santiago Fernandez, Tamas Visegrady
  • Patent number: 10911448
    Abstract: An apparatus and a method for registering a device in a cloud server are provided. The apparatus includes detecting the device by using short-range communication, requesting an authentication code used for registering the device in the cloud server from an account server in response to the device being detected, receiving the authentication code from the account server, and transmitting the received authentication code and connection address information of the cloud server to the device.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: February 2, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ji-hun Ha, Hee-won Park
  • Patent number: 10887350
    Abstract: Syncing compliance policies on a private cloud network and a public cloud network is disclosed. The technology accesses a hybrid cloud environment including: at least one private cloud network and at least one public cloud network. A private policy gateway appliance is coupled with the private cloud network and a public policy gateway appliance, in communication with the private policy gateway appliance, is coupled with the public cloud network. One or more policy rules for the hybrid cloud environment are provided to the private policy gateway appliance which then disseminates the one or more policy rules to the public policy gateway appliance, such that the one or more policy rules are synced for the at least one private cloud network and the at least one public cloud network.
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: January 5, 2021
    Assignee: Nicira, Inc.
    Inventors: Vaibhav Kulkarni, Aditya Gokhale
  • Patent number: 10887326
    Abstract: A method includes obtaining a dictionary, data for a set of web requests, and definitions of a first set of clusters associated with vulnerability scanners. The method includes identifying a set of clients that transmitted the second set of web requests. The method includes generating a second set of feature vectors, which each corresponds to one of the clients. Each element in each feature vector corresponds respectively to an entry in the dictionary. The method includes clustering the second set of feature vectors into a second set of clusters. The method includes, in response to a first distance between a selected cluster of the second set of clusters and one of the first set of clusters being less than a first predetermined distance, (i) identifying one of the set of web services that received web requests corresponding to feature vectors in the selected cluster and (ii) generating a scanning alert.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: January 5, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Josef Weizman, Tomer Koren, Ram Haim Pliskin, Hani Hana Neuvirth, Dotan Patrich
  • Patent number: 10880299
    Abstract: Computer systems and methods are provided for using a machine learning system to analyze authentication information. First authentication information for a first transaction includes at least a first image that corresponds to a first identification document is received. First validation information that corresponds to a first validation fault is received from a validation system. Data storage of a machine learning system stores the first validation information. Second authentication information for a second transaction includes a second image that corresponds to a second image is received. The machine learning system determines a first validation value that corresponds to a probability that the second image includes the first validation fault. The first validation value is used to determine whether fault review criteria are met. In accordance with a determination that the fault review criteria are met, the second image is transmitted to the validation system.
    Type: Grant
    Filed: May 30, 2018
    Date of Patent: December 29, 2020
    Assignee: Jumio Corporation
    Inventors: Attila Balogh, Reinhard Hochrieser, Radu Rogojanu
  • Patent number: 10862670
    Abstract: A system may include a plurality of matching block cipher devices, and a hardware state machine communicatively coupled to each of the plurality of matching block cipher devices. Each of the plurality of matching block cipher devices can be independently invoked by the hardware state machine such that the hardware state machine causes two or more of the plurality of matching block cipher devices to selectively perform a block-cipher-based symmetric cryptographic operation in a redundant mode or a parallel mode. The block-cipher-based symmetric cryptographic operation may be associated with securing a communication channel of an automotive system.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: December 8, 2020
    Assignee: Infineon Technologies AG
    Inventors: Alexander Zeh, Patrick Kresmer