Abstract: Described is a system for biometric authentication. The system converts biometric data into a cryptographic key r? using a reusable fuzzy extractor process having an underlying hash function modeling a random oracle model. The system allows access to secured services when a comparison of r? to a previously computed cryptographic key r shows a match.

Abstract: Described is a system for anonymous job allocation and majority voting in a cloud computing environment. The system broadcasts a job to physical nodes, each of the physical nodes having a control operations plane (COP) node and one or more service nodes associated with the COP node. A set of redundant job assignments is distributed to individual COP nodes pursuant to a private job assignment schedule, such that each individual COP node is only aware of its own assignment and corresponding job. The service nodes execute the job assigned to the COP nodes such that the service nodes each complete a task associated with the job and forward an individual result to their associated COP node. A privacy-preserving result checking protocol is performed amongst the COP nodes such that secret shares of a majority result are obtained and the majority result is provided to a client.

Abstract: Described is a system for biometric based security. The system converts biometric data into a cryptographic key using a reusable fuzzy extractor process. The reusable fuzzy extractor process comprises a generation process and a reconstruction process. The generation process takes as input a public parameter and a first biometric input and outputs a public helper string and a first random string. The reconstruction process takes as input a public helper string and a second biometric input and outputs a second random string. The reusable fuzzy extractor process is reusable such that multiple public helper strings do not reveal any information about the first biometric input and the first random string. Secured data is unlocked by applying the cryptographic key for biometric security of access to secured data.

Abstract: Described is a system for secure database searching. The system comprises a client-server architecture which allows a client to securely search a database of records possessed by a server. A database query is generated by the client and transmitted to the server. The database query is processed by the server using a privacy-preserving search protocol. An encrypted match result is produced by the server without decrypting the database query. The encrypted match result is sent to the client, and the client decrypts the encrypted match result to obtain a set of block identifiers representing blocks of records in the database that match the database query. The client obtains a block of encrypted records containing match results using only the set of block identifiers. The match results are decrypted by the client using a key obtained from the server. The unencrypted match results to the database query are then output.

Abstract: Described is a system for secure multiparty computation. The system uses a secret sharing protocol to share secrets among servers of a synchronous network. An Open-Semi-Robust protocol or an Open Robust protocol is used to allow the servers to open their shares of secret data. If a server is corrupt, the Open-Robust protocol is used, otherwise, the Open-Semi-Robust protocol is used. A Deal-Semi-Robust protocol or a Deal-Robust protocol is utilized by a server to distribute its shares of secret data among the other servers. If a server is corrupt, the Deal-Robust protocol is used, otherwise, the Deal-Semi-Robust protocol is used. A Recover-Semi-Robust protocol or a Recover-Robust protocol is used to allow servers that were previously corrupted to recover their shares of secret data, such that each uncorrupted server holds correct shares of secret data. If a server is corrupt, the Recover-Robust protocol is used, otherwise, the Recover-Semi-Robust protocol is used.

Abstract: A method for generating a security policy for a network includes classifying a sample of network flows into at least one flow type selected from a group including a service flow, mirror flow, network address translation flow, and arbitrary flow; grouping the network flows based on flow type and one or more of an associated service port, source port, and destination port. Network security rules for the network are automatically generated based on the groups of network flows. The network security rules may further be transformed into a security policy and configuration files.

Abstract: Described is a system for biometric based security. The system converts biometric data into a cryptographic key using a reusable fuzzy extractor process. The reusable fuzzy extractor process comprises a generation process and a reconstruction process. The generation process takes as input a public parameter and a first biometric input and outputs a public helper string and a first random string. The reconstruction process takes as input a public helper string and a second biometric input and outputs a second random string. The reusable fuzzy extractor process is reusable such that multiple public helper strings do not reveal any information about the first biometric input and the first random string. Secured data is unlocked by applying the cryptographic key for biometric security of access to secured data.

Abstract: Described is a secure system for generic pattern matching. In operation, the system determines if a pattern p, as presented by a second party, is within a textual pattern T, as maintained by a first party. In making such a determination, the system uses a series of binary value matrices and corresponding pairs of encrypted permuted matrices. Challenge bits are then used to generate permutations and later verify correctness of the various encrypted permuted matrices. If it is determined that pattern p is within text T, the, for example, an access protocol is initiated.

Abstract: Described is a system for anonymous job allocation and majority voting in a cloud computing environment. The system broadcasts a job to physical nodes, each of the physical nodes having a control operations plane (COP) node and one or more service nodes associated with the COP node. A set of redundant job assignments is distributed to individual COP nodes pursuant to a private job assignment schedule, such that each individual COP node is only aware of its own assignment and corresponding job. The service nodes execute the job assigned to the COP nodes such that the service nodes each complete a task associated with the job and forward an individual result to their associated COP node. A privacy-preserving result checking protocol is performed amongst the COP nodes such that secret shares of a majority result are obtained and the majority result is provided to a client.

Abstract: Described is a system for cloud-based privacy-preserving navigation operations between multiple parties. The system performs a two-party computation (2PC) between input data related to a current location of a first party and public data stored on a cloud computing infrastructure. Each party individually performs a 2PC on the public data while maintaining privacy of their input data. The system then performs multi-party computations (MPC) between multiple parties and the cloud computing infrastructure. The multiple parties privately update the public data with a result obtained from the 2PC. For the first party, a privacy-preserved navigation result is generated using results obtained from the 2PC and the MPC. The first party is caused to perform a navigation operation based on the privacy-preserved navigation result.

Abstract: Systems and methods for generating filtering rules are provided. One computer implemented method includes receiving a command to modify existing network traffic rules. The method further includes performing a quality calculation for the existing network traffic rules, the quality calculation being a function of a number of distinct flows permitted by a particular rule, wherein (i) if the command to the network is to increase the number of rules, then identifying a rule of the existing network traffic rules with a highest quality calculation, splitting the rule into sub-rules and adding a new rule, and (ii) if the command to the network is to decrease the number of rules, then identifying the existing network traffic rules with quality rule calculations near a predetermined value, adding new rules, and merging the new rules to the identified rules with quality rule calculations near the predetermined value.

Abstract: Described is a system for the implementation of biometric scanning in a user-privacy preserving fashion with respect to identification, authentication, and online credential systems. At enrollment, the user enrolls or initially registers at a physical location, where the user is provided a Fuzzy Extractor (FE) encrypted output (Enc(R)). The user is then registered with an online server, which creates an ID-Wallet for the user and stores the ID-Waller. During operation, the user sends an authentication request to the online server, which provides a corresponding authentication response. The user or user's client then extracts secret (R) for user authentication. The user can then be authenticated with the online server to retrieve credentials from the ID-Wallet, which can be used for a variety of online services.

Abstract: Described is a system for protecting sensitive information that is hardcoded in polynomial-size ordered binary decision diagram (POBDD) form. A software executable represented as a POBDD having sensitive information embedded therein is obfuscated into an obfuscated POBDD. An input query on the obfuscated POBDD is evaluated, and the sensitive information is revealed only if the input query is a correct input. Thus, an adversary is prevented from extracting the sensitive information embedded in the POBDD.

Abstract: Described is system for inferring networks service dependencies. The system detects a set of network services from a set of network data. The system additionally detects a set of network service profiles in the set of network data. A network switching topology of the network is then determined. Finally, network service dependencies are inferred by analyzing a dependency structure of the network using at least one of the set of network services, the set of network service profiles, and the network topology.

Abstract: Described is a proactive digital currency (PDC) system and method. In an embodiment, the PDC system operates using a plurality of ledger servers. Thereafter, the user can use a secret sharing protocol to transfer coins amongst users of the PDC system. In doing so, the system receives, at the plurality of collectively operated ledger servers, a first address of the first user, a second address of the second user, and a secret share of each bit in a binary representation of the transaction value. The secret share conceals the transaction amount. The ledger servers verify that the transaction value will not overdraw a balance ledger associated with the first address of the first user. The transaction value and a transaction fee are subtracted from the first address of the first user, with the transaction value being added to the second address of the second user.

Abstract: Described is a system for securely searching streaming data. The system executes a secure pattern matching protocol between a client and at least one of a server and a processing element. Using the processing element, an encryption of a character delay based on a pattern to be searched is received. Streaming data is received at the processing element. A secure search is performed blindly at the processing element to find a match for the pattern in the streaming data, the search being performed using the encryption of the character delay vector. Encrypted results from the secure search are sent back to the client.

Abstract: Described is system for automatically detecting network services and their dependencies. The system generates a first context table having rows of packet headers and columns of header field values. A first concept lattice is generated from the first context table, and network services and corresponding packet headers are identified. A second context table is generated using the networks services data, and a second concept lattice is generated from the second context table. Network service dependencies are identified using the second concept lattice. The context tables are used to monitor the plurality of network service dependencies.

Abstract: Described is a system for cloud-based privacy-preserving navigation operations between multiple parties. The system performs a two-party computation (2PC) between input data related to a current location of a first party and public data stored on a cloud computing infrastructure. Each party individually performs a 2PC on the public data while maintaining privacy of their input data. The system then performs multi-party computations (MPC) between multiple parties and the cloud computing infrastructure. The multiple parties privately update the public data with a result obtained from the 2PC. For the first party, a privacy-preserved navigation result is generated using results obtained from the 2PC and the MPC. The first party is caused to perform a navigation operation based on the privacy-preserved navigation result.

Abstract: Described is a system for obfuscating a computer program. Sensitive data of an unprotected computer program is received as input. A random oracle is used to algebraically hide a set of polynomial-size point functions representing the sensitive data. The system outputs a set of obfuscated instructions internally hiding the sensitive data. The set of obfuscated instructions are used to transform the unprotected computer program into a protected, obfuscated computer program that is accepting of the set of polynomial-size point functions. The obfuscated computer program is written to a non-volatile computer-readable medium.

Abstract: A method and apparatus for discovering a service dependency chain. Service dependencies are discovered. A potential service dependency chain is identified based on at least a portion of the service dependencies. A number of data paths are built for the potential service dependency chain. A chain transfer entropy is computed for the potential service dependency chain based on the number of data paths. A determination is made as to whether the potential service dependency chain is the service dependency chain based on the chain transfer entropy.