Abstract: An image sensor structure includes a semiconductor substrate, a plurality of image sensing elements, a reflective element, and a high-k dielectric structure. The image sensing elements are in the semiconductor substrate. The reflective element is in the semiconductor substrate and between the image sensing elements. The high-k dielectric structure is between the reflective element and the image sensing elements.

Abstract: Semiconductor structures are provided. The semiconductor structure includes a substrate and nanostructures formed over the substrate. The semiconductor structure further includes a gate structure surrounding the nanostructures and a source/drain structure attached to the nanostructures. The semiconductor structure further includes a contact formed over the source/drain structure and extending into the source/drain structure.

Abstract: Preventing Transport Layer Security session man-in-the-middle attacks is provided. A first security digest generated by an endpoint device is compared with a second security digest received from a peer device. It is determined whether a match exists between the first security digest and the second security digest based on the comparison. In response to determining that a match does not exist between the first security digest and the second security digest, a man-in-the-middle attack is detected and a network connection for a Transport Layer Security session is terminated with the peer device.

Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.

Abstract: An embodiment of the invention may include a method, computer program product and system for secure authentication within a communication protocol session. The embodiment may include retrieving, by a client computer of the TLS session, a challenge string associated with the TLS session. The embodiment may include generating, by the client computer, a first digest based on the challenge string and authentication information of a user of the client computer. The embodiment may include sending, by the client computer, the first digest to a server of the TLS session. The retrieving, generating and sending, by the client computer, are carried out after the TLS session has been established between the client computer and the server.

Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.

Abstract: An example operation may include one or more of obtaining a request to validate an application with respect to an OAuth provider, identifying a previously registered digital signature of the application, generating verification information of the application based on the identified digital signature of the application, and passing the generated verification information of the application to the OAuth provider via a user login page.

Abstract: A computer network endpoint is secured to prevent information leak or other compromise by instantiating in memory first, second and third security zones. With respect to an authorized user, the first zone is readable and writable, the second zone is read-only, and the third zone is neither readable nor writable. System information (e.g., applications, libraries, policies, etc.) are deployed into the first zone from the second zone. When sensitive data is generated in the first zone, e.g., when a secure communication session is established using a cryptographic key, the sensitive data is transferred from the first zone to the third zone, wherein it is immune from information leak or other compromise. The sensitive information is transferable from the third zone to one or more external having a need to know that information. Because information does not pass directly from the first security zone to the external systems, the endpoint is secured against information leak or other attack.

Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.

Abstract: A computer network endpoint is secured to prevent information leak or other compromise by instantiating in memory first, second and third security zones. With respect to an authorized user, the first zone is readable and writable, the second zone is read-only, and the third zone is neither readable nor writable. System information (e.g., applications, libraries, policies, etc.) are deployed into the first zone from the second zone. When sensitive data is generated in the first zone, e.g., when a secure communication session is established using a cryptographic key, the sensitive data is transferred from the first zone to the third zone, wherein it is immune from information leak or other compromise. The sensitive information is transferable from the third zone to one or more external having a need to know that information. Because information does not pass directly from the first security zone to the external systems, the endpoint is secured against information leak or other attack.

Abstract: Establishing Transport Layer Security/Secure Sockets Layer (TLS/SSL) sessions with destination servers for Internet of Things (IoT) devices is provided. A request is sent to establish a TLS/SSL session with a target destination server in a set of destination servers using destination server information related to a particular IoT device in a plurality of IoT devices. A TLS/SSL session is established with the target destination server corresponding to the particular IoT device. TLS/SSL session credential information is received for the particular IoT device from the target destination server. The TLS/SSL session credential information for the particular IoT device is saved in a session credential information table. The TLS/SSL session is suspended with the target destination server corresponding to the particular IoT device.

Abstract: Preventing Transport Layer Security session man-in-the-middle attacks is provided. A first security digest generated by an endpoint device is compared with a second security digest received from a peer device. It is determined whether a match exists between the first security digest and the second security digest based on the comparison. In response to determining that a match does not exist between the first security digest and the second security digest, a man-in-the-middle attack is detected and a network connection for a Transport Layer Security session is terminated with the peer device.

Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.

Abstract: A system, method and computer program product for detecting distributed denial-of-service (DDoS) attacks is provided. Current aggregated flow information for a defined period of time is analyzed. It is determined whether network flow increased above a defined flow threshold value to a second data processing system connected to a network within the defined period of time based on analyzing the current aggregated flow information. In response to determining that the network flow has increased above the defined flow threshold value to the second data processing system connected to the network within the defined period of time, it is determined that the second data processing system is under a DDoS attack.

Abstract: An example operation may include one or more of obtaining a request to validate an application with respect to an OAuth provider, identifying a previously registered digital signature of the application, generating verification information of the application based on the identified digital signature of the application, and passing the generated verification information of the application to the OAuth provider via a user login page.

Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.

Abstract: A system and computer program product for preventing abnormal application activity is provided. Packets are retrieved from a packet buffer using packet location information corresponding to information associated with the abnormal application activity in a data processing system. The packets are analyzed to identify content of the network packets causing the abnormal application activity. Network packets containing the content causing the abnormal application activity in the data processing system are blocked.

Abstract: A method for preventing abnormal application activity is provided. Packets are retrieved from a packet buffer using packet location information corresponding to information associated with the abnormal application activity in a data processing system. The packets are analyzed to identify content of the network packets causing the abnormal application activity. Network packets containing the content causing the abnormal application activity in the data processing system are blocked.

Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.

Abstract: An embodiment of the invention may include a method, computer program product and system for secure authentication within a communication protocol session. The embodiment may include retrieving, by a client computer of the TLS session, a challenge string associated with the TLS session. The embodiment may include generating, by the client computer, a first digest based on the challenge string and authentication information of a user of the client computer. The embodiment may include sending, by the client computer, the first digest to a server of the TLS session. The retrieving, generating and sending, by the client computer, are carried out after the TLS session has been established between the client computer and the server.