Abstract: A reliable video streaming method using blockchain technology resisting cyber-attacks such as external and DDOS, malware, virus, and bandwidth reduction during video streaming of mobile devices connected over a same network is provided. The reliable video streaming method enables mobile devices connected to each other over a network to stream video over a reliable network.

Abstract: Described herein are systems, methods, and software to manage the approval of new computing elements for a private network. In one implementation, an administrator computing device in a private network is configured to receive a notification for a computing element to join the private network, wherein the notification includes a public key for the computing element and supplemental information for the computing element. The administrator computing device further identifies input indicating that the computing element is approved for the private network and, in response to the input, signs at least the public key. Once signed, the administrator computing device distributes the signed public key to one or more other computing elements in the private network.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically manage consent, permissioning, and trust between computing systems and unrelated, third-party applications operating within a computing environment. By way of example, the apparatus may receive a request for an element of data that includes an access token and first credential data associated with an application program. When the first credential data corresponds to second credential data associated with the application program, may determine that the requested data element is accessible to the application program and perform operations that validate the access token. Further, and based on the validation of the access token, that apparatus may obtain and encrypt the requested data element, and may transmit the encrypted data element to a device via the communications interface.

Abstract: A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determinations is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised an extension of the session between the authenticated user on the client and the web server system is caused.

Abstract: A method for providing an enterprise distribution platform to facilitate software distribution over a public computer network is disclosed. The method includes receiving, via a network interface, a request from the public computer network, the request relating to a solicitation for a software package; determining, by using a network security system, whether the request is forwarded from the public computer network to a private computer network based on a predetermined security rule; authenticating, via a web proxy, the request based on a result of the determining; identifying, based on a result of the authentication, the software package corresponding to the request; retrieving, from a memory, the identified software package; and transmitting, via the network interface, the retrieved software package in response to the request.

Abstract: A system includes at least one processor to receive a second public key, a first random number, and a second random number, and store the second public key, the first random number, and the second random number in an installation record, perform key agreement with a first private key and the second public key to determine a MasterSecret, perform key expansion with the MasterSecret, the first random number, and the second random number to generate a client authentication key, a server authentication key, a client encryption key, and a server encryption key, and store the client authentication key, the server authentication key, the client encryption key, and the server encryption key and delete the MasterSecret.

Abstract: A method for distributing an electronic content item for consumption with advertisements is provided. In one embodiment, a content provider creates a license identifying one or more slots within an electronic content item at which advertisements are to be inserted. The license specifies one or more types of advertisements that are not permitted to be inserted into the slots, and also specifies criteria for dynamically selecting advertisements to insert into the one or more slots. The content provider securely associates the electronic license with the electronic content item and distributes the electronic content item and the electronic license to a third party for consumption or subsequent transfer to an end user.

Abstract: Various embodiments include implementing an interceptor for application security testing. The interceptor may intercept traffic, including one or more traffic items, between a scan engine and a target application. The traffic item(s) may include a request directed to the target application from a scan engine implementing application security testing or a response from the target application responsive to request(s) from the scan engine. The interceptor may determine that a particular traffic item satisfies a particular traffic trigger associated with a particular traffic action comprising a manipulation to the traffic between the scan engine and the target application. The particular traffic action is one of a plurality of predefined traffic actions that the interceptor is configured to perform across different scan engine versions, different scan configurations, or both.

Abstract: A system can register, by a replication component and with a notification component, for notifications to changes in a group of data in data storage, wherein the notification component is configured to write respective changes in the group of data to a replication stream. The system can retrieve, by the replication component, a change of the changes in the group of data from the replication stream. The system can, in response to determining that the change corresponds to a replication policy, replicate, by the replication component, data of the group of data that corresponds to the change to a target system, wherein the replication component is configured to perform a replication on target systems having respective different storage types.

Abstract: A secure data exchange system permits device to exchange secure message keys and securely transmit messages between devices. The devices may initially exchange temporary message keys that are used to encrypt permanent message keys. In addition, devices may have pairing managed that authenticates devices. Devices may be associated with an address ledger that maintains address information and is accessible with a public ledger key, which may provide different access to address information to different paired devices. Data within the system may also be encrypted with user device keys that prevents unauthorized access to data while permitting recreation of the user device key for data backup and migration.

Abstract: A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (ga), the second value (ga) generated based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (mi) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (mi); generate, with the payment network, a public key (pki) based on the second value (ga), the merchant product (M), and the random merchant number (mi) and a random key (rki) based on the merchant product (M) and the random merchant number (mi) for each respective merchant bank; and communicate, with the payment network, the public key (pki) and the random key (rki) to at least one respective merchant bank.

Abstract: In one embodiment, a method comprises: generating and maintaining, by a network device in a secure peer-to-peer data network, a secure private key and a corresponding secure public key; establishing, by the network device, a two-way trusted relationship with a second network device in the secure peer-to-peer data network; generating by the network device a temporal key, and encrypting a data packet payload using the temporal key into an encrypted payload; encrypting, by the network device, the temporal key into an encrypted temporal key using a second secure public key of the second network device; and generating and outputting a secure data packet comprising the encrypted temporal key and the encrypted payload, enabling a receiving network device to verify the secure data packet is not a copy based on a determined absence of a prior prescribed hash of at least a portion of the encrypted temporal key.

Abstract: A system and method for advanced document redaction are disclosed. According to one embodiment, a system comprises a parser that analyzes documents to identify structured, semi-structured, and unstructured data from a document. A candidates generator generates a list of words for redaction from the structured, semi-structured, and unstructured data. A replacement engine replaces one or more words from the list of words with one or more of a replacement word, random characters, and random numbers.

Abstract: Systems and methods for supporting dynamic disk growth within a virtual storage appliance are provided. According to one embodiment, a portion of a logical size of respective hyperscale disks provided by a hyperscaler are provisioned for use by a virtual storage system as backing for respective file system disks. To accommodate growth, block numbers for the file system disks are pre-allocated within a sparse space of a contiguous sequence of block numbers corresponding to a number of blocks represented by the logical size. Metadata is maintained for the file system disks regarding a range of the pre-allocated block numbers that are available for use. Responsive to a triggering condition, the provisioned portion of a hyperscale disk is increased and subsequently, responsive to detecting a change in a size of the hyperscale disk by the virtual storage system, a size of the corresponding file system disk is updated within the metadata.

Abstract: In one embodiment, a method is disclosed for mobile device security that includes receiving a label ID from a low power mobile device via a first access point, wherein the label ID is a randomized value that substitutes a device address of the low power mobile device during wireless communication. The method includes mapping the label ID to the device address, and transmitting the device address to the first access point, and responsive to the transmitting, causing the first access point to pair with the low power mobile device.

Abstract: Embodiments of the disclosure relate to proxying at least one email resource from at least one email service to at least one client device, determining whether the email resources are accessible to the client devices via at least one unauthorized application on the client devices, and modifying the email resources to be inaccessible via the unauthorized applications on the client devices in response to a determination that the email resources are accessible via the unauthorized applications on the client devices.

Abstract: An example method of operation may include exchanging data between a client device and a server at a first transmission rate via at least one of a first channel and a second channel, monitoring an amount of data exchanged, comparing the amount of data exchanged to a first data amount threshold and a second data amount threshold for at least one time period, partially limiting subsequent transfers of data between the client device and the server when the first data amount threshold is reached in the at least one time period, and further partially limiting the subsequent transfers of data or ending transfer of data between the client device and the server when the second data amount threshold is reached in the at least one time period.

Abstract: A smart home system such a smart security system includes at least one controlled module capable of performing monitoring and/or control functions, and a controller that is in communication with the controlled module and a user device such as a smart phone or computer tablet. The system is operable to configure the user device with a first set of user interfaces and control functionalities in response to selection of a first operating mode, and to configure the user device with a second set of user interfaces and control functionalities in response to selection of a second operating mode. The first mode may be a master-controller mode in which the user device's graphics are displayed in portrait orientation, and the second mode may be a panel mode in which the user device's graphics are displayed in landscape orientation.

Abstract: A method for managing data availability includes making a first determination by a first security module (FSM) that a first storage area network (SAN) infrastructure in a first data center has experienced a failure. The method also includes generating a secure string based on a first configuration parameter. Further, the method includes appending the secure string to a SAN failure notification to generate a secure string-appended request. In addition, the method includes sending the secure string-appended request to a second data center, wherein the second data center is selected based on a second configuration parameter. Moreover, the method includes making a second determination that the encrypted secure string-appended request is valid. Further, the method includes offloading processing of requests sent to the first data center using the second data center.

Abstract: Some embodiments provide a method for authorizing application programming interface (API) calls on a host computer in a local cluster of computers. The method is performed in some embodiments by an API-authorizing agent executing on the host computer in the local computer cluster. From a remote cluster of computers, the method receives (1) a set of API-authorizing policies to evaluate in order to determine whether API calls to an application executing on the host computer are authorized, and (2) a set of parameters needed for evaluating the policies. With the remote cluster of computers, the method registers for notifications regarding updates to the set of parameters. The method then receives notifications, from the remote cluster, regarding an update to the set of parameters, and modifies the set of parameters based on the update.

Abstract: A computer-implemented method, according to one approach, includes: determining whether a destination for a domain name system (DNS) query corresponds to an existing source network address translation (SNAT) port in response to receiving the DNS query. In response to determining that the destination for the DNS query corresponds to an existing SNAT port, the DNS query is modified to incorporate the existing SNAT port. A map entry corresponding to the existing SNAT port is also updated, and the modified DNS query is satisfied. Other systems, methods, and computer program products are described in additional approaches.

Abstract: Systems, computer program products, and methods are described herein for establishing secure communication channels for peripheral hardware devices. The present invention is configured to receive, via a computing device system comprising at least one peripheral hardware device, a request to begin a virtual interaction between the computing device system and a virtual network system configured to establish connections and transmit information across or between systems. The invention may then establish the virtual interaction via a first communication channel and then receive a request to establish a second communication channel, where the second communication channel comprises a direct communication channel between the at least one peripheral hardware device and the virtual network system that is separate and distinct from the first communication channel.

Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data for distributed resolvers using a hash to policy pair (HPP) database are described. A DNS security service receives metadata including PII associated with a client. A cryptographic hash function is applied to the metadata including PII associated with the client to generate a client hash value. A client HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client. The client HPP is stored in a HPP database. A distributed resolver is authorized to provide DNS services to the client. Finally, the HPP database is published to the distributed resolver.

Abstract: The present disclosure relates to a method, apparatus, and computer program for setting an encryption key in a wireless communication system; and a recording medium for same. According to one embodiment of the present disclosure, a method for setting an encryption key size in a wireless communication system may comprise: a step in which a first controller of a first device receives a first message containing information on a minimum value of a first encryption key size from a first host of the first device; and a step in which the first controller transmits, to the first host, a second message indicating an encryption change. The second message may contain information on the first encryption key size.

Abstract: A user accesses a remote session, the connection to which is managed by a connection broker, according to a single sign-on (SSO) process. The SSO process includes the user entering his or her credentials and being authenticated to the connection broker. In addition to user authentication, the SSO process includes connection broker authentication to confirm that the connection broker is trustworthy. When the connection broker is authenticated, the user credentials are transmitted to the connection broker in a secure manner and the connection broker forwards them onto a machine hosting the remote session so that the user can be logged into the remote session without entering his or her credentials again.

Abstract: Apparatus and methods disclosed herein provide technical solutions improving the security of email messages. An email message may be encrypted so that a predetermined passcode is not required to access the email message. Apparatus and methods may route email messages through a remote portal. The email message may only be transmitted to the recipient via the portal. In some instances, the contents of an email message may not be transmitted from the portal to the recipient. Rather, the recipient may only access the email message from within the portal. Such restricted access may be preferably less complex because the recipient's computer terminal may automatically connect to the portal.

Abstract: An event graph associated with a root cause for a change in security state on an endpoint is used to facilitate malware detection on other endpoints.

Abstract: Examples disclosed herein include accessing, by a host device, device information corresponding to an intermediate communication device communicatively coupled to the host device. Identifying, by the host device, a unique identifier corresponding to the intermediate communication device from the accessed device information. Query, by the host device, a public key from a remote resource, based on the identified unique identifier. Receiving, by the host device, the public key from the remote resource. Authenticating, by the host device, the intermediate communication device based on the received public key and a private key stored in the intermediate communication device.

Abstract: An illustrative fraud deterrent method includes presenting an identity verification option for a first website displayed in a web-browser, the option including offering a login to a third-party website, unrelated to the first website. The method further includes receiving login information for a first user account on the third-party website and verifying the login information through a verification service associated with the third-party website, to verify that the login information is valid for the first user account, identified by the login information. The method additionally includes verifying an identity at the first website, responsive to the verification.

Abstract: A dongle for ciphering, receiving and transmitting data to and from an external device is provided. The dongle includes a user interface configured to receive authentication data to confirm an identity of a user. The dongle is disabled for ciphering data unless an authorised user is identified. A data transfer channel is configured to couple the dongle to the external device to receive and transmit user data between the dongle and the external device. A hardware encryption engine is configured to perform a ciphering transformation on user data received from the external device. The dongle is configured to perform a return transmission to return the user data that has been transformed to the external device via the data transfer channel in real-time using a single data transfer channel without storage of the user data on the dongle.

Abstract: One or more processors receive a request for a secure digital asset and execute a validation protocol defined for validating the request. The validation protocol may define conditions for fulfilling the request that include one or more conditions related to information about an identified user requesting the request or information indicative of a routing-aspect of the request. The one or more processors attempt to validate the request based on assessment of the conditions specified in the validation protocol. If validation is unsuccessful, the one or more processors instruct the user to undertake one or more multi-factor authentication actions, which may include choices from a plurality of possible multi-factor authentication options and/or certain required multi-factor authentication options, defined by the protocol. The one or more processors validate and fulfil the request responsive to confirming successful undertaking of the one or more multi-factor authentication actions by the user.

Abstract: A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege.

Abstract: The present technology relates to an information processing apparatus enabling services using broadcasting and communication to be more flexibly served, a client apparatus, and a data processing method. An information processing apparatus inserts identification information for identifying the identity of a source of content into a request for the content to more flexibly serve services using broadcasting and communication. For example, the present technology can be applied to a gateway apparatus connected to a network such as home LAN or a client apparatus capable of reproducing content.

Abstract: Secure authentication using attestation tokens and inviolable quotes to validate request origins is performed by systems and platforms. An application programming interface (API) service is hosted via secure enclave of a computing platform container. Requests to a resource system for highly confidential/sensitive information persisted in a data storage, or for computational services, are made through the enclave, which is a source from which requests are trusted. An API call is made from the secure enclave to the resource system to establish a secure communication session based on a signed certificate for the secure enclave that is signed using an encrypted memory of the secure enclave. The API call also includes an attestation token used to validate the secure enclave as the source requesting the information or service via the API call. Confidential/sensitive information is provided to the secure enclave if the API call source is validated by the resource system.

Abstract: A device, method and system for changing communication infrastructure based on call security level is provided. A device determines a call security level of a call occurring at a first communication infrastructure; the first communication infrastructure associated with a first security level; the call security level determined from one or more of; a profile of a caller on the call; and audio on the call. In response to determining that the call security level and the first security level are misaligned, the device causes the call to change to a second communication infrastructure associated with a second security level aligned with the call security level.

Abstract: Systems and methods systems and methods for efficiently and securely forming a communication network. As a non-limiting example, various aspects of the present disclosure provide systems and methods, for example utilizing a plurality of different security modes, for forming a premises-based network (e.g., a MoCA network).

Abstract: A non-interactive protocol is provided for evaluating machine learning models such as decision trees. A client can delegate the evaluation of a machine learning model such as a decision tree to a server by sending an encrypted input and receiving only the encryption of the result. The inputs can be encoded as vector of integers using their binary representation. The server can then evaluate the machine learning model using a homomorphic arithmetic circuit. The homomorphic arithmetic circuit provides an implementation that requires fewer multiplication than a Boolean comparison circuit. Efficient data representations are then combined with different algorithmic optimizations to keep the computational overhead and the communication cost low. Related apparatus, systems, techniques and articles are also described.

Abstract: Systems and methods for resource management are disclosed. A search request may be received at a resource management service of a provider network. The search request may be received from a client device that does not have permission to access resources in a protected region of a provider network. The search request may specify a query associated with at least one operational health indicator in the protected region. It may be determined, using a secure query service, that the at least one operational health indicator does not exist in the protected region. The secure query service enables the client device to obtain information about the resources in the protected region without gaining access to the resources in the protected region. Sending of a notification indicating that the at least one operational health indicator does not exist in the protected region to the client device may be caused.

Abstract: Once a new session of data packets is detected, whether to proxy encrypt the data packets, on behalf of a specific headless endpoint device from the plurality of headless endpoint devices for a session, is determined based on analysis of payload data of a data packet from a session. Responsive to a determination to proxy encrypt data packets, encryption attributes are set up between a local data port on the network device and a remote data port on a remote network device as parsed from a header of the data packet. Outbound and inbound data packets of the session secure OSI layers 4 to 7 of the outbound data packets of the session are encrypted, according to the encryption attributes, without interference to OSI layers 1 to 3.

Abstract: A secure trusted service manager provider may include at least one processor configured to provide, to an electronic device, a first script to provision an applet instance corresponding to a third party server, the script including a public key corresponding to the third party server. The at least one processor may be configured to receive, from the electronic device, an encrypted symmetric key and provide the encrypted symmetric key to the third party server, the symmetric key being encrypted with the public key. The at least one processor may be configured to receive, from the third party server, an encrypted data element corresponding to a transaction to be performed by the applet instance, the encrypted data element being encrypted with the symmetric key, generate a second script that includes the encrypted data element and provide, to the electronic device, the second script that includes the encrypted data element.

Abstract: A method for disrupting a detected cyberthreat can include receiving a request, the request identifying suspected malicious content; identifying one or more indicators of compromise (IOCs) associated with the content; enriching the request with the IOCs; verifying the request; and reporting the verified request and the one or more IOCs to a disruption network.

Abstract: A video distribution network includes a distribution plant and a first bulk encryption device connected to the distribution plant, wherein the bulk encryption device outputs a first encrypted video service stream to the distribution plant via an internet protocol (IP) interface.

Abstract: A secure data broker includes a public network interface, an authorization module, a database interface, and an encryption module. The public network interface is configured to receive a database query and authorization information from a client device over a secure connection and return a response to the database query to the client device over the secure connection. The authorization module is configured to authorize the client device based on the authorization information, which was issued to the client device by the public safety platform. The database interface is configured to submit the database query to a secure database in response to the authorization of the client device and to receive the response to the database query from the secure database. The encryption module is configured to encrypt the response to the database query using a broker key.

Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render in accessible a significant portion of one or more storage volumes as part of a ransomware attack.

Abstract: A data storage device and method to selectively enable access to stored user data files. The method includes receiving authentication credential from a user and, in response, retrieving a unique user identifier associated with the authentication credential. The stored user data files on the data storage device each has respective data file identifier. The method includes, for each user, enumerating a directory of stored data files where the data file identifier matches the unique user identifier of that user. This enables selective access of files corresponding the user. Multiple users can be registered to the same data storage device and selective access prevents one user from accessing another user's data files.

Abstract: According to one aspect of the present invention, when a combination rule of event information to be monitored is created by aggregating a plurality of pieces of event information generated in a network, an information processing device executes: collecting the plurality of pieces of event information; calculating a correlation value for a plurality of combinations of event information including m (m?3) pieces of event information generated from the plurality of pieces of event information collected; selecting a combination of the pieces of event information for which the calculated correlation value is equal to or higher than a predetermined value, wherein the correlation value increases as the number of times or frequency that the event information included in a combination appears according to the combination increases and also increases as a time interval between the pieces of event information included in the combination decreases; and generating the combination rule on the basis of the event information

Abstract: A method for securing access to a data storage device (DSD), comprising: receiving, from a host connected to a data port of the DSD, a data access request to access user data stored on the DSD. In response to receiving the data access request, the DSD transmits, to the host, a Long Term Device Key (LTDK) of the DSD and a session identifier uniquely generated for the data access session. An access token is received from the host, signed by a private Long Term Host Key (LTHK) of the host. The LTHK and the LTDK form a cryptographic pair. The access token is validated using the LTDK to determine whether the host is authorized to access the DSD. In response to determining that the host is authorized to access the DSD, a data access state of the DSD is set to an unlocked state to enable access to the user data by the host via the data port, wherein the LTDK is obtained from a registration token transmitted to the DSD by the host.

Abstract: Techniques are described for the creation of application templates, which can in turn be used to create scoped or customized applications. Such scoped applications may be suitable for use in a local computing environment or a cloud-based platform. As discussed, such scoped or customized applications may be variations of an existing or base application, such as a global or general application or a previously generated scoped application, but may be targeted to a specific audience or function.

Abstract: Disclosed are various embodiments relating to a security framework for media playback. In one embodiment, a client device has a decryption module, a streaming module, and a playback module. The playback module may be configured to request media data from the streaming module and render the media data on an output device. The streaming module may be configured to obtain the media data from the decryption module by a request that specifies a size of the media data. The size may be dynamically determined based at least in part on an amount of available temporary data storage. The decryption module may be configured to decrypt a portion of an encrypted media file based at least in part on the specified size to produce the media data.

Abstract: A method for acquiring and disseminating network node characteristics to enable policy decisions including receiving a resolution request from one or more clients in a network environment. Information, for example, network address, is then acquired from one or more sources regarding a specific location in a network, for example, a network node. A list of the network addresses is then generated and ranked based on one or more parameters that merit making traffic handling decisions. The network addresses are then associated with a host name on at least one directory server and then propagated to the one or more clients.