Abstract: An event graph associated with a root cause for a change in security state on an endpoint is used to facilitate malware detection on other endpoints.

Abstract: An illustrative fraud deterrent method includes presenting an identity verification option for a first website displayed in a web-browser, the option including offering a login to a third-party website, unrelated to the first website. The method further includes receiving login information for a first user account on the third-party website and verifying the login information through a verification service associated with the third-party website, to verify that the login information is valid for the first user account, identified by the login information. The method additionally includes verifying an identity at the first website, responsive to the verification.

Abstract: Examples disclosed herein include accessing, by a host device, device information corresponding to an intermediate communication device communicatively coupled to the host device. Identifying, by the host device, a unique identifier corresponding to the intermediate communication device from the accessed device information. Query, by the host device, a public key from a remote resource, based on the identified unique identifier. Receiving, by the host device, the public key from the remote resource. Authenticating, by the host device, the intermediate communication device based on the received public key and a private key stored in the intermediate communication device.

Abstract: A dongle for ciphering, receiving and transmitting data to and from an external device is provided. The dongle includes a user interface configured to receive authentication data to confirm an identity of a user. The dongle is disabled for ciphering data unless an authorised user is identified. A data transfer channel is configured to couple the dongle to the external device to receive and transmit user data between the dongle and the external device. A hardware encryption engine is configured to perform a ciphering transformation on user data received from the external device. The dongle is configured to perform a return transmission to return the user data that has been transformed to the external device via the data transfer channel in real-time using a single data transfer channel without storage of the user data on the dongle.

Abstract: One or more processors receive a request for a secure digital asset and execute a validation protocol defined for validating the request. The validation protocol may define conditions for fulfilling the request that include one or more conditions related to information about an identified user requesting the request or information indicative of a routing-aspect of the request. The one or more processors attempt to validate the request based on assessment of the conditions specified in the validation protocol. If validation is unsuccessful, the one or more processors instruct the user to undertake one or more multi-factor authentication actions, which may include choices from a plurality of possible multi-factor authentication options and/or certain required multi-factor authentication options, defined by the protocol. The one or more processors validate and fulfil the request responsive to confirming successful undertaking of the one or more multi-factor authentication actions by the user.

Abstract: The present technology relates to an information processing apparatus enabling services using broadcasting and communication to be more flexibly served, a client apparatus, and a data processing method. An information processing apparatus inserts identification information for identifying the identity of a source of content into a request for the content to more flexibly serve services using broadcasting and communication. For example, the present technology can be applied to a gateway apparatus connected to a network such as home LAN or a client apparatus capable of reproducing content.

Abstract: A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege.

Abstract: A device, method and system for changing communication infrastructure based on call security level is provided. A device determines a call security level of a call occurring at a first communication infrastructure; the first communication infrastructure associated with a first security level; the call security level determined from one or more of; a profile of a caller on the call; and audio on the call. In response to determining that the call security level and the first security level are misaligned, the device causes the call to change to a second communication infrastructure associated with a second security level aligned with the call security level.

Abstract: Secure authentication using attestation tokens and inviolable quotes to validate request origins is performed by systems and platforms. An application programming interface (API) service is hosted via secure enclave of a computing platform container. Requests to a resource system for highly confidential/sensitive information persisted in a data storage, or for computational services, are made through the enclave, which is a source from which requests are trusted. An API call is made from the secure enclave to the resource system to establish a secure communication session based on a signed certificate for the secure enclave that is signed using an encrypted memory of the secure enclave. The API call also includes an attestation token used to validate the secure enclave as the source requesting the information or service via the API call. Confidential/sensitive information is provided to the secure enclave if the API call source is validated by the resource system.

Abstract: A non-interactive protocol is provided for evaluating machine learning models such as decision trees. A client can delegate the evaluation of a machine learning model such as a decision tree to a server by sending an encrypted input and receiving only the encryption of the result. The inputs can be encoded as vector of integers using their binary representation. The server can then evaluate the machine learning model using a homomorphic arithmetic circuit. The homomorphic arithmetic circuit provides an implementation that requires fewer multiplication than a Boolean comparison circuit. Efficient data representations are then combined with different algorithmic optimizations to keep the computational overhead and the communication cost low. Related apparatus, systems, techniques and articles are also described.

Abstract: Systems and methods systems and methods for efficiently and securely forming a communication network. As a non-limiting example, various aspects of the present disclosure provide systems and methods, for example utilizing a plurality of different security modes, for forming a premises-based network (e.g., a MoCA network).

Abstract: A video distribution network includes a distribution plant and a first bulk encryption device connected to the distribution plant, wherein the bulk encryption device outputs a first encrypted video service stream to the distribution plant via an internet protocol (IP) interface.

Abstract: A secure data broker includes a public network interface, an authorization module, a database interface, and an encryption module. The public network interface is configured to receive a database query and authorization information from a client device over a secure connection and return a response to the database query to the client device over the secure connection. The authorization module is configured to authorize the client device based on the authorization information, which was issued to the client device by the public safety platform. The database interface is configured to submit the database query to a secure database in response to the authorization of the client device and to receive the response to the database query from the secure database. The encryption module is configured to encrypt the response to the database query using a broker key.

Abstract: Systems and methods for resource management are disclosed. A search request may be received at a resource management service of a provider network. The search request may be received from a client device that does not have permission to access resources in a protected region of a provider network. The search request may specify a query associated with at least one operational health indicator in the protected region. It may be determined, using a secure query service, that the at least one operational health indicator does not exist in the protected region. The secure query service enables the client device to obtain information about the resources in the protected region without gaining access to the resources in the protected region. Sending of a notification indicating that the at least one operational health indicator does not exist in the protected region to the client device may be caused.

Abstract: Once a new session of data packets is detected, whether to proxy encrypt the data packets, on behalf of a specific headless endpoint device from the plurality of headless endpoint devices for a session, is determined based on analysis of payload data of a data packet from a session. Responsive to a determination to proxy encrypt data packets, encryption attributes are set up between a local data port on the network device and a remote data port on a remote network device as parsed from a header of the data packet. Outbound and inbound data packets of the session secure OSI layers 4 to 7 of the outbound data packets of the session are encrypted, according to the encryption attributes, without interference to OSI layers 1 to 3.

Abstract: A method for disrupting a detected cyberthreat can include receiving a request, the request identifying suspected malicious content; identifying one or more indicators of compromise (IOCs) associated with the content; enriching the request with the IOCs; verifying the request; and reporting the verified request and the one or more IOCs to a disruption network.

Abstract: A secure trusted service manager provider may include at least one processor configured to provide, to an electronic device, a first script to provision an applet instance corresponding to a third party server, the script including a public key corresponding to the third party server. The at least one processor may be configured to receive, from the electronic device, an encrypted symmetric key and provide the encrypted symmetric key to the third party server, the symmetric key being encrypted with the public key. The at least one processor may be configured to receive, from the third party server, an encrypted data element corresponding to a transaction to be performed by the applet instance, the encrypted data element being encrypted with the symmetric key, generate a second script that includes the encrypted data element and provide, to the electronic device, the second script that includes the encrypted data element.

Abstract: A data storage device and method to selectively enable access to stored user data files. The method includes receiving authentication credential from a user and, in response, retrieving a unique user identifier associated with the authentication credential. The stored user data files on the data storage device each has respective data file identifier. The method includes, for each user, enumerating a directory of stored data files where the data file identifier matches the unique user identifier of that user. This enables selective access of files corresponding the user. Multiple users can be registered to the same data storage device and selective access prevents one user from accessing another user's data files.

Abstract: According to one aspect of the present invention, when a combination rule of event information to be monitored is created by aggregating a plurality of pieces of event information generated in a network, an information processing device executes: collecting the plurality of pieces of event information; calculating a correlation value for a plurality of combinations of event information including m (m?3) pieces of event information generated from the plurality of pieces of event information collected; selecting a combination of the pieces of event information for which the calculated correlation value is equal to or higher than a predetermined value, wherein the correlation value increases as the number of times or frequency that the event information included in a combination appears according to the combination increases and also increases as a time interval between the pieces of event information included in the combination decreases; and generating the combination rule on the basis of the event information

Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render in accessible a significant portion of one or more storage volumes as part of a ransomware attack.

Abstract: An over-the-air updating method, an update server, a terminal, and an internet of things system are provided. The over-the-air updating method is applied to an update server in an internet of things system which further includes a terminal. The update server is communicatively connected to the terminal. The method includes: generating an encryption public key and an encryption private key which match each other; sending the encryption public key to the terminal; generating an update key, and encrypting the update key with the encryption private key; sending the encrypted update key to the terminal, for the terminal decrypts the encrypted update key with the encryption public key; encrypting update data with the update key; sending the encrypted update data to the terminal, for the terminal decrypts the update data with the decrypted update key, and performing data updating with the update data.

Abstract: Disclosed are various embodiments relating to a security framework for media playback. In one embodiment, a client device has a decryption module, a streaming module, and a playback module. The playback module may be configured to request media data from the streaming module and render the media data on an output device. The streaming module may be configured to obtain the media data from the decryption module by a request that specifies a size of the media data. The size may be dynamically determined based at least in part on an amount of available temporary data storage. The decryption module may be configured to decrypt a portion of an encrypted media file based at least in part on the specified size to produce the media data.

Abstract: Techniques are described for the creation of application templates, which can in turn be used to create scoped or customized applications. Such scoped applications may be suitable for use in a local computing environment or a cloud-based platform. As discussed, such scoped or customized applications may be variations of an existing or base application, such as a global or general application or a previously generated scoped application, but may be targeted to a specific audience or function.

Abstract: A method for securing access to a data storage device (DSD), comprising: receiving, from a host connected to a data port of the DSD, a data access request to access user data stored on the DSD. In response to receiving the data access request, the DSD transmits, to the host, a Long Term Device Key (LTDK) of the DSD and a session identifier uniquely generated for the data access session. An access token is received from the host, signed by a private Long Term Host Key (LTHK) of the host. The LTHK and the LTDK form a cryptographic pair. The access token is validated using the LTDK to determine whether the host is authorized to access the DSD. In response to determining that the host is authorized to access the DSD, a data access state of the DSD is set to an unlocked state to enable access to the user data by the host via the data port, wherein the LTDK is obtained from a registration token transmitted to the DSD by the host.

Abstract: Embodiments extend protocols for secure communication between two parties to allow a party to securely communicate with multiple parties using a single message. For example, the sending party can determine a unique shared secret for each recipient and encrypt data for a recipient using a session key generated from the corresponding shared secret. The encrypted data can be combined into a single message, and each recipient can decrypt only the subset of the message that it is authorized to.

Abstract: A method including monitoring, by a first device communicating meshnet data via a meshnet connection with a second device in a mesh network, occurrence of a triggering event indicating that the first device and the second device are to communicate the meshnet data via a relay connection; determining, by the first device, occurrence of the triggering event based at least in part on a rate of communication of the meshnet data via the meshnet connection; and transmitting, by the first device to the second device based at least in part on determining the occurrence of the triggering event, a message indicating that the first device and the second device are to communicate the meshnet data via a relay connection is disclosed. Various other aspects are contemplated.

Abstract: Delivery destination designation information, pertaining to a multicast address to which per-multicast-address delivery is requested by a communication terminal connected to a receiving station, is transmitted from the receiving station to a transmitting station, the transmitting station generates a multicast delivery destination table, in which a multicast address to which the delivery is requested from the communication terminal is associated to the communication terminal, from the delivery destination designation information received from a plurality receiving stations, and the transmitting station refers to the multicast delivery destination table when performing multicast transmission via a satellite.

Abstract: A cybersecurity platform is described that processes collected data using a data model to identify and link anomalies and in order to identify generate security events and intrusions. The platform generates graph data structures using the security anomalies extended using additional data. The graph data structures represent links between nodes, the links being events, the nodes being machines and user accounts. The platform processes the graph data structures by combining similar nodes or grouping security events with common features to behaviour indicative of a single or multiple security events to identify chains of events which together represent an attack.

Abstract: A method, a device, and a non-transitory storage medium are described in which a SmartNIC-based inline secure communication service is provided. The service is provided by a SmartNIC. The SmartNIC-based inline secure communication service includes encryption and decryption of traffic originating from and destined to virtual devices of a device.

Abstract: Secure communication of payload data is provided from a server system to a destination system used by a recipient. The recipient is associated with a key pair including a public key and a private key, the private key being protected by a password or passphrase of the recipient. The server system generates and sends a conveyance message to the destination system. The conveyance message contains at least the payload data encrypted using a payload key. After receipt of the conveyance message, the destination system prompts the recipient for his or her password or passphrase. The server system uses the recipient's password or passphrase to access the recipient's private key, and then uses the private key to decrypt the encrypted version of the payload key. The server system sends the payload key to the destination system, and the destination system in turn uses the payload key to decrypt the payload data.

Abstract: Techniques for sharing private data objects in a trusted execution environment using a distributed ledger are described. The techniques described herein may enable sharing of data objects, referred to herein as private data objects (PDOs), between individuals and organizations with access and update policies mediated by execution of code (referred to herein as a “smart contract”) carried with the PDO in a secure enclave. A distributed ledger may serve as a “public commit log” to ensure that there is a single, authoritative instance of the object and provide a means of guaranteeing atomicity of updates across interacting objects.

Abstract: A computer implemented method can receive a metadata definition of a restricted measure pertaining to a database including a plurality of database tables. The restricted measure has a label, and the metadata definition includes one or more filter criteria configured to filter values contained in the plurality of database tables. In a report designer user interface for a report, the method can present the label of the restricted measure as an option based on the metadata definition. The method can receive a selection of the label of the restricted measure in the report designer user interface. Responsive to the selection, the method can link the metadata definition of the restricted measure to the report. When generated, the report requests access to the values contained in the plurality of database tables via application of the one or more filter criteria of the metadata definition.

Abstract: A permissioned blockchain is used in a lawful interception, LI, context. Participants include a law enforcement agency, LEA, function, a LI mediation and delivery function, MF/DF, and an intercepting network function. A smart contract registered in the blockchain includes conditions associated with intercept related information, IRI, and/or communication content, CC, transactions. Registration is made in the blockchain of IRI and/or CC transactions performed by the participants during LI of a communication between two entities in a telecommunication network. The registered IRI and/or CC transactions are propagated among the participants and the smart contract is executed to verify whether or not the registered IRI and/or CC transactions are compliant with the smart contract. The participants are then informed about whether or not the registered IRI and/or CC transactions are compliant with the smart contract.

Abstract: An authentication method for authenticating a wireless power transmitter to a wireless power receiver includes receiving a SSP value, an ID, and a random number RND from a wireless power receiver; determining an index based on the RND; choosing a base code from a set of base codes according to the index; determining a secure code from the base code, the index, the RND, the SSP value, and the ID; and transmitting the secure code to the wireless power receiver. A further method includes receiving a secure code from the wireless power transmitter; retrieving an index from the secure code; determining a base code from a set of base codes according to the index; calculating a second secure code; and authenticating the wireless power transmitter by comparing the secure code and the second secure code.

Abstract: Some embodiments of the invention provide a method for defining code-based policies. The method generates a policy-builder first view of a policy for display in a graphical user interface (GUI) by processing a syntax tree that is generated from a code second view of the policy. The method receives, through the policy-builder first view, a modification to a portion of the policy. To reflect the modification, the method updates a portion of the syntax tree that corresponds to the portion of the policy that is affected by the modification. Based on the updating of the syntax tree, the method updates the code second view by modifying a portion of the code second view that corresponds to the updated portion of the syntax tree.

Abstract: Aspects of the present disclosure relate to transaction security techniques. In examples, a resource platform causes a set of executable verification instructions associated with an authorization processor to be executed by a user computing device. The verification instructions may be encrypted by the authorization processor for decryption by the user computing device. The verification instructions may generate verification information associated with the user computing device. In some instances, the verification information may be encrypted for decryption by the authorization processor. The encrypted verification instructions may be provided to the authorization processor (e.g., via the resource platform), such that the authorization processor may provide an indication to the resource platform as to whether the verification is verified.

Abstract: Some embodiments described herein relate managing communications between an origin and a destination using end-user and/or administrator configurable virtual private network(s) (VPN(s)). A first VPN that defines a first data path between an origin and a destination can be defined at a first time. A second VPN that defines a second, different data path between the origin and the destination can defined at a second time. Each packet sent across the first VPN and each packet sent across the second VPN can follow the same data path for that VPN, such each packet can be sent across the first VPN or the second VPN in the order it was received, and the transition between the first VPN and the second VPN can be “seamless,” and communications between the origin and the destination are not disrupted between the first time period and the second time period.

Abstract: The present disclosure discloses a compiling system for a compiling system and a compiling method for a programmable network element.

Abstract: The present embodiments relate to systems and methods for using a blockchain to record information related to the lifecycle of a vehicle associated with a Vehicle Identification Number (VIN). For example, the VIN lifecycle process may be used to develop safety-feature based insurance models. The systems and methods may include calculating a safety rating for a safety feature based upon data accessed at a blockchain. The safety rating may be used to generate a product associated with a new vehicle type, such as an insurance product covering the new vehicle type. The systems and methods described herein may allow for using a blockchain which gives the option for private information, and permissioned participants in the blockchain. In particular, the systems and methods may allow for a distributed consensus amongst businesses, consumers, and authorities, as to the validity of information and transactions stored on the blockchain.

Abstract: A conversion device analyzes an input packet and acquires header information included in the packet. Furthermore, the conversion device classifies packets into one of a plurality of groups on the basis of the acquired header information and set grouping conditions. Subsequently, the conversion device generates packets for analysis on the basis of the processing corresponding to the classified groups.

Abstract: An ultra low power network device is disclosed. The network device utilizes a Near Field Communications (NFC) tag to enable ultra low power communications with a configuration tool. The configuration tool writes information to the NFC tag that is accessible by the processing unit on the ultra low power network device. Additionally, the processing unit can write information into the NFC tag that is readable by the configuration tool. By exchanging messaged in this manner, the ultra low power network device and the configuration tool may create a shared encryption key. The ultra low power network device utilizes this shared encryption key when transmitting BLUETOOTH® packets. The configuration tool may then transmit the shared encryption key to either another BLUETOOTH® device or to a remote server. The ultra low power network device may also periodically refresh the shared encryption key.

Abstract: A copy control device for controlling a data copy between a plurality of cloud systems each including one or a plurality of storage devices collects predetermined information for determining data duplication between storage devices, accepts a copy process request for a data copy from a storage device in a copy source cloud system to a copy destination storage device in a different cloud system, determines duplication between copy target data designated in the copy process request and data in the different cloud system on the basis of the collected predetermined information, instructs the different cloud system to copy duplicate data from the storage device having the duplicate data to the copy destination storage device, and instructs the copy source cloud system to copy remaining data of the copy target data to the copy destination storage device.

Abstract: Method for utilizing a communication line certificate corresponding to a first device and a second device for a communication line, each of the first and second devices including a hardware processor and associated memory includes: creating a unique ID, by a third electronic device; transmitting the unique ID to the first generating a digitally signed request by the first device, wherein the digitally signed request comprises a first proof of an association of the first device to the communication line; transmitting the digitally signed request to the second device; verifying the first proof by the second device to produce a first verification of the association of the first device to the communication line; and generating a digitally signed acceptance by the second device, wherein the digitally signed acceptance comprises a second proof of an association of the second device to the communication line.

Abstract: Methods, systems, and apparatus, including a method for determining network measurements. In some aspects, a method includes receiving, by a first aggregation server and from each of multiple client devices, encrypted impression data. A second aggregation server received from each of at least a portion of the multiple client devices, conversion data that includes, for each conversion recorded by the client device, encrypted conversion value data. The first aggregation server and the second aggregation server perform a multi-party computation process to decrypt the encrypted impression data and the encrypted conversion data.

Abstract: The present invention provides a debugging system, which is embedded on a forwarding path of a module and includes a service flow matching module and a service flow debug execution module. The service flow matching module receives and analyzes a message, and determines a service flow type and a debugging mean involving the message according to a dynamic service flow type association table, wherein the dynamic service flow type association table includes a corresponding service flow type and a corresponding debugging mean involving the message. The service flow debug execution module executes the corresponding debugging means for the message according to a determination result from the service flow snatching module.

Abstract: Systems, methods, and apparatus for satellite operations with a secure enclave for secure hosted payload operations are disclosed. In one or more embodiments, a disclosed method for payload operations comprises receiving, by a command receiver on a vehicle (e.g., a satellite), host commands from a host spacecraft operations center (SOC). The method further comprises reconfiguring a host payload on the vehicle according to the host commands. Also the method comprises transmitting, by a telemetry transmitter on the vehicle, host payload telemetry to the host SOC. In addition, the method comprises receiving, by a payload antenna on the vehicle, hosted commands from a secure enclave of the host SOC. Additionally, the method comprises reconfiguring a hosted payload on the vehicle according to the hosted commands. Further, the method comprises transmitting, by the payload antenna, host payload data, hosted payload data, and hosted telemetry to the secure enclave of the host SOC.

Abstract: Disclosed here is a system and method to determine which wireless telecommunication network functionalities are impaired when using end-to-end encryption and to ameliorate the impairment of the functionality. The system receives a request from a sender device to communicate with a receiver device, where the request indicates whether the sender device is capable of an end-to-end encryption. The system determines whether the receiver device is capable of the end-to-end encryption, and whether the receiver device is associated with a functionality provided by a wireless telecommunication network that is impaired when the end-to-end encryption is used. Upon determining that the receiver device is not capable of the end-to-end encryption or that the receiver device is associated with the functionality that is impaired, the system performs an action to ameliorate the impairment to the functionality.

Abstract: Special performance standby nodes for data storage in a cloud computing security system are disclosed. Performance standby nodes are standby nodes that are configured to service requests that do not modify the underlying data store. These pseudo read-replica nodes are further configured to forward any request that results in a storage write onto an active node, while being able to service read-only requests locally.

Abstract: A robot system includes: a robot; a plurality of operation terminals that receive an input of a password for acquiring operation authority of the robot and an operation input for operating the robot from a user; and a robot controller communicable with the operation terminals. The robot controller drives, in a controlled manner, the robot according to operation from a single operation terminal among the operation terminals. The robot controller includes a password storage unit that stores a password for granting operation authority of the robot to the operation terminal. The robot controller further includes an operation authority grant processing unit that grants operation authority of the robot to a single operation terminal to which a proper predetermined password stored in the password storage unit is first input in a state in which operation authority of the robot is not granted to any operation terminal.

Abstract: A method for acquiring and disseminating network node characteristics to enable policy decisions including receiving a resolution request from one or more clients in a network environment. Information, for example, network address, is then acquired from one or more sources regarding a specific location in a network, for example, a network node. A list of the network addresses is then generated and ranked based on one or more parameters that merit making traffic handling decisions. The network addresses are then associated with a host name on at least one directory server and then propagated to the one or more clients.