Abstract: A system accesses a task log comprising text that is confidential information. The system selects a first portion of the task log. The system compares each word in the first portion with keywords that are known to be confidential information. The system determines that a word in the first portion is among the keywords. The system determines a hierarchical relationship between the word and neighboring words. The system determines that the word is associated with the neighboring words based on the hierarchical relationship. The system generates a template pattern comprising the word and one or more words associated with the word. The system obfuscates the template pattern.

Abstract: A processor for building a homogeneous dual computing system is shown. The processor has a trusted core, a normal core, and a shared cache. The trusted core has an access right to an isolated storage space of a system memory. The normal core is homogeneous with the trusted core, and is prohibited from accessing the isolated storage space. In response to a cache flush instruction issued by the normal core, the trusted core initiates and executes a second cache write-back instruction that is different from the first cache write-back instruction. According to the second cache write-back instruction, isolated data associated with the isolated storage space and cached in the shared cache is written back to the isolated storage space before being flushed.

Abstract: A system and method that detects malicious account creation in a web-based platform. A method includes detecting suspicious events associated with an account creation process using a username classifier that evaluates a username used to create a new account, an IP address classifier that evaluates an IP address used to create the new account, and a domain classifier that evaluates a domain from an email address used to create the new account; analyzing each detected suspicious event with a density analysis classifier to determine if each detected suspicious event comprises a malicious event based on a density of detected suspicious events from a collections of account creation processes; and determining an alert condition based on at least one malicious event detection.

Abstract: A secure computing control method, a data packet processing method and device, and a system thereof are disclosed. The secure computing method may include: receiving a first data packet message for secure computing from a processor, the first data packet message including data packet information and secure computing configuration information corresponding to the data packet information; acquiring corresponding first data packet data from a memory according to the data packet information of the first data packet message; selecting a corresponding security algorithm according to the secure computing configuration information corresponding to the first data packet message; performing secure computing on the first data packet data by the selected security algorithm to generate secure computed second data packet data and a second data packet message corresponding to the second data packet data; transmitting the second data packet data to the memory; and transmitting the second data packet message to the processor.

Abstract: A communication system and a computer-implemented method for recording and retaining live share AV content and annotations, comprising: a system and method for provide one or more live AV content feeds to one or more computing devices as a live share, wherein the parties involved in the live share can annotate the live AV content in real-time; recording the annotations in real-time in a synchronized temporal and spatial state, such that when the live share AV content is played back, the annotations are reproducible exactly as when originally made to the AV content during the original live share, including at the same points in time and location as in the original live share experience. The communication system can be arranged to capture and retain information about each live share participant that contributed to an annotation.

Abstract: A system for providing a geofence service is disclosed. The geofence service receives an encrypted geospatial index for a specified geofence based on application of a hash function to respective ones of a plurality of locations for the specified geofence in accordance with a secret key that is unknown to the geofence service. The geofence service stores the encrypted geospatial index to a data store according to a geofence identifier for the specified geofence. The geofence service receives an encrypted device location identifier generated based on application of the hash function to a representation of a current location of a user device in accordance with the secret key. The geofence service determines whether the user device is located in a location of the plurality of locations based on a query of the encrypted geospatial index according to the encrypted device location identifier.

Abstract: A data sending method and apparatus and a data receiving method and apparatus for resisting network communication monitoring, wherein the data sending method including: acquiring a target packet; adding an encapsulation header into the target packet and encrypting application data in the target packet to obtain a to-be-sent packet; constructing a confusing packet, the header of the confusing packet being different from the header of the to-be-sent packet at a preset position; and sending a mixed packet of the to-be-sent packet and the confusing packet. In the present disclosure, a communication source hides a data packet to confuses probes, adds an encapsulation header on the basis of the data packet, hides the data packet in a large number of similar packets in a network, and makes an encryption in combination with a mature encryption technology, thereby effectively resisting malicious network communication monitoring and preventing eavesdropping of network communications.

Abstract: Transitioning leadership in a cluster of nodes, including: initiating, by two or more nodes among a cluster of nodes, a leadership transition, wherein: a first node transmits a first secret key identifier to each of the other nodes in the cluster of nodes; and a second node transmits a second secret key identifier to each of the other nodes in the cluster of nodes; updating, by each node and based at least in part on a resolution policy, the current secret key identifier to be the second secret key identifier instead of the first secret key identifier; and transitioning, based at least in part on the second secret key identifier being selected to be the current secret key identifier, the second node to be a leader node of the cluster of nodes.

Abstract: In embodiments of the present invention, methods are provided for maintaining a plurality of public addresses and a plurality of virtual representations and digital tokens of a plurality of items where each digital token is cryptographically linked to a respective instance of the item represented by the virtual representation. A request may be received to participate in a transaction for an item represented by a specific virtual representation and a transfer request received to transfer the specific digital token to a different user, where the transfer request includes a digital-token identifier that identifies the specific digital token and a public address of the different user, and a token validation and redemption process is completed.

Abstract: A vehicle control system (VCS) for a vehicle may include an in-vehicle bus and an intrusion detection system (IDS). The IDS may: calculate a planned output of the vehicle based on a message of a message stream received from at least one electronic control unit (ECU) coupled to the in-vehicle bus, calculate a reachable set based on an uncertainty metric, and identify an intrusion of the VCS based on a comparison of the planned output and the reachable set.

Abstract: An encryption method applied to an encryption system is disclosed. The encryption system includes a transmission module, an encryption module and a memory. The memory contains n data, where n is an integer and n?0, and the n data are encrypted by the encryption module. The multiple encryption method includes: via the transmission module, receiving an encryption request and an n+1th data; storing the n+1th data in the memory; via the encryption module, according to the encryption request, encrypting the n data and the n+1th data to form an encrypted data.

Abstract: A method is described for biometric enrolment of a biometrically authorisable device having a biometric sensor for identification of an authorised user and a processor capable of permitting access to one or more secure feature(s) based on authentication of the user's identity. The enrolment method includes mounting the biometrically authorisable device to a holder in order to form an enrolment system arranged to be delivered to the end user by mail. The holder has a power source such that during delivery the supply of power is deactivated and the holder includes a switching arrangement configured to activate the supply of power in response to manipulation of the holder. The enrolment system is delivered to the user and the supply of power is activated in response to manipulation of the holder by the user.

Abstract: Disclosed herein are an apparatus and method for providing sensor data in a sensor device based on a blockchain. A method for providing sensor data in a sensor device based on a blockchain may include creating a device record using encrypted device identification information, registering the device record in the blockchain, creating an event record using event information collected from a sensor, registering the header of the event record, including information about a link to the device record, in the blockchain, and distributing the body of the event record, the body being linked to the header of the event record.

Abstract: An intelligent key device and a verification method therefor. The verification method comprises: determining the type of an instruction by means of an intelligent key device; determining a key area according to the type of the instruction; acquiring a biometric verification identifier corresponding to the key area; determining, according to the biometric verification identifier, a biometric verification mode corresponding to the key area; and executing a corresponding operation according to the biometric verification mode. According to the present invention, a user can realize multiple verification modes of biometric features according to a key area in the process of performing verification using the intelligent key device, such that different verification requirements of the user for the key used in different application scenarios are met.

Abstract: Data is encoded to be incrementally authenticable. A plaintext is used to generate a ciphertext that comprises a plurality of authentication tags. Proper subsets of the authentication tags are usable to authenticate respective portions of plaintexts obtained from the ciphertext. Portions of the plaintext can be obtained and authenticated without decrypting the complete ciphertext.

Abstract: Method for authenticating at least one ventilator with at least one remote station, wherein the ventilator can connect itself via at least one interface to the remote station, at least one authentication file is stored on the ventilator, the authentication file contains at least one signature code of a signing authority, and a public keycode of the signing authority is known to the remote station, the ventilator sends the authentication file to the remote station when establishing the connection to the remote station, the remote station checks the signature code of the authentication file using the public keycode as to whether the signature code originates from the signing point and the ventilator is authenticated when the remote station recognizes the signature code as originating from the signing authority.

Abstract: A scheme for restoring a password-protected endpoint device (e.g., a memory device) of a computer system to an operational state from a low power state without requiring user input of a device password. A password received for unlocking the device during a boot process is stored in a secure memory. The password-protected endpoint device subsequently enters the low power state, causing it to lock. During a transition from the low power state to an operational state, it is detected that the password for the endpoint device is stored in the secure memory. The password is fetched from the secure memory and used to unlock the endpoint device, thereby restoring the endpoint device to an operational state.

Abstract: A solution is proposed for performing authentications. A corresponding method comprises storing a verification string corresponding to applying a one-way function iteratively starting from a secret string. An authentication request is received in association with an authentication string (or more) being generated by applying the one-way function iteratively starting from the secret string for a lower number of times. A result of the authentication request is determined by comparing the verification string with a comparison string being generated by applying the one-way function to the authentication string (or a few times iteratively). Corresponding computer programs and a computer program products for performing the method are also proposed. Moreover, corresponding systems for implementing the method are proposed.

Abstract: Various embodiments are described herein for systems and methods that can be used to determine a destination location in a network fabric. In one example embodiment, the method comprises receiving an application server attribute at a fabric controller from a source port, generating at the fabric controller a destination location based on the application server attribute and mapping information stored on the fabric controller, and transmitting the destination location to the source port, where the source port transmits packetized data to a destination location based on the destination location.

Abstract: Method and apparatus relating to a wireless device supporting 3GPP 4G and 5G radio interfaces and also supporting non-3GPP access, i.e., WiFi, for selecting a security gateway of a first type e.g., ePDG or a security gateway of a second type, e.g., N3IWF for accessing to the core network of first type, e.g., EPC or of a second type e.g., SGC. As the access methods via ePDG and N3IWF are not the same, the wireless device has to determine based on information obtained by a function in the network and its capabilities whether to use an ePDG or an N3IWF for untrusted non-3GPP access. The wireless device may take into account in the selection whether it is connected to the Core network over 3GPP 4G or 5G radio access network. A corresponding apparatus claim is provided.

Abstract: Systems and methods for mutual authentication of a user and a container administrator computer system. A container administrator computer system receives a request from a mobile computing device for a user to access a secure container. The request includes a user identifier. The administrator system receives a first authentication factor corresponding to the user. The administrator system authenticates the user by verifying that the first authentication factor matches a first reference authentication factor associated with the user identifier. The administrator system sends a second authentication factor associated with the administrator system to a human-machine interface associated with the secure container or the mobile computing device. The administrator system receives a notification of authentication of the administrator system using the authentication factor. The administrator system transmits an unlock signal to unlock the secure container.

Abstract: A Reference Time Scale Dissemination System (RTS-DS) is provided that includes a RTS Dissemination Data Provider (RTS-DDP) and a User Terminal. The RTS Dissemination Data Provider is equipped with a radio receiver designed to receive radio signals and to compute a RTS-DDP Computed Time Scale based on received radio signals. The User Terminal (UT) is equipped with a Radio Receiver designed to receive radio signals and to compute a UT Computed Time Scale based on received radio signals, and with a Clock Device designed to be locked to the UT Computed Time Scale and to provide a UT Local Time Scale resultingly locked to the UT Computed Time Scale.

Abstract: A system for bidirectional device authentication between two computing devices is disclosed. A first processor generates a first random number sequence, performs a first operation on the first random number sequence to determine a first table address, and retrieves a first entry in the first table based on the first table address. The processor also executes a first transformation function on the first entry to generate a first transformed entry, transmits the first random number sequence to the second computing device, receives an encoded entry from a second computing device in response to transmission of the first random number sequence, and decodes the encoded entry to determine a second transformed entry. The first transformed entry matches the second transformed entry, and the first processor performs an update to a dynamic table by replacing each entry of the dynamic table with an associated transformed entry.

Abstract: A method for maintaining an availability of a storage system, the method may include obtaining, by a control module of the storage system, problem related information generated by one or more compute nodes of the storage system, the problem related information is indicative of one or more problems associated with an execution of one or more storage operations; determining, by the control module and based on the problem related information, whether to forbid an execution of a storage operation of the one of more storage operations; and updating, by the control module, and based on the determining, a forbidden storage operation data structure that is accessible to the compute nodes of the storage system.

Abstract: An apparatus may include a pipeline circuit configured to process packets and an authentication engine configured to authenticate packets and to provide an authentication signal to the pipeline circuit based on whether packets have been authenticated. The apparatus may further include a control circuit configured to route a given incoming packet to both the authentication engine and to a bypass path. The bypass path may be configured to provide a copy of the given incoming packet to the pipeline circuit to bypass the authentication engine.

Abstract: Methods and systems for a browser extension system are disclosed. In some embodiments, a browser extension server includes a communication device configured to communicate with a first computing device executing a browser extension application and a web browser application and a second computing device executing an authentication application. The browser extension server further includes a memory storing instructions, and a processor configured to execute the instructions to perform operations. The operations may include receiving from the first computing device an indication of a financial service account associated with the first computing device, detecting a payment field in a web page provided by the computing device through the web browser application and, in response, generating a secure token mapped to the financial service account.

Abstract: A method for utilizing a registration authority to facilitate a certificate signing request is disclosed. In at least one embodiment, a registration authority computer may receive a certificate signing request associated with a token requestor. The registration authority may authenticate the identity of the token requestor and forward the certificate signing request to a certificate authority computer. A token requestor ID and a signed certificate may be provided by the certificate authority computer and forwarded to the token requestor. The token requestor ID may be utilized by the token requestor to generate digital signatures for subsequent token-based transactions.

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, when a new certificate is generated, a certificate template is used to apply various settings and policies for the new certificate. In various examples, templates may be used to establish default values, enforce required and optional values, place restrictions on one or more data fields, and enforce signature requirements. In some embodiments, the template establishes rules for rejecting certificate requests that don't conform to the template.

Abstract: A method is provided. The method includes receiving a request message, the request message relating to a transaction between a first client and a second client, the request message including first client data and second client data, the first client data identifying an account to be used by the first client in the transaction, the second client data indicating if the second client is subscribed to a service. The method further includes determining if the second client is subscribed to the service, and generating an authentication request message if the second client is not subscribed to the service, the authentication request message requesting confirmation that a holder of the account is the first client. The method further includes sending the authentication request message, and receiving an authentication response message from the external server in response, the authentication response message including an indication whether the holder is the first client.

Abstract: The present invention is the invention for providing a guidance service by using a robot. For example, the robot may provide the guidance service in an airport. The robot may receive a destination, acquire a movement path from a current position to the destination, and transmit the movement path to the mobile terminal. The mobile terminal may receive the movement path from the robot and display a guidance path representing a movement path and a user path representing a position movement of the mobile terminal and overlapping the guidance path.

Abstract: Provided is an electromyogram (EMG) signal-based user authentication apparatus and method. The apparatus includes an EMG signal receiver configured to receive an EMG signal measured using an EMG sensor, a pre-processor configured to remove a partial signal from the received EMG signal according to a preset frequency band, and a controller configured to authenticate a user by comparing a pre-stored EMG signal with the EMG signal in which the partial signal has been removed.

Abstract: An electronic device may include a printed circuit board having a physically unclonable function (PUF) source. The electronic device may also include an integrated circuit (IC) chip positioned on the printed circuit board, and the first PUF source may be embedded in or formed on the printed circuit board external to the IC chip. The IC chip has processing circuitry that is configured to determine PUF data based on the PUF source. The processing circuitry is further configured to determine a cryptographic key or authentication token based on the PUF data and to perform at least one secure operation using the cryptographic key or authentication token.

Abstract: A data storage device including a non-volatile memory and a micro-controller is provided. The non-volatile memory stores a firmware file. The micro-controller is coupled to the non-volatile memory, and performs an encryption procedure on the firmware file. The encryption procedure includes: using a first key and a first algorithm to encrypt the firmware file to generate a signature, using the first key and a second algorithm to scramble the signature to generate a scrambled signature, and attaching the scrambled signature to the firmware file.

Abstract: A system and method for at least partially completing a user profile. The method includes analyzing the user profile to identify at least one missing informational element in the user profile, wherein identifying the at least one missing element further comprises determining at least one concept based on the user profile and matching the determined at least one concept to a plurality of category concepts, each concept including a collection of signatures and metadata describing the concept, wherein each category concept is associated with at least one required informational element, wherein each missing informational element is one of the at least one required informational element that is not included in the user profile; sending a query for the missing informational element; and updating at least a portion of the user profile based on a response to the query.

Abstract: Disclosed are various examples for multi-party authentication and authentication. In one example, a user can gain access to secured data stored by a managed device based on the presence of the minimum quantity of other users within a threshold proximity of the user who desires access.

Abstract: Data messages such as data packets in an IPv4 or IPv6 format are processed with a view to compression/decompression, using information obtained from sources other than the field data packet itself, or the stream to which it belongs. This may involve additional dynamic processing defined in specifications identified by a shared marker, or obtained from an additional data source such as a static file, database application or the like. Embodiments described herein enhance this approach with a dynamic determination of data components.

Abstract: An example operation may include one or more of connecting to a blockchain configured to store transactions executed by the participating node, executing a transaction to produce a transaction trail, assigning a transaction identifier (ID) to the transaction, generating a transaction tag based on the transaction ID, and sending to the blockchain the transaction tag and the transaction trail to be entered into the blockchain.

Abstract: An information processing apparatus includes an acquisition unit that acquires first communication information for connecting with an apparatus via a first network and second communication information for connecting with the apparatus via a second network, a determination unit that determines whether communication between an information processing apparatus and the apparatus via the first network based on the first communication information is possible, a connection unit that connects the information processing apparatus with the apparatus via the second network based on the second communication information when the communication via the first network is impossible, and a request unit that transmits a processing request to the apparatus via the first network when the communication via the first network is possible, and transmits the processing request to the apparatus via the second network when the information processing apparatus is connected with the apparatus via the second network.

Abstract: In various embodiments described herein, a content extension and programming interface enable third-party content extensions to supply transformation and filtering actions and associated criteria to native web clients on a system. In one embodiment, the native web client loads data for a third-party content filtering, blocking, or transformation extension and conducts extension defined actions without requiring additional intermediation by the third-party content. In one embodiment, a third-party application downloaded to a mobile or handheld device can include an extension data object that provides actions and triggers that are loaded by a native web client of the system. The third-party application is not required to execute continuously and can exit or be terminated once the web client retrieves the extension data object.

Abstract: Systems and methods are provided for a network appliance comprising a plurality of virtual private network nodes operating on the network appliance, each virtual private network node being configurable to connect to selectable virtual private network end points in an on-demand computing network. A web interface is configured to connect a client device to the network appliance and to identify a selected virtual private network end point, where the client device is connected to a particular one of the virtual private network nodes and the particular virtual private network node is connected to the selected virtual private network end point based on interactions with the web interface.

Abstract: Blockchain-based, smart contract platforms have great promise to remove trust and add transparency to distributed applications. However, this benefit often comes at the cost of greatly reduced privacy. Techniques for implementing a privacy-preserving smart contract is described. The system can keep accounts private while not losing functionality and with only a limited performance overhead. This is achieved by building a confidential and anonymous token on top of a cryptocurrency. Multiple complex applications can also be built using the smart contract system.

Abstract: A text comparison method is adapted for comparing a query file with an existing file. The text comparison method includes: converting the existing file, by an irreversible method, to obtain a first intermediate file, wherein the first intermediate file includes a plurality of characters, and a number of different characters of the plurality of characters is a predetermined value; receiving a second intermediate file which is a file converted from the query file by the irreversible method; and according to a predetermined string length, comparing the second intermediate file with the first intermediate file by a high repeating-character comparison method to output a comparison result. Therefore, the second intermediate file can be created offline and then only the second intermediate file but not the original query file is submitted through internet for private text comparison.

Abstract: A system and method to access one or more insights to display in a context-specific display pane based on PIM application context data, filter the one or more insights to display in the context-specific display pane, and display the filtered one or more insights in the context-specific display pane.

Abstract: A network device may receive, from a first network, a network packet of a first network packet type that encapsulates a fragment of a second network packet of a second network packet type, where the network packet is part of a flow of a plurality of network packets of the first network packet type that encapsulates fragments of the second network packet, and where the network packet includes a flow label that indicates a source port for the second network packet. The network device may perform an anti-spoof check on the fragment of the second network packet based at least in part on the source port for the second network packet that is indicated by the flow label of the network packet. The network device may, based on the fragment passing the anti-spoof check, forward the fragment of the second network packet to a second network.

Abstract: A System-on-Chip (SoC) performs secure communication operations. The SoC may include a peripheral interface configured to communicate with a host system. The SoC may also include a network interface configured to receive network packets in a secure communication session. The SoC may further include a processor configured to execute an Operating System (OS) software and a secure communication software stack to process at least one received network packet in the secure communication session. In addition, the SoC may include a secure communication engine configured to perform cryptographic operations and generate at least one decrypted packet in the secure communication session. The at least one decrypted packet may be provided to the host system via the peripheral interface.

Abstract: Plugins are authenticated for purposes of accessing and using application program interfaces (APIs) of a management service of a virtualized computing environment. In an authentication process, each plugin is associated with a session ticket that is unique to the plugin. The session ticket may be in the form of a single-use token that has a finite duration, and which may be used by the plugin to establish a session with the APIs of the management service. Because of the single-use and finite duration constraints of the token, the plugin is unable to use the token for other sessions and other plugins are also unable to use the same token to conduct their own sessions with the management service.

Abstract: Software for immutably storing computational determinations using distributed ledgers. The software performs the following operations: (i) receiving an indication that a first computational model is ready to be deployed; (ii) storing a copy of the first computational model in a first distributed ledger; (iii) computing a hash of the first computational model using a cryptographic hash function; (iv) receiving an indication that a second computational model has been used to produce a first computational determination; (vi) receiving a hash of the second computational model; and (vii) in response to determining that the hash of the second computational model matches the hash of the first computational model, storing a record of the first computational determination in a second distributed ledger, wherein the record of the first computational determination identifies the second computational model as being the first computational model and includes the hash of the first computational model.

Abstract: A method for authorizing access includes generating a public identity parameter and a private identity parameter for each server, and using the public identity parameter of a first server indicated by a first credential from a resource owner to perform identity encryption on the first credential and a first random parameter so as to generate and transmit a first request message to the first server. The private identity parameter is used to decrypt the first request message. The public identity parameter of a second server indicates by the second credential to perform identity encryption on the second credential and a second random parameter so as to generate and transmit a second request message. The second server uses the private identity parameter to perform decryption on the second request message, and the method determines, according to the decrypted second credential, a resource to be provided to the client.

Abstract: An aspect of performing logical validation on loaded data in a database includes a rule engine configured to, in response to an addition or update of a new rule for logical validation, determine a delta rule that includes a delta part of the new rule with respect to existing rules. An aspect also includes an object container containing object instances that have been validated using the existing rules. The object instance contains only data related to the existing rules and extracted from the database. An aspect further includes a validation engine configured to, upon determining that the delta rule relates to extra data other than the data contained in the object instance, extract the extra data from a database and add it to corresponding object instances, and use at least a part of the new rule to perform logical validation on the relevant object instances in the object container.

Abstract: The present disclosure provides a method of embedding finer grained information such as user identity and application identity in IPv6 addresses used for end-to-end communications within a network. The finer grained information can be used for improved policy enforcement within the network. In one aspect, generating an address for an end-to-end communication within a network, the address including a user identifier and an application identifier for network policy enforcement; assigning the address to an application used in the end-to-end communication; and performing network segmentation and the network policy enforcement within the network using the address.