Abstract: A system and method for encrypting portions of data for storage in a remote network have been provided. The system comprises a memory with instructions executable by a processor to receive data for forwarding to a server device, wherein the received data comprises an indication of one or more portions of the received data to be encrypted; identify a portion comprising the one or more portions of the received data based at least in part on the indication; encrypt the identified portion of the data; generate a payload that comprises the encrypted portion and one or more unencrypted portions of the received data; and transmit, to the server device, the payload.

Abstract: Techniques for computer security, and more specifically timestamp-abased authentication, are described. Some implementations provide an authentication method that utilizes an authentication process that is shared as a secret between a first and second computing system. The process provides as output a number that is based on a timestamp. The first computing system executes the authentication process using a timestamp obtained from its clock. The resulting number is transmitted to the second computing system, possibly along with other authentication data, such as a username and/or password. In response, the second computing system executes the authentication process using a timestamp obtained from its clock. If the numbers generated by the first and second computing systems match, the first computing system is authenticated.

Abstract: Disclosed are examples of decentralized systems and related apparatus, devices, computer program products, and methods for secure access of digital content. In some implementations, a first request from a client to access encrypted digital content includes a call on a digital contract. The call passes an ephemeral key set encrypted with a public key of a consumer. A transaction identifying the first request in association with the encrypted ephemeral key set is recorded in the digital contract. The transaction is identified by a transaction identifier (ID), which is sent to the client. A second request from the client includes: an authorization token including the transaction ID, and a signature of the consumer. Authorization of the consumer is verified based on the authorization token. A transaction identifying one or more keys is recorded in the digital contract. The digital content can be re-encrypted and sent to the client.

Abstract: In one implementation, a computer-implemented method includes receiving, at a computing device and from a computer server system, digital content that is for sale and that is received without having yet been purchased by a user of the computing device; storing the digital content locally on the computing device in a manner that prohibits user access to the digital content; after storing the digital content: receiving user input that indicates the user is purchasing at least a portion of the stored digital content; and in response to the received user input, storing information that indicates the user purchased the portion of the digital content and providing the user with access to the purchased portion of the digital content; and in response to detecting that the computing device is communicatively connected to the computer server system over a network, providing the stored information to the computer server system.

Abstract: A method for managing security settings of a print device using a lockdown mode includes receiving a request for enabling a lockdown mode. The lockdown mode prevents modifications to configurations of one or more components of the print device. The method further includes activating the lockdown mode. Activating the lockdown mode includes modifying a plurality of security settings corresponding to lockdown configurations of the one or more components of the print device, and disabling one or more modes that a user may use to modify the plurality of security settings. The method includes storing the plurality of security settings and the associated lockdown values in a security module, performing a compliance check to detect if current values associated with the plurality of security settings have changed by comparing to the lockdown values, and performing a remediation action in response to detecting that the one or more security settings have changed.

Abstract: Techniques are disclosed for implementing scalable port range policies across a plurality of categories that support application workloads. In one example, a policy agent receives, from a centralized controller for a computer network, a plurality of policies. Each policy of the plurality of policies includes one or more policy rules, and each of the one or more policy rules specifies one or more tags specifying one or more dimensions for application workloads executed by the one or more computing devices and a corresponding port range. The policy agent assigns, based on a policy rule, a port range specified by the policy rule to objects of the one or more computing devices that belong to categories described by the one or more dimensions of the one or more tags of the policy rule. The categories support the application workloads and are assigned to the tags by a centralized controller.

Abstract: The present disclosure relates to systems and methods for communicating over a IoT network, including encrypting and decrypting communications of data over the network for providing enhanced security. The following also discloses systems for IoT device initialization, automation, data capture, security, providing alerts, personalization of settings, and other objectives described in the disclosure. Methods of establishing and monitoring IoT network communications is also disclosed.

Abstract: Access between a plurality of nodes of the computing environment is controlled by a key server. The key server receives from one node of the plurality of nodes, a request for a shared key, in which the shared key is created for a selected node pair. A determination is made by the key server as to whether the one node is a node of the selected node pair. In one example, the determining checks an alternate name of the one node to determine whether it matches an alternate name associated with the shared key. Based on determining the one node is a node of the selected node pair, the key server provides the shared key to the one node.

Abstract: Systems and methods are described for receiving an input binary file, extracting character string information from the input binary file, defining search parameters to include a software name and associated software version as a name-version pair, applying the search parameters to the extracted character string information to detect instances of the name-version pair, and querying a vulnerability database based on the name-version pair to identify a vulnerability in the input binary file.

Abstract: A computer device for effecting an authentication procedure associated with a service provider or an application, including a plurality of sensors; and one or more processors in communication with the sensors and non-transitory data storage including, stored thereon, a plurality of instructions which, when executed, cause the one or more processors to perform the steps of (a) receiving an authentication procedure request; (b) determining a hierarchy of authentication processes for the authentication procedure; (c) selecting an authentication process from the hierarchy of authentication processes; and (d) executing the authentication process.

Abstract: A computing system for managing storage relative to a storage subsystem is provided. The computing system includes a processor and a first interface configured to interact with a deployed software system using a representational state transfer communication technique. A second interface is configured to interact with the storage subsystem in accordance with the representational state transfer technique. The computing system is configured to interact with the storage subsystem via the second interface in response to a request from the deployed software system via the first interface and to provide an output to the deployed software system through the first interface based on the interaction with the storage subsystem.

Abstract: Systems and methods for manufacturing Information Handling Systems (IHSs) with Operating System (OS)-specific hardware and/or firmware components. In some embodiments, an IHS may include a first Operating System (OS)-specific chip coupled to a motherboard; and an Embedded Controller (EC) coupled to the motherboard, the EC configured to execute program instructions that cause the IHS to, in response to a user interface device having a second OS-specific chip being coupled to the IHS during manufacturing of the IHS deactivate the first OS-specific chip and activate the second OS-specific chip.

Abstract: A method, a system, and a computer readable medium for determining a readiness of a computerized network against distributed denial of service (DDoS) attacks are provided herein. The system may include: an interface configured to obtain properties characterizing the computerized network; a knowledge base containing a plurality of rules taking into account DDoS risks and best practice related thereto; and a computer processor configured to: analyze the properties using the knowledge base to yield an analysis; and determine a readiness of the computerized network against DDoS attacks, based on the analysis. In some embodiments, the properties are obtained by analyzing a filled-in questionnaire relating to the computerized network under test. In other embodiments, these properties are automatically derived from databases containing data pertaining to the computerized network.

Abstract: A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

Abstract: Embodiments of the present disclosure relate to automatically and dynamically elevating permissions on a mainframe system. Initially, a user may request an elevation class which corresponds to elevated class resources of the mainframe system. The elevation class may enable the user to perform actions to datasets, files, applications, or systems of the mainframe system the user may not otherwise be able to perform. If the user has permission to the elevation class, a user identification corresponding to the user and the elevation class is registered in an elevated permission structure. An access control environment element (ACEE) is dynamically created with the elevated permission structure and the elevated class resources of the elevation class are associated with the ACEE. The user can then be validated with access to the elevated class resources. At the expiration of a limited duration of time, the elevated class resources are automatically disassociated with the ACEE.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor access to data in a secured area of memory at a hypervisor level, receive a request from a process to the data in the secured area, and deny the request if the process is not a trusted process. In an example, the electronic device is a point of sale device.

Abstract: Activity specifications of a plurality of activities to be monitored are received. Each activity specification of the activity specifications identifies properties of a corresponding activity of the activities to be monitored. A fingerprint specification of a computer security risk fingerprint is received. The fingerprint specification identifies a combination of two or more of the activities to be detected. A log of activities to identify occurrences of the activities to be monitored is analyzed. Based on the analysis, the computer security risk fingerprint in the log of activities is detected, including by detecting an occurrence of at least a portion of the combination of the activities identified by the fingerprint specification. A computer security action based on the detection of the computer security risk fingerprint is performed.

Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.

Abstract: Technologies for secure I/O with an external peripheral device link controller include a computing device coupled to an external dock device by an external peripheral link, such as a Thunderbolt link. The external dock device includes an I/O controller that receives device data from an I/O device, generates a channel identifier associated with the I/O device, and transmits I/O data that includes the channel identifier to a dock controller. The dock controller encapsulates the I/O data to generate peripheral link protocol data and transmits the peripheral link protocol data to a host controller of the computing device over the external peripheral link. The host controller de-encapsulates the peripheral link protocol data and forwards the I/O data to memory. The channel identifier may be a predetermined value associated with the I/O controller, or may include a controller identifier associated with the host controller. Other embodiments are described and claimed.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

Abstract: A storage controller that is coupled to a plurality of storage clouds is maintained. The storage controller determines security requirements for performing a selected operation in the plurality of storage cloud. A subset of storage clouds of the plurality of storage clouds that are able to satisfy the security requirements are determined. A determination is made as to which storage cloud of the subset of storage clouds is most responsive for performing the selected operation. The selected operation is performed in the determined storage cloud that is most responsive.

Abstract: In an embodiment a single user authentication event, performed between a trusted path hardware module and a service provider via an out of band communication, can enable a user to transparently access multiple service providers using strong credentials that are specific to each service provider. The authentication event may be based on multifactor authentication that is indicative of a user's actual physical presence. Thus, for example, a user would not need to enter a different retinal scan to gain access to each of the service providers. Other embodiments are described herein.

Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely be deleting the transform key—no elimination of the encrypted data, regardless of its storage location, is needed.

Abstract: A system for data processing is disclosed that includes a computing cluster allocation system operating on a processor and configured to receive a work project, to segment the work project into a plurality of tasks and to distribute the plurality of tasks to a plurality of anonymous computing units using a block chain algorithm, and a computing cluster monitor system operating on the processor and configured to receive data associated with the plurality of tasks from the computing cluster allocation and response data from the anonymous computing units and to determine whether the project has been completed.

Abstract: An example method for facilitating conflict avoidant traffic routing in a network environment is provided and includes detecting, at a network element, an intent conflict at a peer network element in a network, and changing a forwarding decision at the network element to steer traffic around the conflicted peer network element. The intent conflict refers to an incompatibility between an asserted intent associated with the traffic and an implemented intent associated with the traffic. In specific embodiments, the detecting includes mounting rules from the peer network element into the network element, and analyzing the mounted rules to determine intent conflict. In some embodiments, a central controller in the network deploys one or more intentlets on a plurality of network elements in the network according to corresponding intent deployment parameters.

Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. The cryptography service, upon receiving a request for a key, may provide a referral to another system to obtain the key.

Abstract: A system and method for early detection of a compromised client device includes a tamper detection service configured to monitor modifications to resource access privileges over time to identify unusual variations in jailbreak status that indicate compromise of the client device. For example, the tamper detection service may monitor the jailbreak status of system files over time to expose attempts to hide the jailbreak status of a protected resource. To validate that malware is attempting to hide the jailbreak status of a protected resources, the tamper detection process may launch multiple different resource accesses, targeting the protected resource, to determine whether different accessibility results are returned, indicating a compromised device.

Abstract: A non-transitory computer-readable medium comprising a black zone and a plurality of other electronic components for protecting a data exchange from a malicious attack on the data, that when executed on a processor, perform the steps comprising receiving a client hello message from a client, transmitting a server hello message, receiving a pre-master secret message encrypted with a server public key, storing the pre-master secret, protecting the black zone from malicious attacks on data by isolating hardware of the black zone from the plurality of other electronic components, calculating a master secret in the black zone, storing the master secret as a black key in the black zone, receiving a changed cipher specification and finished message encrypted with a session key, and transmitting a finished message encrypted with a symmetric key. The server hello message comprises a certificate.

Abstract: A secure communication between computer systems over a network, such as the Internet, is performed utilizing an enhancement to the IKEv2 key exchange protocol that provides more security by exchanging the IKE_SA_INIT messages in a secure and protected manner. Cryptographic suites are utilized to encrypt and authenticate the IKE_SA_INIT exchange messages in order to prevent cyberattacks against such a messaging protocol.

Abstract: A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.

Abstract: Accessing a security enabled application may require certain access privileges that are not readily available or associated with the application at the time a user is seeking access via a login operation. In operation, an access attempt to a security enabled application may include identifying user credentials associated with the access attempt, generating a query based on the user credentials to identify whether the user credentials are associated with a predetermined group membership. A response to the query may be received that includes group information corresponding to the user and the group information may be compared to a set of predetermined rules to determine whether the group information includes privilege rules used to grant access to the access attempt.

Abstract: A method for extracting display data from a computing resource of a computer system comprises the dynamic selection of a display capturing mode among a plurality of display capturing modes.

Abstract: According to an aspect, a system comprises at least one processor, a memory, and a non-transitory computer-readable storage medium storing instructions. The stored instructions are executable to cause the at least one processor to: receive a digital image that represents an object scanned by a detection device, determine a region of the digital image that is likely to contain an item, transform the region of the digital image to an embedding, classify, based on the embedding, the region as containing a known class of known item, and responsive to classifying the region as containing the known class of item: generate a graphical representation based on the known class of item.

Abstract: Methods, systems, and computer-readable media for optimizing web pages using a rendering engine are presented. In some embodiments, a cloud service computing platform may receive, via a communication interface and from a user device, a request for a web page. Subsequently, the cloud service computing platform may retrieve, via the communication interface, and from a server, the web page. Further, the cloud service computing platform may render, using a headless browser, the web page to identify a plurality of content parts associated with the web page. Next, the cloud service computing platform may optimize the plurality of content parts associated with the web page. Additionally, the cloud service computing platform may transmit, via the communication interface and to the user device, the plurality of optimized content parts associated with the web page. Subsequently, the user device may render the plurality of optimized content parts associated with the web page.

Abstract: Operations include extracting and presenting data associated with a media stream being transmitted from a source device to a target device. The media stream may include a stream of video frames displayed by the source device. A screen sharing application, executing on the source device, may capture the stream of video frames. The screen sharing application may transmit the stream of video frames to a target application executing on a target device. The target device (or an intermediate device) analyzes the media stream, as the media stream is received from the source device. The target device may execute pattern matching to extract information, including text, images, and audio clips from the media stream. The target device may present the extracted information or use the extracted information to perform tasks, such as filling in a form.

Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.

Abstract: A system, method and storage medium for operating a stealth mode of an emergency vehicle includes receiving input data including at least one of an input from an operator or one or more program input parameters; determining a data operation mode based on the received input data, wherein the data operation mode is one of a normal mode and one or more stealth modes; and generating a control signal based on the determined operation mode. When the data operation mode is one of the one or more stealth modes, the control signal is adapted to control a first device to suspend a transmission of at least one data group among candidate suspended data to at least one second device in communication with the first device.

Abstract: A message processing server includes a memory and a message processor. The message processor is configured to receive first data; save an identifier in association with a first-layer access restriction indicator and a first key, generate a first encrypted layer by encrypting the first data with the first key, and generate a token from the identifier and the first encrypted layer; receive second data and the token; recover the identifier and the first encrypted layer from the token; confirm that the identifier was saved in the memory in association with the first indicator; save the identifier in association with a second-layer access restriction indicator and a second key, generate a second encrypted layer by encrypting the first encrypted layer and the second data with the second key, and regenerate the token from the identifier and the second encrypted layer.

Abstract: A user device and a server conduct a secure online transaction. The user device transmits received user login and credentials to the server, as well as one or more properties of the user device, such as a list of applications stored on the user device. The server transmits one or more restrictions back to the user device, such as which ports to close, which applications to close, and what features of applications and the operating system should be limited during the transaction. After implementing the restrictions, the user device and the server conduct the online transaction. A unique ID may be transmitted throughout the transaction and the unique ID may be a hash. After the transaction, the user device purges transaction data, restores normal operation, and notifies the server. The transaction may be conducted in a second tunnel and the other communication via a first tunnel.

Abstract: There is provided an information processing device including: a user information management unit configured to set a user in a window in which an operation screen of an application is displayed and grant at least one of execution authority of the application set in the window according to the user and browsing authority of content in the window to the window.

Abstract: An image forming apparatus including a communication circuit configured to establish proximity communication with a biometric authentication apparatus, a display, and a processor configured to perform authentication processing with biological information detected by the biometric authentication apparatus is provided. The processor is configured to carry out control for reducing a quantity of light output from the display and incident on the biometric authentication apparatus during detection of the biological information by the biometric authentication apparatus when the processor receives information representing optical detection of the biological information by the biometric authentication apparatus from the biometric authentication apparatus through the communication circuit.

Abstract: Exemplary embodiments relate to techniques for improving startup times of a cloud-based virtual servers in response to a spike in service usage (although other applications are contemplated and described). According to some embodiments, in response to a request to provision a new virtual server in a cluster, high-priority services (e.g., those that enable the server to respond to system health checks or that support an application providing the service) are started while lower-priority services are delayed. In some embodiments, prior to receiving such a request, a new server may be started and then hibernated to create a “hot spare.” When the request is received, the hot spare may be taken out of hibernation to quickly bring the hot spare online. It is contemplated that the delayed-startup and hot spare embodiments may be used together to further improve performance.

Abstract: Techniques are described for responding to queries of a private database system. A request is received from a client device to perform a query of the private database system. A level of differential privacy corresponding to the request is identified comprising privacy parameters ? and ?. A set of data stored in the private database system and a set of operations corresponding to the query are identified. The set of operations comprises generating a density plot visualization for one or more subsets of the set of data. The set of data is segmented into disjoint regions. For each disjoint region, a density is identified, and the density is plotted in a differentially private density plot visualization using one or more graphical elements.

Abstract: Non-limiting example embodiments include methods and systems for acquiring private financial data from multiple disparate sources. The private financial data is normalized, aggregated, preferably enhanced, and stored in secure storage. Entitled entities may retrieve selected private financial data from that secure storage efficiently, flexibility, and rapidly. Examples of financial private data include non-liquidity destination related sources of private data as well as liquidity destination related sources. A non-limiting example of a computer-implemented, consolidated, private financial data service is based on a secure, permission-based, aggregated and consolidated data cloud, which enables provision/distribution to one or more authorized parties with legitimate interests selected portions of the consolidated, private financial data.

Abstract: An information processing apparatus includes a setting unit, an extracting unit, a transmitting unit, a receiving unit, and a display. The setting unit sets, in a first area that displays thumbnails, a second area that includes a thumbnail that is open to a person concerned among the thumbnails. The extracting unit extracts a thumbnail displayed in the second area. The transmitting unit transmits information on the thumbnail extracted by the extracting unit to an information processing apparatus used by the person concerned. The receiving unit receives information on a thumbnail that is open, from the information processing apparatus used by the person concerned. The display displays, in a third area, the thumbnail displayed in the second area and a thumbnail based on the information received by the receiving unit.

Abstract: In one embodiment, a device receives control logic programmed within at least one controller included within an industrial network. The device also determines a network topology of the industrial network, and derives a network policy for the industrial network based upon, at least in part, the control logic and the network topology.

Abstract: An endpoint and methods of operating the same. In one embodiment, an endpoint is connected to one or more sensors and/or actuators. The endpoint is also connected through a communication channel to a server. Each endpoint uses a unique identifier (“ID”) hidden within a protected boundary of the endpoint to associate with a lockless, single-writer thread on the server dedicated to the endpoint. The endpoint ID is encrypted within the protected boundary of the endpoint and is not communicated unencrypted. Furthermore, no association between the ID and private information associated with reader, analysis, or control threads at the server is available outside of a protected boundary of the server and this association is never transmitted on a communication channel. The endpoint can include one or more communication interfaces (e.g., of different modalities) to provide resilience to failures, errors, and computer network attacks.

Abstract: A method and apparatus for identifying malicious activity. At least one memory is configured to store historical communication data. At least one processor is configured to retrieve the historical communication data related to communications between a server and a plurality of clients in a system. The processor is further configured to cluster the historical communication data to group communications of the historical communication data. The processor is further configured to identify a plurality of patterns that indicate malicious activity based on the grouped communications. The processor is further configured to receive current communication data. The processor is further configured to determine whether the current communication data matches the one of the plurality of patterns.

Abstract: A computer system authenticates a logical port for a virtual machine. A logical network maintains logical network data for a logical switch having the logical port. A virtual switch identifies a logical port authentication request for the virtual machine and transfers the logical port authentication request. A logical port authenticator receives the logical port authentication request and transfers the logical port authentication request for delivery to an authentication database. The logical port authenticator receives a logical port authentication response transferred by the authentication database that grants the logical port authentication request for the virtual machine and transfers authorization data for the logical port. The virtual switch transfers user data for the virtual machine when the virtual machine uses the logical port responsive to the authorization data.

Abstract: In some implementations, a scheme for data communication in an automobile includes generating a cleartext message to be transmitted to a second ECU, generating a pseudo-random counter by applying a pseudorandom function to a counter value that is incremented for each cleartext message generated by the ECU; combining the cleartext message and the pseudo-random counter to create a randomized message; selecting from a plurality of available cryptography techniques, a selected cryptography technique; applying to the randomized message, the selected cryptography technique to create a ciphertext; and transmitting to the second ECU over the CAN bus, the ciphertext.