Abstract: Disclosed are systems and techniques for enhanced protection of cryptographic key generation in cryptographic applications. In particular, described is a method and a system that performs the method of obtaining input numbers associated with a cryptographic application, generating masking matrix based on at least one random value, obtaining masked numbers using a matrix product of the MM and the input numbers, determining a greatest common divisor (GCD) of the masked numbers, identifying a GCD of the input numbers, and using the identified GCD to generate a cryptographic key.

Abstract: A system and method for encrypting portions of data for storage in a remote network have been provided. The system comprises a memory with instructions executable by a processor to receive data for forwarding to a server device, wherein the received data comprises an indication of one or more portions of the received data to be encrypted; identify a portion comprising the one or more portions of the received data based at least in part on the indication; encrypt the identified portion of the data; generate a payload that comprises the encrypted portion and one or more unencrypted portions of the received data; and transmit, to the server device, the payload.

Abstract: Results of an authentication process are received. The authentication process allows for a graded level of authentication using a plurality of authentication types (e.g., a username/password and a fingerprint scan). Encrypted data is then accessed. The encrypted data has been encrypted using a plurality of encryption levels. The data is unencrypted based on the graded level of authentication. In a second embodiment, a system and method are provided that establish a communication session (e.g., a voice or email communication session). The communication session is between a plurality of users. During the communication session, an indication is received to change an encryption level for the communication session. In response to receiving the indication to change the encryption level for the communication session, an encryption level of the first communication session is dynamically changed from a first level of encryption to a second level of encryption.

Abstract: The system and method may assess the merchant risk level on a more continuous scale rather than a binary categorization. It may produce a continuous risk score proportional to the likelihood of a merchant being risky, effectively addressing the issue of shades of gray encountered by the traditional blacklisting approach. The continuous risk score feature provides greater flexibility as it allows the payment network to make dynamic pricing decisions (known as interchange optimization) based on the merchant risk level. Using collective intelligence from transactions across the payment network, the system and method may be able to assess the merchant risk level with high accuracy. The system and method may be particularly beneficial to small merchants with low transaction volume as even a few fraudulent transactions can easily put them in the high-risk merchant category. Further, the system and method may help payment processing networks make better decision on cross-border transactions.

Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.

Abstract: Methods and apparatus for trusted devices using trust domain extensions. The method is implemented on a compute platform including one or more devices and a set of hardware, firmware, and software components associated with a trusted computing base (TCB), including a host operating system and virtual machine manager (VMM). A device trust domain (dTD) is implemented in a trusted address space that is separate from the TCB, and one or multiple of the devices are bound to the dTD, which enables one or more virtual machines (VMs) or trusted domains (TDs) to access one or more functions provided by the bound device(s) in a secure and trusted manner. Firmware from a device is onloaded to the dTD and executed in the trusted address space to facilitate secure access to functions provided by the bound devices without using the VMM. Moreover, the VMM and any other software in the TCB cannot access data such as cryptographic keys and secrets that are employed by the dTD.

Abstract: The present application relates to a method for managing and controlling a system permission, a data center, a management and control apparatus, and a storage medium. The method for managing and controlling a system permission includes: obtaining personnel change information, wherein the personnel change information includes personal information of a changed person and information about a position change mode of the changed person; obtaining a current permission interface of the changed person based on the personal information; determining, based on the permission interface, whether the changed person has an operation permission for a current object system; if the changed person has the operation permission for the current object system, determining whether the position change mode of the changed person is transfer; sending a notification message if the position change mode of the changed person is the transfer.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first partner actor is received that includes the first token, and in response, the first partner actor is linked to the subject client in a trust stack and a second token is sent to the first actor with second permissions, the second token identifying the subject client and the first partner actor. A third request from a second partner actor is received that includes the second token, and in response, the second partner actor is linked to the first partner actor in the trust stack and a third token is sent to the second partner actor with third permissions, the third token identifying the first partner actor and the second partner actor.

Abstract: In some implementations, a system may receive a set of data intended for storage. The system may detect, within the set of data and using pattern matching, a set of potential sensitive data fields. The system may detect, using characters not included in the potential sensitive data fields, at least one non-sensitive data field included in the set of potential sensitive data fields. The system may mask first data included in the set of potential sensitive data fields other than the at least one non-sensitive data field and may refrain from masking second data included in the at least one non-sensitive data field. The system may generate a modified set of data based on masking the first data and refraining from masking the second data and output the modified set of data for storage.

Abstract: A method for converting data on a computer from an original encrypted format to a new encrypted format without exposing the data in a decrypted state during the conversion process. The computer(s) is locked during the conversion process. The computer data is now re-encrypted to the new format, the original encryption is then removed, and the new encryption software is applied. Finally, the computer with its newly-encrypted data is unlocked for normal usage.

Abstract: Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

Abstract: Exemplary systems and methods are directed to embedding data into a machine learning model. A processing device executes program code for running a machine learning model, which has a plurality of parameter values. The processing device receives a message to be embedded into the machine learning model. The message is encrypted according to a set of keys of a cryptographic algorithm. The encrypted message is converted to a corresponding binary representation. The binary representation of the encrypted message is embedded into at least one of the one or more parameters of the machine learning model. The embedding operation modifies the at least one parameter value of the machine learning model.

Abstract: Provided herein are systems and methods for sanitizing logged data packets in a distributed system prior to storing them in a remote or third-party data server. Interactions with an application are monitored and values in a data packet are extracted from the interaction. The values are classified based on a classification configuration and respective labels of the values. The values are then sanitized based on the classification to prevent exposure of secure or private data. The sanitized data packets are then logged into the remote data server. The logged data can be used to help resolve events occurring in the application. The classification configuration can be iteratively updated and the interactions repeated to capture data that was previously sanitized to aid in resolution of events. The logged data can also be used in research or analysis, such as for identifying potential improvements to the application.

Abstract: Fraud detection and response associated with various access points is disclosed. Characteristics associated with events or activity on an access point can be compared to thresholds to detect risky behavior and measures implemented in response to the risky behavior. In one instance, operations can include monitoring one or more events associated with at least one account at a financial institution, analyzing characteristics associated with a first event of the one or more events, determining whether to designate the first event or the access point as risky, and implementing one or more measures in response to a risky designation.

Abstract: In one embodiment, a system includes a computing device providing a computing environment including a number of user accounts, where each of the user accounts is assigned specified privileges to execute particular commands or programs, receiving a request to temporarily escalate privileges for one of the user accounts during a specified duration, where the request includes an identifier of the user account, requested privileges, and the specified duration, granting the requested privileges for the specified duration in conjunction with specific restrictions on one or more prohibited activities that are normally permitted for user accounts with the requested privileges, monitoring, during the specified duration, for any indication that the user account has attempted a prohibited activity, detecting an indication that the user account attempted one of the prohibited activities, and initiating an automated remediation corresponding to the indication.

Abstract: An identity verification system receives context signals from an authenticating computing device in response to a target user requesting access to a secure asset. The identity verification system identifies candidate locations for the operational context assigned to historical context signals labeled as being measured at a known location and compares the context signal to each historical signal to determine a location of the operational context corresponding to the received context signal. The identity verification system determines a match probability for the target user based on a risk score assigned to the location of the operational received context signal and grants the requesting target user access to the secured asset in response to determining that the match probability is greater than the operational security threshold.

Abstract: Embodiments of the invention relate to methods and systems for predicting what files and/or folders will be skipped during a backup based on the file system's meta-data. Various embodiments of the invention may determine based on a file system's meta-data that specific files and/or folders will not be backed up in accordance with a backup's current rules or configuration. The aforementioned information can then be used to notify a user or administrator what files and/or folders will not be backed up and based on that notification, they may make changes to the backup's current rules or configuration. This advantageously provides the user or administrator knowledge of gaps in the protection provided by a backup and the ability to configure it to meet their needs.

Abstract: Methods and apparatus consistent with the present disclosure may use instrumentation code that remains transparent to an application program that the instrumentation code has been injected into. In certain instances, data sets that include executable code may be received via packetized communications or be received via other means, such as, receiving a file from a data store. The present technique allows a processor executing instrumentation code to monitor actions performed by the program code included in a received data set. Malware may be detected by scanning suspect program code with a malware scanner, malware may be detected by identifying suspicious actions performed by a set of program code, or malware may be detected by a combination of such techniques.

Abstract: An information handling system sets up at power-on self-test, a system management interrupt based on a trap on an input/output port used for a real-time clock and detects at runtime, an operation on the input/output port. In response to detecting the operation on the input/output port, generates the system management interrupt based on the trap on the input/output port. In addition, the information handling system handles the system management interrupt by emulating the real-time clock according to the operation on the input/output port that includes determining a register that is mapped to an index associated with the operation and accessing the register and executing a function associated with the register.

Abstract: A method and a system for managing login information of a computing system during a debugging process are disclosed. The login information is composed according to a number of roles and their associated policies. Some roles have higher authorized levels to view sensitive information. To protect privacy, a technician who access the computing system will not be able to view all content of information. If this restriction prevents the technician to debug the system, the technician can request an upgrade. A new login information with a higher authorized level will be temporarily granted to the technician that allows the technician to view and access more content of information.

Abstract: In an embodiment, a method comprises detecting, by a network control entity associated with a software-defined network, a network event in the software-defined network. The network control entity determines, based on the network event, an application for installation at the network control entity or in the software-defined network. The application is automatically installed at the network control entity or in the software-defined network.

Abstract: A method for execution by one or more processing modules of one or more computing devices begins by encoding data using a dispersed storage error encoding function to produce a plurality of sets of encoded data slices arranged into a plurality of chunksets of encoded data slices. The method continues by selecting a set of storage units for storing the plurality of chunksets and assigning a distributed computing task to each storage unit of the set of storage units. The method then continues by generating a unique key set for each storage unit of the storage units, encrypting each chunkset of encoded data slices with a corresponding one of the unique key sets to produce a plurality of encrypted chunksets and sending an encrypted chunkset of the plurality of encrypted chunksets and an indication of a corresponding distributed computing task to each storage unit of the set of storage units for storage of the encrypted chunksets and execution of the distributed computing task.

Abstract: A network system is provided between at least a first client site and a second client site, the first and the second client site are at a distance from one another. A client site network component is implemented at least at the first client site, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput. At least one network server component may be configured to connect to the client site network component using the bonded/aggregated connection. A cloud network controller may be configured to manage the data traffic and a virtual edge providing transparent lower-link encryption for the bonded/aggregated connection between the client site network component and the network server component.

Abstract: An electronic device includes a network communications interface, a processor, and a memory configured to store instructions that, when executed by the processor, cause the processor to instantiate a set of processes; receive, over a network and via the network communications interface, a policy for network socket creation; receive, from the set of processes, a set of requests to create a first set of network sockets used to communicate over the network via the network communications interface; collect telemetry pertaining to a second set of network sockets used to communicate over the network via the network communications interface; allow or block creation of network sockets in the first set of network sockets, in accordance with the collected telemetry and the policy for network socket creation; and transmit at least part of the collected telemetry to a controller, over the network and via the network communications interface.

Abstract: An Authorization Verification Service (AVS) is disclosed that may be provided by an IoT/M2M service layer to registrants of the service layer for Dynamic Context Aware Authorization. The AVS may allow the IoT/M2M service layer entities to define dynamic limits for authorizing access to services or data. The limits may be set, for example, in terms of the number of allowed accesses. When an IoT/M2M registrant makes a request for data or services for which it has dynamic context aware authorization, the AVS may maintain records of the remaining accesses available.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: A method and system for processing an email having redacted content, and/or where the message content has been encrypted and recorded as encrypted, is provided.

Abstract: Methods, computer readable media, and devices for escrow of master keys and recovery of previously escrowed master keys may be disclosed. A method for escrow of master keys may include registering a root certificate authority (CA) within each of two first-party hardware security modules (HSMs), initializing each of three third-party HSMs as master escrow recovery devices, performing a bootstrap operation on an authoritative blockchain to generate three master keys, generating a first set of master key shard ciphertexts using a first one of the three master escrow recovery devices, a second set using a second one of the three master escrow recovery devices, and a third set using a third one of the three master escrow recovery devices, and storing the first, the second, and the third set of master key shard ciphertexts as opaque objects in each of the two first-party HSMs.

Abstract: A system and method for generating a column-oriented data structure repository for columns of single data types. The method includes: receiving instructions to generate a new column of a single data type for a first data structure, wherein the first data structure is a column oriented data structure; and storing, based on the instructions, the new column within the column-oriented data structure repository, wherein the column-oriented data structure repository is accessible to at least a second user account.

Abstract: Techniques for providing hybrid access control in a cloud-services computing environment are provided. In one embodiment, a method for providing hybrid access control is provided at a host computing device. The method includes obtaining access control settings including at least a first user's role-based access settings with respect to a first sub-system of a hierarchical computing-resource system. The method further includes propagating the access control settings from the first sub-system to a second sub-system; obtaining user group domains assigned to a plurality of sub-systems; and obtaining a group membership associated with the first user. The method further includes determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user's role-based access settings propagated to the second sub-system are to be adjusted; and making adjustments accordingly.

Abstract: A mobile device can receive input to execute a target application in a private session. The target application is a native application for a mobile platform of the mobile device. The private session is a native function of the mobile device configured to isolate data of the target application. In response to the input, the mobile device can configure a local resource of the mobile device to support the target application in the private session, instantiate a procedure that utilizes the local resource to isolate the data of the target application while in the private session, and execute the target application in the private session on the mobile device. The operation of the private session is transparent and undetectable to the target application.

Abstract: An illustrative embodiment provides a computer-implemented process for navigation through historical stored interactions associated with a multi-user view that receives a previously saved multi-user view, wherein the multi-user view comprises a set of artifact attributes, receives an identified filter from a user, and presents a filtered view to the user. The process further determines whether to amend the filtered view, and responsive to a determination to amend the filtered view, generates an amended view from the filtered view, and responsive to a determination to save the amended view, saves the amended view as one of a new view or an updated view.

Abstract: Distributed firewalls in a network are disclosed. Example firewall controllers disclosed herein are to instruct a first network node of a software-defined network to implement a first firewall instance of a distributed firewall, the first network node to implement the first firewall instance with a first virtual machine. Disclosed example firewall controllers are also to configure a second network node of the software-defined network to route network traffic through the first firewall instance and, after at least some of the network traffic is dropped by the first firewall instance, instruct the second network node to implement a second firewall instance of the distributed firewall, the second network node to implement the second firewall instance with a second virtual machine.

Abstract: Systems and methods for self-protecting and self-refreshing workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a workspace based upon a workspace definition; determine that a context of the client IHS has been modified; in response to the determination, terminate the workspace; and receive, from the workspace orchestration service, one or more files or policies configured to enable the client IHS to re-instantiate the workspace based upon the workspace definition.

Abstract: Provided herein are systems and methods for sanitizing logged data packets in a distributed system prior to storing them in a remote or third-party data server. Interactions with an application are monitored and values in a data packet are extracted from the interaction. The values are classified based on a classification configuration and respective labels of the values. The values are then sanitized based on the classification to prevent exposure of secure or private data. The sanitized data packets are then logged into the remote data server. The logged data can be used to help resolve events occurring in the application. The classification configuration can be iteratively updated and the interactions repeated to capture data that was previously sanitized to aid in resolution of events. The logged data can also be used in research or analysis, such as for identifying potential improvements to the application.

Abstract: An information providing system is an information providing system for selecting reference information that is appropriate when a user to perform a task related to a device works on the task, and has an acquiring unit for acquiring acquired data including first image data, in which a specific device and a specific identification label for identifying the specific device are photographed. The system also includes a first database that is built on machine learning, using a data structure for machine learning, which includes a plurality of items of training data that each include evaluation target information including image data, and a meta-ID linked with the evaluation target information. The image data includes an image showing the device and the identification label for identifying the device.

Abstract: A computing system provides clock readings from an untrusted code to trusted code, where the trusted code is executed in a secure enclave and the untrusted code is executed outside the secure enclave. The computing system allocates a pointer to shared memory that is shared between the untrusted code and the trusted code. Under control of the untrusted code, the computing system periodically writes a clock reading to the shared memory. Under control of the trusted code, the computing system reads the clock reading stored in shared memory. The untrusted code cannot determine when the trusted code reads a clock reading.

Abstract: In certain embodiments, an electronic device may include: a touch-sensitive display; a processor operatively connected to the display; and a memory operatively connected to the processor, wherein the memory stores instructions which, when executed, cause the processor to: provide, through the display, a registration screen for registering an automation in the electronic device, the automation being defined as at least one action automatically executed when a designated trigger occurs; register an action in the electronic device as a feature of the automation through the registration screen, the action being selected by a user; and when the action registered as the feature of the automation corresponds to a data reference action configured to refer to data, display guidance information for a data processing action, the data processing action being configured to output a result value by using, as a first input value, an output value output as a result of executing the data reference action.

Abstract: A computer-implemented method, computer program product and computing system for: obtaining system-defined consolidated platform information for a computing platform from an independent information source; obtaining client-defined consolidated platform information for the computing platform from a client information source; and comparing the system-defined consolidated platform information to the client-defined consolidated platform information to define differential consolidated platform information for the computing platform.

Abstract: A method in a peer-to-peer network for recording maintenance data is provided. The method comprises receiving troubleshooting summary secured data (TSSD) from a plurality of sources; entering the TSSD from the plurality of sources using a Blockchain framework, wherein TSSD from a source is entered as a unique transaction in the Blockchain framework when a set of smart maintenance keys possessed by the source authorizes the entry of the TSSD; providing a first level of controlled access to a first subset of entered TSSD to an entity possessing a first level controlled access set of keys; providing a second level of controlled access to a second subset of the entered TSSD to an entity possessing a second level controlled access set of keys; and providing a third level of controlled access to all of the entered TSSD to an entity possessing a third level controlled access set of keys.

Abstract: An information providing system is an information providing system for selecting reference information that is appropriate when a user to perform a task related to a device works on the task, and has an acquiring unit for acquiring acquired data including first image data, in which a specific device and a specific identification label for identifying the specific device are photographed. The system also includes a first database that is built on machine learning, using a data structure for machine learning, which includes a plurality of items of training data that each include evaluation target information including image data, and a meta-ID linked with the evaluation target information. The image data includes an image showing the device and the identification label for identifying the device.

Abstract: Provided is a user authentication management device including a login request receiver that receives a login request from a user from a plurality of inputters via a path corresponding to each of the plurality of inputters, an authentication scheme selector that selects any one of a plurality of authentication schemes and provides identification information of a user related to the received login request to the selected authentication scheme to perform user authentication, and a user information storage that stores a user authentication result received from the selected authentication scheme as user information related to the user, in which the authentication scheme selector selects an authentication scheme predetermined corresponding to a path through which the login request is received.

Abstract: In some examples, in response to a request from a client device for information relating to a transaction stored by a blockchain, a system identifies, using information stored in a distributed storage system that stores data for the blockchain, multiple data owner entities from which permissions are to be obtained for access of the information, and determines an authorization requirement for the information based on a smart contract. The system sends authorization information based on the authorization requirement to trigger a retrieval of authorization tokens from the identified data owner entities for access of the information, and sends the information to the client device in response to receiving the authorization tokens.

Abstract: The present invention relates to methods, processes, and systems for monitoring security policy violations in a computer network. Details of such monitoring include creating a rule according to a security policy, determining if the rule is violated by a value of a variable, and recording security events and comparing the number of events to a threshold.

Abstract: Technologies are shown for trust delegation that involve receiving a first request from a subject client and responding by sending a first token having first permissions to the subject client. A second request from a first actor includes the first token and responding involves linking the first actor to the subject client in a trust stack and sending a second token to the first actor with second permissions, the second token being a first complex token that identifies the subject client and the first actor. A third request from a second actor includes the second token and responding to the third request involves linking the second actor to the first actor in the trust stack, and sending a third token to the second actor partner with third permissions, the third token being a second complex token that identifies the first actor and the second actor.

Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

Abstract: A computing system may include a server, and a client computing device in communication with the server and operating a local mobile OS. One of the client computing device and the server may be configured to compare a notification message with a database of flagged terms to determine whether the notification message includes a flagged term. If the notification message includes the flagged term and the local mobile OS is in a locked state, the notification message is revised by replacing the flagged term with a placeholder term, and the revised notification message is displayed on a display.

Abstract: A content model data base stores past target information, which includes past first video information acquired in advance, reference IDs, which are linked with the past target information, and which correspond to contents, and three or more levels of degrees of content association between the past target information and the reference IDs. A first acquiring unit acquires the target information from a user terminal, a first evaluation unit looks up the content model database and acquires ID information, which includes the degrees of content association between the target information and the reference IDs, and a judging unit judges the ID information. Contents that correspond to the ID information are output to the user terminal based on the result of judgment by the judging unit.

Abstract: A content model data base stores past target information, which includes past first video information acquired in advance, reference IDs, which are linked with the past target information, and which correspond to contents, and three or more levels of degrees of content association between the past target information and the reference IDs. A first acquiring unit acquires the target information from a user terminal, a first evaluation unit looks up the content model database and acquires ID information, which includes the degrees of content association between the target information and the reference IDs, and an output unit outputs the contents corresponding to the ID information. After the output from the output unit, the ID information, acquired by the first evaluation unit, is stored in an ID history unit.

Abstract: A method for wrapped keys with access control predicates includes obtaining a cryptographic key for content. The method also includes encrypting the content using the cryptographic key and generating an encryption request. The encryption request requests that a third party cryptography service encrypts an encapsulation of the cryptographic key and an access control condition governing access to the content. The method also includes communicating the encryption request to the third party cryptography service. The encryption request includes the cryptographic key.