Abstract: Techniques are disclosed for migrating data objects stored by the source DDOS from the source DDOS to the target DDOS while at least the source DDOS is live and available to process requests for access to the data objects being migrated. The techniques also provide eventual consistency between data objects that are created, updated, or deleted in the source DDOS that are applicable to the migration and that occur while the migration is being performed.

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices across domains. Attestation information for an attester node in a first domain is received at a verifier gateway in the first domain. The attestation information is translated at the verifier gateway into translated attestation information for a second domain. Specifically, the attestation information is translated into translated attested information for a second domain that is a different administrative domain from the first domain. The translated attestation information can be provided to a verifier in the second domain. The verifier can be configured to verify the trustworthiness of the attester node for a relying node in the second domain by identifying a level of trust of the attester node based on the translated attestation information.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may transmit to a base station (BS), information indicating a medium access control (MAC) security capability of the UE. The UE may receive from the BS, a communication that includes an indication of a MAC security configuration for communications between the UE and the BS. The indication of the MAC security configuration may be based at least in part on the MAC security capability of the UE. Numerous other aspects are provided.

Abstract: An information processing apparatus includes a normal user interface (NUI) functional unit, a secure user interface (SUI) functional unit having a protection level higher than that of the NUI functional unit, and an input/output unit that receives an input of information and displays and outputs the information. The NUI functional unit causes the input/output unit to display a NUI screen which receives an input of a query and transmits, as a query, the query input via the NUI screen to the SUI functional unit. The SUI functional unit produces a summary corresponding to the query on the basis of certification data including a query and a summary corresponding to the query and causes the input/output unit to display a SUI screen having the query and the summary.

Abstract: In a cloud-based multiple client encryption and deduplication environment, secret plaintext data of a client is encrypted to produce ciphertext in an enclave comprising a trusted execution environment which is inaccessible by unauthorized entities and processes even with administrator privileges. Encryption is performed with an initialization vector and an encryption key calculated in the enclave. The encrypted ciphertext is deduplicated prior to storage by comparing a hash of the corresponding plaintext data to hashes of previously stored plaintext data.

Abstract: According to one aspect of the present disclosure, provided is a method for providing a notary service for a file, the method comprising the steps in which: (a) when a notary service request for a specific file is obtained, a server generates, by using a hash function, or supports the generation of, a message digest of the specific file; and (b) if a predetermined condition is satisfied, the server registers, in a database, or supports the registration of, a representative hash value or a value obtained by processing the representative hash value, the representative hash value being generated by calculating at least one neighboring hash value that matches a specific hash value, wherein the specific hash value is a hash value of the result of encrypting the message digest with a private key of a first user, a private key of a second user and a private key of the server.

Abstract: A detection device includes: an object data extraction unit that extracts, from one or more pieces of communication data which are transmitted from one or more electronic control units, at least part of a payload contained in communication data that satisfies a predetermined condition, information by which the communication interval between the communication data can be calculated, and a serial number of the communication data as object data; a partial sequence creation unit that creates, using the extracted object data, a partial sequence containing information corresponding to at least part of a payload and information indicating a communication interval from two or more pieces of object data with the same serial number; and a detection unit that detects, using the created partial sequence, predetermined communication data based on the order relation between at least part of a payload and the corresponding part of another payload and a communication interval.

Abstract: Aspects discussed herein relate to providing alerts to a community of devices located in or near a geographic are such as a building or property. The alerts override any alert-inhibiting state of the mobile device to deliver audio, visual, and/or haptic alerts in emergency situations. The communication and emergency alert system may be used to communicate with many different communities of people. Moreover, certain individuals may be members of more than one community at the same time, and the communities themselves may change over time based both on the user's preferences and on their physical locations. Multiple different alerts can be sent to different mobile devices for a single event. The alerts can be customized to particular mobile devices depending on the community to which the mobile device belongs for the event.

Abstract: A technique for oblivious filtering may include receiving an input data stream having a plurality of input elements. For each of the input elements received, a determination is made as to whether the input element satisfies a filtering condition. For each of the input elements received that satisfies the filtering condition, a write operation is performed to store the input element in a memory subsystem. For those of the input elements received that do not satisfy the filtering condition, at least a dummy write operation is performed on the memory subsystem. The contents of the memory subsystem can be evicted to an output data stream when the memory subsystem is full. The memory subsystem may include a trusted memory and an unprotected memory.

Abstract: A computer-implemented method includes determining, by a processor, an authenticity of a software object and its supply chain and providing an authenticity result indicative thereof; determining, by the processor, an integrity of the software object and its supply chain and providing an integrity result indicative thereof; and determining, by the processor, from the authenticity result and the integrity result, a score indicative of an amount of trust in the supply chain of the software object and in the software object, wherein the score is indicative of an amount of trust that the software object will work correctly if installed in a system that utilizes the software object.

Abstract: An operation method of a UE in a communication system includes receiving, from a base station, a security mode command message including information requesting reporting of capability information and security configuration information; identifying the security configuration information included in the security mode command message; and transmitting, to the base station, a security mode complete message including the capability information requested by the security mode command message.

Abstract: In one aspect, a system for managing data processes in a network of computing resources is configured to: receive, from an instructor device, a parent request for execution of at least one parent data process executable by a plurality of computing resources at least one computing resource; generate at least one child request for execution of at least one corresponding child data process for routing to at least one corresponding destination device, each of the at least one child data process for executing at least a portion of the at least one parent data process, and each of the at least one child request including a respective destination key derived from at least one instructor key; and route each of the at least one child request to the at least one corresponding destination device. The at least one child request can be obtained by a supervisor server via the routing.

Abstract: Methods, computer program products, and/or systems are provided that can perform the following operations: receiving a connection request from a first user device; creating an authentication container for the first user device; authenticating the first user device using the authentication container; in response to authentication for the first user device being successful, creating a first user request processing container for the first user device; and processing user requests received from the first user device using the first user request processing container.

Abstract: Techniques for providing data protection in an integrated circuit are provided. An example method according to these techniques includes determining that an unauthorized update has been made to software or firmware associated with the integrated circuit, and corrupting an anti-replay counter (ARC) value, maintained in a one-time programmable memory of the integrated circuit and used by the integrated circuit to protect contents of a non-volatile memory, responsive to determining that the unauthorized update has been made to the software or the firmware.

Abstract: Embodiments of the disclosure relate to a memory system and an operating method thereof. The memory system may decrypt first firmware which is stored in the memory device and is encrypted using a symmetric-key encryption algorithm, with a first key stored in the memory device, may generate a second key based on second firmware, which is obtained by decrypting the first firmware, first data stored in a first area in the memory controller, and second data stored in a second area in the memory device, and may drive the second firmware when the first key and the second key are the same.

Abstract: Techniques for securing communication. The techniques include using at least one device to perform: selecting a first operation from a plurality of operations, each of the plurality of operations associated with a respective type of data to be encrypted; generating first data to be encrypted at least in part by performing the first operation; encrypting both information identifying the first operation and the first data to obtain corresponding first ciphertext; and outputting the first ciphertext.

Abstract: The present disclosure is directed to systems and methods that include a beacon that includes an antenna; data storage configured to store a code that is calculated according to an algorithm and based on a first variable, the first variable being defined according to a first interval of time; and a processor configured to cause the code to be emitted by the beacon.

Abstract: Herein are techniques for dynamic aggregation of results of a database request, including concurrent grouping of result items in memory based on quasi-dense keys. Each of many computational threads concurrently performs as follows. A hash code is calculated that represents a particular natural grouping key (NGK) for an aggregate result of a database request. Based on the hash code, the thread detects that a set of distinct NGKs that are already stored in the aggregate result does not contain the particular NGK. A distinct dense grouping key for the particular NGK is statefully generated. The dense grouping key is bound to the particular NGK. Based on said binding, the particular NGK is added to the set of distinct NGKs in the aggregate result.

Abstract: A processing system of a vehicle having at least one processor may obtain, from a network-based security system, at least a first security code, apply a hash operation to a firmware code of the vehicle in accordance with the at least the first security code to generate a first hash value, and transmit the first hash value to the network-based security system. The processing system may then obtain from the network-based security system at least a first verification code, the network-based security system providing the at least the first verification code in response to a confirmation of the first hash value, apply the at least the first verification code to a verification function, and generate a signal to enable the operation of the vehicle, in response to a positive verification via the verification function.

Abstract: According to one embodiment, an electronic apparatus used in a vehicle generates a first to fourth log of the vehicle for a first to fourth period, a first to fourth code used to validity of the first to fourth log, a fifth code used to collectively determine a validity of the first log and the second log, a sixth code used to collectively determine a validity of the third log and the fourth log, and a seventh code used to collectively determine a validity of the first to fourth logs, and transmits the first to seventh codes to a server, and transmits the first to fourth logs to the server after a transmission of the first to seventh codes.

Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.

Abstract: A hybrid device includes a plurality of diverse subsystems, including a first and a second subsystem. The first subsystem includes at least one first secured storage device configured to store a first software and a first CPU configured to boot and execute the first software. The second subsystem includes at least one second secured storage device configured to store a second software and a second CPU configured to boot and execute the second software. The first CPU is configured to generate the first hash of the first software and transmit the generated first hash of the first software to the second subsystem. The second CPU is configured to perform a first authenticity validation check on the first software using the received first hash of the first software, and generate an error signal on a condition that the first authenticity validation check on the first software fails.

Abstract: A communication network system, in which a transmission node for transmitting a message is connected to a reception node for receiving the message, is configured to periodically transmit a count-value notification message to notify a count value, which is used to generate and check a message authentication code for the message, to the transmission node and the reception node.

Abstract: Efficient uniques querying is disclosed, including: receiving a search query for a number of unique audience members across a plurality of groups of audience members; obtaining a plurality of sets of representations corresponding to respective ones of the plurality of groups of audience members; selecting at least a subset from each of the plurality of sets of representations; merging the selected at least subsets of the plurality of sets of representations into a merged set of representations; determining the number of unique audience members across the plurality of groups of audience members based at least in part on the merged set of representations; and outputting the number of unique audience members across the plurality of groups of audience members.

Abstract: Systems and methods with multiple different modes for bidirectional data transfer of messages encrypted with Random Cipher Pads (RCPs) are disclosed. A direct mode is from one single endpoint to another endpoint in a peer-to-peer fashion. A throughput mode may be configured as a communication between endpoints with a cryptographic data server (CDS) managing communications and additional encryption between the endpoints. The CDS further encrypts the messages such that there is a peer-to-peer encryption between the source endpoint and the CDS and a different peer-to-peer encryption between the CDS and destination endpoints. The throughput mode may also be configured as a broadcast communication between a sender and multiple destinations, each with its own different RCP encryption. A router-to-router mode may be thought of as a specific type of peer-to-peer transfer where the peers on each end are routers, servers, Virtual Private Network servers, and gateways rather than user endpoints.

Abstract: A terminal device, for example a 3GPP Proximity Services (ProSe)-enabled user equipment, obtains imprecise location information relating to a location of the terminal device, and transmits a proximity service discovery message, wherein the discovery message includes the imprecise location information. A second terminal device, again for example a 3GPP Proximity Services (ProSe)-enabled user equipment, receives a proximity service discovery message containing location information. The second terminal device obtains location information relating to its location, and calculates a distance from the location indicated by the location information in the received discovery message to its location. The second terminal device acts on the received discovery message only if the calculated distance is less than a predetermined distance.

Abstract: A system, method, and computer program product for collaborative online gaming, including at least one of providing a central repository master browser system; providing an experience calibrated match-making service; providing a dynamic multiplayer server component auto deployment and aggregation system; providing a lobby centric simultaneous and collaborative client game play launching feature; and providing a video game screen over-layer technology giving users access to a control interface while inside a video game being played.

Abstract: An access controller combines one or more Secure Access Modules (SAMs) or other cryptographic processors with embedded storage, individually accessible by the controller such that waiting on the reply from one of the modules does not prevent accessing the others, a host CPU, running the computer program to perform authentication and access control, and a waiting queue, possibly in system memory, to put the request in when all SAMs are used. The state of the SAMs, possibly using system memory, is tracked to be able to find a free access module or to be able to match a response to the corresponding request. One or more connections (serial, network, wireless or otherwise) are used to connect to transparent smart card readers and door controllers.

Abstract: Technologies are generally described for methods and systems effective to secure process synchronized requests after at least one secure inter-device communication link between the originating and confirming communication devices is established. A method may include forwarding, by the confirming communication device the request and receiving, by a server, a first request from the originating device and at least one second request from the confirming device. The method may also include, by the server, determining a sequence of receiving of the first and the at least one second requests and processing the requests in order to authenticate a communication device, accept or reject a financial transaction, based on the receiving sequence and receiving time difference.

Abstract: This document discloses a solution for providing channel usage information. In an embodiment, an apparatus managing a wireless network and being in an unassociated state towards an access node managing another wireless network is provided with the channel usage information. The channel usage information is provided together with a further information element enabling the apparatus to verify that the channel usage information originates from a trusted source.

Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.

Abstract: Concepts and technologies of latency sensitive tactile network security interfaces are provided herein. In an embodiment, a method can include identifying, by a tactile network interface controller, encrypted command packets that are being sent as a data stream to a tactile application. The method can include obtaining a command sequence model based on the encrypted command packets being sent to the tactile application, and decrypting at least some of the encrypted command packets based on the command sequence model, where decrypting the encrypted command packets identifies non-sequential command instructions. The method can include determining, based on the command sequence model, that at least some of the non-sequential command instructions do not conform to the command sequence model, and dropping, by the tactile network interface controller, the non-sequential command instructions that do not conform to the command sequence model from the data stream.

Abstract: A system for signaling coordinated workers in a common goal through intelligent icons transferred across networks to computer screens. The system can comprise one or more electronic data processors. The system can also include a module configured to execute on the more or more electronic data processors, where the module can be configured to display a plurality of intelligent icons, each containing authorizing information that is retained in a file associated with a authorizing entity on a computer screen. The intelligent icons can be potentially loaned to authorized individuals on a list and used to authenticate users of the system with biometric, image, machine readable codes stored surreptitiously within the intelligent icon. Also, the intelligent icon can be used for friend-foe identification in battlefield and homeland security/border control scenarios.

Abstract: Various embodiments are generally directed to techniques for dynamic resource allocation among cryptographic domains, such as with memory pages in a platform that implements a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a platform that includes a resource allocation manager (RMGR) that allows for page reassignment among cryptographically isolated virtual machines (VMs) while ensuring functional correctness with respect to integrity. In many embodiments, the RMGR may include hardware and/or software support for a new instruction that enables efficient key reassignment for memory pages.

Abstract: Systems, methods, and apparatuses for defending against cross-privilege linear access are described. For example, an implementation of an apparatus comprising privilege level storage to store a current privilege level and address check circuitry coupled to the privilege level storage, wherein the address check circuitry is to determine whether a linear address associated with an instruction is allowed to access a partition of a linear address space of the apparatus based upon a comparison of the current privilege level and a most significant bit of the linear address is described.

Abstract: Mobile collection and vetting of user supplied information is described. The systems, techniques, devices, methods, and approaches described herein can be used to obtain, validate, and vet information, such as customs information, in a mobile environment. In embodiments, methods comprise receiving information input via a mobile device. The information is encapsulated by an intermediate to escort the information through a firewall to the database. In response to vetting the information to determine if it meets one or more criteria, the method involves creating a record associated with a unique identifier, information that bio-identifies a user, or an indication of a determination that results from the vetting. In this embodiment, the method includes generating an electronic receipt for communication to the mobile device, the electronic receipt including the unique identifier.

Abstract: Output is obtained from a remote computer function on a first set of arguments. Responsive to determining that the output exhibits an error, a fixer routine, other than a retry, is applied to the arguments to produce new arguments. Output is obtained from the remote computer function on the new arguments. In a case where the output from the remote computer function on the new arguments is acceptable, the output from the remote computer function on the new arguments is used as a corresponding output from the remote computer function on the first set of arguments. These steps can advantageously be carried out without modifying program code of the remote computer function and without access to the program code of the remote computer function; for example, by a wrapper which black-box wraps the remote computer function.

Abstract: A method for saving the information security of data transmitted by a databus, in which the data to be transmitted via the databus from a transmitter (ECUs) to at least one receiver (ECUR) are divided into data blocks (M0 . . . Mn) before being sent off, wherein the data blocks (M0 . . . Mn) are encrypted and/or signed block by block by means of a sponge construction for forming a cryptological hash function, utilizing a key, and cipher blocks (C0 . . . Cn) generated in this way are transmitted via the databus to the at least one receiver. The invention also relates to a corresponding databus system.

Abstract: An evaluation apparatus that is connected to a bus used by a plurality of electronic control units that constitute an electronic control system for communication and that evaluates security of the electronic control system. The evaluation apparatus includes a transmitter that sends, to the bus, at least one attack frame including an invalidation frame for invalidating a frame on the bus, a monitor that monitors at least one of the plurality of electronic control units, and an evaluator that evaluates the electronic control system in terms of security on the basis of the result of monitoring performed by the monitor when the attack frame is sent from the transmitter to the bus.

Abstract: A method is provided for authenticating a log message in a distributed network having a plurality of nodes coupled to a serial bus. In the method, a log session is started by a first device at a first node of the plurality of nodes. A first counter value is provided by the first device to the serial bus. A log message is generated by a second device at a second node of the plurality of nodes. A second counter value is generated by the second device. A log message payload is generated for the log message, wherein the log message payload includes a log message authentication code. A computation of the log message authentication code includes the first counter value and the second counter value. The second device does not store the first counter value in a non-volatile memory on the second device.

Abstract: The embodiments herein relate to a method performed by a mobility node for handling network connections for a UE. The UE is simultaneously connected to a first gateway via a connection to a 3GPP network and a connection to a non-3GPP network. The mobility node detects that the UE has moved to another location. The mobility node selects a second gateway that the UE should be relocated to. The second gateway is closer to the UE at the other location. The mobility node transmits relocation information to the first gateway. The relocation information indicates that a gateway relocation to the second gateway is required for the UE. The gateway relocation involves deactivation of both the connection to the 3GPP and the non-3GPP network.

Abstract: Embodiments include methods, systems and computer program products for minimizing face-to-face interaction for law enforcement officers during traffic stops. Aspects include broadcasting, by a law enforcement device, a request to initiate a secure communication channel with a driver device and receiving by the law enforcement device, a notification that the driver device has accepted the request. Aspects also include initiating a video conference between the law enforcement device and the driver device over the secure communication channel and transferring, between the driver device and the law enforcement device, one or more documents over the secure communication channel.

Abstract: An anomaly detection electronic controller performs anomaly detection processing and is connected to a bus, which a plurality of electronic controllers use for communication to communicate following a Controller Area Network (CAN) protocol. The anomaly detection electronic controller includes an anomaly detection processor that performs anomaly detection processing regarding a data frame. The anomaly detection controller also includes an anomaly detection processing requester that decides an anomaly detection processing timing in accordance with a state of a vehicle in which the bus is installed when receiving the data frame, the anomaly detection processing timing being a reception timing of one or multiple fields in the data frame. The anomaly detection processor further performs the anomaly detection processing regarding the data frame at the anomaly detection processing timing decided by the anomaly detection processing requester.

Abstract: Optimizing receive side scaling (RSS) key selection is provided. Different weights are assigned to different fields of flow data corresponding to a network connection of a registered client device. A score is generated representing an amount of balanced processor loading for each RSS key corresponding to the registered client device based on the different fields of the flow data with assigned weights. A current RSS key on the registered client device is updated with an optimal RSS key based on the score corresponding to the optimal RSS key representing balanced loading of processors on the registered client device.

Abstract: In an embodiment, a computer-implemented method comprises: in response to receiving a first authentication request from one or more first computing devices, authenticating the first computing devices on behalf of a first client device using a first set of identity information; in response to authenticating the first computing devices, generating and queuing a first set of one or more transactions corresponding to at least one of the one or more first computing devices; in response to receiving a second authentication request from the first client device configured to access the first set of one or more transactions, authenticating the first client device on behalf of a second computing device using a second set of identity information that is associated with the first client device; in response to performing the second authentication service, encrypting and sending the first set of one or more transactions to the first client device.

Abstract: A configurable sponge function engine. The configurable engine includes a register having bitrate and capacity sections, each having a variable size, where a sum of the bitrate and capacity sizes is fixed. A controller generates a bitrate size indication. A configurable message processor receives an input message from an input bus, receives the size indication, fragments the input message into fragmented blocks of a size specified by the size indication, and converts the blocks to a bus width of the bitrate and capacity sizes. An iterative calculator receives the blocks, performs iterative processing operations on the blocks, and stores a result of each operation in the register overwriting a previous register value. An output adaptor receives a value stored in the register after the block corresponding to the end of the input message is processed and outputs the register value converted to have an output bus width.

Abstract: A method for providing a security environment. The method includes detecting user information from an accessory in response to detection of the accessory, performing security authentication with input security information if the user information is detected; and providing the security environment when the security authentication is successful.

Abstract: A method for determining malicious attachments on messages is described. A computing device may receive an electronic message, including one or more unopened attachments, and identify one or more characteristic values of the message header, message body, or attachments of the message. The computing device may analyze the identified characteristics and in some instances compare at least a portion of the characteristics, individually or in combination, with one or more configured thresholds of the computing device. The computing device may determine an attachment is embedded with a macro. The macro may be associated with a visual basic application (VBA) and contain malicious code. Based on the determination, the computing device may initiate a security protocol, including notification via a user interface of the device.

Abstract: An anomaly detection electronic control unit, that performs anomaly detection processing and that is connected to a bus which a plurality of electronic control units use for communication to communicate following a Controller Area Network (CAN) protocol, includes an anomaly detection processing requester that decides an anomaly detection processing timing based on an ID of a data frame acquired from the bus, and an anomaly detection processor that performs anomaly detection processing regarding the data frame at the anomaly detection processing timing decided by the anomaly detection processing requester.

Abstract: A privacy management system that is adapted for, in the course of processing a particular data subject access request, automatically determining a type of the data subject access request, such as: (1) a request to delete personal data of the requestor that is being stored by a particular organization; (2) a request to provide, to the requestor, personal data of the requestor that is being stored by the particular organization; (3) a request to update personal data of the requestor that is being stored by the particular organization; and (4) a request to opt out of having the particular organization use the requestor's personal information in one or more particular ways. After making this determination, the system may determine, based on the determined type of data subject access request, a particular workflow to follow in processing the data subject access request, and then execute the determined workflow.