Abstract: A method and system for securing an operating domain that spans one or more distributed information technology networks is disclosed. In the present invention, a state machine reference monitor, comprising a monitor port operatively connected to one or more network traffic capture devices positioned across a distributed network of an operating domain, with each traffic capture interception network device in communication with a central server. Each interception network device along with the central server having a processor and a memory comprising instructions, which when executed by each device processor perform the method of extracting logic state data and deducting ancillary logic state data across the distributed operating domain.

Abstract: A processing service of a provider network may protect media content from being tampered with when it is transmitted from the provider network/transcoder to untrusted networks (e.g., third-party networks/CDNs) and to a media player. The processing service (e.g., the transcoder) generates a public and a private key. The service uses the private key to digitally sign content portions (e.g., video frames) before distribution to untrusted CDNs. The provider network creates a manifest that includes the public key. To play the media content, the media player obtains a manifest that includes the public key (via a secure/trusted connection with the provider network). The media player may then obtain the media content from an untrusted edge server/CDN and validate it using the public key that was separately obtained from the manifest (to verify the content was not tampered with).

Abstract: System and methods of gating notifications for content objects of an electronic learning platform are described herein. The notification may be conditioned on whether the content object is available to a user receiving the notification, or the state of the content object, for example.

Abstract: An industrial control system module and methods are described for self-destruction or the destruction and/or erasure of sensitive data within the industrial control system module upon an indication of an unauthorized module access event. In an implementation, a secure industrial control system module includes a circuit board including electrical circuitry; a sealed encasement that houses the circuit board, where the sealed encasement includes a housing having a first housing side and a second housing side, where the housing is configured to house the circuit board when the first housing side and the second housing side are coupled together; and a first sensor component integrated with the sealed encasement, where the first sensor component is communicably coupled to the circuit board and electrical circuitry and is configured to provide an indication of an unauthorized access event.

Abstract: A page processing method. The method includes generating a loading masking directory when page data of a target page is being loaded, the loading masking directory including a data directory corresponding to a data module set to be loaded in the target page, and loading state information of data modules in the data module set; and displaying the loading masking directory at least during a loading period of the page data.

Abstract: A command to perform a data operation at a memory device is received. The command includes an encryption key tag. A first key table is accessed from local memory. The first key table includes a first set of key entries corresponding to a first set of encryption keys. The first key table is searched to determine whether it includes an entry corresponding to the encryption key tag. Based on determining the first key table does not include an entry corresponding to the tag, a second key table is accessed from RAM. The second key table includes a second set of key entries corresponding to a second set of encryption keys. A key entry corresponding to the encryption key tag is identified from the second key table. The key entry includes an encryption key corresponding to the encryption key tag. The command is processed using the encryption key.

Abstract: An apparatus includes a cache controller circuit and a cache memory circuit that further includes cache memory having a plurality of cache lines. The cache controller circuit may be configured to receive a request to reallocate a portion of the cache memory circuit that is currently in use. This request may identify an address region corresponding to one or more of the cache lines. The cache controller circuit may be further configured, in response to the request, to convert the one or more cache lines to directly-addressable, random-access memory (RAM) by excluding the one or more cache lines from cache operations.

Abstract: A programmable integrated circuit device includes a programmable core, a boot device configured to boot up the programmable core, and a one-time programmable memory module controlling life cycle states of the programmable integrated circuit device, including (i) an operational state during which programming resources of the programmable device are locked, and (ii) an inspection state in which the programming resources of the programmable device are accessible. The one-time programmable memory module is configured to allow unidirectional advance from the operational state to the inspection state, when authorized by a lock control circuit responsive to control signals from the boot device to authorize the unidirectional advance from the operational state to the inspection state. Authorization of the unidirectional advance may be limited to a time interval during a boot cycle of the programmable device. The unidirectional advance may be based on receipt of an authenticated request from a requester.

Abstract: A method for authenticating a mobile device in real-time. The method includes detecting the mobile device, sending a text message containing a unique uniform resource locator (“URL”) to the mobile device, and detecting an access of the unique URL by the mobile device through a first communication path. In response to detecting the access of the unique URL, requesting and subsequently receiving, by the host system in real-time, a phone number and a subscriber identification ID associated with the mobile device through a second communication path distinct from the first communication path, and a device fingerprint of the mobile device through the first communication path. The method further includes initiating a risk analysis based on the phone number, the subscriber ID, and the device fingerprint and determining an authentication status of the mobile device based on the risk analysis.

Abstract: A computing system may receive a request of the user for a first action of the user with an entity. In connection with granting the request of the user, the computing system may configure a token for use by the user and the entity such that (i) the entity is added as an approved entity, and (ii) the token is configured with a resource amount of the first action as a usage threshold of the token. The computing system may receive a request of the entity to use the token. The computing system may determine whether granting the request of the entity would cumulatively exceed the usage threshold of the token. Based on a determination that granting the request of the entity would not cumulatively exceed the resource usage of the token, the computing system may grant the request of the entity to use the token.

Abstract: There is provided a method of communication among at least two processes miming on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.

Abstract: Provided is an electronic device, an information processing apparatus, an information processing method, and an information processing system capable of improving convenience in a case where a floating license is used in an electronic device that does not directly communicate with an information processing apparatus providing the floating license.

Abstract: Techniques are described for determining account features based on a risk assessment. A first set of account features may be determined, including security feature(s) such as mode(s) for authenticating and/or verifying the identity of a user associated with account(s). Based on the first set of features, a risk metric may be determined for the account(s). The risk metric may indicate a risk that fraud may be committed against the account or using the account. Based on the determined risk metric, a second set of account features may be determined for the account(s). The first and second sets of account feature(s) may be applied to the account(s). Disabling a particular feature may cause a reevaluation of the risk metric and a redetermination of the feature sets to be applied to the account(s).

Abstract: Aspects of the disclosure relate to preventing unauthorized access to secured information systems. A computing platform may receive, from an end user desktop computing device, a request to login to a user account associated with a user account portal. In response to receiving the request, the computing platform may generate an authentication token in an authentication database and may send a notification to at least one registered device linked to the user account. After sending the notification, the computing platform may receive, from the at least one registered device, an authentication response message. If the authentication response message indicates that valid authentication input was received, the computing platform may update the authentication token to indicate that the request to login to the user account has been approved. After updating the authentication token, the computing platform may provide, to the end user desktop computing device, access to a portal interface.

Abstract: A memory controller can include a front end portion configured to interface with a host, a central controller portion configured to manage data, a back end portion configured to interface with memory devices. The memory controller can manage memory devices according to different protocols. For a first protocol, the memory device performs error correction operations and for a second protocol, the memory controller performs error correction operations. For the first protocol, error correction information, error detection information, and/or metadata is exchanged between the memory devices and the memory controller via data pins. For the second protocol, error correction information, error detection information, and/or metadata is exchanged between the memory devices and the memory controller via data mask inversion pins. The second protocol can have some features disabled that are enabled according to the first protocol, such as low-power features.

Abstract: A method for automatically creating a honeyfile for a file system, includes the steps of: surveying a file set of the file system to identify tokenisable data in the file set, tokenising the identified tokenisable data to form a plurality of token sequences, and either selecting one of the plurality of token sequences or generating a token sequence to operate as an exemplar token sequence; applying a substitution method to substitute the tokens of the exemplar token sequence with replacement tokenisable data; and packaging the replacement tokenisable data into a honeyfile.

Abstract: Embodiments of the present invention are directed to methods and systems for managing a cryptocurrency payment network comprising one or more issuer nodes and one or more distributor nodes. Issuer nodes may be granted different rights from distributor nodes with respect to the issuance and distribution of digital currency within the cryptocurrency payment network. A management system server computer may generate unique node verification key pairs for each node in the cryptocurrency payment network, where the node verification key pairs may be used to identify and authenticate issuer nodes and distributor nodes.

Abstract: According to an aspect, a method for accessing a computing device includes receiving, by the computing device, an authentication credential for recovery access to the computing device, the authentication credential being different from an authentication credential used to access encrypted data on the computing device, obtaining, in response to receipt of the authentication credential for recovery access, a first key portion stored on the computing device, transmitting, over a network, a request to receive a second key portion, receiving, over the network, a response that includes the second key portion, recovering a decryption key using the first key portion and the second key portion, and decrypting the encrypted data on the computing device using the decryption key.

Abstract: Example storage systems, storage devices, and methods provide proactive management of storage operations to, for example, beneficially minimize bottlenecking, latency, and other issues. An example system has a storage pool with a first storage device and a second storage device, and a processor configured to generate a storage request including a storage command, include a command processing time constraint in the storage request, send the storage request to the first storage device, and receive, from the first storage device, a proactive response including an estimation for an execution of the storage command by the first storage device based on the command processing time constraint. The processor may then select a fallback mechanism for executing the storage command based on the proactive response.

Abstract: Systems and methods for malware detection using multiple neural networks are provided.

Abstract: A memory controller includes a key generator, an encryption and decryption circuit, and a processor. The key generator generates a first security key and a second security key based on a write request from a host. The encryption and decryption circuit encrypts write data corresponding to the write request based on the first security key to generate encrypted write data, and encrypts the first security key based on the second security key to generate a first encrypted security key. The processor controls nonvolatile memories such that the encrypted write data, the first encrypted security key, and the second security key are programmed in at least one of the nonvolatile memories, and controls the nonvolatile memories such that a dummy program operation is performed on a page of the nonvolatile memories in which the second security key is programmed instead of erasing the encrypted write data.

Abstract: An equality determination unit obtains [ei] in which ei=(ei,1, . . . , ei,N) is concealed, ei in which ei,j=a1 is established when xi,j is kj and ei,j=a0 is established when xi,j is not kj, by secure computation using a concealed search target word [xi] and a concealed search word [k]. A wildcard determination unit obtains [w] in which w=(w1, . . . , wN) is concealed, w in which wj=b1 is established when kj is a wildcard character and wj=b0 is established when kj is not a wildcard character, by secure computation using [k]. An OR operation unit obtains [yi] in which yi=(yi,1, . . . , yi,N) is concealed, yi in which yi,j=d1 is established when at least one of ei,j=a1 and wj=b1 is satisfied and yi,j=d0 is established when at least one of ei,j=a1 and wj=b1 is not satisfied, by secure computation using [ei] and [w].

Abstract: A data operations system receives compressed data and a search term. The data operations system completes a modified decoding of the compressed data, resulting in distinguishable data terms that are smaller than the corresponding data terms, and loads modified decoded terms into a data register. The data operations system generates a truncated search term and loads instances of the truncated search term into a query register. The data operations system performs a parallel data operation, such as a query operation, by comparing each of the modified decoded terms to an instance of the truncated search term. The data operations system returns the results of the operation.

Abstract: A processor includes a register to store an encoded pointer to a memory location in memory and the encoded pointer is to include an encrypted portion. The processor further includes circuitry to determine a first data encryption factor based on a first data access instruction, decode the encoded pointer to obtain a memory address of the memory location, use the memory address to access an encrypted first data element, and decrypt the encrypted first data element using a cryptographic algorithm with first inputs to generate a decrypted first data element. The first inputs include the first data encryption factor based on the first data access instruction and a second data encryption factor from the encoded pointer.

Abstract: The various examples are directed to establishing a secure session between a device and a server. The device and the server may establish a session key. The session key may be used for encrypting data. After authenticating the session key, the server may transmit secure session data to the device, and the device may store the secure session data. The server may transmit information for deriving, based on secure session data, the session key to a different server. The device may transmit the secure session data to the server, or to the different server, to re-establish the secure session. The different server may derive, using the information and based on the secure session data, the session key. The different server may re-establish, using the session key, the secure session.

Abstract: A method for supporting TCM communication by a BIOS of an ARM server, including: setting an access mode of a LPC bus device to a 4-byte mode by means of a BIOS of an ARM server; causing the BIOS to perform data communication with a TCM chip of the LPC bus device in the 4-byte mode; in response to the BIOS reading a register by means of the LPC bus device, determining a type of the register; in response to determining that the type of the register is a specific FIFO register, changing a control register from the 4-byte mode to a single-byte mode, and performing single-byte read-write on the specific FIFO register; and in response to completion of read-write of the specific FIFO register, changing the control register to the 4-byte mode by means of the BIOS, and performing a read-write operation on other FIFO registers.

Abstract: A method includes: detecting, by a computing device, a new entry in one of plural databases; comparing, by the computing device, the new entry to watch entries defined in a watch database; determining, by the computing device, whether the new entry matches a watch entry in the watch database; creating, by the computing device, a new watch in the watch database when the new entry does not match any watch in the watch database; and updating, by the computing device, a watch in the watch database when the new entry matches the watch in the watch database.

Abstract: An anti-virus chip includes a first connection terminal, a second connection terminal, a detection unit and a processing unit. The first connection terminal and the second connection terminal are respectively coupled to a connection port and a system circuit of an electronic device. The detection unit detects whether the connection port is connected to an external device via the first connection terminal. When the detection unit detects that the connection port is connected to the external device, the processing unit performs a virus-scan program on the external device to determine whether a virus exists in the external device. When determining that a virus does not exist in the external device, the processing unit establishes a first transmission path between the first connection terminal and the second connection terminal. When determining that a virus exists in the external device, the processing unit does not establish the first transmission path.

Abstract: The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing,

Abstract: A memory controller and a storage device including the same are provided. The memory controller generates a plurality of scrambled data by randomizing input data, counts the number of toggles per bit of each scrambled data, and writes one scrambled data with a smallest number of toggles in a non-volatile memory.

Abstract: Recovery of an in-memory database is initiated. Thereafter, pages for recovery having a size equal to or below a pre-defined threshold are copied to a superblock. For each copied page, encryption information is added to a superblock control block for the superblock. The copied pages are encrypted within the superblock using the corresponding encryption information added to the super block control block. The superblock is then flushed from memory (e.g., main memory, etc.) of the database to physical persistence.

Abstract: According to one embodiment, a memory system includes a nonvolatile memory and a controller. In response to receiving from a host a write request designating a first address for identifying data to be written, the controller encrypts the data with the first address and a first encryption key, and writes the encrypted data to the nonvolatile memory together with the first address. In response to receiving from the host a read request designating a physical address indicative of a physical storage location of the nonvolatile memory, the controller reads both the encrypted data and the first address from the nonvolatile memory on the basis of the physical address, and decrypts the read encrypted data with the first encryption key and the read first address.

Abstract: Systems and methods for generating and validating certified electronic credentials are disclosed. A publisher may receive a certified electronic credential order from a credentialer and prepare a plurality of certified electronic credentials. The publisher may associate each credential with authentication information and a credential record, and retain a database of associated authentication information and credential records. The publisher may provide validation services, receiving a validation request through a credentialer's validation portal, and provide a response through the credentialer's portal indicative of the validity, additional information about the credential and/or the credential holder. The credential holder may assign a personal access key to control or limit the validation of a credential. A validating entity may receive credential validation through the credentialer with a heightened degree of confidence in the validation and lack of forgery.

Abstract: A backend computer and methods of using the backend computer are described. The method may comprise: receiving, at a first backend computer, sensor data associated with a vehicle; determining a labeling of the sensor data, comprising: determining personal data and determining non-personal data that is separated from the personal data, wherein each of the personal and non-personal data comprise labeled data, wherein the personal data comprises information relating to at least one identified or identifiable natural person; and performing via the personal data and the non-personal data that is separated from the personal data, at the first backend computer, data processing associated with collecting sensor data associated with the vehicle.

Abstract: Embodiments of the inventive concept include solid state drive (SSD) multi-card adapters that can include multiple solid state drive cards, which can be incorporated into existing enterprise servers without major architectural changes, thereby enabling the server industry ecosystem to easily integrate evolving solid state drive technologies into servers. The SSD multi-card adapters can include an interface section between various solid state drive cards and drive connector types. The interface section can perform protocol translation, packet switching and routing, data encryption, data compression, management information aggregation, virtualization, and other functions.

Abstract: A system for distributed key storage, comprising a requesting device communicatively connected to a plurality of distributed storage nodes, the requesting device designed and configured to receive at least a confidential datum, select at least a distributed storage node of a plurality of distributed storage nodes, whereby selecting further comprises receiving a storage node authorization token from the at least a distributed storage node, querying an instance of a distributed authentication listing containing authentication information using at least a datum of the storage node authorization token, retrieving an authentication determination from the instance of the authentication listing, and selecting the at least a distributed storage node as a function of the authentication determination, generate at least a retrieval authentication datum, and transmit the at least a confidential datum and the at least a retrieval verification datum to the at least a distributed storage node.

Abstract: Methods and systems described herein improve blockchain storage operations in a variety of environments. A blockchain compression system may determine that a blockchain compression condition associated with a blockchain having a first plurality of blocks has been satisfied. In response, the system compresses the first plurality of blocks using a first hash tree into a first root hash value and stores the first plurality of blocks in a first database. The blockchain compression system generates a first new era genesis block that includes the first root hash value and a first database address of the first database at which the first plurality of blocks are stored. The blockchain compression system stores the blockchain at one or more nodes in a blockchain network. The blockchain includes the first new era genesis block and any previous new era genesis blocks. This may effectively reduce storage requirements for the blockchain, in various embodiments.

Abstract: Systems and methods for processing tokenization requests to facilitate safe storage of tokens. A tokenization request comprising sensitive data is received. A sensitive data digest is generated based on the sensitive data and a query comprising the sensitive data digest is submitted to a database. The database stores a plurality of relational elements. Each relational element being mapped to: (i) a given sensitive data digest stored in the database and (ii) a given token digest stored in the database. A token associated with the sensitive data is generated based on a response to the query received from the database.

Abstract: Methods and apparatus for providing a resource element identification system to process received uplink transmissions. In an embodiment, a method is provided that includes receiving soft-demapped symbols that comprises resource elements. The method also includes descrambling the resource elements of the symbols one-by-one using descrambling bits generated by at least one linear feedback shift register (LFSR). After each symbol is descrambled, a state of the at least one LFSR is stored as a stored state. The method also comprises restoring the stored state to the at least one LFSR before a next symbol is descrambled so that generation of the descrambling bits continues from symbol to symbol. The method also comprises forwarding the descrambled symbols to a downstream combining function.

Abstract: Various embodiments relate to an inline encryption engine in a memory controller configured to process data read from a memory, including: a first data pipeline configured to receive data that is plaintext data and a first validity flag; a second data pipeline having the same length as the first data pipeline configured to: receive data that is encrypted data and a second validity flag; decrypt the encrypted data from the memory and output decrypted plaintext data; an output multiplexer configured to select and output data from either the first pipeline or the second pipeline; and control logic configured to control the output multiplexer, wherein the control logic is configured to output valid data from the first pipeline when the second pipeline does not have valid output decrypted plaintext data available.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: Techniques are described herein for performing key rotation and key replacement. In an embodiment, a request is received that specifies key names. A first set of messages is generated, where each message identifies a table that is associated with the encrypted-data locations, and stored in a queue for processing by a first plurality of worker processes. Each worker process retrieves a message from the queue and generates a second message that identifies a subset of encrypted data records from the table. Each second message is stored in a distinct queue which is assigned to a worker process of a second plurality of worker processes. Each worker process retrieves the message from the assigned queue, decrypts the subset of encrypted data records, re-encrypts the decrypted data records using a new encryption key that corresponds to a new key name, and stores the re-encrypted data records in a database.

Abstract: A method for multi-party authorization includes a security component determining that a request for the performance of an action on a computing device is from a first party. The security component initiates transmissions to the computing device of first and second information indicating knowledge of first and second secrets provisioned on the computing device. The computing device, upon verifying the knowledge of first and second secrets, then permits the requested action.

Abstract: The purpose of the present invention is to provide a new data utilization system in which, while an individual independently uses and utilizes one's own personal data, security and anonymity of the data can be effected.

Abstract: A novel architecture for a data sharing system (DSS) is disclosed and seeks to ensure the privacy and security of users' personal information. In this type of network, a user's personally identifiable information is stored and transmitted in an encrypted form, with few exceptions. The only key with which that encrypted data can be decrypted, and thus viewed, remains in the sole possession of the user and the user's friends/contacts within the system. This arrangement ensures that a user's personally identifiable information cannot be examined by anyone other than the user or his friends/contacts. This arrangement also makes it more difficult for the web site or service hosting the DSS to exploit its users' personally identifiable information. Such a system facilitates the encryption, storage, exchange and decryption of personal, confidential and/or proprietary data.

Abstract: An embodiment is directed to a hardware circuit for encrypting and/or decrypting data transmitted between a processor and a memory. The circuit is situated between the processor and memory. The circuit includes a first interface communicatively coupled to the processor via a set of buses. The circuit also includes a second interface communicatively coupled to the memory. The circuit further includes hardware logic capable of executing an encryption operation on data transmitted between the processor and memory, without adding latency to data transmission speed between the processor and the memory. The hardware logic is configured to encrypt data received at the first interface from the processor, and transmit the encrypted data to the memory via the second interface. The hardware logic is also configured to decrypt data received at the second interface from the memory, and transmit the decrypted data to the processor via the first interface.

Abstract: A system and method for digitally signing data. A method includes generating, by a first device, at least one first secret share based on a secret key chosen by the first device, wherein the first device is offline with respect to a second device; partially signing data by the first device using the at least one secret share, wherein the data is received from the second device without establishing direct communications between the first device and the second device; and sending the partially signed data from the first device to the second device, wherein the second device generates signed data using the partially signed data, wherein the signed data corresponds to a public key generated based on the at least one first secret share and at least one second secret share generated by the second device.

Abstract: A computer-implemented method of authenticating a memory of a gaming machine uses a computing device having a processor communicatively coupled to a memory. The method includes identifying a first subset of the memory including one or more operational data components associated with operating the gaming machine. The method also includes identifying a second subset of the memory. At least some of the second subset of the memory is distinct from the first subset of the memory. The method further includes authenticating the first subset of the memory while the gaming machine is in a disabled state. The method also includes enabling operation of the gaming machine after the authenticating the first subset of the memory if the authentication of the first subset of the memory is successful. The method further includes authenticating the second subset of the memory while the gaming machine is in an enabled state.

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

Abstract: Methods and systems are presented for facilitating a data migration process between two data centers in an automated and secured manner. Based on detection of an event, a migration server initiates a data migration process for migrating data from a source data center to a destination data center. The migration server transmits instructions to a first migration application of the source data center, which causes the first migration application to retrieve the data, encrypt the data within an attested enclave of the source data center, and transfer the encrypted data to a pipeline. The migration server also transmits instructions to a second migration application of the destination data center, which causes the second migration application to retrieve the encrypted data from the pipeline, decrypt the encrypted data in an attested enclave of the destination data center, and store the decrypted data in a data storage of the destination data center.