By Stored Data Protection Patents (Class 713/193)
  • Patent number: 11573973
    Abstract: Methods and systems for data are disclosed. A system implementation includes a data module for storing data received from an external source. The data module includes a file system for unstructured data, a database for structured data, a transform for operating upon unstructured or structured data, a data broker for receiving data having a first format and providing the data in a second format, a data network for communications within the data module, and a processing module for performing operations upon data. The processing module further includes a process broker and a process container. The process container is for providing one or more instances of processes during a runtime operation. The system further includes an inter-process network for communications within the processing module and an internal gateway for the data module to communicate with the processing module.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: February 7, 2023
    Inventors: Vivek Vishnoi, Steven Sanghoon Lee
  • Patent number: 11574051
    Abstract: Systems and methods for malware detection using multiple neural networks are provided. According to one embodiment, for each training sample, a supervised learning process is performed, including: (i) generating multiple code blocks of assembly language instructions by disassembling machine language instructions contained within the training sample; (ii) extracting dynamic features corresponding to each of the code blocks by executing each of the code blocks within a virtual environment; (iii) feeding each code block into a first neural network and the corresponding dynamic features into a second neural network; (iv) updating weights and biases of the neural networks based on whether the training sample was malware or benign; and (v) after processing a predetermined or configurable number of the training samples, the neural networks criticize each other and unify their respective weights and biases by exchanging their respective weights and biases and adjusting their respective weights and biases accordingly.
    Type: Grant
    Filed: August 2, 2018
    Date of Patent: February 7, 2023
    Assignee: Fortinet, Inc.
    Inventor: Xu Yang
  • Patent number: 11570209
    Abstract: A system for detecting and mitigating attacks using forged authentication objects within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: January 31, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11567950
    Abstract: A confidentiality preserving system and method for performing a rank-ordered search and retrieval of contents of a data collection. The system includes at least one computer system including a search and retrieval algorithm using term frequency and/or similar features for rank-ordering selective contents of the data collection, and enabling secure retrieval of the selective contents based on the rank-order. The search and retrieval algorithm includes a baseline algorithm, a partially server oriented algorithm, and/or a fully server oriented algorithm. The partially and/or fully server oriented algorithms use homomorphic and/or order preserving encryption for enabling search capability from a user other than an owner of the contents of the data collection. The confidentiality preserving method includes using term frequency for rank-ordering selective contents of the data collection, and retrieving the selective contents based on the rank-order.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: January 31, 2023
    Assignee: UNIVERSITY OF MARYLAND, COLLEGE PARK
    Inventors: Ashwin Swaminathan, Yinian Mao, Guan-Ming Su, Hongmei Gou, Avinash Varna, Shan He, Min Wu, Douglas W. Oard
  • Patent number: 11570204
    Abstract: A system and methods for mitigating golden ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: January 31, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11563735
    Abstract: A technique and system protects documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can protect information or documents from: (i) insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: January 24, 2023
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 11562094
    Abstract: Embodiments relate to a computer system, computer program product, and method to prevent unauthorized file dissemination and replication. A file parameter is defined, with the defined file parameter including a file dissemination characteristic. The file is encoded with the defined file parameter as file metadata. Dissemination and replication of the file is managed responsive to the encoded file parameter. The defined parameter is assessed along with a physical replication destination. The file is selectively replicated or transmitted responsive to the file parameter and the destination assessment.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: January 24, 2023
    Assignee: International Business Machines Corporation
    Inventors: Steven R. Welch, Sandeep Gopisetty, Chad Eric DeLuca, Christian B. Kau, Anna Lisa Gentile, Daniel Gruhl, Linda Ha Kato, Alfredo Alba
  • Patent number: 11562442
    Abstract: A compound social network site can manage complex organizational entities, such as businesses, via a compound social network graph. Nodes of the compound social network graph are connected by compound edges which correspond to multiple tiers of profile data of the organizational entities.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: January 24, 2023
    Assignee: Graphite Systems Inc.
    Inventors: Conrad Smith, Aaron Oyler, Michael Nelson, Laura Florence, David Ozenne, Clark Theodore Endrizzi, Daniel Wilson
  • Patent number: 11562081
    Abstract: Methods and systems for controlling access to secure data use a custodial TRNG disk. Source data is encrypted using first key data from a first TRNG disk to generate encrypted data which is stored at a first location by a first entity. A second TRNG disk has second key data which is stored at a second location by a second entity. A first TRNG disk copy and a second TRNG disk copy are made identical to the first TRNG disk and the second TRNG disk, respectively, and are stored at one or more locations by a custodial entity. The first key data and the second key data are encoded together, and then transmitted to one or more of the first or second entities. The first quantity of encrypted data is decryptable using the encoded first key data and the second key data.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: January 24, 2023
    Assignee: QUANTUM PROPERTIES TECHNOLOGY LLC
    Inventors: Daniel M. Esbensen, Stephen Omohundro
  • Patent number: 11556607
    Abstract: Described herein are systems and methods for abstracted analysis system design for a dynamic API scanning service. The disclosure provides a simplified API scanning service by abstracting underlying security scanning techniques and configurations. This presents a normalized view to users of the service. Both input parameters and scan output data are abstracted from users, and are driven based on logic in the service. By providing this simplified view, users can quickly, and without prior security scanning knowledge, use this service to measure their security exposure and mitigate as needed.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: January 17, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Ryan Murray, Ken Tang, Andrew Warren
  • Patent number: 11556671
    Abstract: A compromised data exchange system extracts data from websites using a crawler, detects portions within the extracted data that resemble personally identifying information (PII) data based on PII data patterns using a risk assessment module, and compares a detected portion to data within a database of disassociated compromised PII data to determine a match using the risk assessment module. A risk score may be assigned to a data item within the database in response to determining the match. In some embodiments, URL data may also be detected in the extracted data. The detected URL data represents further web sites that can be automatically crawled by the system to detect further PII data.
    Type: Grant
    Filed: September 1, 2020
    Date of Patent: January 17, 2023
    Assignee: Early Warning Services, LLC
    Inventors: Lester Leland Lockhart, III, David Hugh Munson, Gregor R. Bonin, Michael Cook
  • Patent number: 11556395
    Abstract: Data race detection in multi-threaded programs can be achieved by leveraging per-thread memory protection technology in conjunction with a custom dynamic memory allocator to protect shared memory objects with unique memory protection keys, allowing data races to be turned into inter-thread memory access violations. Threads may acquire or release the keys used for accessing protected memory objects at the entry and exit points of critical sections within the program. An attempt by a thread to access a protected memory object within a critical section without the associated key triggers a protection fault, which may be indicative of a data race.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: January 17, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sangho Lee, Adil Ahmad
  • Patent number: 11551238
    Abstract: Systems and methods enabling marketing and distribution of motion pictures and other media content by content creators and other content providers are described herein. A platform is provided by which a plurality of content providers can market and distribute media content to users. Information about activity of the users on the platform is obtained in relation to the item of media content or in relation to media content related to the item of media content. A request is received for an activity report comprising information related to a user demographic or a media content characteristic. Responsive to the activity report request, the activity report is provided to the content provider.
    Type: Grant
    Filed: May 29, 2018
    Date of Patent: January 10, 2023
    Assignee: IPAR, LLC
    Inventors: Jeffrey D. Brandstetter, Joseph L. Spears
  • Patent number: 11550515
    Abstract: A method for determining a storage location includes one or more processing modules of one or more computing devices of a storage network (SN) receiving a data object to store in a storage network (SN) and determining whether the data object is subject to a legal restriction, where a data object is subject to a legal restriction based on the data object requiring storage in a jurisdiction that subjects the data object to a retention policy. The method continues by determining one or more attributes of a first storage location of a plurality of storage locations and based on a determination that the data object is subject to a legal restriction and at least one attribute of the one or more attributes of the first storage location, transmitting a write threshold number of write requests to a plurality of SUs at the first storage location.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: January 10, 2023
    Assignee: PURE STORAGE, INC.
    Inventors: Russell P. Kennedy, Robert C. McCammon, Jason K. Resch, Thomas F. Shirley, Jr.
  • Patent number: 11552979
    Abstract: The systems and methods disclosed herein comprise computer-based platforms configured for automated early-stage application security monitoring for allowing users (e.g., application developers) to make decisions at the early stage of the application development.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: January 10, 2023
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Asish Soudhamma, Dilip Kumar, Pratik Rajendraprasad Kasat, Andrew Michael Zammit, Gregory Huff
  • Patent number: 11550959
    Abstract: A system and method are disclosed for rendering printed documents tamper evident. Examples render classes of documents tamper evident with cryptographic level security or detect tampering events, where such security was previously unavailable, for example, in documents printed using common printers without special paper or ink. Examples enable proving the date of document content without the need for expensive third party archival, including documents held, since their creation, entirely in secrecy or in untrustworthy environments, such as on easily-altered, publicly-accessible internet sites. Examples can use a document's prior registration date in a blockchain to establish a no-later than date-of-existence for that document. Examples can extend the useful life of integrity verification algorithms, such as hash functions, even when applied to binary executable files.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: January 10, 2023
    Inventor: Kelce S Wilson
  • Patent number: 11544005
    Abstract: In a storage system including a plurality of nodes that provide a storage area and a drive that physically stores data, a parity group is configured with a plurality of data including user data stored in the storage area and redundant data for protecting the user data, a plurality of data in the parity group are stored in a storage area within one predetermined range across a plurality of nodes, and processing for dividing the predetermined range or processing for merging a plurality of predetermined ranges is performed based on a state of the predetermined range.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: January 3, 2023
    Assignee: HITACHI, LTD.
    Inventors: Takahiro Yamamoto, Hiroto Ebara, Takeru Chiba, Yoshinori Ohira, Masakuni Agetsuma, Mikio Fukuoka
  • Patent number: 11546133
    Abstract: Systems and methods for validating credentials are disclosed. One example method, performed by one or more processors of a computing device associated with a neural network, includes training the neural network to infer validity information for encrypted credentials received from a credential source, wherein the validity information is inferred without decrypting the encrypted credentials, receiving a first encrypted credential from the credential source, generating an encrypted validity indicator for the first encrypted credential based on the validity information inferred by the neural network, and providing the encrypted validity indicator to the credential source.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: January 3, 2023
    Assignee: Intuit Inc.
    Inventors: Shlomi Medalion, Alexander Zicharevich, Yehezkel Shraga Resheff, Ido Meir Mintz
  • Patent number: 11544174
    Abstract: Methods and apparatus for protecting trace data of a remote debug session for a computing system. In one embodiment, a method includes storing trace data received from one or more trace interfaces to a storage location of a target device, where the trace data is generated from execution at the target device, and where the trace data is protected from an unauthorized access. The method continues with transmitting the trace data to a debug host computer with encryption through a communication channel between the target device and the debug host computer.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: January 3, 2023
    Assignee: INTEL CORPORATION
    Inventors: Loren James McConnell, Tsvika Kurts, Boris Dolgunov, Vamsi Krishna Jakkampudi, Marcus Winston, Kevin David Safford
  • Patent number: 11544403
    Abstract: A system and method for the decentralized storage of data is provided that pre-processes data files to generate multiple subsets of encrypted data that includes randomly selected portions of data from different data files. The subsets of encrypted data are then transmitted to multiple remote servers that are randomly chosen for each subset of encrypted data. The local encryption key that was used to encrypt the data is required to reconstruct the data file. The system and method is particularly suited for the decentralized storage of medical data.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: January 3, 2023
    Assignee: MediCapture, Inc.
    Inventor: Alexander Yurusov
  • Patent number: 11544372
    Abstract: A method (400) for accessing one or more service processes (222) of service (250) includes executing at least one service enclave (220) and executing an enclave sandbox (200) that wraps the at least one service enclave. The at least one service enclave provides an interface to the one or more service processes. The enclave sandbox is configured to establish an encrypted communication tunnel (210) to the at least one service enclave interfacing with the one or more service processes, and communicate program calls (302) to/from the one or more service processes as encrypted communications through the encrypted communication tunnel.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: January 3, 2023
    Assignee: Google LLC
    Inventors: Nicolas Lidzborski, Jonathon Giffin
  • Patent number: 11538485
    Abstract: A method watermarks speech data by using a generator to generate speech data including a watermark. The generator is trained to generate the speech data including the watermark. The training process generates first speech from the generator. The first speech data is configured to represent speech. The first speech data includes a candidate watermark. The training also produces an inconsistency message as a function of at least one difference between the first speech data and at least authentic speech data. The training further includes transforming the first speech data, including the candidate watermark, using a watermark robustness module to produce transformed speech data including a transformed candidate watermark. The transformed speech data includes a transformed candidate watermark. The training further produces a watermark-detectability message, using a watermark detection machine learning system, relating to one or more desirable watermark features of the transformed candidate watermark.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: December 27, 2022
    Assignee: Modulate, Inc.
    Inventors: William Carter Huffman, Brendan Kelly
  • Patent number: 11537728
    Abstract: Methods and systems for securing data using random bits and encoded key data. A plurality of true random number generator (TRNG) disks and a plurality of key data sets are provided. A key data set from the plurality of key data sets is associated with each of the plurality of TRNG disks, respectively. The key data set comprises at least a block of random bits of an associated TRNG disk. An encoded key data set is formed by encoding at least two of the key data sets together. The source data can be encrypted with the encoded key data set to produce a quantity of encrypted data. The encrypted data can be decrypted with the encoded key data set or the at least two of the key data sets retrieved from the associated TRNG disks.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: December 27, 2022
    Assignee: QUANTUM PROPERTIES TECHNOLOGY LLC
    Inventors: Daniel M. Esbensen, Stephen Omohundro
  • Patent number: 11537325
    Abstract: A storage system and method for token provisioning for faster data access are provided. In one embodiment, a storage system is provided comprising a memory and a controller. The controller is configured to receive a write command from a host to write data in the memory; write the data in the memory at a starting physical address; provide the host with a token indicating the starting physical address; receive a read command and the token from the host; and read the data stored in the memory at the starting physical address as indicated by the token. Other embodiments are provided.
    Type: Grant
    Filed: February 17, 2021
    Date of Patent: December 27, 2022
    Assignee: Western Digital Technologies, Inc.
    Inventor: Ramanathan Muthiah
  • Patent number: 11539519
    Abstract: Developing a cyber security protocol to enable two members of a community to conduct a conversation without revealing either their identity or the fact that a conversation took place. Secret randomized matching is used to allow people to claim certain personal attributes like age, place of residence, having a license, but without exposing their individual identity.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: December 27, 2022
    Inventor: Gideon Samid
  • Patent number: 11540029
    Abstract: Techniques for reducing piracy of media content are described. In some embodiments, a collusion resistant method is performed at a device, where the device receives a first request for a base copy of a media content item. In response, the device determines a first transformation based on a statistical performance criterion and a viewing performance criterion. The device further generates a first copy of the media content item by replicating and applying a first transformation to the base copy, where the first copy of the media content item satisfies the viewing performance criterion, and the first copy of the media content item is statistically different from the base copy or other copies in accordance with the statistical performance criterion. The device then causes transmission of the first copy of the media content item in combination with a first watermark for the base copy of the media content item.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: December 27, 2022
    Assignee: Synamedia Limited
    Inventors: Golda Weyl Kilstein, David Livshits, Vered Anikster, Michal Irit Devir, Samie Beheydt
  • Patent number: 11537740
    Abstract: Systems, computer program products, and methods are described herein for enhanced data security using versioned encryption. The present invention is configured to electronically receive, from a computing device of a user, a confidential data entry at a first server; encrypt the confidential data entry using a public key at the first server to generate an encrypted confidential data entry; transmit the encrypted confidential data entry to a second server, wherein the encrypted confidential data entry comprises a hash value, wherein the hash value indicates a numbered version of the public key used to encrypt the confidential data entry; and store the encrypted confidential data entry in a database associated with the second server.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: December 27, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Tatikonda Srinivas
  • Patent number: 11531049
    Abstract: An embodiment integrated circuit includes a first electromagnetic pulse detection device that comprises a first loop antenna formed in an interconnection structure of the integrated circuit, a first end of the first antenna being connected to a first node of application of a power supply potential and a second end of the antenna being coupled to a second node of application of the power supply potential, and a first circuit connected to the second end of the first antenna and configured to output a first signal representative of a comparison of a first current in the first antenna with a first threshold.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: December 20, 2022
    Assignee: STMicroelectronics (Rousset) SAS
    Inventors: Clement Champeix, Mathieu Dumont, Nicolas Borrel, Mathieu Lisart
  • Patent number: 11531477
    Abstract: An example method for restricting read access to content in the component circuitry and securing data in the supply item is disclosed. The method identifies the status of a read command, and depending upon whether the status is disabled or enabled, either blocks the accessing of encrypted data stored in the supply chip, or allows the accessing of the encrypted data stored in the supply chip.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: December 20, 2022
    Assignee: LEXMARK INTERNATIONAL, INC.
    Inventors: Stephen Porter Bush, Jennifer Topmiller Williams
  • Patent number: 11531771
    Abstract: A decryption-enabling device for decrypting a disk image of a computer device, comprising a processor, memory and a hardware connector for connecting to the hardware interface connection of the computer device. The decryption-enabling device is arranged to create using the processor a copy of the random-access memory of the computer device, analyse using the processor the copy of the random-access memory to extract one or more potential decryption keys, and store the one or more potential decryption keys in the memory.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: December 20, 2022
    Assignee: BAE SYSTEMS PLC
    Inventor: Ross James Bevington
  • Patent number: 11533319
    Abstract: For access policy enforcement, a method restricts access to a decryption key for private data on an electronic device. The private data is encrypted and includes group communications. The method determines an electronic device profile that includes a device time and a device location of the electronic device. The method releases the decryption key in response to the electronic device profile satisfying an access policy. The method decrypts the private data using the decryption key.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: December 20, 2022
    Assignee: HOTSHOTS TECHNOLOGIES S.À.R.L.
    Inventor: Aaron Turner
  • Patent number: 11528142
    Abstract: The described embodiments relate to data protection methods, systems, and computer program products. A process-based encrypted data access policing system is proposed based on methods of encrypted data file management, process authentication and authorization, Trojan detection for authorized processes, encryption key generation and caching, and encrypted-file cache management. The process-based encrypted data access policing system may be implemented as a kernel level file system filter and a user-mode filter companion application, which polices the reading/writing of encrypted data in either a server system or an endpoint computer and protects data from data breaches and known or unknown attacks including ransomware and/or phishing attacks.
    Type: Grant
    Filed: October 10, 2017
    Date of Patent: December 13, 2022
    Assignee: BICDROID INC.
    Inventors: En-Hui Yang, Xiang Yu, Jin Meng
  • Patent number: 11520919
    Abstract: A solution is proposed for managing containers isolating corresponding application environments from one or more shared operating systems in a computing system. One or more relevant groups are determined among one or more candidate groups (each comprising private data in common among a plurality of the containers); the candidate groups are determined according to corresponding access commands submitted by the containers and the relevant groups are determined according to one or more relevance policies. The private data of the relevant groups are consolidated into corresponding shared data.
    Type: Grant
    Filed: February 11, 2021
    Date of Patent: December 6, 2022
    Assignee: International Business Machines Corporation
    Inventors: Sandro Piccinini, Ilaria Gorga, Fabio Barillari, Francesca Ziantoni
  • Patent number: 11520889
    Abstract: Disclosed herein are systems and methods for granting access to a file. In one aspect, an exemplary method comprises, calculating a first hash of a portion of the file, searching for the first hash in a local database, when the first hash is found indicates that the file is malicious, calculating a second hash, searching for the second hash in the verdict cache, and pronouncing a final decision as to a harmfulness of the file, and when either the first hash is not found in the verdict cache or the first hash is found and indicates that the file is trusted, granting access to the file, calculating a second hash of the file, generating a request for information about the file and sending the request to a remote server, and pronouncing a decision as to harmfulness of the file based on results of the search received from the remote server.
    Type: Grant
    Filed: November 16, 2020
    Date of Patent: December 6, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Denis O. Vlaznev, Sergey V. Kubrin
  • Patent number: 11520655
    Abstract: A self-correcting secure computer system is provided. The computer system includes a read-only memory (ROM) device, a random access memory (RAM) device, and at least one processor in communication with the ROM device and the RAM device. The at least one processor is programmed to receive an activation signal; retrieve, from the ROM device, data to execute a first configuration including an encryption suite; execute, on the RAM device, the first configuration including the encryption suite; execute the encryption suite to generate a key; store the key at a first memory location; and delete volatile memory associated with the encryption suite.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: December 6, 2022
    Assignee: KEEP SECURITY, LLC
    Inventors: Joshua Neustrom, Edward Neustrom
  • Patent number: 11520933
    Abstract: A memory chip comprises a first memory controller, a first data storage zone, a security unit and an address configuration unit. The first data storage zone is coupled to the first memory controller, and represented by a first physical address range. The security unit is coupled to the first memory controller. The address configuration unit is coupled to the first memory controller. The memory chip is configured to be coupled between a host controller and another memory chip. The another memory chip comprises a second data storage zone represented by a second physical address range. The address configuration unit records one or more relationships of a logical address range corresponding to the first physical address range and the second physical address range. The security unit is configured to encrypt and decrypt data in the first data storage zone and the second data storage zone.
    Type: Grant
    Filed: December 24, 2019
    Date of Patent: December 6, 2022
    Assignee: MACRONIX INTERNATIONAL CO., LTD.
    Inventors: Kuen-Long Chang, Chia-Jung Chen, Chin-Hung Chang, Ken-Hui Chen
  • Patent number: 11522683
    Abstract: Aspects of the invention include protecting data objects in a computing environment based on physical location. Aspects include receiving, by a computing system, a request to access an encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data. Aspects also include providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module associated with the location of the hardware security module. Aspects further include decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: December 6, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, James M. Caffrey, Thomas Ginader, Jason G. Katonica
  • Patent number: 11514174
    Abstract: An apparatus, such as a memory system (e.g., a NAND memory system), can have a controller with a first error correction code component and a memory device (e.g., a NAND memory device) coupled to the controller. The memory device can have an array of memory cells, a second error correction code component coupled to the array and configured to correct data from the array, and a cryptographic component coupled to receive the corrected data from the second error correction code component.
    Type: Grant
    Filed: January 23, 2019
    Date of Patent: November 29, 2022
    Assignee: Micron Technology, Inc.
    Inventors: Antonino Mondello, Carmelo Condemi, Francesco Tomaiuolo, Tommaso Zerilli
  • Patent number: 11516020
    Abstract: In a key management method performed by a terminal, a device key including a device public key and a device private key is generated in a security zone. A local device parameter and the device public key are transmitted to a certificate authentication server. A device certificate fed back by the certificate authentication server is received by the terminal. The signature data of the device certificate is generated by signing the device parameter and the device public key by using an authentication private key of the certificate authentication server. The terminal then stores the device private key and the device certificate in the security zone.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: November 29, 2022
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Peng Yan, Guangyuan Bai
  • Patent number: 11507519
    Abstract: A processing system selectively compresses cache lines at a cache or at a memory or encrypts cache lines at the memory based on evictions of entries mapping virtual-to-physical address translations from a translation lookaside buffer (TLB). Upon eviction of a TLB entry, the processing system identifies cache lines corresponding to the physical addresses of the evicted TLB entry and selectively compresses the cache lines to increase the effective storage capacity of the processing system or encrypts the cache lines to protect against vulnerabilities.
    Type: Grant
    Filed: December 28, 2020
    Date of Patent: November 22, 2022
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Jagadish B. Kotra, Gabriel H. Loh, Matthew R. Poremba
  • Patent number: 11501291
    Abstract: A hardware security module (HSM) generates a client key for an account holder of a cryptoasset custodial system. The HSM encrypts the client key to generate an encrypted client key using a hardware-based cryptographic key within a secure storage device. The encrypted client key is transmitted to client devices. The HSM deletes the encrypted client key from the secure storage device. Each client device stores the encrypted client key in an offline secure enclave. A request to authorize a cryptoasset transaction is received. The HSM determines that signed messages endorsing the cryptoasset transaction have been received from at least some client devices in satisfaction of a quorum. The encrypted client key is received from at least one client device. The HSM decrypts the encrypted client key. The HSM signs an approval message for the cryptoasset transaction using a cryptoasset key based at least in part on the client key.
    Type: Grant
    Filed: September 16, 2019
    Date of Patent: November 15, 2022
    Assignee: Anchor Labs, Inc.
    Inventors: Nathan P. McCauley, Diogo Monica, Boaz Avital, Riyaz D. Faizullabhoy
  • Patent number: 11502824
    Abstract: Generally described, one or more aspects of the present application correspond to techniques for creating encrypted block store volumes of data from unencrypted object storage snapshots of the volumes. These encryption techniques use a special pool of servers for performing the encryption. These encryption servers are not accessible to users, and they perform encryption and pass encrypted volumes to other block store servers for user access. The encryption context for the volumes can be persisted on the encryption servers for as long as needed for encryption and not shared with the user-facing servers in order to prevent user access to encryption context.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: November 15, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Sandeep Kumar, Danny Wei, Lalit Jain, Varun Verma, Oscar Allen Grim Courchaine, Kristina Kraemer Brenneman, Sriram Venugopal, Arvind Chandrasekar
  • Patent number: 11500819
    Abstract: The present disclosure is related to methods, systems, and machine-readable media for supporting deduplication in file storage using file chunk hashes. A hash of a chunk of a log segment can be received from a software defined data center. A chunk identifier can be associated with the hash in a hash map that stores associations between sequentially-allocated chunk identifiers and hashes. The chunk identifier can be associated with a logical address corresponding to the chunk of the log segment in a logical map that stores associations between the sequentially-allocated chunk identifiers and logical addresses. A search of the hash map can be performed to determine if the chunk is a duplicate, and the chunk can be deduplicated responsive to a determination that the chunk is a duplicate.
    Type: Grant
    Filed: September 22, 2020
    Date of Patent: November 15, 2022
    Assignee: VMware, Inc.
    Inventors: Wenguang Wang, Vamsi Gunturu, Junlong Gao, Maxime Austruy, Petr Vandrovec, Ilya Languev, Ilia Sokolinski, Satish Pudi
  • Patent number: 11494523
    Abstract: An apparatus to facilitate security of a shared memory resource is disclosed. The apparatus includes a memory device to store memory data, wherein the memory device comprises a plurality of private memory pages associated with one or more trusted domains and a cryptographic engine to encrypt and decrypt the memory data, including a key encryption table having a key identifier associated with each trusted domain to access a private memory page, wherein a first key identifier is generated to perform direct memory access (DMA) transfers for each of a plurality of input/output (I/O) devices.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: November 8, 2022
    Assignee: Intel Corporation
    Inventors: Abhishek Basak, Pradeep Pappachan, Siddhartha Chhabra, Alpa Narendra Trivedi, Erdem Aktas, Ravi Sahita
  • Patent number: 11496456
    Abstract: This disclosure includes techniques for using multiple cryptographic certificates for a secure connection. One embodiment is a method including: receiving by a client N public encryption keys over a network from a server, wherein N is an integer greater than 1; generating N session keys in response to receiving the N public encryption keys; encrypting each of the N session keys with a respective one of the N public encryption keys; subsequent to encrypting each of the N session keys, sending the N session keys encrypted over the network to the server; encrypting, with a first one of the N session keys, a first portion of a payload associated with a first message; encrypting, with a second one of the N session keys, a second portion of the payload associated with the first message; and sending the first message, comprising the payload encrypted, to the server from the client.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: November 8, 2022
    Assignee: PayPal, Inc.
    Inventor: Srinivasan Rangaraj
  • Patent number: 11496305
    Abstract: Various embodiments include processing devices and methods for integrity verification of a news item. A processor of a network element may obtain an electronic news item that is ready for publication, and may determine a fingerprint using one or more portions of the electronic news item. The processor may determine for the electronic news item a record including the determined fingerprint and a second fingerprint of a previous electronic news item. The processor may store the determined record in a publicly available digital ledger, embed the determined fingerprint in the electronic news item, and publish the electronic news item. A computing device may obtain the published news item and may use the embedded fingerprint in the record that is stored in the digital ledger to verify the integrity of the electronic news item.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: November 8, 2022
    Assignee: Charter Communications Operating, LLC
    Inventor: Marek Hajduczenia
  • Patent number: 11496519
    Abstract: Security can be provided for data stored using resources that are deployed in an environment managed by a third party. Physical and logical detection mechanisms can be used to monitor various security aspects, and the resulting security data can be used to identify potential threats to these resources. In some embodiments, suspicious activity can cause resources such as data servers to be automatically and remotely rebooted such that keys stored in volatile memory on those data servers will be lost from those servers, such that an attacker will be unable to decrypt data stored on those servers. Once a determination of safety is made, the keys can be provided to the respective data servers such that data operations can resume.
    Type: Grant
    Filed: November 29, 2019
    Date of Patent: November 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Diwakar Gupta, David Wachtfogel, Marc Stephen Olson, Anthony Nicholas Liguori, Stephen David Hildrey
  • Patent number: 11494498
    Abstract: A method for securing data in a storage grid is provided. The method includes generating a storage key from key shares of at least two storage clusters of a storage grid having at least three storage clusters and generating a grid key from the storage key and an external secret. The method includes encrypting data with the grid key to yield once encrypted data and encrypting the once encrypted data with the storage key to yield twice encrypted data. The method includes storing the twice encrypted data in a first storage cluster of the storage grid and storing the twice encrypted data in a second storage cluster of the storage grid, wherein at least one method operation is performed by a processor.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: November 8, 2022
    Assignee: Pure Storage, Inc.
    Inventors: Par Botes, John Hayes, Ethan Miller
  • Patent number: 11493585
    Abstract: According to one embodiment, a medical information processing apparatus has processing circuitry. The processing circuitry acquires medical data on a subject, acquires numerical data obtained by digitizing an acquisition condition of the medical data, and applies a machine learning model to input data including the numerical data and the medical data, thereby generating output data based on the medical data.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: November 8, 2022
    Assignee: Canon Medical Systems Corporation
    Inventor: Hidenori Takeshima
  • Patent number: 11494222
    Abstract: Systems, methods, and circuitries are disclosed for a per-process memory encryption system. At least one translation lookaside buffer (TLB) is configured to encode key identifiers for keys in one or more bits of either the virtual memory address or the physical address. The process state memory is configured to store a first process key table for a first process that maps key identifiers to unique keys and a second process key table that maps the key identifiers to different unique keys. The active process key table memory is configured to store an active key table. In response to a request for data corresponding to a virtual memory address, the at least one TLB is configured to provide a key identifier for the data to the active process key table to cause the active process key table to return the unique key mapped to the key identifier.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: November 8, 2022
    Assignee: Tahoe Research, Ltd.
    Inventors: Wajdi Feghali, Vinodh Gopal, Kirk S. Yap, Sean Gulley, Raghunandan Makaram