Abstract: The present disclosure relates to a system, method, and computer program for restoring extracted data to a cloud-based application. The system extracts a copy of data associated with a cloud-based application. The system provides a user interface that enables a user to enter a restoration flow for restoring the extracted data to the cloud-based application, where the restoration flow includes one or more routines for execution. The system receives a restoration flow comprising a pre-restoration routine and a restoration routine, where the pre-restoration routine specifies one or more data transformations to render the extracted data compatible with a restoration to the cloud-based application. The system executes the pre-restoration routine to transform the extracted data to be compatible with a restoration to the cloud-based application. The system executes the restoration routine to restore the transformed data to the cloud-based application.

Abstract: In an embodiment, an application is created on a data-provider platform. The application includes one or more application programming interfaces (APIs) corresponding to one or more underlying code blocks. Provider data is shared with the application on the data-provider platform. An application instance of the application is installed in a trusted execution environment (TEE). The application instance includes one or more APIs corresponding to the one or more APIs in the application on the data-provider platform. Consumer data is shared with the application instance from a data-consumer platform. One or more of the APIs of the application instance are invoked to execute, on the TEE, respective associated underlying code blocks that are not visible on the TEE. The output of the one or more respective associated underlying code blocks is saved to the data-consumer platform.

Abstract: The subject application relates to a method and server for handling streaming data, and includes: Obtaining a request for entering the live streaming as an invisible viewer; in response to obtaining the request, starting to provide a first user terminal of a first viewer with the streaming data for the live streaming while setting information on the first viewer invisible to other viewers and a streamer; and in response to detecting a first action of the first viewer in the live streaming, setting at least a part of the information visible to at least a part of the other viewers and the streamer. According to the subject application, it is possible to encourage further communication between the streamer and the viewer, and enhance user-user interactions through the live streaming.

Abstract: A system comprises a memory and a processing apparatus. The memory stores a collection of personal information data and a data catalog of the collection of personal information data. The processing apparatus executes generating the machine learning model according to a designated machine learning logic, based on personal information data, corresponding to designated metadata in the data catalog and a designated data range. And the processing apparatus, executes calculating a personal identification risk which shows a risk of a person being identified based on an output of the machine learning model. Then the processing apparatus executes outputting the machine learning model when the personal identification risk, does not exceed a predetermined threshold.

Abstract: In order to automatically classify data without using a classifier constructed by machine learning, an information processing apparatus (1) includes: a data acquiring section (11) for acquiring target data, which is data to be classified into one of a plurality of categories in a hierarchical structure; and a classifying section (12) for classifying the target data into one of the plurality of categories in accordance with (i) a matching degree indicating a degree to which the target data matches that category and (ii) an upper-level matching degree indicating a degree to which the target data matches an upper-level category of that category.

Abstract: A method for performing a power disturbing operation to reduce a success rate of cryptosystem power analysis attack, an associated cryptosystem processing circuit and an associated electronic device are provided.

Abstract: A system includes a memory and processor. The memory stores code segment vulnerability findings that were generated through static application security testing (SAST). For a first code segment, a first vulnerability finding has been classified as a real vulnerability, and a second vulnerability finding has been classified as a false positive by external review. The processor generates a code fingerprint for each code segment, which corresponds to an abstract syntax tree that has been augmented by data flow information and flattened. The processor determines that the fingerprint for the first code segment matches the fingerprint for a second code segment and that the vulnerability findings for the first code segment match those for the second. In response, the processor automatically classifies a matching first vulnerability finding for the second code segment as the real vulnerability, and a matching second vulnerability finding for the second code segment as the false positive.

Abstract: An example system includes a processor to receive an instance of a composite format comprising a masking restriction. The processor can generate a mask for the instance of the composite format based on the masking restriction. The processor can output the generated mask.

Abstract: The present disclosure relates to systems and methods for providing cloud-based services securely to on-premises networks or other infrastructure. More particularly, the present disclosure relates to systems and methods for enriching first-party data (e.g., data collected directly by an on-premises server) stored within on-premises networks by enabling the on-premises networks to retrieve and process third-party data stored on cloud-based networks. As a technical benefit, cloud-based services can be performed on the first-party data within the on-premises networks.

Abstract: Embodiments related to using a foundational model for network packet traces. A technique includes receiving network traffic of a network and extracting features from the network traffic, the features having a function related to communications in the network. The technique includes generating tokens from the features, each of the features corresponding to a respective one of the tokens, training a machine learning model by inputting the tokens, the machine learning model being trained to output contextual embeddings for the tokens, and using the contextual embeddings to determine an anomaly in the network traffic.

Abstract: In accordance with an embodiment, described herein are systems and methods for use with a microservices or other computing environment, including a web server together with related libraries and features usable to build cloud-native applications or services. The system provides, by means of a header enumeration, an abstraction that allows message headers to be treated as objects, accessible via an application program interface that supports multiple communication protocols and allows clients and servers to communicate request/response messages using any of the supported protocols. When a request message with a known header type is encountered, the system can obtain an indexed value from the enumeration, if available, and provide the associated data directly to the process to which the request is directed, and/or cache the header value for later use.

Abstract: A system and method for automated cybersecurity defensive strategy analysis that predicts the evolution of new cybersecurity attack strategies and makes recommendations for cybersecurity improvements to networked systems based on a cost/benefit analysis. The system and method use machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph. Recommendations are generated based on an analysis of the simulation results against a variety of cost/benefit indicators.

Abstract: Content data is registered in a file management system, an identifier of a user in the file management system is registered in blockchain data, and a right-holder terminal includes a permission request receiving unit that receives, from the file management system, permission request data for the content including an identifier of the user, a verification unit that verifies that the identifier of the user registered in the blockchain data corresponds to the identifier of the user included in the permission request data, and an permission issuing unit that transmits, to the file management system, permission data for permitting a use of the content by the user.

Abstract: A system and method including receiving, from a first user of a first service, an indication of a second service to integrate with the first service; correlating a presence of the first user of the first service with an identifier of the first user in the second service; receiving, from a second user of the first service, an indication of the second service to integrate with the first service; correlating a presence of the second user of the first service with an identifier of the second user in the second service; receiving, from the second service via an application programming interface, a replication of a statement of work generated by the second service and associated with the second user; and persisting the replication of the statement of work in a data store of the first service that is accessible by the first user of the first service.

Abstract: A method for privacy preserving data processing in a linked data operating environment wherein applications have secure and permissioned access in an interoperable manner to data that is stored in one or more online data stores. The method begins by creating a privacy preserving data processing (PPDP) agent for use by an entity to process the data in association with the online data stores. The PPDP agent is then subjected to a certification process that ensures that the PPDP agent does not exfiltrate any data from the online data stores. After a successful certification, and following registration of the agent with an agent repository, a secure PPDP environment is instantiated in association with the data stores and in which the PPDP agent is then configured to execute. The PPDP agent is then executed within the secure PPDP environment over a configured security context and life-cycle of the PPDP agent.

Abstract: Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.

Abstract: Embodiments of the present disclosure relate to electronic lockout of a client device, specifically to managing electronic lockout of a client device associated with a claim process via a device protection program management system and third-party provider. In this regard, embodiments herein may process various data associated with determining whether to authorize a claim under a device protection program, and cause initiation of and/or termination of an electronic lockout of a client device depending on received data and/or lack of received data. In this regard, example embodiments include receiving a device claim request indication associated with a client device, where the client device is associated with a functionality lockout state; initiating a claim associated with the client device; causing initiation of an electronic lockout of the client device; processing the claim to determine whether to authorize the claim; and causing updating of the electronic lockout based on the determination.

Abstract: The present disclosure relates to a remote attestation in a network. Embodiments provide a method comprising: attesting a first node in a network, by a node adjacent to the first node in the network; and generating an attestation result of the first node. A plurality of attestation results of the first node generated by a plurality of nodes adjacent to the first node in the network are combined to determine a credibility of the first node. In such embodiments, a fixed verifier for other nodes is eliminated, and a risk of a collapse due to a failure of such fixed verifier may be avoided.

Abstract: A system and method for providing access to third-party application programming interfaces (APIs) as a service. In particular, an API access manager can be configured to execute one or more serverless functions selected form a database of serverless functions in order to obtain data from one or more third-party APIs. Retrieved data can be used to evaluate compliance with one or more information security policies.

Abstract: A system and method for providing access to third-party software tools as a service. A service access manager can communicate with one or more third parties to manage licenses associated with third-party software tools. A machine learning model can be trained using logs generated by the system and causes of detected errors to automatically determine the cause of errors occurring in the future. Vendor logs generated by software instances instantiated by third-party systems can be collected and used to improve error attribution.

Abstract: Embodiments of the present disclosure provide methods, apparatus, systems, computing devices, and computing entities for predictive data protection using a data protection policy determination machine learning model.

Abstract: In an embodiment, a data platform creates an application in a data-provider account. The application includes one or more APIs corresponding to one or more underlying code blocks. The data platform shares provider data with the application in the data-provider account, and also installs, in a data-consumer account, an application instance of the application. The application instance includes one or more APIs corresponding to the one or more APIs in the application in the data-provider account. The data platform shares consumer data with the application instance in the data-consumer account, and invokes one or more of the APIs of the application instance to execute respective associated underlying code blocks, which are not visible to the data-consumer account. The data platform also saves output of the one or more respective associated underlying code blocks locally within the data-consumer account.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for using additive and subtractive noise for preserving the privacy of users. In one aspect, a method includes obtaining a first set of genuine user group identifiers that identify user groups that include a user as a member. A second set of user group identifiers is generated for the user by removing zero or more genuine user group identifiers from the first set to generate the second set and adding, to the second set, one or more fake user group identifiers for user groups that do not include the user as a member. A probabilistic data structure is generated based on the second set of user group identifiers. The probabilistic data structure is transmitted. Data indicating a set of digital components including at least one digital component selected based on the probabilistic data structure is received.

Abstract: An example method for data auditing for object storage public clouds includes a service broker receiving a request to store data in public object storage, where the request includes user information or a container image. The service broker, based on either the user information or the container image, determines that data auditing is necessary. The service broker creates a storage unit, in public object storage, and a storage proxy. The method further includes the storage proxy storing data, and a data auditor retrieving data from the storage proxy. The data auditor determines a data qualification for the data, and notifies the storage proxy of the data qualification.

Abstract: An assessment apparatus is able to access a surrogate model generation apparatus that comprises a query generation part that generates a first query causing an assessment target model to make an inference to obtain an inference result; an MIA execution part that executes a membership inference attack using as an input the inference result obtained by sending the first query to the assessment target model and infers virtual training data used to train the assessment target model; and a surrogate model generation part that uses the virtual training data to generate a surrogate model that emulates the behavior of the assessment target model, and the assessment apparatus comprises a security assessment part that transmits a second query to both the surrogate model and the assessment target model to assess the security of the assessment target model using the results therefrom.

Abstract: A system processes an API specification provided by a vendor to determine and classify the functions defined therein by CRUD operation type based on analysis of the function names. Classification of the function includes associating a bitmask corresponding to the class with the function name. The system then subscribes to an event stream including logged API function call events during a time window overlapping with a “blind spot” period of attack detection. The system analyzes incoming events to identify an associated resource and an API function call. The system classifies the function based on the determined function classes and performs a bitwise operation between bit values maintained for the identified resource that are indicative of resource state and the bitmask of the function class. If the resulting bit values indicate that the resource was both created and deleted during the time window, the system flags the resource as potentially involved in an attack.

Abstract: An indication of an application to be installed on a local device is received. A request is transmitted to a remote server for information associated with the application. In some cases, in response to the receipt of a report from the remote server, a set of rules restricting behaviors of the application is implemented at the local device. In some cases, in response to the receipt of a report from the remote server, the installation of the application on the local device is prevented.

Abstract: A system and method for performing distributed recognition divides processing steps between a device, having lower processing power, and a remotely located server, having significantly more processing power. Images captured by the device are processed at the device by applying a first set of image processing steps that includes applying a first detection. First processed images having at least one detected human is transmitted to the server, whereas a second set of image processing steps are applied to determine a stored entry matching the detected human of the first processed image.

Abstract: A system, method, and device for generating data visualizations are disclosed. The method includes (i) obtaining a natural language query, (ii) determining an intent for the natural language query, (iii) generating one or more data requests to one or more selected data sources, the one or more data requests being based at least in part on the intent, (iv) abstracting result data to obtain a data abstraction, the result data being responsive to the one or more data requests, and (v) generating a visualization for the result data based at least in part on the data abstraction.

Abstract: Systems and methods are disclosed for batch processing of key generation requests for internet-of-things (IoT) device vendors. An example method may include maintaining a queue of internet of things (IoT) devices for which encryption material generation has been requested. The method may also include receiving, from a first vendor, a first order to generate first encryption material for a first set of IoT devices and receiving, from a second vendor, a second order to generate second encryption material for a second set of IoT devices. The method may further include generating a dynamic encryption material schedule configured to partition the first set of IoT devices and partition the second set of IoT devices and applying the dynamic encryption material schedule such that the first encryption material and the second encryption material are generated at least partially in parallel.

Abstract: A method of designing a multi-party system in quotient algebra partition-based homomorphic encryption (QAPHE), which is based on the framework of quotient algebra partition (QAP) and the computation of homomorphic encryption (HE), wherein the method comprises: increasing single model provider A to multiple ones, wherein the number of the multiple model providers is L and let A1?i?L and L?2; increasing single data provider B to multiple ones, wherein the number of the multiple data providers is R and let B1?j?R and R?2; and encoding plaintexts, each of which is of kj qubits, from all data providers into ciphertexts respectively; aggregating the ciphertexts by a form of tensor product and generating an encoded state for computation; and preparing a model operation to conduct the encrypted computation via an encoded operator and the encoded state in a cloud. The method can improve the security of public-key/semi-public-key system and be applied to a threshold HE or a multi-key HE to solve actual problems.

Abstract: The present disclosure provides a joint training method and apparatus for models, a device and a storage medium. The method may include: training a first-party model to be trained using a first sample quantity of first-party training samples to obtain first-party feature gradient information; acquiring second-party feature gradient information and second sample quantity information from a second party, where the second-party feature gradient information is obtained by training, by the second party, a second-party model to be trained using a second sample quantity of second-party training samples; and determining model joint gradient information according to the first-party feature gradient information, the second-party feature gradient information, first sample quantity information and the second sample quantity information, and updating the first-party model and the second-party model according to the model joint gradient information.

Abstract: Methods and systems for securely managing personal data associated with image processing include an image sensor configured to capture an image, a local computer system local to the image sensor, and a backend computer system remote from the image sensor. The local computer system has a processor with a trusted execution environment (TEE) that detects anomalies in images from the image sensor, extracts personal data from the image, and encrypts the personal data. The local computer system then sends the extracted, encrypted personal data to the backend computer system, where a backend TEE decrypts the extracted, encrypted personal data, and performs data processing by comparing the decrypted personal data to other personal data that is stored in a backend database in the backend computer system.

Abstract: A memory device and an associated control method are provided. The memory device includes a non-volatile memory array and a memory control circuit. The non-volatile memory array includes M secured memory zones. The memory control circuit is electrically connected to the non-volatile memory array. The memory control circuit provides a set of mapping information and searches a request key in the set of mapping information. The set of mapping information represents correspondences between N access keys and the M secured memory zones. The memory control circuit acquires at least one of the M secured memory zones if the request key is one of the N access keys, and performs an access command to the at least one of the M secured memory zones. M and N are positive integers.

Abstract: This patent disclosure provides various verification techniques to ensure that anonymized surgical procedure videos are indeed free of any personally-identifiable information (PII). In a particular aspect, a process for verifying that an anonymized surgical procedure video is free of PII is disclosed. This process can begin by receiving a surgical video corresponding to a surgery. The process next removes personally-identifiable information (PII) from the surgical video to generate an anonymized surgical video. Next, the process selects a set of verification video segments from the anonymized surgical procedure video. The process subsequently determines whether each segment in the set of verification video segments is free of PII. If so, the process replaces the surgical video with the anonymized surgical video for storage. If not, the process performs additional PII removal steps on the anonymized surgical video to generate an updated anonymized surgical procedure video.

Abstract: A data storage device and method for token generation and parameter anonymization are provided. In one embodiment, a data storage device is provided comprising a memory and a controller. The controller is configured to receive a plurality of tokens and data comprising a plurality of data portions, which each token identifies a different set of the data portions to anonymize; create a plurality of anonymized versions of the data per the plurality of tokens; and store each of the plurality of anonymized versions of the data in different physical addresses in the memory, wherein the different physical addresses map to a same logical address in a mapping structure. Other embodiments are possible, and each of the embodiments can be used alone or together in combination.

Abstract: A computer system includes a processor that operates in a normal world and a secure world and that provides hardware-level isolation between the normal world and the secure world. A storage device of the computer system has a protected data region that stores critical data. A random-access memory of the computer system has a normal memory space that is accessible in the normal world and a secure memory space that is accessible only in the secure world. The secure memory space stores commands that transfer the critical data between the protected data region and the normal memory space by direct memory access.

Abstract: A method and apparatus for a distributed service provider augmenting user data during data access and deletion is described. The method may include monitoring a plurality of user data returned by service system responses to requests for user data associated with a user identifier. The method may further include building an additional user data search query using a subset of user data from the monitored plurality of user data returned by the service system responses to the initial requests for user data. Furthermore, the method can include executing the additional user data search query at each of the plurality of service systems to identify additional user data stored by one or more of the plurality of service systems, wherein the identified additional data is not associated with the user identifier.

Abstract: A method for protecting a disaster recovery site, the method may include receiving by source compute nodes of a storage system, during source storage periods, write requests for storing content in the storage system; writing by source compute nodes, during the source storage periods, the content into the storage nodes of the storage system; maintaining replication compute nodes of the storage system deactivated during the source storage periods; reading the content by the replication compute nodes from the storage nodes during replication periods; participating, by the replication compute nodes, in outputting the content to one or more data recovery sites during the replication periods; and maintaining the source compute nodes deactivated during the source storage periods.

Abstract: The present disclosure relates to activity monitoring systems and methods for gating whether or not steps should be counted in an observation window based on whether a decision tree concludes there are consecutive step activities (versus no activity or other activities) in the observation window. Particularly, certain aspects are directed to a method that includes obtaining acceleration data for an observation window of an accelerometer, inputting two or more characteristics of the acceleration data into a decision tree to determine activity occurring within the observation window, assigning a first class to the observation window when the determined activity is associated with consecutive steps, assigning a second class to the observation window when the determined activity is not associated with consecutive steps, and when the first class is assigned to the observation window, determining a step count for the observation window using frequency analysis.

Abstract: One embodiment provides a method comprising verifying a digital asset to determine ownership, provenance, and lineage of the digital asset. The verifying includes blockchain forensic analysis and triangulation of one or more electronic devices involved in one or more blockchain transactions relating to the digital asset. The method further comprises computing a confidence score corresponding to the digital asset. The confidence score is a measurement derived from the verifying. The method further comprises maintaining a record of the digital asset in an electronic registry. The record includes the confidence score and is indicative of the ownership, the provenance, and the lineage of the digital asset. The method further comprises monitoring one or more changes to the ownership, the provenance, and the lineage of the digital asset, and updating the record including the confidence score in response to the one or more changes.

Abstract: A method and apparatus are disclosed for a multi-processor SoC which includes an execution domain processor for running an execution domain; a control point processor that is physically and programmatically independent from the execution domain processor and configured to generate control data for controlling access by the execution domain to one or more SoC resources by identifying at least a first SoC resource that the execution domain is allowed to access; and an access control circuit connected between the execution domain and the SoC resources and including a programmable front end which is connected to receive the control data from the control point processor, and a signals-based back end which is configured to provide a dynamic runtime isolation barrier in response to the control data, thereby controlling access to the one or more system-on-chip resources by the execution domain.

Abstract: A method and system for maintaining tenant isolation in a messaging service are disclosed. The method includes receiving, in at least one source topic, records sent by a plurality of producer systems associated with a plurality of tenants, wherein each of the plurality of tenants is associated with a unique tenant identifier (ID); partitioning the received records into a plurality of partitions in an intermediate topic based on the respective tenant IDs of respective tenants that sourced the records; grouping, for each of the plurality of partitions in the intermediate topic, records within the partition into an isolated batch, wherein the records in each isolated batch belong to the same tenant; and placing the isolated batches in a destination topic to be consumed system by a consumer, wherein the isolated batches are placed in the destination topic in a round-robin manner.

Abstract: A system and method are disclosed for processing data subject rights requests. The system and method advantageously enable data controllers to train machine learning models on unaltered data having PII, while maintaining the privacy of the unaltered data and enabling compliance with data subject rights requests with respect to the data. The system and method incorporate a biometric database that stores biometric data extracted from the unaltered data having PII. In order to identify data relating to a data subject rights request, biometric data is received from the data subject and is matched against the biometric data stored in the biometric database. Based on the matched biometric data, the original unaltered source data having PII can be identified for the purpose of exercising one or more data subject rights, such as erasure, access, and objection to processing.

Abstract: The present disclosure provides an identity authentication method, a personal security kernel node, a device, and a medium. The personal security kernel node is part of an identity authentication system, the identity authentication system further comprising a relying party node and a user identity credential certifier node. The method includes: obtaining an identity authentication assurance level corresponding to a service provided by a relying party; determining, according to the identity authentication assurance level, a user identity credential used by a user for the service; transmitting the user identity credential to a user identity credential certifier node through a relying party node, so that the user identity credential certifier node performs user identity credential authentication; and performing the service with the relying party node. According to the embodiments of the present disclosure, security of user identity assets can be improved during identity authentication.

Abstract: The present invention provides for generating high volumes of synthetic data records for testing data processing applications associated with one or more operating fields, such as healthcare without using any confidential Information. In operation, the present invention provides for retrieving a predefined dataset. Further, the present invention provides for extracting data values associated with selected relevant data fields from the retrieved predefined dataset. Furthermore, the present invention provides for defining rules for generating data values of specific data fields out of the selected relevant data fields. Yet further, the present invention provides for evaluating a number of possible data records. Yet further, the present invention provides for generating evaluated number of synthetic data records using a predefined file format based on the extracted data values and the defined rules.

Abstract: Systems, methods and computer readable products are provided for enabling dynamic loading of one or more digital image branding functions associated with one or more distribution rules. A distribution rule is used to target a group of end users that are selected from a dataset mapping a plurality of end-users according to one or more distribution rules. Instructions are forwarded to present an indication the digital image branding function to each member of the end users group.

Abstract: One variation of a method for securing synthetic video conference feeds includes, during a setup period: accessing a target image depicting a face of a user; generating a face model based on a target set of facial features detected in the target image; and linking the face model to a target set of facial biometric values of the user. The method also includes, during an operating period succeeding the setup period: accessing a frame; deriving characteristics of a set of facial features detected in the frame; extracting a set of facial biometric values from the frame; in response to alignment between the target set of facial biometric values and the set of facial biometric values, generating a synthetic face image based on characteristics of the set of facial features, the face model, and a synthetic face generator; and rendering the synthetic face image in place of the frame.

Abstract: Methods and systems are described whereby a server can forward a request from a device behind a NAT router to a system to determine if the request is suspicious. A server can receive a message via a network device, such as a NAT router, disposed at a location. The message can originate from one of a plurality of computing devices located downstream of the network device. The server can determine that the message originated from a compromised device and transmit a signal to facilitate execution of a first process on the computing devices located downstream from the compromised device, wherein, upon execution, the first process is configured to compare information located in a local storage of the computing device with a predetermined list of domains.

Abstract: Techniques and apparatuses are described that implement the secure external data storage. A computing system may include a system-on-chip as a main processing complex and one or more secure elements that execute specialized functions related to sensitive information. While the secure element may use an external flash for storage for performance reasons, storing sensitive information on an external flash may expose the sensitive information if the external flash is ever compromised. The disclosed techniques and apparatuses provide an integrated secure element, of a system-on-chip, which leverages a secure channel with a secure flash to manage a cryptographic key for securing sensitive information stored on an unsecured external flash to prevent the exposure of sensitive information.