Abstract: Protecting membership and data in secure multi-party computation and communication is provided. A method of protecting membership and data includes generating a padding dataset. A size of the padding dataset is determined based on a data privacy configuration. The method also includes up-sampling a first dataset with the padding dataset, transforming the first dataset, dispatching the first dataset, performing an intersection operation based on the first dataset and a second dataset to generate a third dataset, generating a first share based on the third dataset, and constructing a result based on the first share and a second share.

Abstract: An example operation includes one or more of receiving an authorization code for a software update by a transport component, executing the software update on the transport component, responsive to a successful execution of the software update, generating a validation code by the transport component, and running the software update on other transport components based on the validation code.

Abstract: A method comprising maintaining, in a central database, stored host device information related to one or more host devices associated with providing harmful data, which potentially includes harmful content; configuring a VPN server to receive, from a DNS server, obtained host device information associated with a host device based at least in part on receiving an indication that data of interest is to be requested from the host device; configuring the VPN server to determine that the data of interest potentially includes harmful content based at least in part on determining that the obtained host device information matches the stored host device information; and configuring the VPN server to transmit, based at least in part on determining that the data of interest potentially includes harmful content, a notification indicating that the data of interest to be requested potentially includes harmful content. Various other aspects are contemplated.

Abstract: The method provides an automated and scalable system for device onboarding and an asset metadata-based device directory service. It helps perform zero touch device onboarding at first-time power cycle of a device in operational environments with device two-factor authentication to configure and manage the lifecycle of device and application-level quantum-safe keys for secure communications with client authentication, data authentication, and data encryption over secure and insecure transport protocols. It helps achieve device onboarding and accelerated provisioning with secure scanning of printed device labels for device identifiers assigned by the device manufacturer and/or device owners/operators. It helps provision device and application-level pre-shared keys for client authentication, data authentication, and data encryption over any transport or network protocol stack for secure authenticated communications between devices and services hosted on-cloud or on-premises.

Abstract: A marketplace network for facilitating transactions among a plurality of marketplace participants. The marketplace network includes a plurality of service provider systems associated with respective service provider participants. Each of the plurality of service provider systems are communicatively coupled to a respective merchant server. The marketplace network includes a plurality of user systems associated with respective user participants configured to generate a service request to one of the plurality of service provider systems. The marketplace server facilitates transactions digitally by executing a set of computer-executable tasks for securely processing transactional exchanges among the marketplace participants. The transactional exchanges include at least exchanges of ownership rights for digitally stored data at least in part owned originally by the user participants.

Abstract: A method to optimize the usage of these crypto resources for effectively sharing the resource with identical configuration crypto material and thereby reducing the operation overhead associated with cryptographic operations is disclosed.

Abstract: Differential privacy composition determination in secure computation and communication of a dataset is provided. A method for differential privacy composition determination includes determining a differential privacy configuration that includes a first privacy parameter and a second privacy parameter, determining a privacy loss distribution, and providing a number of composition operations. The method also includes determining a third privacy parameter and a fourth privacy parameter for a differential privacy composition based on the differential privacy configuration, the privacy loss distribution, and the number of composition operations. The method further includes controlling the dataset based on at least one of the third privacy parameter and the fourth privacy parameter.

Abstract: This disclosure provides methods and techniques of referencing row access policy (RAP) protected mapping tables in a RAP for a data table are disclosed herein. An example method of referencing a mapping table in a data table using nested RAP includes defining, by a processing device, a first access policy for the mapping table to control access by specific users or under specific conditions. The processing device further defines a second access policy attached to the data table referencing the mapping table. The processing device in response to a query, executes the second access policy of the data table to provide a response or operation of data associated with the data table and the mapping table. Executing the second access policy invokes executing the first access policy of the mapping table.

Abstract: A system device and a method for managing access to data in an automation environment are disclosed. The data is associated with assets in an automation environment, where the data includes one of restricted data and unrestricted data. The automation environment is accessible via one or more computing platforms including a plurality of computing resources that are classifiable into a trusted computing platform and a non-trusted computing platform. The method includes classifying analytics operations performable on the data into a first operation set that is executable on the trusted computing platform. The analytics operations are associated with one or more applications executable on at least one of the computing platforms. The method includes enabling access to at least one of the unrestricted data and a first unrestricted output of the first operation set outside the trusted computing platform by a communication operation.

Abstract: A system, apparatus, method, and machine readable medium are described for secure authentication. For example, one embodiment of a system comprises: an authenticator on a client device to securely store one or more private keys, at least one of the private keys usable to authenticate a block of a blockchain; and an attestation module of the authenticator or coupled to the authenticator, the attestation module to generate a signature using the block and the private key, the signature usable to attest to the authenticity of the block by a device having a public key corresponding to the private key.

Abstract: Implementations of the present disclosure are directed to providing remote access to electronic documents stored in a server system using a virtual secure room, and include actions of authenticating a user at least partially based on credentials the user, at least partially in response to authenticating the user, providing a secure connection between a computing device of the user and the server system, transmitting at least one electronic document for display to the user on the computing device, monitoring the user, while the at least one electronic document is displayed to the user on the computing device, and selectively closing the secure connection in response to one or more of at least one activity and at least one state of the user.

Abstract: The present disclosure relates to activity monitoring systems and methods for gating whether or not steps should be counted in an observation window based on whether a decision tree concludes there are consecutive step activities (versus no activity or other activities) in the observation window. Particularly, certain aspects are directed to a method that includes obtaining acceleration data for an observation window of an accelerometer, inputting two or more characteristics of the acceleration data into a decision tree to determine activity occurring within the observation window, assigning a first class to the observation window when the determined activity is associated with consecutive steps, assigning a second class to the observation window when the determined activity is not associated with consecutive steps, and when the first class is assigned to the observation window, determining a step count for the observation window using frequency analysis.

Abstract: Various embodiments of a hierarchical system or method of identifying sensitive content in data is described. In some embodiments, sensitive data classifiers local to a data storage system can analyze a plurality of data items and classify at least some data items as potentially containing sensitive data. The sensitive data classifiers can provide the classified data items to a separate sensitive data discovery component. The sensitive data discovery component can, in some embodiments, obtain the classified data items, perform a sensitive data location analysis on the classified data items to identify a location of sensitive data within some of the classified data items, and generate location information for the sensitive data within the data items containing sensitive data. The sensitive data discovery component can provide to a destination this information, in some embodiments, where the destination might redact, tokenize, highlight, or perform other actions on the located sensitive data.

Abstract: A method of a payment for an Internet of Things (IoT) device is provided. The method includes steps of: a payment supporting server (a) on condition that the payment supporting server has registered certificates of the IoT device, a service providing device, and a digital wallet in a first blockchain, manages their transaction IDs, has registered a representative hash value in a second blockchain, manages their transaction IDs, and manages link information between the IoT device and the digital wallet, confirming validity of a billing transaction, and (b) acquiring identification information on the digital wallet; and (c) paying the billing detail using the digital wallet, registering its payment result in the first blockchain, registering in the second blockchain, if one anchoring condition is satisfied, a first representative hash value, and transmitting the payment result to the service providing device, the IoT device, and the digital wallet.

Abstract: A data privacy protecting tool operates on behalf of a user to watermark or otherwise fingerprint selected data provided to a digital service provider (DSP) sites/apps. The watermarked data can then be used to monitor a DSP's compliance with distribution or access rules for the user data.

Abstract: Systems and methods are described for modifying input and output (I/O) to an object storage service by implementing one or more owner-specified functions to I/O requests. A function can implement a data manipulation, such as filtering out sensitive data before reading or writing the data. The functions can be applied prior to implementing a request method (e.g., GET or PUT) specified within the I/O request, such that the data to which the method is applied may not match the object specified within the request. For example, a user may request to obtain (e.g., GET) a data set. The data set may be passed to a function that filters sensitive data to the data set, and the GET request method may then be applied to the output of the function. In this manner, owners of objects on an object storage service are provided with greater control of objects stored or retrieved from the service.

Abstract: A method of utilizing a distributed ledger for a cloud service access control. The method may include receiving, by an identity and access management (IAM) service, an identifier of a client of a cryptographically protected distributed ledger; transmitting, to a proxy service, a subscription request for distributed ledger transactions initiated by the client; receiving, from the proxy service, a transaction notification comprising an identifier of the client, an identifier of an autonomous agent, and an identifier of a cloud service; receiving, from the cloud service, a validation request with respect to an action request submitted by the autonomous agent; validating, using the transaction notification, the action request; and notifying the cloud service of validity of the action request.

Abstract: Systems and methods are provided for storing data blocks in distributed storage. One example computer-implemented method includes receiving a request for data included in a data block, where the request includes index addresses for different ones of multiple storage devices of a distributed storage. The method also includes, based on the index addresses, retrieving the N segments of the data block and the M segments of chaff from the storage devices of the distributed storage, decrypting the N segments of the data block and the M segments of chaff, and discarding the M segments of chaff. The method then further includes reconstructing the data block from the retrieved N segments of the data block, thereby providing access to the data included in the data block.

Abstract: Systems, methods, and software are disclosed herein for presenting sensitive information in accordance with a level of concealment. In an implementation, an object is identified comprising text that includes sensitive information. A contextual privacy setting for the sensitive information and a context surrounding a presentation of the object is then identified. Based on the contextual privacy setting and the context surrounding the presentation of the object, a level of concealment for the sensitive information in the text is determined. The object comprising the text is then presented, wherein the sensitive information included in the text is revealed in accordance with the level of concealment.

Abstract: Techniques are disclosed of detection and analysis of network-based assets under common management by an entity. Network-based assets that are under common management by an entity may be owned or associated with the entity. Some network assets may appear to be under the common management of an entity, but may be operated by an unauthorized entity. Detecting a relationship between or ownership of network assets for malicious network activity may be a challenge. Specifically, the connection between authorized assets and unauthorized assets may be difficult to identify, especially if assets are masked or changed to evade detection. A network analytic system is disclosed that can process different data from multiple sources (e.g., at least multiple, disparate data sources) to identify relationships between network-based assets.

Abstract: Apparatuses, systems, and techniques to train a generative model based at least in part on a private dataset. In at least one embodiment, the generative model is trained based at least in part on a differentially private Sinkhorn algorithm, for example, using backpropagation with gradient descent to determine a gradient of a set of parameters of the generative models and modifying the set of parameters based at least in part on the gradient.

Abstract: Techniques for managing an application token may include providing, by a first service provider application on a communication device to a first service provider computer, a first request for a first application token, receiving, by an account management application on the communication device from a token service computer in communication with the first service provider computer, the first application token, and storing the first application token in a token container in the account management application.

Abstract: A device may include a processor, a wireless transceiver in communication with the processor, and a non-transitory memory. The memory may store instructions that, when executed by the processor, cause the processor to perform processing. The processing may include sending, by the wireless transceiver, a request to share a transaction to at least one external user device in communication range of the device. The processing may include receiving, at the wireless transceiver, at least one sharing confirmation from the at least one external user device. The processing may include generating a transaction request. The transaction request may include data describing the transaction and a transaction portion to be paid by an account associated with the device. The processing may include sending the transaction request to a transaction service for fulfillment.

Abstract: Embodiments described include systems and methods for incorporating tags in content of network applications. An embedded browser, which is executable on one or more processors of a client device, may detect content from a network application accessed via the embedded browser. A DRM engine of the embedded browser identifies a DRM scheme for the network application from the plurality of DRM schemes and according to the network application. The DRM engine generates a DRM tag for the content according to the DRM scheme identified for the network application. The DRM tag includes a classification of the content. The DRM engine incorporates the DRM tag into the content for managing usage of the content according to the classification.

Abstract: A method and apparatus for providing an online meeting, capable of detecting an online meeting and blocking disruption factors are provided. The method includes: detecting execution of a conferencing program for an online meeting on a user terminal; upon detecting execution of the conferencing program, generating a monitoring event to enable a disruption factor blocking function; monitoring packets transmitted and received by the user terminal and an internal process running on the same, in response to the monitoring event; determining whether to allow the transmitted and received packets and the internal process based on a preset blocklist; and blocking the transmitted and received packets or terminating the internal process, based on the determination.

Abstract: Systems and methods of an integrated technology platform create a marketplace providing dashboards configured to allow brands and social media influencers to directly connect with each other. The system includes an integrated platform that enables an advertising party to find social media influencers who are most suited to the brands' contexts, market appeal, and demographic targets, build and manage relationships with the influencers, and identify fake influencers using machine learning models.

Abstract: A method is provided for a device participating in a data aggregation service. The device receives, from at least one requesting server, a participant homomorphic encryption key, and a request for data to perform a computation. The device encrypts requested data, including a location identifier, with the participant homomorphic encryption key, and sends, to an aggregation service, the encrypted requested data.

Abstract: Methods, apparatus, computer program products for tracking sensitive data are provided. A method for tracking sensitive data comprises identifying, by one or more processing units, for a type of sensitive data, at least one key interface that carries the type of sensitive data and recording the at least one key interface. The method further comprises generating, by one or more processing units, for the type of sensitive data, for each type of sensitive data, a series of service nodes based on the at least one key interface, and monitoring, by one or more processing units, for the type of sensitive data, corresponding data traffic flowing through corresponding series of service nodes, based on the identified at least one key interface.

Abstract: Systems and methods for facilitating payment application provisioning and transacting are disclosed. According to one embodiment, a method for provisioning a token to a third party payment application on a mobile device may include (1) receiving a logon from a customer using a mobile application for a financial institution executed on a mobile device and a device identifier for the mobile device; (2) receiving a request to provision a token for a third party payment application; (3) authenticating the customer using the logon information and the device identifier; (4) provisioning a token for a payment device associated with the customer; and (5) providing the token to the third party payment application for transaction processing.

Abstract: Protecting membership in secure multi-party computation and communication is provided. A method of protecting membership includes generating a padding dataset, up-sampling a first dataset with the padding dataset, transforming and dispatching the first dataset, receiving a second dataset, and performing a private set intersection operation based on the first dataset and the second dataset to generate a third dataset. Each of the first dataset, the padding dataset, and/or the second dataset includes one or more personal identification information for each user or member in the dataset.

Abstract: Systems and methods for verifying requests for personal information are described. A server computing system may receive a request for personal information associated with a requester, the request sent based on a government regulation related to consumer privacy rights, the request including a first identifier provided by the requester, the personal information stored in one or more databases based on one or more past transactions engaged between the requester and an entity associated with the one or more databases. The server computing system may search the one or more databases using the first identifier to identify a second identifier related to the first identifier, the second identifier stored in the one or more databases by the entity based on the one or more past transactions. The server computing system may verify identity of the requester using at least the second identifier.

Abstract: An example implementation may involve a computing system receiving, from a media playback system, a request to initiate playback of a cloud queue. The cloud queue may currently have a first access status that authorizes a first set of queue operations, which may include playback of the cloud queue. After receiving the request to initiate playback, the computing system may cause audio tracks of the cloud queue to be queued in a local queue of the media playback system such that the media playback system may playback audio tracks of the cloud queue via the local queue. The computing system may modify the access status of the cloud queue to a second access status. This second access status may authorize a second set of queue operations on the cloud queue. The computing system may cause access to the local queue to be restricted to the second set of queue operations.

Abstract: A system automatically manages data through a declarative client that retrieves data and caches data in response to a transmission of an auto-generated query from an end-user interface. The declarative client is served by a cloud services platform. A serverless engine receives images as a template in which a secure container is generated and receives multiple tasks that process the image within the secure container. An application programming interface extracts data in response to the auto-generated query. The declarative client includes a cache that breaks up results of the auto-generated queries into individual objects that are associated with a unique identifier across and a unique name to speed up the execution of the auto-generated queries. A scalable domain name system routes requests to access an instance of a cloud application and caches the name of the domain in response to the request.

Abstract: Aspects of the disclosure provides a secure key management and data transmission system that includes a transmission system, a data consumer network device, a user network device, and a data transmission network. The transmission management system is configured to receive user-specific data from the user network device via the data transmission network and receive a request for a service corresponding to processing the user-specific data according to a proprietary process provided by the data consumer network device. The transmission management system is also configured to generate service response data based on processing the user-specific data according to the proprietary process in response to the received request, encrypt the service response data to become single-encrypted service response data, transmit the single-encrypted service response data to the data consumer network device, and receive and store double-encrypted service response data from the user network device.

Abstract: Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, and a node representing a process executed within a system of the enterprise, each edge representing at least a portion of one or more lateral paths between assets in the enterprise network, determining, for each asset, a contribution value indicating a contribution of a respective asset to operation of the process, determining, for each asset, an impact value based on a total value of the process and a respective contribution value of the asset, and implementing one or more remediations based on a set of impact values determined for the assets, each remediation mitigating a cyber-security risk within the enterprise network.

Abstract: A method, with the aid of which an installation-wide security consideration may be carried out, that is not limited only to automation components of a single manufacturer, but that functions across all manufacturers, is provided. Through suitable user guidance and automated support in process-conforming execution of assessments, incident handling and the definition of security measures as well as corresponding tracking, the method has a high level of user-friendliness. A rule generator uses security criteria in order to develop user-specific analysis rules from a complex rulebook with a number of input values. All the installation-relevant data is automatically compiled in an inventory. The machine security auditor applies the user-specific rulebook to the collected installation data from the asset inventory, and from that, prepares the audit trail.

Abstract: A cardholder authentication method includes receiving, at an authentication network, an authentication request involving an account. The method further includes determining, based at least in part on a portion of an account identifier associated with said account, an authentication service. In addition, the method includes determining, based at least on said authentication service and a portion of said account identifier, an authentication response. The method also includes transmitting, to a merchant associated with a transaction involving said account, said authentication response.

Abstract: A method and apparatus for executing code in a container are described. In one embodiment, the method comprises generating code on a host computer system using a user interface; and executing the code inside a container on the host computer system, including performing access control based on one or more properties of the host computer system.

Abstract: Systems and methods are disclosed for establishing controlled remote access to debug logs. An example method may comprise: receiving, by a first computing device, from a second computing device, an encrypted file comprising a debug log; running, within a trusted execution environment of the first computing device, a log access application; sending, to the second computing device, a request for access to the debug log by the log access application, wherein the request comprises a validation measurement generated by the trusted execution environment with respect to the log access application; receiving, from the second computing device, an access key; and accessing the debug log using the access key.

Abstract: The disclosed computer-implemented method for protecting user privacy may include (i) receiving an indication to protect a photo with privacy-protecting blurring, (ii) generating a blurred version of the photo, (iii) generating, based on the blurred version of the photo, a video that progressively de-blurs the photo, (iv) linking through metadata the blurred version of the photo and the video that progressively de-blurs the photo as a combined motion-photo-object, and (v) storing the combined motion-photo-object in a configured location such that a photo display program uses the blurred version of the photo as a preview of the motion-photo-object when browsing but plays the video that progressively de-blurs the photo in response to additional user input selecting the preview. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A multi-country data pipeline keeps all of the PII received from a user that is in a first country in the first country. The data pipeline allows the non-personal data received from the user to be transmitted and analyzed in a second country. The method further allows the results of the analysis in the second country to be transmitted back to the first country where the PII is added to the results of the analysis. The data pipeline allows the results of the analysis in the second country to be used to take a desired action for the user in the first country, all while the PII of the user never leaves the first country.

Abstract: A method, computer system, and computer program product are provided for controlling data access and visibility using a context-based security policy. A request from an endpoint device to receive data is received at a server, wherein the request includes one or more contextual attributes of the endpoint device including an identity of a user of the endpoint device. The one or more contextual attributes are processed to determine that the endpoint device is authorized to receive the data. A security policy is determined for the data based on the one or more contextual attributes. The data is transmitted, including the security policy, to the endpoint device, wherein the endpoint devices enforces the security policy to selectively permit access to the data by preventing the endpoint device from displaying the data to an unauthorized individual.

Abstract: Provided is dynamic and flexible authentication based on an interaction over a communications link between a user device and a financial entity. A set of interactions enabled at the user device are categorized into different levels, each level comprises a different authentication policy. At about the same time as an interaction is initiated at the device, an authentication policy assigned to the interaction is accessed and a security challenge is activated at the device. Based upon a successful response to the security challenge, an enablement of the communications link is continued. Based upon an unsuccessful response to the security challenge, the communications link is disabled.

Abstract: A method for detection of tampering in an executable code including one or more code blocks. The method includes monitoring execution of the executable code with a call stack data structure associated therewith, the execution involving accessing one or more address spaces; receiving information about the one or more address spaces, as accessed; comparing the received information about one or more accessed address spaces with information about one or more allowed address spaces defined in the call stack data structure of the executable code; raising a flag upon detection that the one or more accessed address spaces are different from the one or more allowed address spaces, based on the comparison; and executing an action based on the raised flag.

Abstract: The present disclosure relates to a method for analysis on interim result data in a de-identification procedure, an apparatus for the same, a computer program for the same, and a recording medium storing computer program thereof. A method for de-identification according to an example of the present disclosure may include: generating a first interim result data by applying a first de-identification process to an initial data; generating a first analysis metric for the first interim result data; and generating a final result data based on the first interim result data, when the first analysis metric satisfies a first de-identification criterion.

Abstract: In accordance with at least some aspects of the present disclosure, an illustrative method for authenticating a user is disclosed. A plurality of biometric modalities are displayed for authenticating the user. A selection of one or more of the biometric authentication modalities may be received. User authentication data may be received for each of the one or more selected authentication modalities. The user authentication data may be compared with previously-determined biometric data. An authentication score may be determined based on the comparison of the user authentication data with the previously-determined biometric data. A determination may be made whether to authenticate the user based on the authentication score.

Abstract: Systems and methods for efficient and secure management of encrypted “snapshots” for a remote provider substrate extension (“PSE”) of a cloud provider network substrate are provided. The PSE may request and obtain a snapshot from the cloud provider network substrate, restore a volume from the snapshot, make changes to data in the restored volume, and/or initiate the creation and storage of a new snapshot that includes incremental updates to the original snapshot to reflect the changes made to data in the volume. An encrypted snapshot stored within the cloud provider network substrate may be decrypted using a cloud provider key designed for internal use only, and then re-encrypted using a PSE-specific key before providing the snapshot to the PSE, thereby avoiding the sharing of the cloud provider internal use only key outside the cloud provider network substrate.

Abstract: The disclosed embodiments include computerized systems and methods for generating secured blockchain-based ledger data structures that track occurrences of events across fragmented and geographically dispersed lines-of-business of an enterprise. In one instance, an apparatus associated with a rules authority of the secured blockchain-based ledger may detect an occurrence of a triggering event, and may access and decrypt a set of rules hashed into the secured blockchain-based ledger using a confidentially-held master cryptographic key. The apparatus may identify a rule associated with the detected event, and perform one or more operations consistent with the rule, including a disbursement of various rewards to employees in response to customer-specific interactions with the enterprise. The disclosed embodiments provide a rules process for aggregating mutually incompatible enterprise data that specifies the events, and for tracking the events in uniform data structures accessible across the enterprise.

Abstract: The disclosed embodiments include computerized systems and methods for generating secured block-chain-based ledger data structures that track subdivide ownership and usage of one or more assets, such as Internet-connected devices. In one instance, an apparatus associated with a rules authority of the secured block-chain-based ledger may detect an occurrence of a triggering event related to at least one of partial ownership interests in the assets, and may access and decrypt a set of rules hashed into the secured block-chain-based ledger using a confidentially-held master cryptographic key. The apparatus may identify a rule associated with the detected event, and perform one or more operations consistent with the rule, including a generation of additional data blocks reflecting a change in at least one of the partial ownership interests, and additionally or alternatively, processes that adaptively monitor a compliance of one or more partial owners with an imposed usage restriction.

Abstract: An information processing apparatus includes: at least one device; a first processor configured to control the at least one device; a second processor configured to verify validity of a program to be executed by the first processor, and to allow the first processor to execute the program when the program is determined to be valid; and a control circuit configured to control supply of power to the at least one device. The second processor starts the verification of the program in response to the information processing apparatus being powered on. The first processor starts the execution of the program at least based on a first control signal indicating that the program is determined to be valid. The control circuit starts the supply of the power to the at least one device before the determination that the program is valid.