Abstract: Various examples are directed to system and methods for authenticating a first computing system and a second computing system. The first computing system may receive second system sending data from the second computing system. The first computing system may generate first composite data based at least in part on the second system sending data and first system receiving data. The first computing system may determine that the first composite data is consistent with first composite reference data. The first computing system may generate first tag data based at least in part on the first composite data and send a request message comprising the first tag data to the second computing system. The first computing system may also receive a reply message comprising second tag data from the second computing system and determine that the second tag data is consistent with reference tag data.

Abstract: An item is encrypted to create a unique hash-value for the item. From this hash-value, an item can be uniquely identified. The hash-value for the item is stored in a first blockchain. When the item is included in a transaction, a transaction entry is stored in a block of the first blockchain. When an item participates in a group of items, a group of items is formed. The group of items is encrypted to create a unique hash-value for the group of items. The hash-value for the group of items may be based on hash-values from the items included in the group of items. The hash-value for the group of items is stored in a second blockchain that is distinct from the first blockchain. When the group of items is included in a transaction, a transaction entry is stored in a block of a second blockchain.

Abstract: Examples of techniques for location validation for authentication are disclosed. In one example implementation according to aspects of the present disclosure, a computer-implemented method includes presenting, by a processing device, a location-based security challenge to a user. The method further includes responsive to presenting the location-based security challenge to the user, receiving, by the processing device, media from the user. The method further includes validating, by the processing device, the media received from the user against the location-based security challenge to determine whether the user is located at an authorized location. The method further includes responsive to determining that the user is located at an authorized location, authenticating, by the processing device, the user to grant access for the user to a resource.

Abstract: Disclosed is a method for continuously authenticating a user based on motion input data. The method includes recording motion input data from a keyboard such as starting coordinates, ending coordinates, and timestamps of key-up actions to determine that a key has been pressed, recording a timestamp of motion input at the starting coordinate, mapping the timestamp of said motion input at the starting coordinate to a key-down action for the key press, determining which key of said virtual keyboard said key-down action refers to, and granting or denying access to a device if the timing of the key which was pressed and released in the key-down action and the corresponding key-up action matches the press and flight timing of a key which was pressed and released in a previously-recorded key-down action and a previously-recorded key-up action.

Abstract: Priority scanning of files written by malicious users in a data storage system is described herein. A data storage system as described herein can include a user lookup component that obtains identities of users that have made at least one modification to a first file stored on the data storage system, resulting in a set of modifying users; a comparison component that compares respective modifying users of the set of modifying users to respective malicious users of a set of malicious users; and a scan priority component that, in response to the comparison component identifying at least one match between a modifying user of the set of modifying users and a malicious user of the set of malicious users, assigns a first scan priority to the first file that is higher than a second scan priority assigned to a second, different file stored on the data storage system.

Abstract: An agent device is registered in a first device registry maintained by a first registry apparatus for authenticating agent devices for communicating with application providing apparatuses. The agent device can be assigned to a second device registry maintained by second registry apparatus. The method of assignment comprises the first registry apparatus receiving from a requestor device a device assignment request. In response to the device assignment request, the first registry apparatus checks whether the agent device is allowed to be assigned to the second device registry, and if so, the agent device transmits second authentication information for authenticating the identity of the agent device to the second registry apparatus which registers this in the second device registry.

Abstract: A signal processor including a Pulse Width Modulation (PWM) encoder configured to encode data into a data PWM pattern; and a block encoder coupled to the PWM encoder, and configured to determine a checksum of the data PWM pattern, wherein the PWM encoder is further configured to encode the checksum into a checksum PWM pattern, and append the checksum PWM pattern on the data PWM pattern for transmission as a PWM signal.

Abstract: Poisoning attacks by spoofing location beacons in a WLAN are detected using silence periods. A location beacon identifier is received from a mobile device allegedly within range of a location device transmitting location beacons, along with a timestamp of transmission for each of the location beacons. Also silence periods associated with the location device, during which transmissions of location beacons are temporarily discontinued, and which are unknown to the public, are determined or retrieved. The location beacon transmission time is compared to the silence periods. Responsive to the location beacon transmission time corresponding to at least one of the silence periods, the location device flagged as poisoned.

Abstract: A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.

Abstract: A computerized method of reducing a probability for falsely classifying a legitimate authentication process conducted by a legitimate user as a password guessing attack, comprising estimating a password guessing attack risk for an authentication process conducted by a user for accessing a secure service by performing the following for each of a plurality of failed access attempts in which the user provides incorrect authentication credentials: (1) calculate a risk score for a respective failed access attempt based on analysis of the incorrect authentication credentials provided during the respective failed access attempt and (2) update an authentication session score of the authentication process according to the calculated risk score and initiate one or more actions in case the updated authentication session value exceeds one or more threshold values extracted from a security policy predefined for the secure service.

Abstract: Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network, and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.

Abstract: The computer-implemented method for authenticating secret information according to an aspect of the present disclosure, comprises receiving, by an authentication server, Q{right arrow over (X)} from a terminal for registering secret information; storing, by the authentication server, the received Q{right arrow over (X)}; receiving, by the authentication server, a vector {right arrow over (Z)} from a terminal for requesting authentication of secret information; calculating, by the authentication server, the inner product of Q{right arrow over (X)} and {right arrow over (Z)}; calculating, by the authentication server, ½(n?the inner product); and determining, by the authentication server, that the authentication is successful if ½(n?the inner product) is within a predetermined value and that the authentication fails otherwise.

Abstract: In a first embodiment, the “one tap” operation of this disclosure enables a user having a mobile device “one tap” mobile application (or “app”) to log-in to the user's desktop or laptop computer by bringing the user's device in physical proximity to the computer and, while in such proximity, accepting a push notification that is received on the mobile device. In a second embodiment, the user uses the “one tap” functionality to access a cloud-based account that has been set up for the user on a third party web application (e.g., SalesForce.com). The technique seamlessly integrates with third party websites using well-known protocols (e.g., SAML2), and it enables secure cross-origin resource sharing in a highly secure, reliable and available manner. Still another aspect of this disclosure is an enhanced proximity detection routine that is used to facilitate the one tap function when the user's mobile device is moved into proximity with the computer.

Abstract: Disclosed are a system, method, and computer readable storage medium having instructions for applying a plurality of interconnected filters to protect a computing device from a DDoS attack. The method includes, responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device, determining data transmission parameters, assigning an initial danger rating to the network node, identifying a subset of the plurality of the interconnected filters which are concurrently triggered, changing the danger rating of the network node based on an application of the subset of the plurality of interconnected filters that are triggered and the data transmission parameters, and responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device.

Abstract: In one implementation, a method for providing security on controllers includes detecting computer-readable code running on a controller, the computer-readable code including code portions that each include instructions to be performed by the controller; identifying a current code portion of the computer-readable code; accessing an in-memory graph that models an operational flow of the computer-readable code, wherein the in-memory graph includes a plurality of nodes, each of the nodes corresponding to one of the code portions and each of the nodes having a risk value for the associated code portion that is a measure of security risk for the associated code portion; identifying the risk value for the current code portion; selecting, from a plurality of available flow control integrity (IMV) schemes, an IMV scheme based on the identified risk value; and applying, to the code portion as the code portion is running on the controller, the selected IMV scheme.

Abstract: Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.

Abstract: The disclosure relates to wireless authentication method and device of recyclable logistics apparatus. The recyclable logistics apparatus includes a wireless beacon unit which periodically transmits a broadcast frame. The broadcast frame includes a unique identity of the wireless beacon unit. The method includes first mobile terminal receiving the broadcast frame and uploading collected first frame information as first upload information to a cloud server, the cloud server generating authentication information according to an authentication rule; the cloud server associating the first upload information with the authentication information and storing them in a database; and the cloud server transmitting the authentication information to second mobile terminal, the second mobile terminal receiving the broadcast frame and through the authentication information, collected second frame information being compared with the first frame information which is associated with the authentication information.

Abstract: Various techniques provide systems and methods for facilitating data encryption/decryption and almost immediate erasure of associated information. In one example, a method includes receiving first data in a first memory. The method further includes receiving a first key in a second memory. The method further includes generating, by a logic circuit, second data based on the first data and the first key. The method further includes providing the second data for transmission. The method further includes erasing the first data and/or the first key in one-half clock cycle of generating the second data. Related methods and devices are also provided.

Abstract: In an embodiment, a method comprises receiving a request that is configured to cause a transfer of a combined asset from a sender to a recipient, the combined asset including a first asset and a second asset. The method includes generating and sending to a self-executing code segment on a distributed ledger-based network (DLN) a zero-knowledge proof (ZKP) that a plurality of leaf nodes of a hierarchical tree structure representing the combined asset includes the plurality of leaf nodes of the hierarchical tree structure representing the first asset and the plurality of leaf nodes of the hierarchical tree structure representing the second asset. The method also includes receiving, in response to verification of the ZKP by the self-executing code segment, a confirmation confirming a representation of the combined asset on the DLN by a third token associated with the root node of the third hierarchical tree structure.

Abstract: An improved coherent communication scheme is provided. The coherent communication scheme encodes both classical and quantum information simultaneously using isolated groups of states: classical information is represented by different groups and can be decoded deterministically; and quantum information is represented by highly overlapped states within the same group, thus guaranteeing security. Decoding includes projecting the detection results at the receiver to one of the distinguishable encoding groups first, which allows the classical information to be read out, and then generating a quantum key from the residual randomness. This communications scheme enables simultaneous classical communication and QKD over the same communication channel using the same transmitter and receiver, opening the door to operate QKD in the background of classical communication and at negligible costs.