Patents Examined by Aravind K Moorthy
  • Patent number: 11627120
    Abstract: Aspects of the disclosure relate to dynamic crypto key management for mobility in a cloud environment. A computing platform may receive a request to generate a new tenant master key and a new server recovery key. Subsequently, the computing platform may send to a cloud-based key vault server, the new tenant master key and the new server recovery key. The computing platform may send to a tenant database, the encrypted server recovery key. As a result, the computing platform may provision the enrollment servers with the encrypted server recovery key. In some embodiments, the enrollment servers are configured to manage enrollment of policy-managed devices in a policy enforcement scheme and to authenticate with the key update service based on the encrypted server recovery key.
    Type: Grant
    Filed: April 1, 2021
    Date of Patent: April 11, 2023
    Assignee: Citrix Systems, Inc.
    Inventors: Timothy Ray Gaylor, Benjamin Elliot Tucker
  • Patent number: 11621833
    Abstract: A solution for controlling access to a resource such as a digital wallet implemented using a blockchain. Use of the invention during set-up of the wallet can enable subsequent operations to be handled in a secure manner over an insecure channel. An example method comprises splitting a verification element into multiple shares; determining a common secret at multiple nodes in a network; and using the common secret to transmit a share of the verification element between nodes. The shares can be split such that no share is sufficient to determine the verification element and can be stored at separate locations. Upon share unavailability, the share can be retrieved a location accessibility. For safe transmission of the share(s), the common secret is generated at two different nodes independently and used to generate an encryption key for encrypting at least one share of the verification element to be transmitted securely.
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: April 4, 2023
    Assignee: nChain Licensing AG
    Inventors: Craig Steven Wright, Stephane Savanah
  • Patent number: 11615171
    Abstract: A terminal device includes an authentication information acquirer acquiring pieces of authentication information, an authentication determiner determining whether authentication is successful based on, among the pieces of authentication information acquired by the authentication information acquirer, at least one piece, and an authentication information updater, when the authentication determiner determines that authentication is successful, updating pieces of saved authentication information with pieces of authentication information acquired by the authentication information acquirer.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: March 28, 2023
    Inventor: Masaaki Tokuyama
  • Patent number: 11616781
    Abstract: A network isolation device includes an internal network interface to connect the network isolation device to an internal network and an external network interface to connect the network isolation device to an external network. The network isolation device further includes an airgap device that operates to (i) close an air gap to connect the internal network to the external network, (ii) open the air gap to disconnect the internal network from the external network. The device further includes a signal receiver that receives a signal from a signal source, and based on the signal, performs an authentication process to determine whether the signal or the signal source are authorized. In response to determining that the signal or the signal source is authorized, the receiver operates the airgap device to close the air gap and connect the internal network to the external network.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: March 28, 2023
    Inventors: Anthony Hasek, Richard Bate
  • Patent number: 11615183
    Abstract: An information processing device includes: a storage that stores determination criterion information indicating a determination criterion for determining whether or not a behavior of an application operating on a device provided to a vehicle is normal; and a detector that obtains behavior information indicating the behavior of the application, and detects an anomaly in the behavior of the application, based on (i) state information that indicates a state of the mobility and is obtained via the mobility network and (ii) the behavior information obtained and the determination criterion information stored in the storage.
    Type: Grant
    Filed: May 26, 2022
    Date of Patent: March 28, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Takayoshi Ito, Kento Tamura, Yoshiharu Imamoto, Junichi Tsurumi, Hiroyuki Wada
  • Patent number: 11610012
    Abstract: In various embodiments, once the client registers onto the system, a third party (a “requestor”) may transmit a request to the client for the client to provide the requestor with access to the client data. In at least one embodiment, a requestor may be an entity or person that desires to utilize client data for the requestor's business purposes. In one embodiment, upon registration with the application, the system generates and assigns the requestor a requestor key. In one or more embodiments, the system transmits the requestor key along with each requestor request. In some embodiments, the client may accept or reject the requestor's request. In many embodiments, if the client accepts the requestor's request, the system grants the requestor access to the client data.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: March 21, 2023
    Assignee: GOBEEP, INC.
    Inventors: Paul Della Maggiora, David Olds, Wanda Glover
  • Patent number: 11606358
    Abstract: A method and system for anonymizing data are disclosed. The method and system include receiving, at the wrapper, a request to store data in a data source. The wrapper includes a dispatcher and at least one service. The dispatcher receives the communication and is data agnostic. The method and system also include providing the request from the dispatcher to the at least one service and anonymizing, at the service(s), the data to provide anonymized data.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: March 14, 2023
    Assignee: Cyral Inc.
    Inventors: Manav Ratan Mital, Srinivas Nageswarrao Vadlamani, Pramod Chandraiah
  • Patent number: 11606345
    Abstract: An information processing method implemented by a computer, the method includes the steps of transmitting authentication information to a destination specified by a first user, receiving, from a terminal used by a second user corresponding to the destination, the authentication information and a second identification information for identifying the terminal, authenticating the terminal if the authentication information from the terminal is received, and storing the second identification information received from the terminal in association with a first identification information for identifying the first user, if the terminal has been authenticated.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: March 14, 2023
    Assignee: AdTECHNICA co. ltd.
    Inventor: Satoshi Shimomura
  • Patent number: 11599657
    Abstract: A rights-based system is described in which vouchers are employed for creating, managing, distributing, and redeeming rights in digital contexts. A voucher is a digital, possession-based rights representation. An authorization component of the system validates the vouchers and issues corresponding tokens. Access to digital resources is provided in response to presentation of the tokens which are validated by matching voucher refresh values to corresponding values maintained by the system. New refresh values are generated and inserted in the vouchers each time they are redeemed.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: March 7, 2023
    Assignee: API Market, Inc.
    Inventors: Stefan Roever, David Watson
  • Patent number: 11593415
    Abstract: The automated collection of online data is enhanced by generating and saving a context between a document and a related named entity, as well as a credibility level of the online source. The context, credibility level, and quality and quantity of collected data are used to enhance the use of the collected data in automated decision-making. Both the quality and the quantity may be continuously updated and honed through machine learning. Three new algorithms—DUPES, CORRAL, and ONTO—have been introduced to support the above, improving current state-of-the-art engineering practice by sharpening the strategy for named-entity searching, for ensuring that topic modeling produces relevant topic tags, and for handling sentiment which may be NEGATIVE, POSITIVE, and NEUTRAL (which includes MISSING and INCONCLUSIVE).
    Type: Grant
    Filed: February 18, 2022
    Date of Patent: February 28, 2023
    Assignee: VALIDATE ME LLC
    Inventors: James Anderson, Thomas J. Saleh, Lawrence C. Rafsky
  • Patent number: 11595204
    Abstract: Techniques for adaptive re-keying of encrypted data are provided. For example, a method comprises the following steps. Utilization information associated with a storage system is obtained, wherein the storage system comprises a set of storage devices. The method dynamically selects a re-keying process from a plurality of different re-keying processes based on at least a portion of the obtained utilization information. At least a portion of the set of storage devices are re-keyed in accordance with the selected re-keying process.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: February 28, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Xuan Tang, Marion Meirlaen
  • Patent number: 11588856
    Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. When new industrial devices are subsequently installed on the plant floor, the system determines whether a security policy defined by the model is applicable to the new device and commissions the new device to comply with any relevant security policies. This mitigates the necessity for a system administrator to manually configure individual devices to comply with plant-wide security policies.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: February 21, 2023
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: David E Huffman, Taryl Jasper, Jack Visoky
  • Patent number: 11586715
    Abstract: Disclosed is a method of providing information including obtaining input information of a user, wherein the input information is related to a service, determining whether an account corresponding to the user exists in the service, obtaining characteristic information of the user based on the result of the determination, providing response information corresponding to the input information based on the characteristic information and the result of the determination, and storing activity information of the user based on at least one of the input information, the response information, and the characteristic information.
    Type: Grant
    Filed: December 29, 2021
    Date of Patent: February 21, 2023
    Assignee: Coupang Corp.
    Inventors: Hye Jin Oh, Yeo Joo Yang, Seon Il Kim, Hae Yeon Lee, Hyun Hee Ahn, Jung Yeon Nam, Ji Won Ahn, Kun Soo Han, Tae Jun Lee, Hye Sung Ma, Ju Young Park, Sang Gi Hong, Yan Yan Chen, Yun Gao
  • Patent number: 11586771
    Abstract: An integrated third-party API data visualization process (ITPDVP) provides the ability to gather information from multiple different sources into a single view without a user of the device having to navigate to each source from which information is gathered. ITPDVP is a process that allows a user to visualize data from one or more third party API sources from within a context view client.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: February 21, 2023
    Assignee: Glance, LLC
    Inventors: Chad Hutchins, Jason Eggers, Jon Sheppard
  • Patent number: 11570180
    Abstract: Systems and methods of the present disclosure enable operation authorization using a dynamic code. Embodiments include a computing system for receiving, from an access control server, an operation authorization request to authorize an operation by an initiator, where the operation authorization request includes a user identifier associated with the operation authorization request, and a dynamic code. The computing system accesses a dynamic key embedded in a user credential associated with the user identifier and generates a recalculated dynamic code using a cryptographic algorithm and the dynamic key. The computing system authenticates the operation authorization request based on the dynamic code being equivalent to the recalculated dynamic code and returns the authentication to the access control server to authorize the operation.
    Type: Grant
    Filed: December 23, 2021
    Date of Patent: January 31, 2023
    Assignee: EQUE CORPORATION
    Inventors: Robert Fitzpatrick, Boran Car
  • Patent number: 11570182
    Abstract: An endpoint determines whether a client is authorized to access data. A database stores separate authorizations of a permission model in a data table along with the data. Mapping templates of the endpoint convert a client request for data into a database query for client authorization and the requested data. In response to the query, the database returns to the endpoint the requested data as well as an indication of authorization from the data table. The mapping templates of the endpoint are then used to generate an appropriate response to the client. When the database response indicates the client is authorized, the endpoint can return the requested data to the client. When the database response indicates the client is not authorized, the endpoint can return an error. In some embodiments, the endpoint is an application programming interface (API) gateway that conforms to representational state transfer (REST) software architecture.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: January 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Richard Nhan Tran, Srdan Mihajlovic, Kevin J. Park
  • Patent number: 11563742
    Abstract: A computer-implemented method includes receiving a request for one of a network session and a virtual network function, wherein the request includes a single packet authorization request. The method further includes classifying the single packet authorization request at a first service classifier. The method further includes routing the request, via a service function forwarder, to a single packet authorization service function for validation. The method further includes instantiating a security virtual function in response to the request, wherein instantiating the security virtual function occurs after validation of the single packet authorization request. The method further includes configuring the security virtual function to apply at least one connection policy to allow or deny traffic in a data session. The method further includes, in response to allowing the data session, terminating the security virtual function after the data session has concluded.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: January 24, 2023
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Michael Stair, Edward Hope
  • Patent number: 11546145
    Abstract: A method is provided for preparing a plurality of distributed nodes to perform a protocol to establish a consensus on an order of received requests. The plurality of distributed nodes includes a plurality of active nodes, the plurality of active nodes including a primary node, each of the plurality of distributed nodes including a processor and computer readable media. The method includes preparing a set of random numbers, each being a share of an initial secret. Each share of the initial secret corresponds to one of the plurality of active nodes. The method further includes encrypting each respective share of the initial secret, binding the initial secret to a last counter value to provide a commitment and a signature for the last counter value, and generating shares of a second and of a plurality of subsequent additional secrets by iteratively applying a hash function to shares of each preceding secret.
    Type: Grant
    Filed: November 19, 2020
    Date of Patent: January 3, 2023
    Assignee: NEC CORPORATION
    Inventors: Wenting Li, Ghassan Karame
  • Patent number: 11546323
    Abstract: Embodiments are directed to credential management for distributed services. A plurality of mesh agents for an overlay network may be provided such that the overlay network may be employed to provide a secure tunnel between a client and a resource server. If a client request that requires user credentials is provided to a mesh agent associated with the resource server, credential instructions may be provided to the mesh agent and the credential instructions may be employed to determine credential information that enables access to the resource server. The mesh agent may be employed to communicate the client request and the credential information to the resource server; determining a response to the client request from the resource server; employing the mesh agent to receive a response to the client request from the resource server and forwarded to the client over the overlay network.
    Type: Grant
    Filed: August 17, 2022
    Date of Patent: January 3, 2023
    Assignee: strongDM, Inc.
    Inventors: William Craig Jones, Justin Allan McCarthy, Patrick David Stephen, Evan Michael Todd
  • Patent number: 11546315
    Abstract: Systems and methods are provided for implementing an authentication key-based DLL service. For example, the system can expose a list of functionalities and request format, and a byte string denotes a functionality corresponding to the API. Output is received by the user after loading a DLL library maintained by a DLL provider. The system can generate a key corresponding to the functionality and transmit the key to the user. The invocation of the functionality can be performed using the keys. The shared memory space may be used for inputs from the user and outputs of the DLL. The system can perform an action based on the authentication of the keys. During any functionality advancement, the system can notify the user to unload and reload the new DLL in order to make use of the advancements.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: January 3, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Grace Priscilla Nambi