Patents Examined by Benjamin Kaplan
  • Patent number: 11652837
    Abstract: An access analysis system obtains data about user requests to access particular applications, such as identifiers of the particular user and application involved, the time of the request, and (optionally) additional contextual data, and uses that data to generate user access distributions that quantify the distribution of a given user's requests to access applications over time. After one or more distributions have been generated for a particular user, when that user submits a new access request for an application, the access analysis system can compare the request to the previously-generated access distributions to determine whether (or to what degree) the request is anomalous. If the request is sufficiently non-anomalous, it can be granted with little or no additional actions required by the user or the user's device; if, however, the request is sufficiently anomalous, it can be denied, or additional information—such as additional user authentication factors—can be required.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: May 16, 2023
    Assignee: Okta, Inc.
    Inventor: Gautam Borah
  • Patent number: 11644958
    Abstract: A system and method for investigating trust scores. A trust score is calculated based on peer transfers, a graphical user interface displays actuatable elements associated with a first peer transfer from the peer transfers, in response to receiving an indication the first actuatable element has been actuated, recalculating the trust score without the first peer transfer.
    Type: Grant
    Filed: October 20, 2020
    Date of Patent: May 9, 2023
    Assignee: PAYPAL, INC.
    Inventors: Alex Grigoryan, Avinash Gangadharan, Akshay Peshave, Michael Morgan, Rhys Howell
  • Patent number: 11632363
    Abstract: Systems and methods are provided for authenticating image files when network connections should not or cannot be used to transfer image files. A user device application may capture an image at a user device, generate an image file, and generate a hash file based on the image file. Instead of sending the image file to an authentication server for authentication, the application may send the hash file. If desired, the application may transfer the image file when a desirable network connection is available. Any alteration to the image file in the meantime will result in a different hash file for the altered image file, thus allowing detection of altered image files. This approach decreases the amount of data that is required to be transmitted in low or undesirable signal conditions, while maintaining an ability to detect alterations to image files that may have been made in the meantime.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: April 18, 2023
    Assignee: TruePic Inc.
    Inventors: Jason Lyons, Craig Stack, Francis Lyons, Jeffrey McGregor
  • Patent number: 11616770
    Abstract: A method may include receiving, from a user device, a registration request that includes a subscription concealed identifier (SUCI), identifying a network element to decode the SUCI and forwarding the SUCI to the identified network element. The method may also include decoding the SUCI to identify a subscription permanent identifier (SUPI), identifying a unified data management (UDM) device associated with the SUPI and transmitting an authentication request to the identified UDM device to obtain authentication information associated with the user device. The method may further include receiving the authentication information and authenticating the user device based on the received authentication information.
    Type: Grant
    Filed: October 16, 2020
    Date of Patent: March 28, 2023
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Sudhakar Reddy Patil, Lixia Yan, James Mathison
  • Patent number: 11595445
    Abstract: Methods, systems, and computer-readable storage media for receiving, by an AMS, a policy definition file defining policies to be enforced during execution of an instance of an application within the cloud platform, providing, by the AMS, an enhanced policy definition file indicating authorizations for roles for a policy of the policy definition file, providing an authentication bundle for execution of policy decisions at the instance, the authentication bundle provided based on the enhanced policy definition file, the authentication bundle distributed to application containers within the cloud platform, and during execution of the instance: transmitting, by the instance, an authorization request from the instance to an ADC, the ADC including an OPA and being executed within the container and executing policy decisions based on the authentication bundle, receiving, by the instance, a policy decision from the ADC and enforcing the policy based on the policy decision.
    Type: Grant
    Filed: February 2, 2021
    Date of Patent: February 28, 2023
    Assignee: SAP SE
    Inventors: Anett Lippert, Juergen Denner, Matthias Buehl
  • Patent number: 11595441
    Abstract: In one embodiment, a method includes determining a secure path through a first plurality of network nodes within a network and determining an alternate secure path through a second plurality of network nodes within the network. The method also includes routing network traffic through the first plurality of network nodes of the secure path and detecting a failure in the secure path using single-hop BFD authentication. The method further includes rerouting the network traffic through the second plurality of network nodes of the alternate secure path.
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: February 28, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Clarence Filsfils, Reshad Rahman, Eric Albin Voit
  • Patent number: 11586657
    Abstract: Implementations of the present disclosure are directed to providing remote access to electronic documents stored in a server system using a virtual secure room, and include actions of authenticating a user at least partially based on credentials of the user, at least partially in response to authenticating the user, providing a secure connection between a computing device of the user and the server system, transmitting at least one electronic document for display to the user on the computing device, monitoring the user, while the at least one electronic document is displayed to the user on the computing device, and selectively closing the secure connection in response to one or more of at least one activity and at least one state of the user.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: February 21, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Thomas Bret Buckingham, Bryan Osterkamp, Orlando Coleman, Brady Justice, Jonathan Neuse, Sean Thomas, Michael Slaugh, Christopher Thomas Wilkinson, Peter Babcock, Justin Ray White, Peter Bradley Sheeran, Angel Ninette Cade
  • Patent number: 11582264
    Abstract: Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: February 14, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11575654
    Abstract: A method including determining, by a first device having an established virtual private network (VPN) connection with a VPN server and an established meshnet connection with a second device in a mesh network, that a destination associated with a transmission packet to be transmitted by the device is the second device in the mesh network; and transmitting, by the first device, the transmission packet utilizing the meshnet connection based at least in part on determining that the destination is the second device in the mesh network. Various other aspects are contemplated.
    Type: Grant
    Filed: December 20, 2021
    Date of Patent: February 7, 2023
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11569984
    Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing a shared key and executing encryption processing based on the shared key. The method further includes executing inspection of a security state of the shared key stored in a case where a vehicle is in at least one of the following particular states: the vehicle is not driving and is in an accessory-on state; a fuel cap of the vehicle is open, and the vehicle is not driving and is fueling; the vehicle is parked, which is indicated by the gearshift; the vehicle is in a stopped state before driving, which is indicated by the gearshift; and a charging plug is connected to the vehicle, and the vehicle is electrically charging.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: January 31, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Yoshihiro Ujiie, Jun Anzai, Yoshihiko Kitamura, Masato Tanabe, Takeshi Kishikawa
  • Patent number: 11562062
    Abstract: A network device may receive, via a single port of the network device, a connection request from a user device and may obtain, based on the connection request, information related to an authentication history of the user device. The network device may determine, based on the information related to the authentication history of the user device, an authentication method to be used by the network device to authenticate the user device and may determine, using the authentication method, that the user device is authenticated. The network device may establish, based on determining that the user device is authenticated, an authenticated communication session with the user device on the single port of the network device. The network device may determine, using an additional authentication method, that an additional user device is authenticated and may establish an additional authenticated communication session with the additional user device on the single port.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: January 24, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: Subha Sankar Mishra, Nandan Debnath
  • Patent number: 11558354
    Abstract: Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: January 17, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Kyle Mestery, Graham Bartlett
  • Patent number: 11557227
    Abstract: A machine and its modules assist in steganography for an animal. A steganography module applies behavioral sequencing to create a cover message and a hidden message to covertly pass information from one animal to another animal, with the information embedded in an individual's brain. A visual module references the steganography module to cause a sequence of visual images on a display screen to guide a motor sequence of an individual as the cover message as well as detect and communicate a timing of the individual's motor sequence, relative in timing, to visual images in the sequence of visual images being displayed on the display screen, in order to train in the cover message and hidden message. The hidden message is then extracted at a destination from a sensor monitoring the individual's sequence of motor actions.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: January 17, 2023
    Assignee: SRI International
    Inventors: Daniel Sanchez, Christopher Connolly
  • Patent number: 11558420
    Abstract: Techniques and systems for detecting malicious activity within a network are provided herein. A method for detecting malicious activity within a network may include receiving, by a network-based authentication system, a network transaction. The network-based authentication system may identify a first attribute of the network transaction. The method may also include selecting, by the network-based authentication system, a first learning statistical model and a second learning statistical model from a plurality of models for handling the network transaction. Each of the first learning statistical model and the second learning statistical model may create a likelihood that the network transaction is authentic. The first learning statistical model may calculate a first score and the second learning statistical score may calculate a second score. Based on a comparison of the first score to a first threshold and the second score to a second threshold, the network transaction may be authenticated.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: January 17, 2023
    Assignee: The Western Union Company
    Inventors: Noel Brandt, Robert Enzaldo, Charles Champion, Brent Lemieux
  • Patent number: 11558404
    Abstract: An on-vehicle communication system includes: a plurality of function units; and one or a plurality of switch devices, each switch device being configured to perform a relay process of relaying communication data between the function units. When unauthorized communication by a function unit has been detected, the switch device performs a validation process of validating a function unit other than an unauthorized-communication function unit that is the function unit for which the unauthorized communication has been detected.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: January 17, 2023
    Assignees: AUTONETWORKS TECHNOLOGIES, LTD., SUMITOMO WIRING SYSTEMS, LTD., SUMITOMO ELECTRIC INDUSTRIES, LTD.
    Inventors: Darmawan Go, Hirofumi Urayama, Takeshi Hagihara, Yasuhiro Yabuuchi
  • Patent number: 11539682
    Abstract: Methods, apparatuses, and computer program products for connection parameter awareness in an authenticated link-layer network session are disclosed. A client sends, to a network access server (NAS), an initiation packet announcing the initiation of an authentication session. The client establishes an authenticated link-layer session with the NAS. The client receives, from the NAS, a network policy packet including a network policy defined by one or more connection parameters for the link-layer session. The client then enforces the network policy.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: December 27, 2022
    Assignee: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.
    Inventors: Bogdan-Cosmin Chifor, George-Andrei Stanescu, Radu Mihai Iorga, Corneliu-Ilie Calciu
  • Patent number: 11528261
    Abstract: Systems for dynamically detecting and controlling unauthorized events are presented. In some examples, data may be received from one or more computing systems. In some examples, the computing systems may each be associated with an enterprise unit within an enterprise organization. The data may include, in some examples, processed unauthorized activity event data, such as account takeover event data. The data received may be aggregated and analyzed (e.g., using machine learning) to identify potential threats and threat outputs. In some examples, the threat output may include a user interface indicating the threat or potential threat, systems or applications potentially impacted, enterprise units impacted, and the like. Based on the threat output, one or more mitigation actions may be identified and executed. The mitigation actions may include modifying operation of one or more systems, modifying authentication requirements, and the like.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: December 13, 2022
    Assignee: Bank of America Corporation
    Inventors: Geoffrey George Aslaksen, John H. Denning, Ruchira Ghosh, Russell Scott Nejdl, Jr.
  • Patent number: 11522845
    Abstract: A method for joining an association that includes receiving, by a first cluster, an association access credential and a unique address of an association manager, generating, based on the association access credential, an association access request, sending, to the unique address, the association access request, receiving, in response to the sending, association information, and initiating, based on the association information, a connection to a second cluster in the association.
    Type: Grant
    Filed: November 29, 2019
    Date of Patent: December 6, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Qi Bao, Himabindu Tummala
  • Patent number: 11503074
    Abstract: Disclosed are various examples for enrolling a device in a management service. An enrollment wizard can include a series of user interfaces to facilitate enrollment of a device in the management service. Enrollment data can be obtained from the user and sent to the management service for authentication of the user and device. A user interface object can be instantiated to access a webpage within a user interface of the enrollment wizard for downloading a configuration profile provided by the management service. A user can be redirected to a settings application to install the configuration profile.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: November 15, 2022
    Assignee: VMWARE, INC.
    Inventors: Suyu Pan, Naveen Pitchandi, Gerard T. Murphy, David Jablonski, Christopher Burns
  • Patent number: 11503008
    Abstract: A method including operating, by an infrastructure device, a port associated with a server in a deactivated mode; receiving, by the infrastructure device, a communication from a user device in association with obtaining communication services from the server; pre-authenticating, by the infrastructure device, the user device for obtaining the communication services based at least in part on information indicated in the communication; and operating, by the infrastructure device, the port associated with the server in an activated mode to enable the user device to establish a connection with the server based at least in part on pre-authenticating the user device. Various other aspects are contemplated.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: November 15, 2022
    Assignee: UAB 360 IT
    Inventor: Adrianus Warmenhoven