Abstract: A computer implemented method for managing the scope of permissions granted by users to application that includes collecting a set of permissions for an application from an application provider publication; and collecting a process flow for functional steps of the application from a review of the application that is published on a product review type publication. The computer implemented method further includes dividing the functional steps of the application into a plurality of journeys, each of said plurality of journeys having a function associated with a stage of a functional step from a perspective of a user; and matching permissions from the set of permissions for each journey of said plurality of journeys to provide matched permissible permissions to journeys stored in a customer journey store.

Abstract: A generalized localization system based on a physical layer aided spoofing signal attacks detection and an identification verification for hybrid heterogeneous networks including aerial and terrestrial communication systems is provided. The generalized localization system includes: a data preprocessing and separation block, a parameter extraction block, a local localization engine, a reliability assessment and trust management block, a location based anomaly detector block and a global fusion center.

Abstract: A user permission system manages and regulates access to secure data at one or more third-party data sites. The system may provide access to one or more databases or other data structures based on user authentication and access rules that have been established, such as by a user associated with the data being accessed at the third party data store. Access may be provided via an API to the third-party data site, along with access credentials of a user with data stored with the third-party data site, allowing the system to access data on behalf of the user.

Abstract: The invention relates to a device and a method for authenticating a user utilizing an internet access client (10) for accessing remote resources of a computer infrastructure, said access comprising a first authentication (130) of the internet access client (10) and a second authentication (140) of the user of the internet access client (10). The method includes sending (132), to a token security module (21), by the internet access client (10), a client certificate (220), said client certificate (220) being associated with items of identification information of the internet access client (10); and receiving (133), by the internet access client (10), an authentication token (210) generated by the token security module when the client certificate (220) sent has been verified by the token security module.

Abstract: A service processing method includes receiving, by a mobile phone, a first identifier from a head device of a vehicle after the head device receives a trigger request to perform a vehicle door opening service, determining, by the mobile phone based on the first identifier, to perform authentication, indicating, by the mobile phone, the head device to perform the vehicle door opening service when the authentication succeeds, or determining, by the mobile phone based on the first identifier, not to perform the authentication, and sending, by the mobile phone, location information of the mobile phone, and an indication that indicating a location of the mobile phone and a location of the head device are normal to the head device.

Abstract: A method for creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages. One or more n-grams are generated, using the first classifier, based on the extracted terms. A vector representation of the extracted terms is generated, using a second classifier, based on the generated one or more n-grams. The second classifier includes a logit model. A weight coefficient is assigned to each of the one or more extracted terms based on an output of the trained logit model. A higher weight coefficient indicates higher relevancy to BEC attack of the corresponding term. A heuristic rule associated with the BEC attack is generated by combining the weight coefficients of a combination of the one or more extracted terms.

Abstract: Application-initiated network traffic is intercepted and analyzed by an application firewall in order to identify streams of traffic for a target application. An application signature generator preprocesses the raw data packets from the intercepted network traffic by tokenizing the data packets and then weighting each token according to its importance for application identification. The weighted features for each data packet are clustered using an unsupervised learning model, and the resulting clusters are iteratively refined and re-clustered using a proximity score between the clusters and feature vectors for key tokens for the target application. The application signature generator generates a signature for the clusters corresponding to the target application which the application firewall implements for filtering network traffic.

Abstract: The disclosed technology is generally directed to web authentication. In one example of the technology, authentication of a broker is obtained with an identity provider. Obtaining the authentication includes at least communication between the broker and a top-level frame and communication between the broker and the identity provider. The broker is executing in a descendant frame of the top-level frame. The top-level frame and the broker are hosted on different domains. At the broker, from an embedded application that is executing on another descendant frame of the top-level frame, a token request is received. Via the broker, a token is requested from the identity provider. The token is associated with an authorization of secure delegated remote access of at least one resource by the embedded application. At the broker, from the identity provider, the token is received. Via the broker, the token is provided to the embedded application.

Abstract: A request for a transaction between a client system and a server system may be processed. The transaction may be associated with transmission of data between the client system and the server system. The data may be encrypted using a transient encryption key to form encrypted data. The transient encryption key may be a synced-clock random number configured to automatically change when a designated time interval elapses. The encrypted data may be transmitted between the client system and the server system.

Abstract: A computer-implemented method includes: receiving a request for associating a first index of privileges and permissions with an identity token, the first index specifically encoding the privileges and permissions of a first subscriber in accessing transactional data of the requester, the request including the identity token that identifies a person and has been issued to the requester by a trusted entity through a vetting process; in response to determining that the identity token is valid and verifying that the requester is the person identified by the identity token, associating the first index of privileges and permissions of the first subscriber with the identity token; and providing the identity token associated with the first index of privileges and permissions of the first subscriber, the identity token enabling the first subscriber to access transactional data of the requester in accordance with the first index of privileges and permissions.

Abstract: A system and method for analyzing integrated operational technology and information technology systems with sufficient granularity to predict their behavior with a high degree of accuracy. The system and method involve creating high-fidelity models of the operational technology and information technology systems using one or more cyber-physical graphs, performing parametric analyses of the models to identify key components, scaling the parametric analyses of the models to analyze the key components at a greater level of granularity, and iteratively improving the models testing them against in-situ data from the real-world systems represented by the high-fidelity models.

Abstract: According to an exemplary embodiment of the present disclosure, a computer program stored in a computer readable storage medium is disclosed. The computer program includes commands which cause a processor of a control device to execute steps below, the steps including: acquiring International Mobile Station Identity (IMSI) related to a Subscriber Identity Module (SIM) and location information of a controlled device from the controlled device; calculating a hash value obtained by hashing the IMSI by using a hash function; generating first signature data in which the hash value and the location information are encrypted with a private key of the control device by using an asymmetric key algorithm; generating first encryption data obtained by encrypting the first signature data with a public key of a home subscriber server by using the asymmetric key algorithm; and transmitting a connection request message including the first encryption data to the home subscriber server.

Abstract: A mechanism to share cryptographic material across entities that may not have a direct trust relationship between or among each other, or no network connectivity, or some combination thereof, but where participating entities do share a trust relationship (or trusted connection(s)) with a common entity, sometimes referred to herein as a “conduit” entity. This technique enables such entities to leverage their trust relationship with a common “conduit” entity to share cryptographic material between or among themselves.

Abstract: A system and method for a highly scalable distributed connection interface for data capture from multiple network service sources. The connection interface is designed to enable simple to initiate, performant and highly available input/output from a large plurality of external networked service's and application's application programming interfaces (API) to the modules of an integrated predictive business operating system. To handle the high volume of information exchange, the connection interface is distributed and designed to be scalable and self-load-balancing. The connection interface possesses robust expressive scripting capabilities that allow highly specific handling rules to be generated for the routing, transformation, and output of data within the business operating system.

Abstract: Embodiments of the present disclosure may provide a data clean room allowing secure data analysis across multiple accounts, without the use of third parties. Each account may be associated with a different company or party. The data clean room may provide security functions to safeguard sensitive information. For example, the data clean room may restrict access to data in other accounts. The data clean room may also restrict which data may be used in the analysis and may restrict the output. The overlap data may be anonymized to prevent sensitive information from being revealed.

Abstract: When a failure occurs in a counterpart company network, the cause of the failure is specified. A failure detection apparatus 1 that detects a failure in a counterpart company network includes a hierarchy level detection unit 11 detecting the number of hierarchy levels indicating a depth of hierarchy levels of the counterpart company network by transmitting a request including the maximum number of transfers to the counterpart company network, a failure location specifying unit 13 specifying a hierarchy level of a failure location in the counterpart company network by transmitting the request to the counterpart company network in a case where the failure in the counterpart company network has been detected, and a determination unit 14 determining that the failure is present in a network core apparatus of the counterpart company network in a case where the hierarchy level of the failure location is a hierarchy level at a depth less than the number of hierarchy levels of the counterpart company network.

Abstract: In embodiments for authorized use of personal controlled-environment facility resident communication and/or media devices by device location eligibility within a controlled-environment facility, each resident device, itself, determines whether the device is authorized to operate within a particular area within the facility that the device is entering or attempting to operate in, and/or whether the device is authorized to operate one or more particular application programs (apps) and/or device functions within the particular area. The device, itself, allows operation of the device, and/or allows operation of the particular app(s) and/or device functions, in response to a determination that the device is authorized to do so within the particular area.

Abstract: A system and method for automated cybersecurity defensive strategy analysis that predicts the evolution of new cybersecurity attack strategies and makes recommendations for cybersecurity improvements to networked systems based on a cost/benefit analysis. The system and method use machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph. Recommendations are generated based on an analysis of the simulation results against a variety of cost/benefit indicators.

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

Abstract: Systems and methods for managing digital identities. In some embodiments, a method is provided, comprising acts of: receiving a request to validate at least one statement about a user; identifying, from the request, a reference to a distributed ledger, the reference comprising an identifier for the distributed ledger and an identifier for a transaction recorded on the distributed ledger; identifying, based at least in part on the identifier for the distributed ledger, at least one node of a network of nodes managing the distributed ledger; and communicating with the at least one node to validate the at least one statement about the user.