Abstract: An example method includes enabling, by the user processing system, a user to associate a color with at least one of the plurality of pixels of a graphic, and generating a passcode. The passcode is based at least in part on the color associated with the at least one of the plurality of pixels. The method further includes transmitting, by the user processing system, the passcode to a host processing system. The method further includes determining, by the host processing system, whether the passcode matches an expected passcode that is based at least in part on a reference graphic comprising a plurality of reference pixels, each of the plurality of reference pixels having a color or a null value associated therewith. The method further includes, responsive to determining that the passcode matches the expected passcode, authorizing, by the host processing system, the user processing system to access a restricted resource.

Abstract: This disclosure relates generally to authenticating humans based on behavioral pattern. The method and system proposed provides a continuous/seamless monitoring platform for authenticating humans by continuously monitoring routine activities of subjects (Activities of Daily Living (ADL)) in a smart environment using plurality of passive, unobtrusive, binary, unobtrusive non-intrusive sensors embedded in living infrastructure. The proposed method and system for authenticating humans based on behavioral pattern is provided. The daily routine activities of humans/subjects, housed in a smart environment is continuous monitored by plurality of non-intrusive sensors embedded in living infrastructure. Further the collected sensor data is processed in several stages, which includes pre-processing of sensor data, behavioral pattern prediction, error detection based on predicted behavioral pattern and so on for authenticating humans based on behavioral pattern.

Abstract: An access gateway may control access of user devices to remote computer resource systems in a multi-resource computing environment. The access gateway may determine an assurance level associated with a user of the multi-resource environment, where the assurance level is based on multiple authentication factors included in multiple previous access requests. The access gateway may receive, from a user device, an additional access request to access an additional resource system in the multi-resource environment. Based on a comparison of the assurance level with a threshold authentication level for the additional resource system, the access gateway may allow or deny access to the additional resource system. In addition, based on the comparison, the access system may request additional authentication data from the user device.

Abstract: Techniques are described herein for authenticating a personal voice assistant using an out-of-band speakable credential. In various embodiments, a user of a mobile application (112) executing on a first client device (104) may be authenticated (302) with a service (110) that executes on server(s) (108) and is configured to interact with personal voice assistant(s). Based on the authenticating, a speakable credential may be provided (304) to the first client device. The providing may trigger the first client device to provide, as output using output device(s) of the first client device, the speakable credential. Data generated in response to an utterance of the speakable credential received at a second client device may be received (306), from a personal voice assistant (106) associated with the second client device (102). The data may be matched (308) to the speakable to authenticate (310) the personal voice assistant with the service.

Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.

Abstract: Techniques are disclosed for rendering a watermark on content in a manner as to not obfuscate or otherwise cause visual defects to data elements in the content. An example methodology implementing the techniques includes segmenting a watermark to be rendered on the content into multiple watermark pieces. Then, prior to rendering a particular watermark piece, a check is made to determine whether there is a data element at the location in the content at which the particular watermark piece is to be rendered. If a data element is detected at that location, the particular watermark piece is rendered such that the data element overlays the particular watermark piece to render the watermark as a masked watermark. Otherwise, if no data element is detected at that location, the watermark piece is rendered on the content to be visible. The process is repeated to render the remaining watermark pieces.

Abstract: In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the client respective profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.

Abstract: Login authentication in a cloud storage platform includes: receiving, in a cloud storage platform, a user identifier for a user; extracting, based on the user identifier, a domain registered with the cloud storage platform, where each domain registered with the cloud storage platform is associated with an identity authentication endpoint and one or more groups to which users from the domain may be assigned; determining an identity authentication endpoint associated with the extracted domain; providing, to the identity authentication endpoint associated with the extracted domain, login credentials for the user; receiving an identity authorization from the identity authentication endpoint associated with the extracted domain, where the identity authorization includes a plurality of groups for the user; and filtering any groups included in the identity authorization that are not registered with the cloud storage platform.

Abstract: A computing device includes a face detection module coupled to a webcam. The face detection module detects faces of viewers within a field of view of the webcam, provides images of the detected faces to a face identification service, and receives user IDs on the detected faces that have been identified. A document viewer module retrieves a document for display, with the document being retrieved based on a link to the document. A policy enforcement module receives the user IDs on the detected faces that have been identified, uses the link to the document to query metadata associated with the document to determine an access control list for the document, and compares the user IDs of the detected faces that have been identified to user IDs on the access control list to determine authorized viewers of the document. The policy enforcement module obscures display of the document if one of the identified faces is not authorized to view the document.

Abstract: To improve the security performance of a computer system, a retrieval component executing on at least one hardware processor obtains a list of known compromised passwords. A validation component executing on the at least one hardware processor obtains a specification of a putative password and risk-scores the putative password based at least in part on presence of the putative password in the list of known compromised passwords. The system obtains a specification of an actual password chosen in accordance with the risk score of the putative password. Access to at least one aspect of the computer system is controlled based on the actual chosen password.

Abstract: This application discloses a distributed denial of service attack detection method. The method includes: obtaining a data stream sent to a protection object device in each detection period, obtaining total duration of each data stream; dividing each data stream into a long data stream or a short data stream based on the total duration of each data stream; adding, based on a detection period through which the long data stream goes, total data traffic of the long data stream to statistical traffic; adding data traffic of a short data stream in each detection period to the data traffic, of the long data stream, that is added to a corresponding detection period, to determine statistical traffic in each detection period; and if there is a detection period in which the statistical traffic exceeds a preset traffic threshold, determining that the protection object device undergoes a DDoS attack in the detection period.

Abstract: A computer system detects an action corresponding to a resource page being rendered within a web view of an application. In response to the detecting the action corresponding to a resource page being rendered within the web view of the application, the computer system identifies information associated with the resource page and determines if one or more risk indications correspond to the identified information. In response to determining that one or more risk indications correspond to the identified information, the computer system implements one or more security measures.

Abstract: Data is frequently protected by securing the data within containers that are only accessible using a specific security application. Once such data is transferred, all protections provided by the security application are lost. Methods and systems provide secured access to data by intercepting requests for access to a data files accessed via an IHS (Information Handling System) by applications operating within the operating system of the IHS. Based on condition settings stored in the data files, access privileges are determined for applications. The conditions settings include environmental conditions required for providing access to the data. If the IHS satisfies the environmental conditions specified by a data file, access to the data file may be granted. The data requests may be intercepted by a kernel process of the operating system of the IHS. The environmental conditions may specify requirements on the networks, display devices and/or software utilized by the IHS.

Abstract: A computer system determines that authentication information has been requested from a user device by a requesting device. In response to determining that authentication information has been requested by the requesting device, the computer system identifies information corresponding to the requesting device and determines if one or more risk indications correspond to the identified information corresponding to the requesting device. In response to determining that one or more risk indications correspond to the identified information corresponding to the requesting device, the computer system implements one or more security measures.

Abstract: Methods and systems for secure cloud provider communication are disclosed. A method may include receiving a request to transmit data from one of a first cloud provider, an entity network, and a second cloud provider to another of the first cloud provider, the entity network, and the second cloud provider. The method may further include determining levels of trust associated with the one of the first cloud provider, the entity network, and the second cloud provider and the another of the first cloud provider, the entity network, and the second cloud provider, wherein the levels of trust are based on endpoint control by the entity network. The method may also include transmitting the data from the one of the first cloud provider, the entity network, and the second cloud provider to a cloud security stack based on the determined levels of trust.

Abstract: A plurality of attributes associated with a user of an account making a request is determined based on the received request. One or more operations to grant the user access to the one or more resources of the second account are determined based on the attributes. Access is provided to one or more resources of the second account according to the one or more operations to fulfill the request.

Abstract: The disclosed computer-implemented method for protecting website visitors may include (i) retrieving an instance of a website that was dynamically generated by aggregating multiple website subcomponents, (ii) decomposing the instance of the website into the multiple website subcomponents, (iii) checking whether a website subcomponent has been previously scanned by a security scanner, (iv) accelerating a review of the instance of the website by reusing results of a previous scan of the website subcomponent that was performed in response to retrieving a different instance of the website subcomponent rather than performing an original scan of the website subcomponent, and (v) protecting a visitor of the website by modifying a display of the instance of the website based on the accelerated review of the instance of the website that reused results of the previous scan of the website subcomponent. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A secure text having an authentication code is efficiently created. A key generation part 12 generates secure texts ([x], [?], [?]) of “x”, “?” and “?” that are values satisfying x?=?. A secure text generation part 13 generates secure texts [ai] of random values “ai” for i=1, . . . , N. An authentication code generation part 14 generates authentication codes [?(ai)] by multiplying the secure texts [ai] by the secure text [?] for i=1, . . . , N. A verification value generation part 15 generates a secure text [w] of a verification value “w” using the secure texts ([x], [?], [?]), the secure text [ai] and the authentication code [?(ai)]. A verification value determination part 16 determines whether the verification value “w” is equal to zero or not.

Abstract: Methods, systems, and devices for user device authentication are described. In some systems, an application server may host a secure application utilizing user device verification. A proxy server may perform a certificate challenge with a user device to determine whether the user device is authorized to access the application, and may transmit a login request and authentication information to the application server based on the result of the challenge. The application server may determine whether the certificate challenge was successful, and may verify whether the proxy server is a valid proxy for the application. If these validations are successful, the application server may transmit an authorization message (e.g., an encrypted ticket) to the user device for a login procedure. The user device may send a login request with the authorization message directly to the application server (e.g., without further tunneling through the proxy) to initiate a login procedure.

Abstract: The present disclosure is directed to a novel system for using unique device and user identifiers to perform authentication of a user, device, and/or transaction. In particular, the system may use device biometric profiles and/or user identifiers to generate a unique identifiable signature for each user and/or device. The unique signature may then be used to authenticate devices as well as transactions submitted by said devices. In this way, the system increases the security of device authentication by helping to prevent the use of device hijacking methods that circumvent conventional authentication practices.