Patents Examined by Dant B Shaifer Harriman
  • Patent number: 11556607
    Abstract: Described herein are systems and methods for abstracted analysis system design for a dynamic API scanning service. The disclosure provides a simplified API scanning service by abstracting underlying security scanning techniques and configurations. This presents a normalized view to users of the service. Both input parameters and scan output data are abstracted from users and are driven by logic in the service. By providing this simplified view, users can quickly, and without prior security scanning knowledge, use this service to measure their security exposure and mitigate as needed.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: January 17, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Ryan Murray, Ken Tang, Andrew Warren
  • Patent number: 11552938
    Abstract: To facilitate configuration of authentication information for a service provided over an IP network when there is no shared authentication information between an IoT device and a service provider device for a service used by the IoT device, an intermediary device capable of authenticating legitimate access mediates between the devices. As an example, a cipher key CK stored in the intermediary device and the IoT device as a result of SIM authentication of the SIM of the IoT device is used as a master key for services used by the IoT device. By generating a unique application key for a service used by the IoT device on the intermediary device and the IoT device on the basis of the master key, and sending it to the service provider apparatus from the intermediary device over a secure connection, common keys are set as authentication information in the IoT device and the service provider apparatus. A SIM authentication process for generating the cipher key can suppress an SQN attack based on a bad request.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: January 10, 2023
    Assignee: SORACOM, INC.
    Inventors: Akio Katayama, Kengo Sakai, Georges Olivier Comarmond
  • Patent number: 11552994
    Abstract: A transmitting node (120) and a receiving node (121) for handling LLDP messages in a communication network (100). The transmitting node (120) transmits an LLDP message to the receiving node (121), which LLDP message comprises security related information enabling verification of the authenticity of the transmitting node (120). The receiving node (121) receives one or more LLDP messages, at least one comprising security related information enabling verification of the authenticity of the transmitting node (120; 124) that transmitted the LLDP message.
    Type: Grant
    Filed: December 19, 2017
    Date of Patent: January 10, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Géza Gaál, Balázs Varga
  • Patent number: 11546304
    Abstract: Systems and techniques to enable message routing among multiple devices and device domains, via end-to-end tunneling techniques, are disclosed. In an example, techniques and device configurations involving the use of RESTful protocols that communicate OSCORE (Object Security for Constrained RESTful Environments) payloads over OSCORE tunnels, involve receiving an OSCORE message having an encrypted COSE (Concise Binary Object Representation (CBOR) Object Signing and Encryption) object payload and inserting the OSCORE message into an OSCORE tunnel message to implement a tunneled communication with a receiving device. Here, the tunnel message includes the OSCORE message within an envelope encrypted COSE object payload. The OSCORE tunnel message may then be transmitted to the receiving device. Further techniques and device configurations for the receipt, processing, conversion, and decryption of such tunneled messages are also disclosed.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: January 3, 2023
    Assignee: Intel Corporation
    Inventor: Ned M. Smith
  • Patent number: 11546156
    Abstract: The present embodiments relate to establishing secure data communication using an Elliptic-curve Diffie-Hellman ephemeral (ECDHE) key agreement procedure. Devices in a network environment can utilize a key agreement procedure to establish secure communication between multiple application layers in a micro service architecture. Particularly, a tunnel can be established between a mobile device and an encryption service by transmitting key information between the mobile device and the encryption service. This can allow for encryption keys to only be accurately generated by the mobile device and encryption service. Accordingly, intermediary nodes may be unable to decrypt the data, allowing for safe and secure transport of sensitive data.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: January 3, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Jason Paul Hendry, Zachary Curtis Wade, Daniel Thane Davidson, Patrick Joseph O'Neal, Justin Armstrong Leonard
  • Patent number: 11546358
    Abstract: A policy-controlled authorization system for managing tokens used to access services in a cloud based multi-tenant system. The policy-controlled authorization system includes a local application that executes on a client device, a policy component including a plurality of policies, and a mid-link server, coupled to the client device. A request for access to a service on a remote application running on a remote instance of a web server is provided by the local application. A token is required to access the service. A correlator correlates the token with the plurality of tokens for identifying a policy from the plurality of policies associated with the token. A token inspector authorizes the token for accessing the service based on the correlation. Based on the authorization, either the token is authorized for access to the service via the remote application, or the token is blocked when unauthorized to prevent access to the service.
    Type: Grant
    Filed: October 1, 2021
    Date of Patent: January 3, 2023
    Assignee: Netskope, Inc.
    Inventors: James S. Robinson, Damian C. Chung, Lamont Orange
  • Patent number: 11533321
    Abstract: In an embodiment, a request for hosting a blockchain may be obtained from a client device. A node device to host the blockchain may be determined. Information associated with the node device may be provided to the client device, where the information is used for creating the blockchain on the node device. First data may be obtained from the client device and second data may be obtained from the node device for verifying that the node device hosting the blockchain complies with a hosting verification condition. Based on the first data, the second data, and the hosting verification condition, hosting information associated with the node device may be determined. Based on the hosting information, the node device may be removed from a set of node devices for hosting the blockchain.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: December 20, 2022
    Assignee: Topia Technology, Inc.
    Inventors: Jeffrey Austin Pack, John Christopher Haager, Cody Joseph Sandwith, Janine Therese Terrano
  • Patent number: 11496495
    Abstract: The present invention discloses a system and a method for detecting anomalous patterns in a network such as a LAN, WAN, MAN, internet of things (IoT), cloud networks, or any other network. In operation, the system and method of the present invention determine a generic pattern of behavior associated with a plurality of anomaly classes based on a plurality of feature values using a reinforcement learning technique. The generic pattern is fixed as a boundary for each of the plurality of anomaly classes and is representative of behavior which substantially simulates the network behavior on attack by any of the plurality of anomaly classes. Further, the present invention provides for updating the generic pattern using reinforcement learning. The updated generic pattern is implemented to analyze and detect anomalous behavior in the incoming network traffic in real time.
    Type: Grant
    Filed: December 26, 2019
    Date of Patent: November 8, 2022
    Assignee: COGNIZANT TECHNOLOGY SOLUTIONS INDIA PVT. LTD.
    Inventors: Lakshmanan Babu, Vinoth Selvaraj, Srihari Viswanathan, Rohith Cheriakallil, Keerthika Dasarathan
  • Patent number: 11496902
    Abstract: Systems and methods include, responsive to a Wi-Fi client device providing a password for a zone of a Wi-Fi network, determining a status of the Wi-Fi client device; when the status is unknown, placing the client device in a holding area associated with the zone, wherein the client device is connected to the Wi-Fi network while in the holding area and has restricted access that is less than full access to the zone in an allowed zone; responsive to placing the client device in the holding area, causing a notification to an administrator that the client device is in the holding area; and with the client device in the holding area, one of moving the Wi-Fi client device to the allowed area, moving the client device to a rejected area for the zone, and leaving the client device in the holding zone, based on any input or lack thereof.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: November 8, 2022
    Assignee: Plume Design, Inc.
    Inventors: Adam R. Hotchkiss, Abhishek Kumar, Paul White, Arun Kalmanje, Metod Medja, Sandeep Jain
  • Patent number: 11496446
    Abstract: Protecting PII submitted through a browser. In some embodiments, a method may include detecting multiple PII of a user submitted to multiple organization websites through a browser. The method may also include encrypting each of the PII. The method may further include storing each of the encrypted PII along with an identifier of the organization website to which the PII was submitted. The method may also include receiving a request to view the PII along with an indicator of the organization website to which the PII was submitted. The method may further include retrieving each of the encrypted PII along with the identifier of the organization website to which the PII was submitted. The method may also include decrypting each of the encrypted PII. The method may further include displaying each of the PII along with the indicator of the organization website to which the PII was submitted.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: November 8, 2022
    Assignee: NORTONLIFELOCK INC.
    Inventors: SriHarsha Angara, Venkadesan Marimuthu, Aditya Subhash Sumant, Arun Ganesan, Mahesh Kamsala, Rahuraman Kaliyaperumal, A. Ramachandra Reddy
  • Patent number: 11496509
    Abstract: A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: November 8, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Drew Dennison, Geoff Stowe, Adam Anderson
  • Patent number: 11496469
    Abstract: A method of registering biometric information according to an embodiment includes generating a registration target biometric template based on biometric information of a user, transmitting a biometric information registration request including the registration target biometric template to a server, acquiring transaction information based on the biometric information registration request from the server through one or more communication interfaces, generating an electronic signature for the transaction information using a private key, transmitting the electronic signature for the transaction information to the server through the one or more communication interfaces, and acquiring a registration result for the registration target biometric template based on a verification result for the electronic signature from the server through the one or more communication interfaces.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: November 8, 2022
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Hyun Chul Park, Dong Yeong Kim, Kyung Joon Park, Hee Jin Park, Hyo Il Lee, Jae Hyuk Cho
  • Patent number: 11489821
    Abstract: Aspects of the invention include receiving a request from a responder channel on a responder node to initiate a secure communication with an initiator channel on an initiator node. The request includes an identifier of a shared key, and a nonce and security parameter index generated by the initiator node for the secure communication. The receiving is at a local key manager (LKM) executing on the responder node. A security association is created at the LKM between the initiator node and the responder node. The shared key is obtained based at least in part on the identifier of the shared key. Based on obtaining the shared key, a message requesting initialization of the secure communication between the responder channel and the initiator channel is built. The message includes an initiator nonce and an initiator security parameter index generated by the LKM for the secure communication.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: November 1, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mooheng Zee, Richard Mark Sczepczenski
  • Patent number: 11467885
    Abstract: Technologies for processing network packets include a compute device with a network interface controller (NIC) that includes a host interface, a packet processor, and a network interface. The host interface is configured to receive a transaction from the compute engine, wherein the transaction includes latency-sensitive data, determine a context of the latency-sensitive data, and verify the latency-sensitive data against one or more server policies as a function of the determined context. The packet processor is configured to identify a trust associated with the latency-sensitive data, determine whether to verify the latency-sensitive data against one or more network policies as a function of the identified trust, apply the one or more network policies, and encapsulate the latency-sensitive data into a network packet. The network interface is configured to transmit the network packet via an associated Ethernet port of the NIC. Other embodiments are described herein.
    Type: Grant
    Filed: December 30, 2017
    Date of Patent: October 11, 2022
    Assignee: Intel Corporation
    Inventors: Ronen Hyatt, Mark Debbage
  • Patent number: 11461470
    Abstract: A system configured for determining an API to perform a task includes a processor configured to receive a request from a user to determine an API to perform the task. The input and output parameters of the API are determined. A set of APIs is determined from an API library that is capable of providing the output parameter given the input parameter. Each API from among the set of APIs is evaluated by determining a quality value, a security value, and a performance value of the API. An API score value is determined based on a combination of the quality value, the security value, and the performance value of the API. A particular API having an API score value that is the highest compared to other APIs from among the set of APIs is determined. The particular API is hosted on a web application to perform the task.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: October 4, 2022
    Assignee: Bank of America Corporation
    Inventor: Neelofar Ahuja
  • Patent number: 11451567
    Abstract: Methods and systems are provided for providing a secure connection to a medical device for remote servicing of the medical device. In one embodiment, a computing device is in communication with a medical device, the computing device comprising non-transitory memory including executable instructions for: communicating with the medical device via a first protocol; and communicating with a remote computing device via an encrypted, second protocol. The computing device also includes a processor for executing said executable instructions.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: September 20, 2022
    Assignee: GE Precision Healthcare LLC
    Inventors: William Barbiaux, Michael Walls, Nathan Davis
  • Patent number: 11449631
    Abstract: An electronic device, system, and method are disclosed. The electronic device operates within a system of multiple devices. The electronic device, in response to the request of the information owner requesting the provision of personal information to the information requester, requests the authentication server to verify the validity of the information owner's request and the validity of the information requester's identity. If the verification is successful, the electronic device obtains the personal information corresponding to the request and provides it directly to the information requester.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: September 20, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Gawon Lee, Daehaeng Cho, Eunyoung Kwon, Taeckki Lee
  • Patent number: 11444781
    Abstract: Apparatuses, methods, systems, and program products are disclosed for distributed trust authentication. An apparatus includes a processor and a memory that stores code executable by the processor. The code is executable by the processor to receive content for a recipient from a content provider. The code is executable by the processor to receive an indicator of the veracity of the received content from the recipient of the content. The indicator of veracity may attest to an authenticity of the received content and an identity of the content provider. The code is executable by the processor to create an entry for the recipient in a public data store to validate that the recipient received the content. The entry may include a digital signature for the recipient and the indicator of the veracity of the received content.
    Type: Grant
    Filed: February 20, 2020
    Date of Patent: September 13, 2022
    Assignee: Lenovo (Singapore) PTE. LTD.
    Inventors: Robert J. Kapinos, Robert J. Norton, Russell Speight VanBlon, Scott W. Li
  • Patent number: 11444766
    Abstract: Some embodiments provide a method for a first device to join a group of related devices. The method receives input of a password for an account with a centralized entity and a code generated by a second device in the group. When the second device determines that the code input on the first device matches the generated code, the method receives an authentication code from the second device for authorizing the first device with the entity as a valid device for the account. The method uses the password and information regarding the first device to generate an application to the group. After sending the application to the second device, the method receives information from the second device that enables the first device to add itself to the group. The second device verifies the generated application, and the method uses the information received from the second device to join the group.
    Type: Grant
    Filed: March 5, 2019
    Date of Patent: September 13, 2022
    Assignee: Apple Inc.
    Inventors: Yannick L. Sierra, Mitchell D. Adler
  • Patent number: 11444768
    Abstract: The invention relates to a method of managing commitments between entities forming the nodes of a network, each entity being housed in a computer processing unit, characterized in that it comprises the following steps: establishing commitments (ENij) between commitment provider entities (Ei) and commitment beneficiary entities (Ej), one and the same entity being able to be both a commitment provider in relation to one or more other commitment beneficiary entities and a commitment beneficiary in relation to other commitment provider entities, upon the default of a commitment on the part of a defaulting commitment provider entity, noted from a beneficiary entity benefiting from this same commitment, communicating to the provider entity from said beneficiary entity, and at least one other entity (upstream entity) whose defaulting provider entity is beneficiary, an indication of default of a commitment, and, in response to this communication, altering at least one commitment whose defaulting provider entity is b
    Type: Grant
    Filed: June 8, 2020
    Date of Patent: September 13, 2022
    Inventor: Enrico Maim