Patents Examined by Matthew Henning
  • Patent number: 9930527
    Abstract: Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: March 27, 2018
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, Jerrold Von Hauck
  • Patent number: 9928369
    Abstract: Presented herein are vulnerability assessment techniques for highlighting an organization's information technology (IT) infrastructure security vulnerabilities. For example, a vulnerability assessment system obtains application metadata for each of a plurality of executable applications observed at one or more devices forming part of an organization's IT infrastructure. The application metadata includes unique software identifiers for each of the plurality of executable applications. The vulnerability assessment system obtains global security risk metadata for executable applications observed at the one or more devices. The vulnerability assessment system maps one or more unique software identifiers in the application metadata to global security risk metadata that corresponds to applications identified by the one or more unique software identifiers, thereby generating a vulnerable application dataset.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: March 27, 2018
    Assignee: Cisco Technologies, Inc.
    Inventors: Anthony H. Grieco, Adam J. O'Donnell
  • Patent number: 9916554
    Abstract: A method of assessing a risk level of an enterprise using cloud-based services from one or more cloud service providers includes assessing provider risk scores associated with the one or more cloud service providers; assessing cloud service usage behavior and pattern of the enterprise; and generating a risk score for the enterprise based on the provider risk scores and on the cloud service usage behavior and pattern of the enterprise. The risk score is indicative of the risk of the enterprise relating to the use of the cloud-based services from the one or more cloud service providers.
    Type: Grant
    Filed: January 11, 2017
    Date of Patent: March 13, 2018
    Assignee: Skyhigh Networks, Inc.
    Inventors: Dejan Curcic, Rajiv Gupta, Kaushik Narayan, Prasad Raghavendra Somasamudram, Sekhar Sarukkai
  • Patent number: 9911098
    Abstract: A dynamic notary system having one or more processors, and one or more non-transitory computer readable medium coupled to the one or more processors with at least one of the computer readable medium being local to the one or more processors. The one or more non-transitory computer readable medium stores computer executable instructions, that when executed by the one or more processors cause the one or more processors to: (1) verify a notary with user identification information stored on the at least one computer readable medium local to the one or more processors, (2) retrieve a document to be notarized from the one or more non-transitory computer readable medium, (3) receive a signatory's electronic signature, (4) receive the notary's electronic signature, (5) apply a notary seal to the document, and (6) lock the document in an unchangeable format.
    Type: Grant
    Filed: May 4, 2012
    Date of Patent: March 6, 2018
    Inventors: David C. Hackler, Kenneth M. Stoner
  • Patent number: 9870463
    Abstract: A permission management method, apparatus, and terminal. The permission management method includes obtaining an installation package of a first application program, where the installation package carries a first certificate and permission request information of the first application program, determining, according to the permission request information, a first permission that the first application program requires during running, where the first permission is a system administrator permission of a system, and granting the first permission to the first application program according to the first certificate of the first application program. In this way, the first permission that the first application program requires during running is granted to the first application program.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: January 16, 2018
    Assignee: HUAWEI DEVICE (DONGGUAN) CO., LTD.
    Inventors: Xi Huang, Huangwei Wu
  • Patent number: 9871796
    Abstract: A system for collaborating on a component a first multi-user CAx environment including a data module. The first multi-user CAx environment corresponds to a first profile. The data module is configured to access data relating to a component design in a database. The database relates to a group of function-based commands. A synchronization module is configured to cause the data module to access at least one work area relating to the component design according to one of at least three access levels when at least one predetermined criterion is met, and another one of the at least three access levels when the at least one predetermined criterion is not met. A method for designing a component is also disclosed.
    Type: Grant
    Filed: February 10, 2015
    Date of Patent: January 16, 2018
    Assignee: UNITED TECHNOLOGIES CORPORATION
    Inventors: William A. Sowa, Charles Gregory Jensen
  • Patent number: 9866577
    Abstract: A method for detecting intrusions on a set of virtual resources in a computer system including at least one physical machine hosting the set of virtual resources. The method includes: calculating an intrusion detection itinerary defined by a sequence of virtual resources from the set, the virtual resources being integrated and arranged in the sequence on the basis of respective vulnerability criticality levels assigned to the virtual resources of the set; and carrying out an intrusion detection operation, following the calculated itinerary.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: January 9, 2018
    Assignee: ORANGE
    Inventors: Sylvie Laniepce, Fabien Bignon, Karel Mittig
  • Patent number: 9846767
    Abstract: A computer-implemented method includes receiving, from a remote communication device and at a server system, information that indicates a unique identifier for a physical item that corresponds to media content, the identifier differing from identifiers for other physical items that correspond to the same content; associating the received information with an account of a first user of a hosted internet service; and subsequently providing, by the hosted internet service, content that matches the content that corresponds to the physical item, based on a determination that the received information authorizes the first user to obtain the content provided by the hosted internet service.
    Type: Grant
    Filed: August 19, 2015
    Date of Patent: December 19, 2017
    Assignee: Google Inc.
    Inventors: Joe Freeman Britt, Jr., Richard Scott Bartlett, Eugene Koh, Matthew J. Hershenson
  • Patent number: 9836587
    Abstract: A system and method for granting permission for a machine action may receive a machine generated request, associated with a source, where the machine generated request comprises request parameters that include a requested machine action, a target recipient of the requested machine action, and the source of the requested machine action. Accessing a stored set of capabilities where each of the one or more capabilities comprises permission parameters that include a permissible action, a specified recipient of the permissible action, and a specified source of the permissible action. Examining the one or more capabilities in the stored set of capabilities and determining whether the request parameters associated with the machine generated request match the permission parameters associated with a capability of the one or more capabilities. Granting permission to apply the machine generated request to the target recipient when a match is determined.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: December 5, 2017
    Assignee: 2236008 Ontario Inc.
    Inventors: Daniel Cardamore, Wadih Jean Shaib
  • Patent number: 9825929
    Abstract: A computer system, serving as a first platform, provides a user with a first user account on the first platform. The user has a second user account on a second platform; the second user account includes a second contact identification associated with a contact of the user on the second platform; and the contact has a first contact account on the first platform associated with a first contact identification. The computer system also acquires the second contact identification from the second platform; acquires account information of the first contact account based on the second contact identification; and provides the account information of the first contact account to the user.
    Type: Grant
    Filed: January 21, 2015
    Date of Patent: November 21, 2017
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventor: Xiaolong Zhang
  • Patent number: 9824197
    Abstract: Provided is a classifier training method, including: acquiring a training sample set; determining a classification condition at a root node according to a preset classification condition feature, performing classification on training samples in the training sample set according to the classification condition at the root node, and acquiring a classification subset corresponding to a child node of the root node; using the child node of the root node as a current node, circularly implementing the step of determining a classification condition at the current node according to another preset classification condition feature, performing classification on training samples in a classification subset corresponding to the current node according to the classification condition at the current node, and acquiring a classification subset of a child node of the current node, till a leaf node; and determining a user identity classification result at the current node, and obtaining a decision tree classifier.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: November 21, 2017
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Jie Liu, Kaiyuan Gu, Li Lu
  • Patent number: 9800550
    Abstract: End-to-end file transfer security for file transfer is provided over a network such as the Internet between a client, using a secure communication protocol which is pervasively available, such as HTTPS, to a secure file server which is accessible only through a secure file transfer protocol which is not pervasively available by using a secure proxy for accessing the secure file server rather than providing a protocol break merely for traversing a firewall. The secure proxy is arranged to provide a protocol conversion between the pervasively available secure protocol and the communication protocol through which the server is accessible and which is not pervasively available. By doing so, the secure proxy inherits secure functions of the secure server which thus need not be separately or independently provided in the secure proxy.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: October 24, 2017
    Assignee: International Business Machines Corporation
    Inventor: Brent E. Davis
  • Patent number: 9800568
    Abstract: Methods, non-transitory computer readable media, and network traffic management apparatuses that receive a request from a client device to access an application. The request comprises an original certificate. A determination is made when the certificate is valid. Data is extracted from one or more fields of the certificate, when the determining indicates that the user certificate is valid. A delegate certificate comprising the data and signed by a certificate authority trusted by a server device hosting the application is generated. The delegate certificate is sent to the server device. With this technology, network traffic management apparatuses can secure SSL connections using PFS-capable ciphers, while also inspecting payload data in network traffic exchanged between client and server devices in order to provide intelligent services in the network.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: October 24, 2017
    Assignee: F5 Networks, Inc.
    Inventors: Joel Moses, Kevin Stewart, William Church
  • Patent number: 9800582
    Abstract: The disclosure comprises a method, an apparatus, and instructions for controlling a computer to implement a security labeling service (SLS) to tag an electronic record or data stream with security labels to ensure compliance with access restriction requirements. The SLS tags a record or data stream with security labels according to constraints including jurisdictional (government regulation), organizational policy, and authorization of a subject of record (e.g. patient consent). The SLS consumes a vocabulary dictionary to interpret the record and the constraints to generate rules for tagging the data. The original record or data stream is then tagged according to the rules. The tagged output is used to ensure compliance with the security labels.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: October 24, 2017
    Assignee: EDMOND SCIENTIFIC COMPANY
    Inventors: Duane Decouteau, John Pitale
  • Patent number: 9794067
    Abstract: A method of providing robust and secure fingerprints including, at an enrollment stage, the steps of providing a content x for which a fingerprint is to be provided, assigning an ID number to the content x, providing a secret key k, generating a fingerprint b_x based on content x and secret key k, storing the generated fingerprint b_x together with the assigned ID in a database, as well as, at an identification stage, the steps of extracting, for a given query content y which might result either from the enrolled content x or an unrelated content x′, an estimate fingerprint b_y based on content y, and secret key k, producing an estimated IĎ number based on the estimate fingerprint b_y for identifying the content x using said ID number stored in the database, or else rejecting the query.
    Type: Grant
    Filed: September 18, 2013
    Date of Patent: October 17, 2017
    Assignee: Université de Genève
    Inventor: Svyatoslav Voloshynovskiy
  • Patent number: 9775032
    Abstract: A method for controlling an access point in a wireless local area network (WLAN) and a communication system, the method includes: authenticating an access point; after the authentication succeeds, delivering an access controller list to the access point; the access point selecting an access controller from the access controller list according to a preset rule, and communicating with the selected access controller. Only in the case that the access point is successfully authenticated is the access controller list sent to the successfully-authenticated access point, thus solving the problem that the information of the access controller is leaked out because of delivering the access controller list to an illegitimately-set access point, and ensuring the security of network device information.
    Type: Grant
    Filed: August 27, 2013
    Date of Patent: September 26, 2017
    Assignee: ZTE CORPORATION
    Inventors: Qiandeng Liang, Liang Fan, Yong Chen
  • Patent number: 9769129
    Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: September 19, 2017
    Assignee: Intel Corporation
    Inventors: Vinay Phegade, Anand Rajan, Simon Johnson, Vincent Scarlata, Carlos Rozas, Nikhil Deshpande
  • Patent number: 9740861
    Abstract: A method for detecting an eavesdropping activity and a terminal device. The method includes determining whether a terminal device is in a conversation; when the terminal device is in a conversation, determining whether the terminal device has an application that starts a recording function; and when the terminal device has an application that starts a recording function, sending out an eavesdropping alarm prompt. By adopting the technical solutions of the present invention, an eavesdropping activity in a manner of recording may be detected.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: August 22, 2017
    Assignee: HUAWEI DEVICE CO., LTD.
    Inventor: Yongjie Yan
  • Patent number: 9735957
    Abstract: According to one embodiment, techniques are provided to enable secure communication among devices in a mesh network using a group temporal key. An authenticator device associated with a mesh network stores a pairwise master key for each of a plurality of devices in a mesh network upon authentication of the respective devices. Using the pairwise master key, the authenticator device initiates a handshake procedure with a particular device in the mesh network to mutually derive a pairwise temporal key from the pairwise master key. The authenticator device encrypts and signs a group temporal key using the pairwise temporal key for the particular device and sends the group temporal key encrypted and signed with the pairwise temporal key to the particular device.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: August 15, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Navindra Yadav, Atul Mahamuni, Jonathan Hui, Wei Hong, Alec Woo
  • Patent number: 9734310
    Abstract: To enhance the convenience of authentication when executing an application, an application server: acquires, from a terminal, context information indicating the status of the terminal; generates, on the basis of the acquired context information, information (an authentication necessity table) pertaining to the necessity for authentication when executing the application; and transmits to the terminal the authentication necessity table and an authentication module described in the table. Then, the terminal, on the basis of the authentication necessity table and an authentication table, determines whether or not authentication is necessary before executing the application, and when it has been determined that authentication is necessary, prior to executing the application, changes the authentication module read destination to the application read destination and executes the authentication module.
    Type: Grant
    Filed: January 16, 2015
    Date of Patent: August 15, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Koichi Yasaki, Kazuaki Nimura, Hidenobu Ito, Yosuke Nakamura