Patents Examined by Mohammad Siddiqi
  • Patent number: 11552968
    Abstract: A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: January 10, 2023
    Assignee: QOMPLX, INC.
    Inventors: Randy Clayton, Jason Crabtree, Luka Jurukovski, Richard Kelley, Angadbir Singh Salaria, Andrew Sellers, Farooq Israr Ahmed Shaikh
  • Patent number: 11552789
    Abstract: The invention relates to a system for transmitting encoded information over radio channels and wired communication lines, including the Internet. The system includes a transmitting side and a receiving side each comprising various software/hardware modules for generating/displaying the output/received information of the transmitting side, cryptographic calculations of the transmitting side, service information of the transmitting side, a module for generating a set key of the transmitting side, a module for generating a computed key of the transmitting/receiving side, a module of transmitting side communication channel, macroblocks for blocking computer brute-force search including at least three software/hardware modules for information encoding/cryptographic transformations, a module for random numbers generation, and modules for a degree of the setting polynomial.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: January 10, 2023
    Inventor: Volodymyr Vasiliovich Khylenko
  • Patent number: 11546159
    Abstract: The present disclosure relates to computer-implemented methods, software, and systems for securely generating a new access token based on relatively long-lasting refresh tokens in self-contained format. A first request to generate a new access token for authorization of a client application with an application server is received and includes a first protected version of a refresh token. The first protected version of the refresh token is an encrypted version of the refresh token based on a first client identifier. The first protected version of the refresh token is decrypted to determine content of the refresh token based on a second client identifier of the client application that is externally invoked for validating the authorization. In response to successfully decrypting the first protected version, a validation of the refresh token is performed. In response to successfully validating the refresh token, the new access token is generated and provided to the client application.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: January 3, 2023
    Assignee: SAP SE
    Inventor: Radoslav Ivanov Sugarev
  • Patent number: 11539695
    Abstract: A client node (CN) requests content from an access node (AN). Rule set ACR_CN is provided to CN and AN and ACR_AN is used by AN. A request sent by CN in violation of ACR_CN may be blocked and cause AN to block subsequent requests from CN that would be allowed per ACR_CN. A request blocked according to ACR_AN but not ACR_CN is blocked but subsequent requests may still be allowed according to ACR_CN and ACR_AN. Authenticated distribution of the ACR_CN and ACR_AN may be performed in cooperation with a controller using authenticated tokens (AT).
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: December 27, 2022
    Assignee: Twingate, Inc.
    Inventors: Lior Rozner, Alexander William Marshall, Eran Moshe Kampf, Dmitry Adamushka, Dzianis Vashchuk, Eugene Lapidous
  • Patent number: 11533340
    Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pod in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: December 20, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Gianluca Mardente, Aram Aghababyan
  • Patent number: 11528139
    Abstract: There is provided an authentication system for validating identity credentials of a user attempting to access a resource provided by a remote resource provision system. The authentication system includes an input configured to receive, from the resource provision system, an authentication request comprising a cryptographic representation of digital identity data of the user and an associated token identifier, where the digital identity data comprises at least one image of an identity credential of the user. The system also includes a processor configured to: determine a pre-stored cryptographic identifier corresponding to the token identifier; and compare the received cryptographic representation with the pre-stored cryptographic identifier.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: December 13, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Patrik Smets, David Anthony Roberts
  • Patent number: 11528283
    Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: December 13, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Navindra Yadav, Abhishek Ranjan Singh, Shashidhar Gandham, Ellen Christine Scheib, Omid Madani, Ali Parandehgheibi, Jackson Ngoc Ki Pang, Vimalkumar Jeyakumar, Michael Standish Watts, Hoang Viet Nguyen, Khawar Deen, Rohit Chandra Prasad, Sunil Kumar Gupta, Supreeth Hosur Nagesh Rao, Anubhav Gupta, Ashutosh Kulshreshtha, Roberto Fernando Spadaro, Hai Trong Vu, Varun Sagar Malhotra, Shih-Chun Chang, Bharathwaj Sankara Viswanathan, Fnu Rachita Agasthy, Duane Thomas Barlow
  • Patent number: 11522702
    Abstract: Systems and methods are described for onboarding a new device to a blockchain secured network. A trusted device that is already enrolled on the blockchain can receive information from a new device. The new device can send an onboarding request to a server through a non-blockchain secured Application Programming Interface (“API”). The trusted device can send an onboarding request for the new device through a blockchain secured API. The server can receive the requests and match them. The server can authenticate the two devices and send a request to a blockchain consensus to add the new device to the blockchain with the trusted device as a referral. The blockchain consensus can add the new device to the blockchain and notify the server. The server can notify the new device, and the new device can begin communicating through the blockchain secured API or directly with other devices on the blockchain.
    Type: Grant
    Filed: June 17, 2021
    Date of Patent: December 6, 2022
    Assignee: VMware, Inc.
    Inventors: Ramani Panchapakesan, Ramanandan Nambannor Kunnath, Erich Stuntebeck
  • Patent number: 11522724
    Abstract: An approach is provided in which an information handling system performs multiple tests on a memory device using different supply voltage levels. The information handling system identifies a set of memory cells in the memory that produce a same set of results during each of the memory tests at the different supply voltage levels, and generates a random number based on a set of data values collected from the set of memory cells. In turn, the information handling system uses the random number generator in one or more processes executed by the information handling system.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: December 6, 2022
    Assignee: International Business Machines Corporation
    Inventor: Effendi Leobandung
  • Patent number: 11521627
    Abstract: The invention resides in a method of placing a code, having a plurality of digits, in original data having media data including audio data, such as a music video, piece of music or music track, to produce coded data. The method determines an area of original data where a digit of the code can be placed to inhibit detection using placement criteria. A coding strategy determines at least one of the format or location of a digit of the code in coded data. The or each digit of the code has a melodic or sympathetic relationship with a characteristic, such as an audio characteristic, of the corresponding original data at the location in which it is placed. Digits are added to the original data and coded data is output. Similarly, the invention resides in a method for decoding and devices and systems for implementing said methods.
    Type: Grant
    Filed: December 14, 2020
    Date of Patent: December 6, 2022
    Assignee: SONIC DATA LIMITED
    Inventor: Simon Gogerly
  • Patent number: 11507680
    Abstract: A system for controlling access includes a computing device, configured to: determine a first identifier associated with a first access point being used by the computing device to access a network; determine first access control data associated with the first identifier and a first application executing on the computing device; and control access to data over the network by the first application based on the first access control data.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: November 22, 2022
    Assignee: Open Text SA ULC
    Inventor: Simon Dominic Copsey
  • Patent number: 11496320
    Abstract: Embodiments of this application provide a registration method and apparatus based on a service-based architecture. In this method, a management network element determines configuration information of a function network element, where the configuration information includes a security parameter; and the management network element sends the configuration information to the function network element. The function network element receives the configuration information sent by the management network element; and the function network element sends a registration request to a control network element based on the configuration information, where the registration request includes the security parameter.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: November 8, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Bo Zhang, Lu Gan, Rong Wu, Shuaishuai Tan
  • Patent number: 11477026
    Abstract: Systems and techniques are described to facilitate using secure tokens for stateless software defined networking. An initial configuration may be created for deploying a network device at a deployment site. A cryptographically secure certificate may be created that includes the initial configuration for deploying the network device at the deployment site. The cryptographically secure certificate may be stored in a secure token that can be inserted into a secure token reader that is located at the deployment site and communicatively coupled to the device at the deployment site. The network device may then be configured at the deployment site by using the secure token.
    Type: Grant
    Filed: August 21, 2020
    Date of Patent: October 18, 2022
    Assignee: Riverbed Technology, Inc.
    Inventors: Robert Walter Schumann, III, Donald Bradley Wood, Marlin Popeye McFate, Michael Clayton Rudd, Mircea I. T. Zetea, Carlos Marcelo Rodriguez de Luna
  • Patent number: 11468181
    Abstract: An accessory device receives authentication information from a host computing device connected thereto and determines whether the authentication information is valid. If the authentication information is valid, the accessory device applies a first access policy that specifies whether the accessory device can provide the host computing device with access to none, some, or all of various computing resources of the accessory device. If the authentication information is not valid, the accessory device applies a second access policy that is different than the first access policy. The accessory device can also be provisioned with access policies by a host computing device if the host computing device successfully authenticates with the accessory device. In either case, authenticating the host computing device may include verifying a digital signature of a certificate provided by the host computing device using a public key of a certificate authority that has been provisioned to the accessory device.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: October 11, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ravi Kiran Chivukula, Robert D. Young, Nathan C. Sherman, Chirag Shah, Brandon Records, Astha Keshan, Eric Kotz, M. Nashaat Soliman
  • Patent number: 11461496
    Abstract: A system is provided for de-identifying electronic records. The system may be configured to tokenize an electronic record to produce a plurality of tokens including a first token. The system may determine whether the first token is part of one of a plurality of expressions known to include protected health information. In response to determining that the first token is not part of any one of the plurality of expressions, the system may determine, based on a blacklist of tokens known to include protected health information, whether the first token includes protected health information. In response to determining that the first token includes protected health information, the system may generate a de-identified electronic record by replacing the first token with a second token obfuscating the protected health information. Related methods and computer program products are also provided.
    Type: Grant
    Filed: June 9, 2020
    Date of Patent: October 4, 2022
    Assignee: The Regents of the University of California
    Inventors: Beau Norgeot, Atul Butte, Gundolf Schenk, Eugenia Rutenberg
  • Patent number: 11451538
    Abstract: A system for authenticating an individual's location activity includes a mobile communications device connected to a network and in electronic communication with at least one other computer. The mobile communications device is configured to authenticate the individual's presence at a location using biometric data entered by the individual. The mobile communications device has applications stored thereon to access location information for the mobile communications device using a GPS application stored on the mobile communications device and to access time information for the mobile communications device from a clock application stored on the mobile communications device. The mobile communications device creates a digital signature that authenticates an individual's location activity by storing an encrypted digital certificate comprising a hash calculation using the biometric data, a validation key generated by authenticating the biometric data, the location information, and the time information.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: September 20, 2022
    Assignee: University of South Florida
    Inventors: Sriram Chellappan, Balaji Padmanabhan, Tanvir Hossain Bhuiyan, Arup Kanti Dey, Shaminur Rahman
  • Patent number: 11451378
    Abstract: An embodiment encryption method, implemented by an electronic circuit including a first non-volatile memory, comprises the creation of one or more first pairs of asymmetrical keys, the first pair or each of the first pairs comprising first private and public keys, and, for the or at least one of the first pairs, storing the first public key in the first memory, receiving a second public key during a communication session, and forming a first symmetrical key from the first private key and the second public key, the first public key staying stored in the first memory after the communication session.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: September 20, 2022
    Assignee: STMICROELECTRONICS SA
    Inventors: Benjamin Baratte, Laurent Halajko
  • Patent number: 11451590
    Abstract: Resources can be secured by a resource security system. The resource security system can determine whether to grant or deny access to resources using authorization information in an access request. The resource security system can also determine whether the access request is legitimate or fraudulent using risk scoring models. A score transformation table can be used to provide consistency in the risk level for a particular score over time. The score transformation table can be based on a target score profile and a precision format (e.g., integer or floating point). The score transformation table can dynamically adapt based on the trending top percent of risk and can account for changes in the distribution of scores over time or by weekday. The scores can be used to determine an access request outcome. Access to the resource can be accepted or rejected based on the outcome.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: September 20, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Hung-Tzaw Hu, Haochuan Zhou, Ge Wen, Benjamin Scott Boding
  • Patent number: 11445367
    Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond a 4th-Generation (4G) communication system such as Long Term Evolution (LTE). Disclosed is a method of refreshing a security key in a secondary cell group (SCG) controlled by a secondary node (SN) of a wireless communication system, wherein the network is configured to operate in dual connectivity (DC) mode and further comprises a master cell group (MCG) controlled by a master node (MN), the method comprising: the SN indicating in a first message to a user equipment (UE) that security key refresh is to be performed; the UE generating the refreshed security key and transmitting a second message to the SN, wherein the second message indicates that the security key has been refreshed.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: September 13, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Himke Vandervelde, Rajavelsamy Rajadurai, Jaehyuk Jang
  • Patent number: 11438162
    Abstract: A method for authenticating an origin of a network device. The method includes reading one or more encrypted parameters from a memory of the network device, decoding the one or more encrypted parameters, and determining whether one or more of the decoded parameters match parameters obtained from a trusted platform module (TPM) installed in the network device and/or a read only memory (ROM) of the network device. In response to a mismatch between the decoded parameters and the parameters obtained from the TPM or the ROM, the method includes at least one of suspending operation of the device or transmitting a report of an authentication failure across a network on which the device is operating.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: September 6, 2022
    Assignee: Arista Networks, Inc.
    Inventors: Ethan Rahn, Baptiste Covolato, Roy Wen, Julien Gomes