Abstract: The disclosure discloses a method for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network, which reads an unbalanced data set DS; under-samples the unbalanced data set using the improved NCR algorithm to reduce the ratio of the majority type samples and make the data distribution of the data set balanced; the improved differential evolution algorithm is used on the distributed memory computing platform Spark to optimize the parameters of the deep belief network model to obtain the optimal model parameters; extract the feature of data of the data set, and then classify the intrusion detection by the weighted nuclear extreme learning machine, and finally train multiple weighted nuclear extreme learning machines of different structures in parallel by multithreading as the base classifier, and establish a multi-classifier intrusion detection model based on adaptive weighted voting for detecting the intrusion in parallel.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which allows in-network and network-border protection for Internet of things (IoT) devices by securely partitioning network space and defining service-based access to IoT devices. The disclosed segmented attack prevention system for IoT networks (SAPSIN) segments the IoT network into two virtual networks: a service network and a control network; and define access control rules for each virtual network. In the service network, SAPSIN utilizes a service-based approach to control device access, allowing only configured protocol, applications, network ports, or address groups to enter or exit the network. In control network, the SAPSIN provides the access control rules by defining a threshold for the number of configuration requests within a predetermined time. As a result, SAPSIN protects IoT devices against intrusion and misuse, without the need for device-specific software or device-specific security hardening.

Abstract: A middleware, for providing an interconnection between heterogeneous applications, receives a first HTTP POST request that includes a header and a body. Then, the middleware creates a HTTP GET request using the header. The middleware establishes a secure connection with an authorization server, and submits the HTTP GET request to the authorization server asynchronously. The middleware receives a response to the HTTP GET request regarding a validation of identifiers in a query string of the HTTP GET request, and decrypts a username and a password using the identifiers in response to the identifiers located in the authorization server. The middleware serializes an output of the decrypted username and the decrypted password in a Java Script Object Notation (JSON) format, and places the output in a body of a second HTTP POST request. The middleware responds the second HTTP POST request to a data server.

Abstract: Techniques are provided for controlling access entitlement for networking device data. In one example, a geographic location of a networking device is determined. A request to access data associated with the networking device is obtained from a user device. A user parameter of a user associated with the user device is determined. An access policy that controls access to the data based on the geographic location of the networking device and the user parameter is identified. The request to access the data is permitted or denied based on the geographic location of the networking device, the user parameter, and the access policy.

Abstract: Systems and techniques are provided for a resource transfer setup and verification. A request for transfer conditions for a transfer of resources may be received from a first computing device. A set of transfer conditions may be generated in response to the request for transfer conditions and sent to the first computing device. The set of transfer conditions and an indication of an acceptance of the set of transfer conditions by a second computing device may be received from the first computing device. A transfer identifier for the set of transfer conditions may be generated from data from the set of transfer conditions which may specify a first sub-transfer. Transfer instructions may be sent to a third computing device, including instructions for a sub-transfer specified in the set of transfer conditions. The set of transfer conditions may be stored with the transfer identifier as a transfer record in non-volatile storage.

Abstract: A device receives first transaction information associated with a first transaction, and a first transaction account utilized for the first transaction and associated with a first financial institution. The device determines, based on a fraud model, that the first transaction is to be denied due to potential fraud associated with the first transaction account and receives second transaction information associated with a second transaction, and a second transaction account utilized for the second transaction and associated with a second financial institution. The device processes the first transaction information and the second transaction information, with a matching model, to determine whether the first transaction information matches the second transaction information and determines that the first transaction was incorrectly denied when the first transaction information matches the second transaction information within a predetermined threshold.

Abstract: An electronic device for controlling access to a device resource, and an operation method thereof, are disclosed. The electronic device may include a memory; and a processor configured to execute at least one operating system executed in a first region allowing an operation based on a first authority; execute at least one application executed in a second region allowing an operation based on a second authority; and in response to detection of access to at least one device resource by the at least one application, determine authority of access to the at least one device resource by using an authority determination module executed in a third region allowing an operation based on a third authority.

Abstract: A system and method that provides the ability for users to select, create, and upload a collection of graphical images whereby a web site login process presents the user with an array of graphical images including the graphical images designated for an authentication pattern, the graphical image authentication system then determines that the graphical images chosen by the user are correct or incorrect without notifying the user until the process is complete.

Abstract: Methods and systems, including computer programs encoded on a computer storage medium, implement compliance testing to evaluate controls used to protect assets of a target system. A respective first score is generated for each control based on compliance tests performed to detect each of the controls at the target system. A compliance model is generated that integrates machine-learning algorithms to classify inputs corresponding to a compliance test and to enable predictive analytics of the compliance model using the classified inputs. The compliance model derives a negative compliance test (nCT) for each of the compliance tests by applying the predictive analytics to a data set that includes the first score for each control. An nCT is performed for each control detected at the target system and a second score is generated for each nCT. An assurance score characterizing effectiveness of the control is generated based on the first and second scores.

Abstract: Improved optical network security (e.g., using a computerized tool) is enabled. Various embodiments herein can send (e.g., via a network) to a group of network devices comprising a first network device and a second network device, a first encrypted data stream, a second encrypted data stream, a first hash code, and a second hash code, wherein the first network device deletes the second encrypted data stream after the first network device hashes the second encrypted data stream, and in response to the second network device being determined not to have received the second hash code within a defined threshold time, determine that the first network device is unauthorized to use the network.

Abstract: A system to create a stacked classifier model combination or classifier ensemble has been designed for identification of undisclosed flaws in software components on a large-scale. This classifier ensemble is capable of at least a 54.55% improvement in precision. The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds. At each test iteration, trained models of the set of classifiers generate probabilities that a sample has a flaw, resulting in a set of N probabilities or predictions for each sample in the test data. With a sample size of S, the system passes the S sets of N predictions to a logistic regressor along with “ground truth” for the sample dataset to train a logistic regression model. The trained classifiers and the logistic regression model are stored as the classifier ensemble.

Abstract: A method for preventing transmission of malicious data may include receiving transaction data including at least one packet associated with a payment transaction; extracting at least one of network layer data or transport layer data from a header of the at least one packet; determining a first probability indicating that the at least one packet is in a first class based on the at least one of the network layer data or the transport layer data using a classifier. The method may also include determining a second probability indicating that the at least one packet is in a second class based on the at least one of the network layer data or the transport layer data using the classifier; and blocking the at least one packet. A system and a computer program product are also disclosed.

Abstract: Systems and methods for adaptive attack resistant distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess multiple secret shares corresponding to distinct secret values, which may be used in the process of encrypting or decrypting data. The client computer may generate multiple commitments and transmit those commitments to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitments and their respective secret shares. The partial computations may be transmitted to the client computer. The client computer may use the partial computations to generate a cryptographic key. The client computer may use the cryptographic key to encrypt a message or decrypt ciphertext.

Abstract: A processing device is configured to process an initial set of command types. A command extension module and a digital signature are received. The digital signature is generated based on the command extension module using a private key of a key pair. The command extension module, once installed by the processing device, enables the processing device to process a new command type that is not included in the initial set of command types. The digital signature is verified using a public key of the key pair. Based on a successful verification of the digital signature, the command extension module is temporarily installed by loading the command extension module in a volatile memory device.

Abstract: A method and a control circuit for managing information of an electronic device are provided, where the electronic device includes the control chip. The method includes: utilizing a static entropy source of the control circuit to provide static entropy data; utilizing a cryptographic circuit of the control circuit to generate a public key and a private key according to the static entropy data, where the public key is to be registered into a blockchain by an identifier (ID) management device; and utilizing a signature generating circuit to generate a digital signature at least according to the private key, where the information of the electronic device is to be uploaded to the blockchain in conjunction with the digital signature.

Abstract: Systems and methods for enrolling and authenticating a user in an authentication system via a user's camera of camera equipped mobile device include capturing and storing enrollment biometric information from at least one first image of the user taken via the camera of the mobile device, capturing authentication biometric information from at least one second image of the user, capturing, during imaging of the at least one second image, path parameters via at least one movement detecting sensor indicating an authentication movement of the mobile device, comparing the authentication biometric information to the stored enrollment biometric information, and comparing the authentication movement of the mobile device to an expected movement of the mobile device to determine whether the authentication movement sufficiently corresponds to the expected movement.

Abstract: Various systems and methods are described for correlating technology choices with the risk of system vulnerabilities. A system captures and quantifies both observations of technology choices as well as the outputs certain outputs of internal choices and processes across a number of different organizations. A Bayesian estimate of vulnerability is imputed from the choices and observed use of vulnerable technology, further segmented by business type, revenue, and size. Differences between the observation of a particular organization and Bayesian expected value are measured and converted to vulnerability score, the vulnerability score embodying a point-in-time and longitudinal measure of organizational performance, including the likelihood of future compromise due to software vulnerabilities. The vulnerability score can then be further used to price risk, for example in a cyber insurance context.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.

Abstract: A transport stack may control identity information that may be owned by a user. An information record of the identity information may be stored on a distributed ledger. Transactors may request a viewing-share for the identity information to support transactions with the user. The transport stack may generate a grant record when a transactor is provided with a viewing-share of the identity information. The grant record may be stored on the distributed ledger. The distributed ledger may provide a verifiable record of the identity information content and history of viewing-share grants.

Abstract: A system for data encryption includes any or all of: a set of items, a set of keys, and a server. A method for data encryption includes any or all of: encrypting items, sharing items, and reading items. The method can optionally additionally or alternatively include any or all of: performing a registration process, creating items, restricting access of users and/or supplementary systems to items, and/or any other suitable processes.