Abstract: Systems and procedures are provided for validating an IHS (Information Handling System) as operating using only factory-provisioned lockable devices. During factory provisioning of the IHS, a signed inventory certificate is uploaded to the IHS that includes an inventory of factory-provisioned lockable devices and also includes encrypted code(s) for accessing the lockable devices. Upon delivery and initialization of the IHS, the inventory certificate is retrieved by a pre-boot validation process. An inventory of detected lockable devices of the IHS is then collected. The validation process compares the collected inventory of detected lockable devices against the inventory of factory-provisioned lockable devices from the inventory certificate in order to validate the IHS is operating using only factory-provisioned lockable devices.

Abstract: A system and method for enabling secure device-to-device (D2D) communication between a plurality of user devices. The method includes providing public and private keys for each of the user devices, the private key arranged to decrypt data encrypted by the corresponding public key. A sender user device creates a digital signature using its private key. The sender double-encrypts a transmission using both the public keys of a recipient user device and a first relay user device. The transmission is transmitted from the sender to the recipient through a plurality of relay user devices. Each relay user device receives the transmission, decrypts a first layer of encryption with its private key, encrypts the transmission with the public key of a subsequent user device; and forwards the data transmission to the subsequent user device. The recipient authenticates the digital signature of the sender using the public key of the sender.

Abstract: A first request to send a message via a communication channel of the plurality of communication channels is received via a first application programming interface (API) call. The first request is received from a client device associated with a client account and includes an identifier of a content resource having message content for the message. The content resource is obtained based on the identifier. The message is prepared based on the first request and the content resource. The prepared message is sent to a recipient device via the communication channel.

Abstract: According to one embodiment, a server device includes a memory and a processor. The memory stores verification information. The processor accepts a request to transmit a certificate number, generates information in which identification information of one of storage devices from which data is to be erased, a public key, a secret key, and the certificate number are associated with one another, transmits the certificate number, performs verification using an authenticator transmitted by the one storage device and verification information, generates, based on a result of the verification, an erasure certificate that includes the identification information and the certificate number and is signed using the secret key, and transmits the erasure certificate.

Abstract: Various embodiments relate to a method for multiplying a first and a second polynomial in a ring q [X]/(Xn+1) where q is a positive integer.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for distributed DCP over internet. A client-side digital content delivery device receives a digital cinema package (DCP) for a digital movie from a remote digital content delivery system. The DCP includes a unique digital watermark applied by the content delivery system. In response to receiving an input to cause playback of the digital movie, the client-side digital content delivery device compares a unique device identifier for a display device paired to the client-side digital content delivery device to an authorized unique identifier. If the unique device identifier matches the authorized unique identifier, the client-side digital content delivery device uses the DCP to causes presentation of the digital movie by the display device paired to the client-side digital content delivery device.

Abstract: This application describes methods, mediums, and systems for verifying a device for use in a messaging system. Using the device verification procedures described, a messaging system can securely authorize new devices to send and receive encrypted messages on behalf of a user, preferably without the need to share a private encryption key between the users' different devices. The application describes several techniques that can be used to provide such a system, including distributing a computer-perceptible code that encodes encryption information between a secondary device and a primary device. This allows the information to be distributed without intervention by a server. Other techniques provide unique ways to build and reverify authorized device lists, distribute encryption keys in chat channels, ensure that lists of authorized devices are distributed in the correct order and remain valid for an appropriate amount of time, add new devices to an ongoing or new conversation, and more.

Abstract: A method includes establishing a first funds transfer account associated with a first device and a second funds transfer account with a second device, funding at least the first fund account, and selecting the second device as the recipient of a funds transfer from the first device. The method further includes sending a communications link request from the first device to the second device and receiving acceptance of the communications link request from the second device. The method then establishes a communications link between the first device and the second device, initiates a funds transfer from the first device to the second device, wherein the amount is designated at the first device, and verifies the funds transfer amount, the first funds transfer account, and the second funds transfer account. Then, the method transfers the amount to the second funds transfer account associated with second device.

Abstract: Disclosed are systems and methods for improving interactions with and between computers in content providing, searching and/or hosting systems supported by or configured with devices, servers and/or platforms. The disclosed systems and methods provide a framework for delivering electronic messages to a recipient in an optimized manner based on current real-world and digital activities associated with the recipient. Once a message sent by a sender is received by the message platform, the message and information related to a user's activity is analyzed, and a delivery condition is determined by the messaging platform. The platform then sends the message according to that delivery condition, such that it is delivered to the user only upon the platform relaying the message thereon when the condition is satisfied or occurs.

Abstract: Embodiments of this application disclose a cell access method and a device, to provide a network slice service area identifier and network slice configuration information for a terminal device, so that the terminal device accesses a target cell. The method in the embodiments of this application includes: obtaining, by a terminal device, a network slice service area identifier from a serving access network device corresponding to a serving cell in which the terminal device is located, where the network slice service area identifier is used to indicate an area served by a network slice; determining, by the terminal device, a target cell based on network slice configuration information and the network slice service area identifier, where the network slice configuration information includes a correspondence among a network slice, an area, and a service; and accessing, by the terminal device, the target cell.

Abstract: A technique for verifying an origin of a digital object in a digital object architecture is described. The technique includes the steps of receiving, from a handle registry, handle information for a digital object that includes an attestation that references the handle identification value for the handle and origin identification information; verifying the authenticity of the attestation; after verifying the authenticity of the attestation, using the origin information in determining authorizations applicable to the digital object.

Abstract: Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.

Abstract: An information processing apparatus generates a public key pair in accordance with a certificate issuance request, generates a certificate signing request based on the public key pair and transmits an electronic certificate issuance request to an external apparatus. The information processing apparatus receives a response transmitted from the external apparatus as a response to the electronic certificate issuance request, obtains an electronic certificate included in the received response and causes an application to enable its use of the obtained electronic certificate.

Abstract: A method of obtaining digitally signed data is disclosed. The method comprises sending first data (e2) from at least one of a plurality of first participants to at least one second participant, wherein the first data is based on second data (e) accessible to at least one said first participant, and the second data is inaccessible to the or each said second participant. A digital signature (s1) of the first data is received from at least one said second participant, and the digital signature of the first data is processed, by a plurality of the first participants, to provide shares of a digital signature(s) of the second data, wherein the digital signature of said second data is accessible by means of a threshold number of said shares and is inaccessible to less than said threshold number of shares.

Abstract: The invention provides a computer-implemented control method and corresponding system. The method may control or influence a device, system or other resource such as a technical process. The invention can provide a mechanism for emulating or otherwise executing the functionality of a logic gate via a computer-based distributed ledger (blockchain). This may be the Bitcoin blockchain or an alternative network/protocol. The invention provides logic embedded within a redeem script such that it determines which particular private keys have been used to sign an unlocking script, and then interprets the provision of those keys in accordance with a predetermined function.

Abstract: A federation link is used to facilitate bi-directional identity federation between software applications. The federation link is created to include user and account identity information for software applications having respective authentication providers. The federation link is created by one of the software applications and shared, for example, with the authentication provider of the other software application. The federation link can be utilized by both software applications to facilitate automated user authentication when navigating in either direction between the software applications.

Abstract: A URL collecting method includes accessing, by a URL collecting apparatus, a web server of a first URL; receiving, by the URL collecting apparatus, a first web page from the web server; and a URL dynamic collecting step of collecting, by the URL collecting apparatus, one or more URLs invoked while performing some or all of source codes of the first web page.

Abstract: Techniques described herein can be utilized to implement a protocol for performing an unbiased selection of a particular worker node among a plurality of worker nodes to execute a computational task. Nodes of a distributed network may register to join a group membership by generating quantities derived at least in part from a hierarchical data structure, such as an accumulation tree, whose parameters are defined by a manager node. The manager node may utilise the quantities provided by the plurality of worker nodes to perform an unbiased selection of a worker node from among the plurality of worker nodes to perform a computational task. The invention is particularly suited, but not limited to, for use in a blockchain network such as Bitcoin. In at least some cases, the manager node cannot determine, based on quantities supplied by the worker nodes, whether a particular worker node was selected to perform the computational task.

Abstract: Embodiments describe systems and methods for analyzing digital certificates. A computer-implemented can include identifying a plurality of digital certificates, individual digital certificates of the plurality of digital certificates including respective internal information. External information associated with the individual digital certificates can be determined, the external information not contained within the respective digital certificate. The external information can be updated in a database with additional external information that is collected on a periodic basis. A query can be run against the database to identify one or more vulnerable digital certificates associated with a client based on the internal information and the external information. A notification can be sent to the client regarding the one or more vulnerable digital certificates.

Abstract: A print management service facilitates the secure exchange of print job information between a client who requests a print job and multiple candidates who may wish to bid on the job. The service generates a smart contract that includes some information about the print job but that omits other information, such as the content to be printed. When a print service provider submits a qualifying bid to a processor that executes the smart contract, the smart contract will award the job to that provider, and the print service provider will then receive access to the full content of the print job. The smart contract may require proof of work to trigger payment from the client to the service provider upon completion of the print job.

Abstract: A method for generating a digital identity is provided, including: extracting a first preset number of short tandem repeat STRs and relevant information of each STR from whole genome data; generating a single STR digital code corresponding to each STR according to the relevant information of each STR, to obtain a plurality of single STR digital codes; performing sequence transformation on each single STR digital code with a preset rule, and generating a target STR digital code according to the single STR digital code after the sequence transformation; generating summary information of the target STR digital code, and determining the summary information as summary information of the STR to which the target STR digital code belongs; and determining the summary information of the STR as the generated digital identity.

Abstract: The exemplary embodiments are related to a device, a system, and a method for implementing a mechanism that is configured to prevent the unauthorized execution of software. A user device is configured to execute a feature access function corresponding to an application feature included in an application. The feature access function is configured to receive one of a plurality of values each time the application is launched. During operation, the feature access function receives a value and determines whether a condition is satisfied. When the condition is satisfied, the value is returned which indicates that execution of the application feature is permitted.

Abstract: Mechanisms are provided to detect phishing exfiltration communications. The mechanisms receive an input electronic communication from a data network and process the input electronic communication to extract a structure token that represents the content structure of the input electronic communication. The structure token is input to a machine learning model that is trained to identify phishing exfiltration communication grammars, and relationships between phishing exfiltration communication grammars, in structure tokens. The machine learning model processes the structure token to generate a vector output indicating computed values for processing by classification logic. The classification logic processes the vector output from the machine learning model to classify the input electronic communication as either a phishing exfiltration communication or a non-phishing exfiltration communication, and outputs a corresponding classification output.

Abstract: A device detects a communication involving a user associated with an account and a service representative, and sends, to a user device associated with the account, an authentication notification that causes the user device to display an authentication field for the user. The device sends, to a service representative device associated with the service representative, a message that indicates that the service representative is to request, via the communication, the user to enter personal information associated with the user into the authentication field, where the user device is configured to generate a first authentication code based on a user input received from the user device in the authentication field. The device generates a second authentication code based on personal information associated with the account from a data structure, receives the first authentication code, and performs an action based on the first authentication code and the second authentication code.

Abstract: Systems, methods, and computer storage media are provided for determining a patient's severity of illness score (pSIS) for a patient admitted to an acute care facility. Data corresponding to physiologic components is received from an electronic medical record associated with a patient admitted to an acute care healthcare facility. The physiologic components include vital sign measurements and laboratory tests. Weights are assigned to a minimum, median, and maximum measured values for each vital sign. Weights are assigned to minimum and maximum values for each laboratory test. The weights are derived based on a deviation from normal within a time period. A pSIS is determined by summing the weights. Additional data corresponding to physiologic components may be received from the electronic medical record. The additional data may be utilized to update the weights and determine a patient's updated pSIS that may be utilized to track a progress of the patient.

Abstract: Access is provided to a variable data printing app and a code detection app on a computer server. The variable data printing app is adapted to add machine-readable code to printable items and create a decoder app capable of decoding the machine-readable code. The code detection app is adapted to receive user identification information and transmit the user identification information to designer devices. The printable items are printed as printed products. The designer devices validate a user device based on the validity of the user identification information. In response, the variable data printing app is adapted to transmit the decoder app to validated user devices. The code detection app, operating on the user device, is adapted to decode the machine-readable code in user-acquired images into an optional secure link with the designer devices.

Abstract: A client forensic watermarking device, system, and method. A forensic watermarking device capable of communicating with a content server selecting a watermark mask area in which a watermark mask is displayed from video content and storing watermark area information about the watermark mask area in a storage unit according to the present disclosure may provide: a downloading unit requesting the video content to be played from the content server and receiving the video content and the watermark area information from the content server; a watermark mask generation unit outputting the watermark mask using the watermark area information inputted from the downloading unit; and an overlay unit superimposing the watermark mask inputted from the watermark mask generation unit on the watermark mask area of the video content inputted from the downloading unit, thereby enabling a client to display a forensic watermark so as to deal with a collusion attack.

Abstract: A system and method for electronic signature validation is provided. Embodiments may include analyzing at least one government identification document, wherein analyzing includes authenticating the at least one government identification document. Embodiments may further include extracting personally identifiable information pertaining to a user from the at least one government identification document and displaying a digital copy of a document to be signed to the user. Embodiments may also include capturing an electronic signature of the document by the user and receiving personally identifiable information, wherein the personally identifiable information pertains to the user and enables the user to be uniquely identified. Embodiments may further transmitting a document signing transaction session.

Abstract: Systems and methods for ensuring data privacy in a data sharing system are provided. A computer implemented method carried out at a host computing system includes: accessing a set of data from a data source including a true element and at least one spurious element so that the host computing system cannot differentiate between the elements to obfuscate the true element from the host computing system. The method includes: accessing a code which is executable on the set of data so as to output multiple results for the elements of the set of data; processing the set of data, including for each element: executing the code on the element to generate a result; computing a hash value of the element; and outputting the result in association with the hash value to a third-party computing system. A third-party computing system has access to the true hash value of the true element for identification of the result generated by execution of the code on the true element.

Abstract: According to one embodiment, a DP accelerator includes one or more execution units (EUs) configured to perform data processing operations in response to an instruction received from a host system coupled over a bus. The DP accelerator includes a time unit (TU) coupled to the security unit to provide timestamp services. The DP accelerator includes a security unit (SU) configured to establish and maintain a secure channel with the host system to exchange commands and data associated with the data processing operations, where the security unit includes a secure storage area to store a private root key associated with the DP accelerator, where the private root key is utilized for authentication. The SU includes a random number generator to generate a random number, and a cryptographic engine to perform cryptographic operations on data exchanged with the host system over the bus using a session key derived based on the random number.

Abstract: Aspects of the disclosure relate to digital check processing. A computing platform may receive, from a first recipient, a request to transfer a first portion of funds, corresponding to the first digital check image, to a second recipient account and a second portion of the funds, corresponding to the first digital check image, to a third recipient account. The computing platform may generate second and third digital check images representative of the first and second portions of the funds respectively. Based on successful validation of the second digital check image and the third digital check image, the computing platform may embed, into the second and third digital check images, a digital chip that indicates the successful validation. The computing platform may send, to the second recipient account and the third recipient account, the second and third digital check images respectively.

Abstract: Systems and methods are provided herein for monitoring and identifying potential security vulnerabilities in hardware and/or firmware of host devices. In an example, a client system includes a data interface, a processor, and a storage device storing instructions executable by the processor to collect firmware and/or hardware information relating to the client system and transmit, via the data interface, data associated with the firmware and/or hardware information to a remote device.

Abstract: An example virtual signing even can include to establish a first video connection with the celebrity; establish a second video connection with a customer; connect the first video connection to the second video connection to facilitate a virtual face-to-face interaction between the celebrity and the customer; confirm signing of at least one item by the celebrity during the virtual face-to-face interaction; and facilitate shipping of the at least one item to the customer.

Abstract: In one embodiment, a method includes receiving user behavior data and contextual information associated with the user behavior data, the contextual information including a first data portion associated with a first context type. The method includes generating, from the user behavior data and the contextual information using a hashing algorithm, a first heterogeneous hash code including a first portion representing the user behavior data and a second hash code portion representing the first data portion associated with the first context type. The method includes accessing a second heterogeneous hash code including a third hash code portion representing a second data portion associated with the first context type. The method includes comparing the first heterogeneous hash code with the second heterogeneous hash code including determining similarity between the second hash code portion of the first heterogeneous hash code and the third hash code portion of the second heterogenous hash code.

Abstract: A technique allows a smart meter to receive a mask. The smart meter may receive the mask from a utility company or an escrow service. The smart meter may apply the mask to original metered data on a continuous schedule, on a periodic schedule, or on a determined schedule, or on a randomized schedule to conceal the original metered data. The smart meter may apply different masks at different times. The smart meter transmits the concealed metered data as augmented metered data remotely to an electric utility via a communication network.

Abstract: Method of certification including receiving user data at a device of a certifying entity. The method includes generating a salt that is unique. The method includes hashing the data combined with the salt to create a generated hashed data. The method includes generating a certification record based on signing the generated hashed data using a private key of the certifying entity to create a signed certification of the data. The method includes hashing the certification record. The method includes transmitting the hashed certification record to a blockchain for storing. The method includes receiving a certification tx-ID of the hashed certification record. The method includes generating a certification data block including the certification record and the certification tx-ID. The method includes storing the certification data block to a side chain.

Abstract: In some embodiments, an electronic device displays suggested routes based on the characteristics of respective vehicles. In some embodiments, an electronic device receives data for respective vehicles from a source external to the electronic device. In some embodiments, an electronic device anonymizes a vehicle identifier and determines customized suggested routes using the anonymized vehicle identifier.

Abstract: Methods and systems described in this disclosure electronically notarize a document. The system can receive biometric information from a user, extract characteristics from the biometric information, and compare the characteristics of the biometric information with previously stored characteristics of the user's biometric information. When the characteristics of the biometric information match the previously stored characteristics to a threshold, the system can create an identity of the user using the characteristics of the biometric information. The system can send a document to the user for cryptographic signature and receive an indication that the document has been signed. The cryptographic signature can be generated with a digest of the document, the identity, and a cryptographic key associated with the user. The system can inspect the digest of the document, the cryptographic key, and the identity associated with the document to verify authenticity of the document and the identity of the user.

Abstract: A system to manage multiple-account access using a master key is disclosed. The system includes a master key obtaining subsystem to obtain a master key encoded in a predefined format; a child key generation subsystem to generate one or more child keys corresponding to one or more accounts associated with a user from the master key using a parent-child relationship function; a password generation subsystem to generate one or more passwords regenerative in nature corresponding to the one or more child keys by using a transformation function; a credential association subsystem to associate the one or more passwords with one or more user identifiers corresponding to the one or more accounts; a credential management subsystem to access each of the one or more accounts by using each corresponding the one or more passwords and each corresponding the one or more user identifiers.

Abstract: A GM acquires a first certificate revocation list designating revoked public key certificates and distributed from a certificate authority server. The GM generates a second certificate revocation list produced by extracting information on a plurality of home electric appliances from the first certificate revocation list. The GM restricts communication with a device for which the public key certificate is revoked, by distributing the second certificate revocation list generated to the plurality of home electric appliances.

Abstract: An electronic device includes a first communication device operable across a first medium of communication and a second communication device operable across a second medium of communication that is different from the first medium of communication. One or more processors operable with the first communication device and the second communication device obtain a client certificate digest from a prospective client device using the first communication device. Thereafter, the one or more processors receive a client certificate from a remote electronic device using the second communication device. The one or more processors then verifying that the prospective client device and the remote electronic device are the same device prior to establishing a secure communication session.

Abstract: A computer-implement method for exchanging data between a blockchain system and a non-blockchain system is provided. The method includes: adding, by endorser nodes, periodically a plurality of status information of the endorser nodes to a smart contract of a blockchain ledger; receiving, by a first peer node, a transaction from an application; sending, by the first peer node, the received transaction to all endorser nodes; processing, by the endorser nodes, the transaction via the smart contract to obtain a plurality of endorsements; electing, by the endorser nodes, one of the endorser nodes as a target endorser node according to the status information of the endorser nodes; and transferring, by the target endorser node, the endorsed transaction to the non-blockchain system via an API corresponding to the non-blockchain system.

Abstract: An unauthorized use detection system includes apparatuses and a hash chain that records, for each piece of data, a data structure that includes a hash value of entire data and hash values calculated with respect to a plurality of partial areas obtained from a specific procedure using the hash value of the entire data. One of the apparatuses reads out the data structure associated with the data of one of comparison targets from the hash chain. The apparatus calculates, regarding data of the other one of the comparison targets, hash values of the plurality of partial areas obtained from the specific procedure using the hash value of the entire data included in the read data structure. The apparatus compares the hash values of the plurality of partial areas included in the read data structure with the calculated hash values of the plurality of partial areas related to the other one.

Abstract: Systems and methods for vehicle message signing are provided. A method includes obtaining, by a vehicle computing system of an autonomous vehicle, a computing system state associated with the vehicle computing system and a message from at least one remote process running a computing device remote from the vehicle computing system. The message is associated with an intended recipient process running on the vehicle computing system. The method includes determining an originating sender for the message. The originating sender is indicative of a remote process that generated the message. The method includes determining a routing action for the message based on a comparison of the originating sender and the computing system state. The routing action includes at least one of a discarding action or a forwarding action to the intended recipient process. The method includes performing the routing action for the message.

Abstract: A method is provided for secure provisioning of a device. In the method, a plurality of integrated circuit (IC) devices is manufactured by a first entity for use in the device. The first entity provides signed provisioning software and stores in at least one provisioning IC device one or more keys used for provisioning the plurality of ICs. The provisioning device with the signed provisioning software is provided to a second entity. The second entity verifies the provisioning software using a stored key. The provisioning software encrypts provisioning assets provided by the second entity and provides the encrypted provisioning assets to the third entity. The signed provisioning software is provided to a third entity by the first entity. During manufacturing of the manufactured products by the third entity, the provisioning software verifies and decrypts the encrypted provisioning assets of the second entity to provision all the plurality of IC devices.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely distribute and manage cryptographic keys within a computing environment using permissioned distributed ledgers. By way of example, an apparatus may receive a registration request and a first digital signature applied to the registration request from a device. Based on a validation of the first digital signature, the apparatus may approve the registration request and apply a second digital signature to the registration request and the first digital signature. In some examples, the second digital signature may be indicative of the approval of the registration request by the apparatus. The apparatus may also transmit the registration request and the first and second digital signatures to a computing system, which may validate the first and second digital signatures and perform operations that record a public cryptographic key of an application program executed at the device onto a distributed ledger.

Abstract: A recording medium storing a program for causing a computer to execute processing including: creating first and second partial certificate information from certificate information that includes attribute information of a signer and certification information used to certify the attribute information, based on a data amount of an electronic document, in response to a signing request for the electronic document; generating an electronic signature for the electronic document and the first partial certificate information; attaching the generated electronic signature to the electronic document and the first partial certificate information, and transmitting the electronic document and the first partial certificate information with the electronic signature attached to a submission source of the electronic document; and transmitting the second partial certificate information to a verification device that verifies authenticity of the certificate information, using another route different from a route that connects the

Abstract: The disclosure relates to systems and methods for managing state using relatively small assistance from protected hardware. Obfuscated code segments may communicate with supporting protected hardware, store encrypted state values in main memory, and/or communicate via secure channels to secure platform hardware components. In various embodiments, consistent state may be achieved, at least in part, by computing secure tag information and storing the secure tag information in a secure and/or otherwise protected device register. Consistent with embodiments disclosed herein, the tag information may be used to derive keys used to encrypt and/or decrypt stored state information. Tag information may further be used in connection with verification operations prior to using the information to derive associated keys.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.