Abstract: Aspects described herein may allow for authenticating a user by generating a customized set of authentication questions based on spending patterns that are automatically detected and extracted from user data. The user data may include transaction data collected over a period of time that may indicate the types of merchants that a user frequently transacts with. By automatically detecting user patterns that correspond to user behavior over a period of time, an authentication system may be able to generate authentication questions about those spending patterns that are easily answerable to an authentic user but difficult to guess or circumvent for any other user.

Abstract: Disclosed are methods, systems, and non-transitory computer-readable media for determining a trust score associated with a user, comprising detecting entities near a user device operated by the user; calculating the trust score for the user based on a policy that incorporates data about the entities near the user device, the trust score being a score that is indicative of a trust worthiness of data received from the user device, wherein trusted entities near the user device result in an increased trust score, and untrusted entities near the user device result in a decreased trust score; and permitting access to a resource when the trust score is above a threshold.

Abstract: Systems and methods to create a customized watch face and retrieve the watch face to be displayed are disclosed. Exemplary implementations may effectuate presentation of a selection interface; receive a mint request to mint the watch face in accordance with a watch face design; effectuate a transfer of consideration from a user wallet to an administrative wallet; mint the watch face; transfer a non-fungible token to the user wallet; receive a display request to display the watch face on a watch screen; determine whether the user wallet holds a non-fungible token associated with the watch face; responsive to the user wallet holding the non-fungible token, facilitate display of the watch face on the watch screen; responsive to the user wallet not holding the non-fungible token, take no action to facilitate display of the watch face on the watch screen; and/or perform other operations.

Abstract: A method including transmitting, by an infrastructure device to a user device, an invitation link to enable the user device to receive network services from the infrastructure device; transmitting, by the infrastructure device to the user device based on verifying that the invitation link was activated by the user device, seed information to enable the user device to determine authentication information; determining, by the user device, the authentication information based on utilizing the seed information; transmitting, by the user device to the infrastructure device during a communication session, a user request related to an action to be performed regarding receiving the network services, the user request being signed based on utilizing a first portion of the authentication information; and authorizing, by the infrastructure device, the user request based on verifying that the communication session is currently active. Various other aspects are contemplated.

Abstract: A communication system includes an information processing terminal, a first electronic device of which setup to connect to an access point of a wireless network, and a second electronic device. The information processing terminal transmit a transmission request of connection information to the first electronic device, and the first electronic device obtains authentication information based on the transmission request and determine whether to permit transmission of the connection information. The first electronic device transmit the connection information to the information processing terminal when determining to permit the transmission, but not transmit the connection information when determining not to permit the transmission. When receiving the connection information, the information processing terminal transmit the connection information to the second electronic device, and the second electronic device completes the setup using the received connection information.

Abstract: Deep learning training service framework mechanisms are provided. The mechanisms receive encrypted training datasets for training a deep learning model, execute a FrontNet subnet model of the deep learning model in a trusted execution environment, and execute a BackNet subnet model of the deep learning model external to the trusted execution environment. The mechanisms decrypt, within the trusted execution environment, the encrypted training datasets and train the FrontNet subnet model and BackNet subnet model of the deep learning model based on the decrypted training datasets. The FrontNet subnet model is trained within the trusted execution environment and provides intermediate representations to the BackNet subnet model which is trained external to the trusted execution environment using the intermediate representations. The mechanisms release a trained deep learning model comprising a trained FrontNet subnet model and a trained BackNet subnet model, to the one or more client computing devices.

Abstract: Multi-RAT UEs currently have 2 independent paths to authenticate with HSS (e.g., via the MME or the 3GPP AAA Server causing repeated authentication messages to HSS). The use of one unified authentication path between the UE and HSS for Small Cell and Wi-Fi authentication is described. First, a new 3GPP EPC-TWAN interworking architecture has the MME manage all the authentication requests from multi-RAT UEs. Second, new unified authentication procedures are added, which allow the ISWN-based multi-RAT UE to be authenticated directly with the HSS, irrespective of its current access network (TWAN or HeNB). Third, new fast re-authentication procedures for Inter-RAT handover scenarios are done. Finally, the needed extensions to the various standard protocol messages to execute the authentication procedures are described.

Abstract: Embodiments of the present disclosure relate to network gateway based messaging systems and methods. Some methods include transparent message processing that includes receiving a message from a first party that includes a payload and a token. The token is associated with sensitive information. Next, the method includes replacing the token with the sensitive information within the message and forwarding the message with the sensitive information to a second party. The payload is unaffected by the token exchange process.

Abstract: For connection establishment, a system allocates memory that will be occupied by the data and handshake sub-protocol infrastructure that facilitates establishing a TLS connection. After connection establishment, the system allocates memory space for the data and record sub-protocol infrastructure that facilitates the asynchronous communication of application traffic. The memory space for the TLS session (i.e., the communication information separate from the handshake) has a substantially smaller footprint than the memory space for the TLS handshake. The TLS handshake memory space can be released and recycled for other connections while application communications use the smaller memory space allocated and populated with the TLS session data and infrastructure.

Abstract: Aspects of the disclosure relate to using machine-learning models to determine graduated levels of access to secured data for remote devices. In some embodiments, a computing platform may establish a connection with a mobile device. Subsequently, based on establishing the connection, the platform may identify initial device information, device features, and user information. The platform may input the identified information into an authentication model to compute a baseline authentication score and then may identify an initial level of access to secured resources for the mobile device. Thereafter, the platform may receive from the mobile device, AR/VR device information captured by the mobile device. The platform may input the AR/VR device information into the authentication model to compute an augmented authentication score. Based on the augmented score, the platform may identify an augmented level of access to secured resources for the mobile device.

Abstract: Existing approaches to security within network, for instance oneM2M networks, are limited. For example, content might only be protected while the content is in transit between entities that trust each other. Here, the integrity and the confidentiality of content in an M2M network are protected. Such content may be “at rest,” such that the content is stored at a hosting node. Only authorized entities may store and retrieve the data that is stored at the hosting node, and the data may be protected from a confidentiality perspective and an integrity perspective.

Abstract: Systems and methods for embodiments of artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may support the creation, association, searching, or visualization of any relevant context to identity management assets for a variety of purposes, including the creation of nested identity management artifacts in a search index and search syntaxes for querying such nested artifacts.

Abstract: Systems, methods, and computer readable media for performing mobile interactions using a mobile communication device and an access device without a connection to a data network. An access device can provide the mobile communication device with a value request message requesting access tokens for an interaction. The mobile communication device provides access data including a plurality of access tokens to the access device. The access device can use the access tokens to gain access to value elements stored in data lockers of the mobile communication device. Upon receipt of the value elements, the access device may provide the mobile communication device with access to a resource.

Abstract: Provided is a method, system, and apparatus for authenticating a user device. The method includes registering a device identifier with at least one transformation rule, receiving a request for authentication comprising a device identifier associated with a user device, obtaining a one-time password (OTP) in response to receiving the request, communicating the OTP to the user device, receiving a transformed OTP from the user device, and authenticating the user device based on the OTP, the transformed OTP, and the at least one transformation rule.

Abstract: The present invention relates to the field of communication technologies, and particularly, to a resource access method and apparatus. In the solution, even if a client cannot directly communicate with an authorization server, the client can still initiate authorization verification to the authorization server by using a resource server. Then, the resource server returns a resource access response to the client when receiving an authorization response returned by the authorization server.

Abstract: Systems and methods for enhanced OTP messaging, comprising: receiving a request from an application executing on a computing device of a user; generating the supplemental information based on the request; segmenting the supplemental information into a first part of the supplemental information and a second part of the supplemental information; transmitting the first part of the supplemental information to the computing device of the user via a first communication channel to another app executing on the computing device of the user; instructing the another app to allow the user to utilize one or more graphical user interface (GUI) elements of a GUI of the another app to transfer the first part of the supplemental information to the app; and transmitting the second part of the supplemental information to the computing device of the user via a second communication channel so as to provide the supplemental information to the app.

Abstract: A method implemented in a Software as a Service (SaaS) management platform (SMP) is provided, including: providing, over a network, a user interface for rendering by a client device to an employee of a customer of the SMP; receiving, over the network, input from the client device via the user interface, said input identifying a request by the employee for a SaaS application that is one of a portfolio of SaaS applications used by the customer and managed by the SMP; accessing an approval setting stored in association with the SaaS application, the approval setting configured to authorize automated approval of the employee for the SaaS application; responsive to receiving the input, and based on the approval setting, then triggering a single sign-on (SSO) service to provision the employee as a user of the SaaS application.

Abstract: A gesture access system includes a mobile device having a processor, an electronic storage medium, an environment detector system, and a software-based application. The application is stored in the storage medium and executed by the processor for generating a determination that a user of the mobile device has performed an intentional motion indicative of an intent to gain access. The environment detector system is adapted to generate and output information relative to a location of the mobile device with respect to the user and to the processor to assist in the determination.

Abstract: A DNS server receives from a receiving email system, a DNS query for an email domain stored at the DNS server, the DNS query including identifying information of a sender of an email. The DNS server extracts the identifying information of the email sender from the DNS query and identifies one of a plurality of delivering organizations from the information. The DNS server determines whether the identified delivering organization is authorized to deliver email on behalf of the email domain. In response to determining that the identified delivering organization is authorized to deliver email on behalf of the email domain, the DNS server generates a target validation record based on the identity of the authorized delivering organization and the email domain, the target validation record including one or more rules indicating to the receiving email system whether the delivering organization is an authorized sender of email for the email domain.

Abstract: In some implementations, an authentication system may receive a user authentication request identifying a primary device. The authentication system may generate a challenge associated with a user profile mapped to the primary device. The authentication system may transmit a challenge message including the challenge. The authentication system may receive a challenge response including a response to the challenge, wherein the response to the challenge includes identification information regarding the user profile. The authentication system may determine a set of primary services associated with the user profile mapped to the primary device and a set of secondary services associated with a set of secondary devices. The authentication system may generate a set of security keys mapped to the set of primary services and the set of secondary services. The authentication system may provision the primary device and the set of secondary devices with the set of security keys.

Abstract: Systems and methods for embodiments of a graph based artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities, roles, entitlements or other identity management artifacts of a distributed networked enterprise computing environment. Specifically, embodiments of an artificial intelligence based identity management systems may perform predictive modeling for entitlement diffusion or role evolution or other aspects of identity management artifact using network identity graphs.

Abstract: Targeted lockdown of a computer system for an identified vulnerability is provided. The targeted lockdown includes configuring a vulnerability lockdown module implemented on a computer system to perform targeted actions to change a configuration of the computer system. The targeted actions may be configured based at least in part on a type of data stored on the computer system and a potential severity of an impact on the computer system if the vulnerability is exploited. The vulnerability lockdown module may implement a vulnerability lockdown mode by causing the computer system to perform the targeted actions to change the configuration of the computer system by restricting functionality of portions of the computer system affected by the identified vulnerability. The targeted actions performed by the computer system may include altering a way in which a user interacts with the computer system.

Abstract: Systems and methods described herein provide selective synchronization of DNS records. A synchronization data store is synchronized by: obtaining a complete set of domain name system (DNS) records for a first data center; and copying the complete set of DNS records to the synchronization data store. After the synchronization data store is initialized, at a particular time interval, a snapshot of the complete set of DNS records is repeatedly collected. Differences between the copied complete set of DNS records of the synchronization data store and the snapshot of the complete set of DNS records are identified. The synchronization data store is updated with the differences and a determination is made as to whether the differences should be implemented at a second data center. When the differences should be implemented at the second data center, the differences are propagated to the second data center, otherwise they are not.

Abstract: Embodiments use electronic speech samples of detainees and automatically scan electronic speech sample databases to detect when a detainee has a criminal record and to alert controlled-environment facility personnel to that record. An electronic speech sample of the detainee is captured during booking or at another time. The electronic speech sample is compared to a database of electronic speech samples of individuals with criminal records. If the electronic speech sample matches an existing electronic speech sample in the database, then information associated with the matching electronic speech sample is provided to the controlled-environment facility personnel. The information is analyzed to identify key issues, such as active warrants. The controlled-environment facility personnel are alerted to any such key information.

Abstract: The present disclosure relates to a system and methods for providing user authorization via a computer network, particularly, by using mobile authorization, wherein a user can be granted access in a variety of mobile channels. The preferred embodiment of the claimed disclosure presents a user authorization system comprising a user device associated with a data source via a data channel, while the data source is associated with an authentication system, in which there are: the user device configured to form an authorization request to the data source via at least one mobile channel associated with said device; the data source configured to receive the user authorization request and transmit the corresponding request to the authentication system; and the authentication system providing user authorization on said resource via at least one mobile channel associated with the user device.

Abstract: A system and method for backing up critical data of edge devices includes originator, surrogate, and target edge devices as well as a vault-broker server. The critical data, encrypted, is transmitted to and stored by a surrogate. The association of originator and surrogate is managed by the vault-broker server. Encryption protects the data from recovery by unauthorized parties while allowing surrogate edge devices to determine if recovery attempts are made by authorized parties.

Abstract: Systems and methods for maintaining voice assistant persistence across multiple network microphone devices are described. In one example, first and second NMDs each identify a wake word based on detected sound, and are each transitioned from an inactive state to an active state in which the NMD captures and transmits sound data over a network interface. The first NMD is selected over the second NMD to output a first response, and both NMDs remain in the active state to further capture and transmit sound data. After further capturing and transmitting of sound data, the second NMD is selected over the first NMD to output a second response. After a predetermined time, one or both of the NMDs are transitioned back to the inactive state. The selection of one NMD over another for outputting a response can be based at least in part on user location information.

Abstract: A vehicle information remote retrieval method includes an emergency personnel or first responder vehicle (FRV) establishing a vehicle connection between an infotainment system of a vehicle and the FRV. The FRV sends a vehicle information request to the infotainment system of the vehicle, via the vehicle connection, seeking release of vehicle information. The FRV obtains authentication of the vehicle information received in response to the vehicle information request. The FRV determines occupant status based on the vehicle information. The FRV communicates the passenger status to a first responder.

Abstract: Systems, methods, and computer program products to provide neural embeddings of transaction data. A network graph of transaction data based on a plurality of transactions may be received. The network graph of transaction data may define relationships between the transactions, each transaction associated with at least a merchant and an account. A neural network may be trained based on training data comprising a plurality of positive entity pairs and a plurality of negative entity pairs. An embedding function may then encode transaction data for a first new transaction. An embeddings layer of the neural network may determine a vector for the first new transaction based on the encoded transaction data for the first new transaction. A similarity between the vectors for the transactions may be determined. The first new transaction may be determined to be related to the second transaction based on the similarity.

Abstract: Aspects of the disclosure relate to dynamically generating activity prompts to build and refine machine learning authentication models. A computing platform may process a first set of login events associated with a first user account and may build a first user-specific authentication model for the first user account. Then, the computing platform may process a second set of login events associated with a second user account and may build a second user-specific authentication model for the second user account. The computing platform also may build a population-level authentication model for a plurality of user accounts. Thereafter, the computing platform may identify one or more activity parameters associated with at least one authentication model for refinement. Subsequently, the computing platform may generate and send one or more activity prompts to one or more client computing devices to request at least one user response.

Abstract: An authentication system, a user information extraction apparatus, and a user information migration method. The authentication system acquires user information for authenticating a user who uses a device and transmits the acquired user information to the information processing system and the information processing system stores in one or more memory common user information for authenticating a common user who uses the device and another device different from the device, receives the user information from the user information extraction apparatus, and adds the received user information to the common user information stored in the one or more memory.

Abstract: Described embodiments provide systems and methods performing header protection. A device can receive from a client, a request relating to a first resource, for a second resource. The device can determine, using an identifier for the session, whether an address of the first resource has been previously accessed by the client during the session. The device can verify, using an address of the second resource, whether the address of the second resource is mapped to the address of the first resource for the session between the client and the device. The device can determine whether to provide access to the second resource responsive to the address of the first resource being previously accessed by the client during the session and the address of the second resource being mapped to the address of the first resource for the session.

Abstract: An aircraft includes a video display, first and second wireless pairing transmitters, and a media distribution processor. The video display is associated with an audio content stream and a seating location in the aircraft. The first wireless pairing transmitter is associated with the video display and has a first wireless coverage volume. The second wireless pairing transmitter has a second wireless coverage volume that overlaps the first wireless coverage volume. The media distribution processor is programmed and configured to: associate a wireless speaker device with the seating location; pair the first wireless pairing transmitter with the wireless speaker device in response to associating the wireless speaker device with the seating location; and direct the audio content stream through the first wireless pairing transmitter to the wireless speaker device in response to connecting the first wireless pairing transmitter with the wireless speaker device.

Abstract: A data security method, including creating an interaction graph, by analyzing collected interaction events between users and between users and files and/or records, where a respective node of the interaction graph represents a specific one of a user, a record, and a file, where a respective edge indicates an interaction between respective users or between a respective user and a respective file and/or record, where an interaction weight assigned to the respective edge indicates an amount of the interaction, monitoring an attempt by a target user to access a target file and/or record, computing a target interaction weight between the target user and the target file and/or record from the interaction graph, and in response to the target interaction weight being below a target threshold, at least one of filtering security alerts, and blocking access by the target user to the target file and/or record.

Abstract: A method of providing interactive media including receiving an operator input of metadata tags and transmitting a network call to social media platform servers. The network call includes a query for user posts to the social media platform server that include the metadata tags. In response to the query for users posts, the method includes receiving user post data associated with user posts that include the metadata tags. The method includes comparing a timestamp included in the received user post data with timestamps of prior user post timestamps in a stored list of prior user post data. Upon determining that the timestamp included in the received user post data is more recent than prior user post timestamps, the method includes transmitting commands to hardware devices based on the user post data. The commands are configured to activate actions of the hardware devices.

Abstract: A permissions management service may allow a large number of user to access database objects of a database service in a scalable manner. After a data owner on-boards a database of a database service with the permissions management service, the data owner may create a data catalog for a user or user group that indicates the database objects (e.g., tables, views) that are available for the user to request access to. A request from a user may be authenticated by the permissions management service using federation/single sign-on. The user may select database objects from a data catalog of objects that are available for the user to request access to. The permissions management service sends an access request to the database service, indicating the selected database objects. The database service may then grant to the user permission to access the selected objects (e.g., via grant commands).

Abstract: A method for privacy preserving data processing in a linked data operating environment wherein applications have secure and permissioned access in an interoperable manner to data that is stored in one or more online data stores. The method begins by creating a privacy preserving data processing (PPDP) agent for use by an entity to process the data in association with the online data stores. The PPDP agent is then subjected to a certification process that ensures that the PPDP agent does not exfiltrate any data from the online data stores. After a successful certification, and following registration of the agent with an agent repository, a secure PPDP environment is instantiated in association with the data stores and in which the PPDP agent is then configured to execute. The PPDP agent is then executed within the secure PPDP environment over a configured security context and life-cycle of the PPDP agent.

Abstract: Examples are disclosed for remote management of a computing device. In some examples, a secure communication link may be established between a network input/output device for a computing device and a remote management application. Commands may be received from the remote management application and management functions may be implemented at the network input/output device. Implementation of the management functions may enable the remote management application to manage or control at least some operating parameters of the computing device. Other examples are described and claimed.

Abstract: An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.

Abstract: This application provides an identity management method, a device, a communications network, and a storage medium. The method includes generating, by a first control plane node, a first identification, a first public key, and a first private key for user equipment. The method also includes signing the first identification and the first public key based on a second private key of the first control plane node, to obtain first transaction data. The method further includes broadcasting the first transaction data in a blockchain network, where the first transaction data is to be used for consensus calculation in the blockchain network.

Abstract: Techniques for network layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy.

Abstract: Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.

Abstract: To ensure that an electronic device is a secure electronic device, a communication device transmits a request to authenticate the electronic device to a remote electronic device across a network. The communication device receives a security challenge. One or more processors of the electronic device obtain a response to the security challenge using a secret key stored in an encrypted memory of the electronic device. The communication device then transmits the response to the response to the security challenge to the remote electronic device. If the remote electronic device recognizes the response, it transmits a shared secret content marker, which can optionally be presented at a user interface of the electronic device. The request can be automatically initiated by a companion electronic device.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely manage transfers of digital assets between computing devices using permissioned distributed ledgers. By way of example, an apparatus may receive, from a first device, a request to transfer a digital asset to a second device and a first digital signature applied to the request. Based on a validation of the first digital signature, the apparatus may approve the request and apply a second digital signature to the request and the first digital signature indicative of the approval of the request by the apparatus. The apparatus may also transmit the request, the first digital signature, and the second digital signature to a computing system, which may validate the first and second digital signatures and perform operations that record the first public key and asset data identifying the digital asset within at least one element of a distributed ledger.

Abstract: Techniques for application layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy.

Abstract: Authentication management by receiving a request to initiate an authentication from a computing device of a user, directing the request to a selected authentication service of a plurality of authentication services, wherein the selected authentication service is determined dynamically based on respective authentication metrics of the plurality of authentication services, receiving authentication information via the selected authentication service, and authenticating the user based on the received authentication information.

Abstract: An online software platform (OSP) produces, by applying resource digital rules to previous relationship instance data of a primary entity data associated with one or more secondary entities of the domain, a domain resource regarding the domain. The OSP may then determine, by applying an alignment digital rule of the domain to the relationship instance data and the domain resource, whether or not an alignment condition of the domain is met, which indicates whether resources for relationship instances of the primary entity should have been remitted to the domain. If the alignment condition is not met, then the OSP may assemble proposal components, and communicate some of them to the domain on behalf of the primary entity to remit the resources, without initially communicating those proposal components that would reveal the identity of the primary entity.

Abstract: The invention relates to a method for securely providing a personalized electronic identity on a terminal (2) which can be used by a user (1) for identification purposes when claiming an online service. In the method, an identification application is ran on a terminal (2), which is assigned to a user (1), in a system comprising data processing devices (9; 10; 11; 12) and said terminal (2), and additionally a personalization application and an identity provider application are ran.

Abstract: Systems and methods for management and configuration of personal digital privacy and security. A list of protected accounts is received, where each protected account is an online user account associated with a user. For each protected account of the list, a privacy configuration is generated, based at least in part on one or more user-specific privacy rules. A login session for the protected account is accessed, without transmitting or receiving the user's password for the protected account. Based on the accessed login session for the protected account, a plurality of current status indicators are determined for a plurality of privacy settings associated with the protected account. The current status indicators are analyzed to generate updated configuration settings for one or more of the privacy settings of the protected account, and the updated configuration settings are applied to the protected account.

Abstract: Techniques are provided for anomaly-based ransomware detection of encrypted files. One exemplary method comprises obtaining metadata for an encrypted file; applying an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute; and determining whether the encrypted file comprises a ransomware encryption based on the comparison. In some embodiments, one or more of file extension attributes, file size attributes and file name attributes in the metadata are compared to the one or more corresponding historical baseline values to identify a ransomware attack.