Abstract: A dynamic privileged access governance system and associated processes are disclosed. The dynamic privileged access governance system and processes are cloud-native and adapt to the dynamic nature of the cloud systems.

Abstract: Various disclosed embodiments include illustrative systems, structures, and methods for performing authenticated access to a structure. An illustrative system includes a connector configured to be operably connected to a personal electronics device and to receive an electric charge from the personal electronics device, a controller couplable to an electromechanical locking device and the connector, and a memory. The memory is configured to store computer-executable instructions configured to cause the controller to receive first authentication information, receive second authentication information from the personal electronics device, authenticate the personal electronics device responsive to the first authentication information and the received second authentication information, and activate an electromechanical locking device to unlock responsive to the electric charge and a successful authentication.

Abstract: A method of managing file permissions in a remote file storage system includes defining permissions for the remote file storage system and controlling access to objects on the remote file storage system according to the permissions of the remote file storage system. The permissions are transferred to a client file storage system remote from the remote file storage system, and access to objects on the client file storage system is controlled according to the permissions of the remote file storage system. A remote file storage system includes a permissions file generator operative to generate a permissions file, which is transmitted to a client file storage system for enforcement at the client file storage system.

Abstract: Various systems and methods of establishing and utilizing device management (DM) services in Internet of Things (IoT) networks and similar distributed network architectures, are described herein. In an example, a Cloud-To-OCF Device mediator service may be established from OCF services definition; this mediator service may be used to establish connectivity between a cloud-capable device and a cloud-based service. Further systems and methods to provide a proxy access service (PAS) hosted on a cloud service provider, that enable a PAS to coordinate and preserve device-to-device interactions from end-to-end, are also disclosed.

Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a request from an application for authorization to access. Access to the application is requested by a user using a user device. The processor is configured to provide an authentication request to the user device, receive a device credential, wherein the device credential is backed by data stored in a distributed ledger, determine a user identifier and an authentication device associated with the user based at least in part on the device credential, provide a proof request to the authentication device, receive a proof response, determine that the proof response is valid, generate a token, and provide the token to the application authorizing access for the user.

Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other sensitive information. Certain embodiments may use a virtualized execution environment to execute code and/or programs that wish to access and/or otherwise use genomic and/or other sensitive information. In some embodiments, data requests from the code and/or programs may be routed through a transparent data access proxy configured to transform requests and/or associated responses to protect the integrity of the genomic and/or other sensitive information.

Abstract: Various exemplary embodiments relate to an anonymous database system. The system includes a plurality of biometric nodes in communication with one another. Each of the plurality of biometric nodes includes a biometric input that receives biometric data from a user. The system also includes at least one central database in communication with the plurality of biometric nodes; and a plurality of institution databases in communication with the plurality of biometric nodes. A first node of the plurality of biometric nodes is configured to receive a message from a second node of the plurality of biometric nodes, the message requesting authorization of data access by the second node. Various embodiments relate to a method for performing an action requiring multiple levels of authentication using an anonymous database system.

Abstract: The present invention provides methods, systems and computer program products (software) for the reliable, attack-resistant authentication of a network-connected user to a network-connected service provider.

Abstract: Techniques are disclosed relating to installing and operating applications in a server-based application workspace. A computer system, while operating the server-based application workspace, may store subscription information indicating a user that is a developer for a particular application package, and one or more users that are subscribers for the particular application package. The computer system may further store lock data for the particular application package that indicates user permissions to edit at least one application component for the particular application package. Based on the lock data, the computer system may permit the developer to edit the at least one application component of the particular application package, and deny requests from the one or more users to edit the at least one application component.

Abstract: A system for accepting the input of a PIN comprises a first device receiving a randomized PIN layout derived on a fourth device. The randomized PIN layout is displayed on a display of the first device. A second device comprises an input for accepting a series of key presses to produce a PIN token. The PIN token indicating each of the series of key presses. A third device is in communication with the second device. The third device derives the randomized PIN layout and receives the PIN token from the second device without the PIN token being present on the first device. The third device combines the PIN layout and the PIN token to produce a PIN. The PIN is used to authenticate a transaction. The fourth and third devices each store a shared secret used to independently derive the randomized PIN layout on the fourth and third devices.

Abstract: A method for unlocking the lock using real-time wireless power supply includes proceeding with authentication identification of a powerless lock by an electronic key after pairing. Power is wirelessly supplied from the electronic key to the lock when the authentication identification starts or the authentication identification passes. The lock obtains the power wirelessly supplied from the lock to operate. When the authentication identification is identified as being successful, the electronic key outputs an unlocking command to the lock. The lock receiving the unlocking command proceeds with an unlocking operation using the power supplied wirelessly.

Abstract: Certain aspects of the present disclosure provide techniques and systems for screening chat attachments. A chat attachment screening system monitors a chat window of a first computing device associated with a first user during an interaction session between the first user and a second user. An upload of an attachment is detected based on the monitoring. Access to the attachment from a second computing device associated with the second user is blocked, in response to detecting the upload. Content from the attachment is identified and extracted. A type of the attachment is determined based on the content. A determination is made as to whether the second user is authorized to access the type of the attachment. An indication of the determination is presented on at least one of the first computing device or the second computing device during the interaction session.

Abstract: Provided is a system for blockchain-based multi-factor security authentication between a mobile terminal and an IoT device, the system including: the IoT device; a user terminal remotely controlling operation of the IoT device; and an authentication server approving control of the IoT device by the user terminal, wherein the authentication server has: a first function of recording information related to a registration hash value in a blockchain; a second function of receiving an authentication hash value generated by the user terminal when approval for control of the IoT device is requested, and determining validity of the authentication hash value by using the information related to the registration hash value recorded in the blockchain; and a third function of approving control of the IoT device by the user terminal when the authentication hash value has validity as a result of the determination.

Abstract: A system can include a processor having a secure mode and a non-secure mode, and a secure module configured to respond to tokens posted by the processor in the secure mode. Each token can identify a secure asset, and source and destination addresses within secure and public address spaces. The secure module can include a memory storing secure assets identifiable by the tokens and a memory access circuit to read data from source addresses and write processed data to destination addresses. The system can further include a cryptography engine configured to process the read data using identified secure assets. The secure module can respond to tokens posted in the non-secure mode. The memory can store, with each secure asset, a respective rule defining the address spaces where the memory access circuit may read and write data. The secure module can ignore tokens that do not satisfy respective rules.

Abstract: In a server configured to operate on a network. secured access to shared digital content is implemented in response to a request from a first user to access one or more content items belonging to a second user. Information about the first and second users is analyzed with a machine learning algorithm to determine a relationship between the first user and the second user. The first user is granted or denied access to the one or more content items based on the determined relationship.

Abstract: Disclosed embodiments relate to systems and methods for securely handling secrets by securing development and operations pipelines. Techniques include identifying a network access request for a process within the development and operations pipeline; accessing a result of at least one investigation of the process and the network access request, wherein the at least one investigation includes one of monitoring the process behavior, performing a process attestation, or performing an inspection of the network access request; determining whether to authorize the network access request; and conditional on whether the network access request is authorized, dynamically injecting a secret into the network access request, wherein the secret is not made available to the process itself.

Abstract: A device, mobile operator, network, and a device controller can exchange messages for EAP-TLS authentication. The network can include an authentication server function (AUSF). A device and device controller can record both a device certificate and a device controller certificate. The device controller can receive a subscriber concealed identity (SUCI) for the device from the AUSF. The device controller can decrypt the SUCI and send the network the certificates with a device SUPI. The network can send at least a TLS ephemeral public key to the device controller. The device controller can generate a digital signature for at least the ephemeral public key with a private key for the device controller certificate. The AUSF can complete an EAP-TLS authentication with the device using at least (i) the device certificate for the device, (ii) the device controller certificate for the server, (iii) the digital signature, and (iv) the ephemeral public key.

Abstract: Sharing data in a data exchange across multiple cloud computing platforms and/or cloud computing platform regions is described. An example method can include generating a consumer account corresponding to a first cloud entity and receiving, by the first cloud entity, a copy of a data set from a provider account corresponding to a second cloud computing entity, wherein the first cloud computing entity and the second cloud computing entity represent different regions of a cloud computing platform. The method may also include accessing, by the consumer account, the copy of the data set.

Abstract: A method includes providing, on a computing device, when a user of the device is authorized, a user interface including respective representations of first medication administration functions and second medication administration functions associated with storage of the one or more medications and, in response to determining that the computing device is within the first predetermined area, enabling the computing device to perform the one or more first medication administration functions associated with the first predetermined area to cause, responsive to a selection of a displayed representation of the one or more first medication administration functions, a respective electronic medication storage cabinet associated with the selected displayed representation to perform an operation regarding a physical storage of a medication associated with a patient of the one or more patients, and preventing the computing device from performing the one or more second medication administration functions not associated with

Abstract: Methods and systems are described for the detection and identification of a cellular device that crosses a perimeter associated with a premises that is installed with a monitoring system. Subsequently, a determination of an intruder crossing the perimeter and/or entering a building within the premises may be made based on receiving unique identification values for the cellular device and/or information associated with a user of the cellular device. One or more sensors present within or near the premises may be configured to send alert information when tripped. The monitoring system may be configured to determine a location of the cellular device, an identity of the user of the cellular device, additional information stored, transmitted or received by the cellular device, and safe escape routes that may be sent to one or more user devices registered with the monitoring system.

Abstract: An air-conditioning device control method includes receiving an instruction sent by a terminal device, judging whether the instruction comes from a preset local area network, identifying a user identity according to the instruction in response to the instruction coming from the preset local area network, acquiring an operation mode of an air-conditioning device that is adapted to the user identity, and executing the operation mode of the air-conditioning device.

Abstract: Methods, apparatus, systems and articles of manufacture to provide resource security are disclosed. Example methods and apparatus manage a benchmark specific to a resource, the benchmark created during development of the resource and including a collection of rules to constrain behavior of the resource, enable a rule of the benchmark that corresponds with a type of the resource, disable a rule of the benchmark that does not correspond with the type of the resource, test the enabled rule of the benchmark against the resource, identify an insufficiency of the resource based on the enabled rule of the benchmark, and remediate the insufficiency of the resource to comply with the enabled rule of the benchmark.

Abstract: A computer-implemented method uses a context node to identify sister nodes. The method includes receiving, by a processor, input data. The input data includes a plurality of messages, each message containing a set of message data. The method further includes, generating, by a pattern detector, and based on the input data, a network graph, where the network graph includes a plurality of nodes. The method also includes selecting a first context node. The method includes determining a first pattern for the first context node. The method further includes identifying, based on the first pattern, a first sister node. The method also includes outputting, by a network interface, the first sister node and the network graph.

Abstract: Techniques are described for providing session management functionalities using an access token (e.g., an Open Authorization (OAuth) access token). Upon successful user authentication, a session (e.g., a single sign-on session) is created for the user along with a user identity token that includes information identifying the session. The user identity token is presentable in an access token request sent to an access token issuer authority (e.g., an OAuth server). Upon receiving the access token request, the user identity token is parsed to identify and validate the session against information stored for the session. The validation can include various session management-related checks. If the validation is successful, the token issuer authority generates the access token. In this manner, the access token that is generated is linked to the session. The access token can then be used by an application to gain access to a protected resource.

Abstract: A processing device of a memory sub-system can receive a first address from a host and can provide the first address to a memory management unit (MMU) for translation. The processing device can also receive a second address from the MMU wherein the second address is translated from the first address. The processing device can further access the memory device utilizing the second address.

Abstract: A method for determining a misconfiguration of components in an Information Technology (IT) infrastructure includes decomposing one or more components into sub parts, creating one or more synthetic objects, each synthetic object being associated with a sub part of a respective component, and including the components and the synthetic objects in a model of the IT infrastructure. The method further determines a relationship between a first component and a first synthetic object based on attributes of the first component and attributes of the first synthetic object, includes the determined relationship in the model of the IT infrastructure, and loads a graph of the IT infrastructure in a graph database with the first component and the synthetic object as nodes and the determined relationship as an edge in the graph. The method further determines the misconfiguration of components in the IT infrastructure by identifying components having improper relationships in the graph.

Abstract: Systems and methods involving a user authentication system for granting access to digital systems and content, computing systems and devices and physical locations. The authentication system granting access to digital systems and content involves a mobile device, a computing device and a server. The authentication system granting access to computing systems and devices and physical locations involves a mobile device, an interface device, a secure system and a server. The authentication systems described permit a user to access digital systems and content, computing systems and devices and physical locations using only the user's mobile device. The mobile device runs mobile application that performs the authentication functionality using biometric data obtained on the mobile device. The authentication data is stored on the mobile device in an encrypted format and is not shared with the other devices in the authentication system.

Abstract: A computer-implemented method for selectively monitoring devices may include (i) identifying a set of characteristics of a device-usage session of a device, (ii) calculating, based on the set of characteristics, a privacy score for the device-usage session, (iii) selecting, for the device, a device monitoring profile that is correlated with the privacy score and that defines an intensity level of monitoring actions to be performed on the device, and (iv) monitoring activity performed on the device during the device-usage session in accordance with the device monitoring profile that is correlated with the privacy score for the device-usage session. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A server includes one or more processors configured to: perform bidirectional communication with the software update device using a first communication method; transmit information to the software update device using a second communication method different from the first communication method; and determine whether the one or more processors have received a specific request from the software update device using the first communication method, wherein the one or more processors are configured to provide a notification to the software update device using the second communication method when determining that the one or more processors have not received the specific request from the software update device.

Abstract: Various embodiments disclosed herein are related to a non-transitory computer readable storage medium. In some embodiments, the medium includes instructions stored thereon that, when executed by a processor, cause the processor to receive, at a node of a cluster on an edge network, an indication that the cluster received a configuration update, compare a first parameter of a configuration state of the node to a second parameter of the configuration update, determine if the first parameter matches the second parameter, in response to determining that the first parameter matches the second parameter, apply the configuration update, and collect data in accordance with the configuration update.

Abstract: A “scannable logo” image contains encoded identity data for the logo brand owner, encoded visual identification characteristics for the logo brand, an encoded GPS data corresponding to manufacturing location for a manufactured item or assembled item, plus additional embodiment dependent data. The image is scanned with the image scanning function of a mobile communication device and the encoded logo brand owner identity data, the encoded visually identifying characteristics for the logo brand, and the encoded GPS location information are decoded with a decoding function. The GPS location information is captured for the mobile communication device with the GPS function of the mobile communication device and compared to the decoded GPS location information. If the decoded information is a geo-proximal match, an authentication application is launched in the computer function of the mobile communication device.

Abstract: Methods and systems for monitoring network activity. Various embodiments may deploy virtual security appliances to a certain location or with a specific configuration based on data regarding previous attacks and attacker activity. Accordingly, the deployed virtual security appliance(s) are better suited to gather more useful behavior regarding threat actor behavior and attacks.

Abstract: A system and method for determining human keystrokes in a secure shell (SSH) session from SSH session data traffic provides insight and evidence of an intrusion into a computer network. In one embodiment, the presence of human keystroke(s) in an SSH session may be inferred using a sensor appliance. In one embodiment, the SSH data traffic is encoded in a vector, one or more communication patterns are identified in the vector and the presence of human keystrokes may be inferred from the one or more communication patterns.

Abstract: Embodiments of the invention include an entity, such as ePDG or TWAN entity, capable of serving a User Equipment for WLAN access to a Packet Core such as EPC of a mobile network, said entity configured to: provide at least one of: an indication whether IMEI checking is requested, an indication whether IMEI checking by a visited EIR or by a home EIR is requested, an indication of an action to be taken upon IMEI check result.

Abstract: Introduced here are technologies for securely booting a network access device or a satellite device. A network-accessible server system may receive a boot request that includes a boot certificate to identify the network access device. The network-accessible server system may determine that the boot certificate corresponds with a verified boot certificate listed on a boot certificate registry. The network-accessible server system may determine that a geographical location of the network access device and a user electronic application executing on an electronic device are within a predetermined range.

Abstract: According to aspects of the present disclosures, when receiving an enabling request of a cloud cooperation function, a controller of an MFP notifies a user using an LCD module and change its state to an approval waiting state. When an approval operation by a user is confirmed, the MFP shifts access permission state and notifies a mobile terminal of the fact. When a constant connection between the MFP and a server is established, the MFP transmits a creation request for creating a server access token to the server. Then, the MFP receives the server access toke and transmits the same to the mobile terminal.

Abstract: Embodiments for securing fine timing measurement (FTM) communications are described. FTM communications include FTM frames sent and received from an initiating station (ISTA) and a responding station (RSTA). The RSTA records a plurality of parameters associated with the FTM frames and uses the plurality of parameters to learn and identify a device profile for the ISTA. The device profile is used to determine a behavior filter for the FTM from the ISTA and the RSTA filters FTM traffic according to the behavior filter to prevent malicious attacks in the FTM communications.

Abstract: Systems and methods are described herein to enable the automated and/or user-guided creation, collection, and curating of digital content items that represent a user's experiences, personality, interactions, and legacy. A digital trustee may be assigned to control access to the content after the death of the user. A user may create a death file with content items to be handled in a specific (e.g., user specified) manner after the death of the user. For example, the contents of the death file may be released to a family member or deleted by the system entirely.

Abstract: Systems and methods for account access/identity verification based on access to a third party account. In various embodiments, the disclosed system facilitates access to a particular account via verification of the identity of the accessing user through control of a third party account. That is, in one embodiment, the system allows a user to access an account if the user can prove that he/she also has access to another account (e.g., via providing a code to the system that was transmitted to the other account).

Abstract: Some embodiments provide a method, executable by a network device, that receives a first set of commands instructing the network device to allow network traffic to egress out of an authentication port of the network device. The authentication port is configured to belong to a first virtual local area network (VLAN). An unauthenticated device is connected to the authentication port. The method further receives a second set of commands instructing the network device to add ports belonging to the first VLAN to a broadcast domain of a second VLAN. The method also broadcasts an address request to the broadcast domain of the second VLAN. The method further receives, from the unauthenticated device, a response to the address request.

Abstract: An apparatus includes a non-volatile memory (NVM) device coupled to a host, the NVM device including a processing device to: receive a communication packet from a server via the host computing system that is coupled to the NVM device and communicatively coupled to the server, the communication packet comprising clear text data that requests to initiate secure communications; perform a secure handshake with the server, via communication through the host computing system, using a secure protocol that generates a session key; receive data, via the host computing system, from the server within a secure protocol packet, wherein the data is inaccessible to the host computing system; authenticate the data using secure protocol metadata of the secure protocol packet; optionally decrypt, using the session key, the data to generate plaintext data; and store the plaintext data in NVM storage elements of the NVM device.

Abstract: Telemetry associated with an Exec( ) Event denoting that a program has been invoked via a process is received. A determination is made that the process is a shell. Subsequent to determining that the invoked program is a shell, additional information comprising information that the program has attempted to obtain terminal information is received. Based at least in part on the received additional information, a determination is made that the program is an interactive shell. An action is taken in response to the determination that the program is an interactive shell.

Abstract: The invention relates to systems and methods that implement an interactive contractor dashboard. An embodiment of the present invention is directed to aggregating contingent labor data (firm-wide and globally) into a single consolidated infrastructure from multiple data feeds and systems. Once the data is aggregated, an embodiment of the present invention may apply entitlements, reduce the dataset accordingly and dynamically provide a customized interactive interface where the user may generate reports and access analytics for one or more contractors associated with the user.

Abstract: A method may include receiving a registration request at a server of a consent management platform from a content-presentation device, and using an authentication certificate in the request to establish a secure communicative connection. The server may generate: a global ID (GID) from information received over the secure connection; a device-based device record for the device, and including the GID and a unique address indicator; and a cryptographically-signed token. The GID, device record, and token may be transmitted to the device. The unique address indicator may be associated with consent packages having features of a media distribution system that require user consent to associated agreements for activation on the device. The server may generate a server-based device record duplicating the device-based device record, and including the consent packages and indicators of consent agreement status initialized to undeclared. The server may store the server-based device record in a flat database.

Abstract: A system for detecting phishing events is provided. A data receiver is configured to receive datasets representative of web traffic associated with access to or on-going usage of an application hosted on a server of a production environment by a user. A machine learning engine is configured to generate a score based at least on the datasets representative of the web traffic indicative of whether the user is a malicious user or a non-malicious user. A routing modification engine is configured to route downstream web traffic associated with access to or on-going usage of the application by the user if the score is greater than a threshold to a server of a sandbox environment that is configured to emulate a graphic user interface of the production environment.

Abstract: In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.

Abstract: A network and a device can support secure sessions with both (i) a post-quantum cryptography (PQC) key encapsulation mechanism (KEM) and (ii) forward secrecy. The device can generate (i) an ephemeral public key (ePK.device) and private key (eSK.device) and (ii) send ePK.device with first KEM parameters to the network. The network can (i) conduct a first KEM with ePK.device to derive a first asymmetric ciphertext and first shared secret, and (ii) generate a first symmetric ciphertext for PK.server and second KEM parameters using the first shared secret. The network can send the first asymmetric ciphertext and the first symmetric ciphertext to the device. The network can receive (i) a second symmetric ciphertext comprising “double encrypted” second asymmetric ciphertext for a second KEM with SK.server, and (ii) a third symmetric ciphertext. The network can decrypt the third symmetric ciphertext using the second asymmetric ciphertext.

Abstract: A security key device, a security authentication system, and a security authentication method are provided. The security key device includes a communication module, a security processing unit, and a processing unit. The security processing unit executes an authentication module, a bridge module, and a management module. The authentication module is configured to operate according to a Fast IDentity Online protocol. The management module is configured to operate according to a Public Key Infrastructure protocol. The authentication module receives through the communication module an input command provided based on the Fast IDentity Online protocol by a web authentication module of a browser executed by an electronic device. According to a header of the input command, the authentication module determines that the input command is used to be executed by the authentication module or used to access the management module through the bridge module.

Abstract: A network device queue manager receives a request to execute a workload on a node of a cloud computing environment, where the cloud computing environment comprises a plurality of nodes; determines that the workload is to be executed by a dedicated processor resource; identifies a set of one or more shared processor resources associated with the node, wherein each shared processor resource of the set of shared processor resources processes device interrupts; selects a processor resource from the set of one or more shared processor resources to execute the first workload on the first node; bans the selected processor resource from processing device interrupts while executing the workload; and executes the workload with the selected processor resource.

Abstract: A security object management system may include a management module including a device processor and a non-transitory computer readable medium including instructions stored thereon, and executable by the processor, for performing the following steps: accessing a database having stored therein data regarding a plurality of security objects, wherein the data includes ownership data regarding the assignment of rights associated with the security objects; and receiving user input to certify the accuracy of data associated with at least one of the security objects; wherein the computer readable medium further includes instructions for, in response to a change in data associated with a security object, executing a write back function whereby the change in the data is stored in a database that is accessible by a third party having access rights exclusive of ownership and administrator rights of the security object in the database.