Abstract: Embodiments of the present invention provide a system for monitoring a cybersecurity mesh network comprising a distributed sensor grid and a plurality of devices for detection of one or more security incidents. In response to determining that one of the one or more security incidents has occurred, and in response to receiving the request from an identified device that requires the first level of authentication, transmitting to the identified device a request for authentication credentials that meet a second level of authentication, wherein the second level of authentication is more strict than the first level of authentication.

Abstract: The present disclosure relate to a method performed by a UE (102) for handling an invalid SI signature in a communication system. The UE obtains SI and an associated SI signature for a cell. The UE (102) determines if the obtained SI signature is valid or invalid. If the signature is valid, the UE (102) determines to use the cell. If the SI signature is invalid, the UE (102) determines if the UE (102) is configured to bar cells or not. If the SI signature is invalid and if the UE (102) is not configured to bar cells with invalid SI signature, the UE (102) determines to use the cell. If the SI signature is invalid and the UE (102) is configured to bar cells with invalid SI signature, the UE (102) determines to bar the cell and select another cell to use.

Abstract: A method for authenticating a mobile device of a user versus a third-party such that instead of a mobile phone number MSISDN of the mobile device, a Universal Unique User Identifier, U3I, assigned to the mobile device is used, in combination with a secure routing service server constructed to communicate with a third-party server and with an MNO server. The secure routing service server and the MNO server interact to translate the Universal Unique User Identifier, U3I, to the mobile phone number MSISDN so as to enable sending the token to the mobile device.

Abstract: Systems and methods are provided for authenticating image files when network connections should not or cannot be used to transfer image files. A user device application may capture an image at a user device, generate an image file, and generate a hash file based on the image file. Instead of sending the image file to an authentication server for authentication, the application may send the hash file. If desired, the application may transfer the image file when a desirable network connection is available. Any alteration to the image file in the meantime will result in a different hash file for the altered image file, thus allowing detection of altered image files. This approach offers decreases the amount of data that is required to be transmitted in low or undesirable signal conditions, while maintaining an ability to detect alterations to image files that may have been made in the meantime.

Abstract: According to an embodiment, a device sends, to an access point device, a network access authentication request issued with respect to a first network. An authentication server device includes a first device-authentication processing unit that, in response to the network access authentication request, performs an authentication operation based on first-type authentication information. The access point device includes a transfer processing unit and a second device-authentication processing unit. When second-type authentication information is not included in the network access authentication request, the transfer processing unit transfers the network access authentication request to the authentication server device.

Abstract: Systems for item validation and image evaluation are provided. In some examples, a system may receive an instrument and associated data. The instrument may be received and at least one of a bill pay profile and a user profile may be retrieved. The bill pay profile and user profile may each include a plurality of previously processed instruments that have been determined to be valid and/or authentic. The instrument may be compared to the plurality of previously processed instruments to determine whether one or more elements of the instrument being evaluated match one or more corresponding elements of the plurality of previously processed instruments. Matching or non-matching elements may be identified. In some examples, one or more user interfaces may be generated displaying the instruments and including any highlighting or enhancements identifying matching or non-matching elements.

Abstract: A request is received from a user at a client to access a file of a set of files backed up to a backup server. Upon verifying a password provided by the user, the client is issued another request for authentication. A first data structure is received responsive to the request. The first data structure is generated using identifiers corresponding to a set of files at the client of which at least some presumably have been backed up to the server. A second data structure is generated. The second data structure is generated using identifiers corresponding to the set of files backed up to the server. The first and second data structures are compared to assess a degree of similarity between the files at the client and the files backed up to the backup server. The user is denied access when the degree of similarity is below a threshold.

Abstract: A system includes an external apparatus, a server having an authentication function, and an image processing apparatus that communicate with each other via a network. The system performs user authentication in the server, for a user using the system, acquires apparatus information of the external apparatus from a printing request received from the external apparatus, verifies the apparatus information in the server, and executes printing in the image processing apparatus, based on the printing request from an external apparatus corresponding to the successfully verified apparatus information, in a case where the user authentication and the verification for the external apparatus are successful.

Abstract: Systems, computer program products, and methods are described herein for intrusion detection using resource activity analysis. The present invention is configured to receive, from a computing device of a user, an indication that the user has accessed a resource allocation portfolio of a customer; determine a geographic information of the user; retrieve a geographic information of the customer; determine that the geographic information of the user does not match the geographic information of the customer; determine an exposure level associated with the user access of the resource allocation portfolio of the customer; determine that the exposure level is greater than a predetermined threshold; and automatically trigger a transmission of a notification to a computing device of an administrator indicating that the exposure level associated with the user access of the resource allocation portfolio of the customer is greater than the predetermined threshold.

Abstract: A method may include receiving, from a user device, a registration request that includes a subscription concealed identifier (SUCI), identifying a network element to decode the SUCI and forwarding the SUCI to the identified network element. The method may also include decoding the SUCI to identify a subscription permanent identifier (SUPI), identifying a unified data management (UDM) device associated with the SUPI and transmitting an authentication request to the identified UDM device to obtain authentication information associated with the user device. The method may further include receiving the authentication information and authenticating the user device based on the received authentication information.

Abstract: Firmware passwords, such as BIOS passwords can be managed by a remotely executed management service. A password reset command can be generated and transmitted to a client device. A management agent can execute the command and provide confirmation to a management service that the password has been updated.

Abstract: A method for enhanced access control is provided that includes the steps of displaying buttons, by an electronic device, where each button corresponds to a different service. Moreover, the method includes receiving, by the electronic device, input regarding a selected service, transmitting at least one credential for the selected service to a computer, and capturing, by a camera in communication with the computer, facial image data of a user. The method also includes determining whether the facial image data was taken of a live person. In response to determining the facial image data was taken of a live person, a verification transaction is conducted based on the at least one credential and facial image data. In response to verifying the identity of the user as true, the user is granted access to the selected service.

Abstract: An automated computer operating software system for automatically generating user profiles is disclosed. The system is configured to automatically creates a profile or a number profiles based on biometric methods but also stores the profile(s) information along with an associated device(s) information and user generated data locally and remotely through various hardware modules and can also retrieve this information to any other device based on biometric authentication on the other device and auto adjust the operating parameters according to that other device and its operational parameters and again continue this same kind of auto creating, backing up and retrieving of both the profile of the user and device as well in a continuous loop of infinite number devices and user profiles.

Abstract: A method, system, and computer program product to provide a synthetic device ID for a device is provided herein. The method includes receiving a request from the device to obtain a service from a vendor, where the device is associated with an internal device ID. The method further includes generating the synthetic device ID for the device and associating the device, the internal device ID, the vendor, and the synthetic device ID. The method also includes transmitting the synthetic device ID to the vendor, and internally tracking the request based on the association.

Abstract: A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.

Abstract: Systems and methods for multi-factor authentication are based on validation of an inherence factor and a possession factor obtained in a “frictionless” or almost frictionless manner. A method conducted at a software application executing on a user device associated with a user and connected to a server computer, includes obtaining signing or encryption of a set of data elements using a cryptographic key securely stored for exclusive use by the software application and transmitting the signed or encrypted data elements to the server computer. The method includes transmitting, to the server computer, a payload including contextual data which includes behavioural data collected via one or more contextual data sources. The signed data elements represent a possession factor and the payload including contextual data represents an inherence factor for validation and multi-factor authentication by the server computer.

Abstract: A computerized method produces an identity code to identify each subject stored in the computer systems connected to a computer network while protecting the privacy and confidentiality of the subject. A central computer system receives an identity code of a suspect of a financial crime and sends the identity code to all computer systems connected to the computer network. The computer systems that have the matched identity code send the requested information to the central computer system. As a result, law enforcement organizations can eliminate crimes and financial institutions can recover the money stolen from them. In addition, law enforcement organizations and financial institutions can identify money launderers that are missed by their anti-money laundering transactional monitoring systems.

Abstract: Devices, systems, and methods with behavioral one-time-passcode (OTP) generation. In one example, a server includes a memory and an electronic processor communicatively connected to the memory. The memory includes a behavioral one-time-passcode (OTP) program and a user profile repository. The electronic processor, when executing the behavioral OTP program, is configured to receive a one-time-passcode (OTP) request, generate a behavioral one-time-passcode (OTP) based on a user profile stored in the user profile repository in response to receiving the OTP request, and output the behavioral OTP that is generated.

Abstract: Aspects of the disclosure relate to processing external messages using a secure email relay. A computing platform may receive, from a message source server associated with a first domain, a first email message and a first set of authentication credentials. Based on validating the first set of authentication credentials, the computing platform may inject, into the first email message, a DomainKeys Identified Mail (DKIM) signature of a second domain different from the first domain, which may produce a signed message that identifies itself as originating from the second domain. Based on scanning and validating content of the signed message, the computing platform may send the signed message to a message recipient server, which may cause the message recipient server to validate the DKIM signature of the signed message and determine that the signed message passes Domain-based Message Authentication, Reporting and Conformance (DMARC) with respect to the second domain.

Abstract: Techniques are disclosed relating to facilitating secure communication of private user data between different entities for a verification process conducted during an electronic interaction between the user and a verifier entity. In disclosed embodiments, a verification service executing on a server computer system for a verification session for verifying a holder entity on behalf of a verifier entity receives a verification request from a remote computer system. The verification request includes an attestation proof generated from one or more credentials and the verification service communicates with a holder service that manages an identity storage storing credentials for the holder entity. The verification service transmits, to the verifier service, the attestation proof and then receives, from the verifier service based on the proof, verification results that are usable by the verifier to determine whether to process an action requested by the holder prior to requesting verification.

Abstract: The present disclosure provides methods and systems for secure logon. One or more method includes: determining, via authentication information provided by a user of an electronic device, that the user is authorized to access an online account provided by the online account provider; providing the user with a selectable option to enable an expedited logon process by which the user can access the online account by solely providing a particular authentication item of the user; receiving a verification credential in response to a next logon attempt using the expedited logon process; and verifying that the received verification credential matches an assigned verification credential provided to the user for use in conjunction with the next logon attempt using the expedited logon process.

Abstract: Disclosed embodiments provide a framework to enable automatic identification and authentication of users to allow for multichannel communications in an authenticated state. In response to an authentication request from an end agent engaged in a communications session with a user, a current authentication state associated with the user is determined. Based on the current authentication state and a set of authentication rules associated with the end agent, a set of authentication challenges are identified and executed by an application implemented on the user's computing device. Data corresponding to completion of these authentication challenges is used to determine a new authentication state, which can be used to update the communications session.

Abstract: Aspects of this disclosure relate to rewarding users of an electronic game for real-world physical activity. Further aspects relate to altering virtual items based upon physical activity. An electronic game may comprise or otherwise relate to an online world (such as a “Virtual World”). Users may be represented through customized graphical representations, such as avatars. An account of a user (or entity) may be associated a “virtual region.” A threshold level of real-world physical activity may result in obtaining a reward that may be associated with a virtual item. A reward may be configured to result in: (1) altering visual appearance of a virtual item within a virtual region; (2) altering a virtual characteristic of a virtual item, such that the first user may engage in at least one additional virtual activity using that virtual item; and/or (3) acquiring a new virtual item for a virtual region.

Abstract: An allowed client server, that is authorized to access a resource server over a given port, receives a client request, from a client computing system, to access the resource server. The allowed client server authenticates and authorizes the request, using an authentication and authorization mechanism, and selects a port with which to communicate with the client computing system. The identity of that port is provided to the client computing system, and a port forwarding mechanism forwards traffic between the client computing system and the resource server, through the client-facing port and to the given port on the resource server.

Abstract: A host operable to provide an over-the-top (OTT) service is disclosed. The host is configured to provide and initiate transmission of user data to a network node for transmission to a user equipment (UE). To transmit the user data, the network node determines a PDSCH-to-HARQ timing for an upcoming downlink transmission of the user data to the UE. The network node also determines that HARQ feedback for the upcoming transmission should be delayed by the UE until further notification from the network node; transmits, to the UE, a first DCI associated with the upcoming transmission, the first DCI including a first PDSCH-to-HARQ timing-indicator value for indicating to the UE that the HARQ feedback for the upcoming transmission should be delayed until further notification from the network node; and transmit the user data from the host to the UE in the upcoming transmission to provide the OTT service.

Abstract: This disclosure is directed to automated processes for attesting to trustworthiness of a host considered for connection to a data center network. The attestation process is performed in two attestation phases. In the first phase, attestation is performed on a smart network interface controller (“SNIC”) connected to an internal bus of the host using a first trusted platform module (“TPM”) of the SNIC. In the second phase, attestation is performed on the host by the SNIC using a second TPM connected to the internal bus of the host in response to a determination that the SNIC is trustworthy. The host is connected to the data center network in response to a determination by the SNIC that the host is trustworthy.

Abstract: Data transfer in a secure processing environment is provided. A digital assistant can receive audio input detected by a microphone of a computing device. The digital assistant can determine, based on the audio input, to invoke a third-party application associated with the computing device. The digital assistant can generate, responsive to the determination to invoke the third-party application, a packaged data object. The digital assistant can forward, to the third-party application invoked by the digital assistant component to execute in a secure processing environment on the computing device, the packaged data object. The third-party application can transmit, responsive to a digital component request triggered in the third-party application, the packaged data object to a digital component selector to execute a real-time selection process based on the packaged data object.

Abstract: Embodiments of systems and methods are provided to enhance network security by providing secure, multi-path user authentication, while also providing a more convenient login experience to the user. In the present disclosure, a cloud-based user authentication and threat detection system is provided with an artificial intelligence (AI) engine and a training dataset. Utilizing a cloud-based system enables the AI engine to collect data from multiple devices located within different physical locations or environments (such as, for example, the user's home and office). The collected data is stored within the training dataset and used to create a personalized user profile for each user. Each time a user initiates login to a system or network from a particular location, the AI engine collects data from multiple devices within that location and utilizes the user profile data previously stored within the training dataset to securely authenticate the user or detect potential security threats.

Abstract: Various implementations disclosed herein include devices, systems, and methods that authenticate user identities based on input/sensor data received from remote workstations and/or during remote communication sessions. The input/sensor data may correspond to timing and patterns from which user identities may be authenticated. Some implementations disclosed herein communicate input/sensor data in a way that preserves the timing and pattern information of the data and/or in a way that allows such information to be used for authentication in real-time. Some implementations enable continuous provision of input/sensor data and/or enable continuous authentication of user identities during remote communication sessions.

Abstract: Systems and methods enable secure service-based communications in networks that use a Services Communications Proxy (SCP). A Network Function (NF) producer receives a service request including an authorization token and a signed service request object, wherein the service request originates from an NF consumer of the wireless core network and is forwarded to the NF producer via the SCP. The NF producer verifies the signed service request object and generates, after the verifying, a service response. The service response includes a signed service response object. The NF producer sends, to the NF consumer and via the SCP, the service response with the signed service response object.

Abstract: A computer readable medium, a system, and a method for providing data security through identity access management using a transaction classifier to classify transactions according to a set of transaction data associated with the transaction and mitigate abnormal transactions. The transaction classifier is trained using a set of training data and updated after each transaction. The identity access management may also include a mitigation policy that is used to determine a mitigation technique for each transaction.

Abstract: A method—for biometric based person recognition systems is provided. The method provides an identification of a personalized bioelectric code and a personal ID code by identifying persons and gestures of a person with a benefit of behavioral biometric data of Electromyography (EMG) signals. The method includes the steps of: making the person wishing to create a password to wear a wristband, simultaneously recording of hand movements in eight bioelectric signals from eight EMG sensors in recordings of up to 10 seconds, repeating each selected movement type by the person at least ten times, clearing a recorded raw signal group from noise signals with a bandpass filter, separating a signal cleaned from the noise signals into to windows, creating a customized behavioral biometric data set with generated attributes for each transaction, obtaining the personalized bioelectrical code and the personal ID code.

Abstract: A computer-implemented method for team-sourced anomaly vetting via automatically-delegated role definition. The method may include automatically determining that an event of the computing system corresponding to activity of an end user is anomalous. Based on the anomalous event, a permission store of the computing system may automatically be edited to include an access restriction on the end user, and a notification may be automatically generated and transmitted to one or both of the end user and another end user. The notification may provide access to an executable statement including code configured to be executed to remove the access restriction. A call to the executable statement by the other end user may be automatically received. Further, the permission store may be automatically edited to remove the access restriction on the end user.

Abstract: A messaging system for exchanging messages between nodes in a network via a broker that uses a publish-subscribe message protocol, which nodes have object identifications (IDs). Messages between the nodes are routed using the object IDs of the nodes. Secure communication is provided using authentication according to digital certificates being used as first and second tiers by a commissioning broker and a data broker, respectively, in which the second tier certificate used by the data broker has a shorter lived expiration time.

Abstract: A system and method for automated remote payments between a vehicle and a refueling station is disclosed. The system may enable the vehicle to initiate an automated remote payment to the refueling station without needing the user to manually input transaction account information, or to manually prepay for the transaction. The refueling station may detect when the vehicle is in proximity, and the vehicle and the refueling station may open communications to transmit data. The vehicle may transmit vehicle identifying data to the refueling station, and the refueling station may communicate the vehicle identifying data to a payment network to authorize the transaction. In response to authorizing the transaction, the vehicle may proceed with refueling at the refueling station.

Abstract: Methods, systems, and devices for security descriptor generation are described. An end device may be authenticated based on a certificate and a device key based on a security descriptor. The security descriptor may be generated based on publicly-available information such as time of day information, geographical information, or a default set of information. The security descriptor may be used for generation of a certificate accessible by a server used for authenticating the device and also may be used by an end device to generate a device key for verification by the server authenticating the device.

Abstract: Computerized apparatus and methods useful for authentication and/or handling and tracking of users and objects such as e.g., items being shipped or baggage associated with a user during travel. In one embodiment, a computerized apparatus located at a departure location (e.g., a kiosk) includes digital imaging and scanning apparatus to enable biometric user authentication, imaging of chattel associated with the user, as well as networked access to a computerized travel reservation system, so as to enable authentication of the user (and/or the item being shipped) as well as other aspects of the shipment transaction. The kiosk may further enable computerized control and operation of an item shipment receptable so as to allow or deny access based on the authentication processing.

Abstract: Techniques disclosed herein relate to the authentication of a first user in a communication session between the first user using a user device and a second user using a remote computer system. The computer system sends an authentication request in the session, and the user device receives the authentication request in the session via a messaging program. The user device then causes a different program to access an authentication token received from an authentication computer system. The user device sends an indication of the authentication token to the remote computer system which the remote computer system verifies to authenticate the first user within the session.

Abstract: In an example, a provider system receives from a client device a request for client sign-on access. The provider system sends to the client device a request for identification information of the client. The provider system receives client information associated with a first mobile identification credential (MIC) which the client device received from an authorizing party system (APS), the client having consented to release the client information to the provider system, and the client information having been verified by the APS. The provider system uses the verified client information associated with the first MIC to verify or not verify the identity of the client. The provider system verifies the identity of the client before granting the client the request for client sign-on access.

Abstract: A system for utilizing behavioral features to authenticate a user entering login credentials. The system includes an electronic processor configured to receive a request to access a user account and compare behavioral features included in the request to behavioral features included in a user behavior profile associated with the user account. The electronic processor is also configured to, based on the comparison, generate one or more scores. The electronic processor is further configured to, for each of the one or more scores, compare the score to a predetermined threshold and, based on the comparison of the score to the predetermined threshold, adjust a match value. The electronic processor is also configured to compare the match value to one or more predetermined thresholds to determine whether the behavioral features included in the request to access the user account authenticates the user, does not authenticate the user, or is inconclusive.

Abstract: An anomalous action security assessor is disclosed. An anomaly is received from a set of anomalies. A series of linked queries associated with the anomaly is presented to the user. The series of linked queries includes a base query and a subquery. The base query tests an attribute of the anomaly and resolves to a plurality of outcomes of the base query. The subquery is associated with an outcome of the plurality of outcomes of the base query. The series of linked queries finally resolve to one of tag the anomaly and dismiss the anomaly. A security alert is issued if the series of linked queries finally resolves to tag the anomaly.

Abstract: An information processing apparatus configured to authenticate a user in first authentication processing and second authentication processing and permit the user who is authenticated to use at least one of a plurality of functions includes a control unit configured to, at a time of authentication of the user in the first authentication processing, perform control to prompt the user to select an authentication method to be used in the first authentication processing.

Abstract: A method for providing connection between applications and a data repository is described. The method includes receiving a communication from an application for the data repository. The application is authenticated. In response to the application being authenticated, the credentials for the data repository are obtained from a data vault. The credentials are used to access the data repository while the application is free of the credentials.

Abstract: A peripheral device package for use in a host computing device has a plurality of compute elements and a plurality of resources shared by the plurality of compute elements. A datastructure is stored in a hidden memory of the peripheral device package. The data structure holds metadata about ownership of resources of the peripheral device package by a plurality of user runtime processes of the host computing device which use the compute elements. At least one of the user runtime processes is a secure user runtime process. The peripheral device package has a command processor configured to use the datastructure to enforce isolation of the resources used by the secure user runtime process.

Abstract: Disclosed are various embodiments for extending cloud-based virtual private networks to radio-based networks. In one embodiment, a request from a client device to connect to a radio-based network is received. A virtual private cloud network of a cloud provider network to which the client device is permitted access is determined. The client device is provided with access to the virtual private cloud network through the radio-based network.

Abstract: Briefly, example methods, apparatuses, and/or articles of manufacture may be implemented, in whole or in part, to prove possession of a communications device, such as a mobile communications device. In a particular method, proving possession of a communications device may include receiving, from a client server, an indicator to indicate a communication services carrier servicing the communications device. The method may continue with generating a session identifier and a resource locator to direct the communications device to establish communications with an identity verifier at an address corresponding to the resource locator. The resource locator may be determined based, at least in part, on the indicator received from the client server. The method may additionally include the communications device transmitting one or more identifiers, determined, at least in part, from content stored within, or data derived from, memory of the communications device.

Abstract: The disclosure relates to methods and systems for provisioning a network-connectable device. A communication tunnel is formed for transmitting data between the network-connectable device, a mobile terminal and a remote server. The communication tunnel includes a first link initiated using a webview embedded in an application on the mobile terminal and a second link initiated using a library attached to the webview. The first link connects the mobile terminal with the remote server. The second link connects the network-connectable device with the remote server through the mobile terminal. A data packet indicating that the network-connectable device is ready to be provisioned is received through the communication tunnel. A request for providing provisioning data is sent through the communication tunnel based on the data packet. Provisioning data are transmitted through the communication tunnel in response to sending the request. The network-connectable device is provisioned using the provisioning data.

Abstract: Systems, methods, and devices are described for performing scalable data processing operations. A queue that includes a translatable portion comprising indications of data processing operations translatable to data queries and a non-translatable portion comprising indications of non-translatable data processing operations is maintained. A determination that a first data processing operation of a first code block statement is translatable to a database query is made. An indication of the first data processing operation is included in the translatable portion of the queue. Responsive to a determination that a second data processing operation of a second code block statement is undeferrable, the translatable portion of the queue is compiled into a database query. An execution of the database query to be executed by a database engine to generate a query result is caused. A result dataset corresponding to the query result is transmitted to an application configured to analyze the result dataset.

Abstract: An authentication method of a prover by a verifier includes: performing at least once, an enrollment process by an enrollment center computer; and subsequent to performing the enrollment process, performing an on demand authentication process including: receiving at a verifier computer from the prover, a prover authentication request sent from the prover computer device which includes the prover identity and a preferred ZKP protocol identifier; looking up a prover's public key in the database via the identity; the verifier sending a selected ZKP protocol identifier to the prover computer device; commencing a round of authentication by receiving a commitment generated according to the selected ZKP protocol; and repeating the step of commencing a round of authentication until the verifier computer accepts or rejects the prover's identity. A zkMFA method of authentication and an authentication system for authenticating a prover by a verifier are also described.

Abstract: Systems and methods for managing a user-selected card verification code (CVC2) value for a payment card are disclosed. A sever is coupled to a payment card database and a hardware security module. The server is programmed to receive a request from a user to change the CVC2 value of the payment card to the user-selected CVC2 value. Based upon the request, the server retrieves from a payment card table stored on the database a payment card record associated with the payment card. The server transmits the user-selected CVC2 value, and, from the payment card record, a primary account number, a payment card expiry date, and a first service code to a hardware security module. The server subsequently receives from the hardware security module a second service code associated with the user-selected CVC2 value. The server updates the first service code in the payment card record to the second service code.