Abstract: A method and a system for controlling tracking of web-browsing activities of a user in a browser application are provided. The method comprises: receiving, from a given web server, data representative of a web page to be displayed in the browser application; identifying, based on the data, elements of the web page linked to at least one in-use third-party web resource; obtaining in-use data including at least data of past user interactions of the user with the at least one in-use third-party web resource; feeding the in-use data to an MLA to determine a probability value of the user allowing sharing a respective third-party cookie of the at least one in-use third-party web resource therewith while browsing the web page; in response to the probability value being lower than a threshold value, determining that the user is unlikely to allow sharing the respective third-party cookie while browsing the web page.

Abstract: Key derivation for account management is disclosed, including: generating an account private key associated with a new account; generating a compute key associated with the new account based at least in part on the account private key, wherein the compute key is usable to verify a new transaction to be confirmed on a blockchain, and wherein the new transaction is initiated by the new account; and generating a view key associated with the new account based at least in part on the account private key, wherein the view key is usable to decrypt a portion of a confirmed transaction on the blockchain that belongs to the new account.

Abstract: A method, computer system, and a computer program product for smart SDN is provided. The present invention may include recording and clustering a pod's behavior to generate a behavior transition model for the pod. The present invention may include watching a behavior of the pod and comparing the behavior to the generated behavior transition model. The present invention may include triggering a network policy change based on determining that the behavior of the pod is a misbehavior.

Abstract: A vehicle diagnostic device includes: a communication unit that communicates with a vehicle which drives autonomously; and a diagnostic unit that performs, via the communication unit, diagnosis as to whether the vehicle is being hacked. The diagnostic unit performs the diagnosis by checking resilience of software which runs a travel system provided in the vehicle.

Abstract: An enterprise owned multi-function device (MFD) is disclosed. For example, the MFD includes, a communication interface to establish a communication session with an authentication server, a re-activation timer, a processor and a non-transitory computer readable medium storing instructions, which when executed by the processor, cause the processor to authenticate the enterprise owned MFD over the communication session when the enterprise owned MFD is activated at a remote location of an employee, create a local account of the employee for local authentication, and authorize access to the employee via the local account of the employee until the re-activation timer expires.

Abstract: A system for analyzing a computing system for potential breach points, the system comprising a memory device having executable instructions stored therein, and a processing device, in response to the executable instructions, configured to parse a breach scenario file, the breach scenario file comprising a graph including action component nodes connected by edges, determine a root node from the action component nodes, execute the root node with breach point data, generate a root node return value based on the execution of the root node, the root node return value including a modified copy of the breach point data, determine children nodes from the action component nodes connected to the root node, execute the children nodes wherein each execution of the children nodes produces children node return values for a subsequent one of the children nodes, and return a final return value from the execution of the children nodes.

Abstract: A client computing device includes an entropy driver and a volume driver for protecting the client computing device against potential ransomware. The entropy driver is configured to determine one or more entropy values for a file in response to a determination that the file has been modified or changed. The determined entropy value may then be compared with a known entropy value for a filetype of the changed or modified file. Where the known entropy value and the determined entropy value differ, the volume driver may engage one or more protection operations to secure the client computing device from further corruption and/or modifications by potential ransomware and/or malware. The protection operations may include revoking and/or restricting one or more permissions on one or more storage volumes of the client computing device and backing up one or more files of the client computing device to secondary storage.

Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, derives a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.

Abstract: According to at least one aspect, a hardware system include a host processor, a policy engine, and an interlock is provided. These components can interoperate to enforce security policies. The host processor can execute an instruction and provide instruction information to the policy engine and the result of the executed instruction to the interlock. The policy engine can determine whether the executed instruction is allowable according to one or more security policies using the instruction information. The interlock can buffer the result of the executed instruction until an indication is received from the policy engine that the instruction was allowable. The interlock can then release the result of the executed instruction. The policy engine can be configured to transform instructions received from the host processor or add inserted instructions to the policy evaluation pipeline to increase the flexibility of the policy engine and enable enforcement of the security policies.

Abstract: An improved authentication, identification, and/or verification system is provided in various embodiments. The system is provided for use in relation to provisioning access or establishing identity in relation to one or more human users, and may be used in a single site/scenario/system, or across multiple sites/scenarios/systems. A combination of biometric modalities and authentication mechanisms having diverse characteristics are utilized to establish identity, the diverse characteristics being utilized to modify aspects of identity management and access provisioning.

Abstract: Systems and methods for power system switching element (PSSE) anomaly detection are disclosed. An example PSSE anomaly detection unit may include a power system switching element position estimator (PSSEPE) and a comparison unit. The PSSEPE may be configured to receive a set of measurements and a set of control commands associated with a PSSE, calculate an anomaly confidence score based on the set of measurements and the set of control commands, and estimate a calculated PSSE position based on the set of measurements and the set of control commands. The comparison unit may be configured to receive the calculated PSSE position from the PSSEPE, receive the set of measurements and the set of control commands from the PSSEPE, receive a reported PSSE position associated with the PSSE, and determine a PSSE anomaly decision based on a difference between the reported PSSE position and the calculated PSSE position.

Abstract: Disclosed are a service server capable of performing Internet access management services according to grades and the operating method thereof, which when a request for permission to access a web page is received from a client terminal, confirm an access authority degree set in the client terminal based on unique identification information of the client terminal, determine whether the client terminal is a terminal having an authority capable of accessing the web page based on access authority degree, and control whether the client terminal accesses the web page based on a determination result.

Abstract: Methods and systems for identity-based firewall policy evaluation and for encoding entity identifiers for use in identity-based firewall policy evaluation. A packet from a sender entity to a recipient entity is intercepted. A determination is made whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers, and each entity identifier is unique among the plurality of entity identifiers. Rules for communications among the plurality of entities include a list of pairs of entities which are permitted to communicate with each other. The packet is forwarded to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity. At least one mitigation action is performed when it is determined that the recipient entity is not permitted to communicate with the sender entity.

Abstract: An authentication device includes an authentication unit, a history information generator and a communication unit. The authentication unit executes, when a user terminal accesses a service provider system, an authentication process based on an authentication request that includes a description pertaining to an authentication condition and an authentication method that correspond to the service provider system. The history information generator generates history information. The history information includes information indicating whether the authentication condition is satisfied and information indicating a result of executing the authentication process by using the authentication method. The communication unit transmits the history information to the user terminal.

Abstract: A method for encoding/decoding a message with One Time Pad (OTP) process, includes receiving a message to be encoded and an ordered dataset. A PRNG is parameterized with an initial seed that is used in a harvesting operation, which selects data from the dataset to create a current entropy plane of the selected data. In an encoding operation a portion of the received message is selected. The current entropy plane is scanned and data from which data is selected. The location of the selected data from the entropy plane is determined and marked as used and then assembled in an encoded message. This operation is repeated until no unmarked data is present in the current entropy plane. A new entropy plane is generated, and the scanning operation repeated until all portions of the received message have been processed. The process is reversed for a decoding operation.

Abstract: An example method includes receiving an encrypted biometric enrollment data and user identifier data. The encrypted biometric enrollment data includes at least one biometric enrollment sample from a user encrypted using an encryption key. The encryption key is generated based on a user secret and the user identifier is associated with the user. The user identifier is matched with a stored user secret. A decryption key is generated based on the stored user secret. The encrypted biometric enrollment data is decrypted using the decryption key. The at least one biometric enrollment sample is retrieved from the decrypted biometric enrollment data. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a biometric reference template. A biometric reference template identifier uniquely identifying the biometric reference template is generated. An encryption key is generated based on the stored user secret and encrypts an enrollment confirmation message.

Abstract: A method for securing network communication between containers by a terminal, includes: a step of installing an HSI (Hyperion Secure Interface) for communication with a secure bridge included in an NIC (Network Interface Chip) in a secure container through a manager module; a step of changing a source address of a transmission packet to a specific token on the basis of a map of the HSI through the manager module; a step of delivering the transmission packet to the secure bridge through the HSI; a step of determining whether the specific token of the transmission packet is valid; and a step of changing the specific token to the source address and delivering the transmission packet to a target container when the specific token is valid.

Abstract: Various implementations disclosed herein include devices, systems, and methods that authenticate user identities based on input/sensor data received from remote workstations and/or during remote communication sessions. The input/sensor data may correspond to timing and patterns from which user identities may be authenticated. Some implementations disclosed herein communicate input/sensor data in a way that preserves the timing and pattern information of the data and/or in a way that allows such information to be used for authentication in real-time. Some implementations enable continuous provision of input/sensor data and/or enable continuous authentication of user identities during remote communication sessions.

Abstract: The present disclosure discloses configuring a transmitting device to determine verification information including a current fingerprint associated with a first instance of a source application stored on the transmitting device, the current fingerprint (i) being determined based on utilizing one or more connection parameters associated with an external device communicating with the first instance of the source application, and (ii) uniquely identifying the first instance of the source application; configuring the transmitting device to transmit verification information including the current fingerprint; configuring the transmitting device to receive a determination result determined by the receiving device based on a comparison of the current fingerprint with a verification fingerprint that uniquely identifies a second instance of the source application stored on another device; and configuring the transmitting device to selectively transmit transmission data utilizing the first instance of the source applica

Abstract: Examples of the present disclosure describe systems and methods for configuring and executing per-service TLS settings in a forward proxy. In examples, a proxy device receives a connection request from a client device to access a service. The proxy device identifies service connection information included in the connection request and selects a connection scheme for connecting to the service. The service connection information is compared to a static mapping of connection data in the connection scheme. If the service connection information matches the static mapping of connection data, a TLS type is determined for the connection request. If the service connection information does not match the static mapping of connection information, the service connection information is compared to a dynamic mapping of session information. Based on the comparison of the service connection information to the dynamic mapping of session information, a TLS type is determined for the connection request.