Abstract: Method, system, and programs provide automatic anonymization of protected data items when a request is associated with authentication via a ticket. Ticket authentication includes sending a ticket to a recipient address. The ticket is included in a request for information. Responsive to receiving a request with a ticket, an example system may determine if the ticket is still valid and, if so, generate mock identifiers for any identifiers in information provided back to the requestor, replace the identifiers with their corresponding mock identifiers, as well as delete any protected information from the information provided back to the requestor. The system may store a mapping of the identifiers with their mock identifiers by session id. These mappings may be deleted after a predetermined time, so that the mapping is valid only for a particular session for a limited time.

Abstract: Systems, apparatuses and methods include technology that generates a signature based on one or more characteristics of an artificial intelligence (AI) model. The AI model is in a source code. The technology generates a compiled blob based on the AI model and embeds an identifier based on the signature into a metadata field of the compiled blob.

Abstract: A method of providing a data disclosure to a requester can include: receiving a data subject request from a requester, the data subject request including a request for stored personal data; categorizing the element data into one of a plurality of tiers based on a sensitivity level of the element data; assigning an assigned tier to the element data and associated data values; determining a level of detail of the associated data values for each of the element data to provide based on the assigned tier; and providing a data disclosure report to the requester, wherein the data disclosure report includes the level of detail of data values for each of the element data based on the assigned tier.

Abstract: Use of embedded metadata for data privacy compliance is provided. In a data store, self-managed data is maintained including metadata specifying retention policy data. Responsive to a self-update to scrub PII from the self-managed data being indicated by the retention policy data, the PII is removed from the self-managed data maintained by the data store. Responsive to a self-update to delete the self-managed data from the self-managed data being indicated by the retention policy data, the self-managed data is removed from the data store.

Abstract: The present disclosure relates to a system, method, and computer program for graph-based multi-stage attack detection in which alerts are displayed in the context of tactics in an attack framework, such as the MITRE ATT&CK framework. The method enables the detection of cybersecurity threats that span multiple users and sessions and provides for the display of threat information in the context of a framework of attack tactics. Alerts spanning an analysis window are grouped into tactic blocks. Each tactic block is associated with an attack tactic and a time window. A graph is created of the tactic blocks, and threat scenarios are identified from independent clusters of directionally connected tactic blocks in the graph. The threat information is presented in the context of a sequence of attack tactics in the attack framework.

Abstract: Methods, systems, and devices for wireless communications are described. In some examples, a wireless device may modify a cyclic redundancy check (CRC) generation and attachment operation based on a secret key to support enhanced security. In some examples, a first device may identify a set of data to transmit to a second device and prior to transmitting the set of data, the first device and the second device may obtain a set of key bits for data protection. The first device may generate a bit vector based on a subset of the set of key bits and a cyclic redundancy check polynomial. The transmitting device may then generate an encoded codeword based on the bit vector and transmit the encoded codeword to the second wireless device. The second device may decode the encoded codeword and obtain the set of data based on the set of key bits.

Abstract: Ad-hoc network comprising a configurator device and a plurality of nodes, wherein each node is an electronic device, wherein each node is connected by a communication connection with at least one of the other nodes and/or with the configurator device, wherein each node can be in different states comprising at least a non-commissioned state (NC), a commissioned state and a trust ring member state (TR) wherein a first node of the plurality of nodes being in the non-commissioned state (NC) is configured to send an non-commissioned advertisement message to the configurator device comprising an identifier of the first node, wherein the configurator device is configured to send an automated commissioning initialization (ACI) message to the first node containing a token, wherein the token is encrypted by a symmetric network key, wherein the first node is configured to send out a commissioning request message containing the received encrypted token, wherein the first node is configured to change its state, when it re

Abstract: This document describes techniques and apparatuses for distributed network cellular identity management. In particular, a distributed-network cellular-identity-management (DNCIM) server includes a lookup table that stores and relates together a user-equipment (UE) public key associated with a UE private key, a core-network (CN) public key associated with a CN private key, and a subscriber identity. Using the DNCIM server, the UE and an authentication server respectively generate two different (e.g., asymmetric) cipher keys based on the UE private key and the CN public key, and the UE public key and the CN private key. The UE and the authentication server can also authenticate one another by referencing information in the lookup table of the DNCIM server. Using these cipher keys, the UE and the authentication server can establish secure communications with each other.

Abstract: A system and method are provided which include receiving, by a server computer from a trusted entity computer, user data corresponding to a user. Based on the user data, the server computer determines a set of assertions for the user. The server computer receives, from a relying entity, an assertion request for the user. Responsive to the assertion request, the server computer provides, to the relying entity, an assertion, of the set of assertions. The relying entity thereby grants the user a particular type of account based on the assertion.

Abstract: A tokenization system receives a request for data anonymization, the request referencing unstructured/semi-structured content containing values of interest. The tokenization system performs a tokenization operation on the unstructured/semi-structured content, generates self-describing tokens for the values of interest, each self-describing token having a preconfigured pattern, an indication of a protection strategy, and a token value, and stores the values of interest in a secure data vault. The tokenization system may receive a request to reveal the self-describing tokens in the unstructured/semi-structured content. In response, the tokenization system searches the anonymized version of the unstructured or semi-structured content for the preconfigured pattern, identifies self-describing tokens, uses the self-describing tokens to retrieve the values of interest from the secure data vault, and produces a detokenized version of the unstructured/semi-structured content containing the values of interest.

Abstract: Disclosed herein are embodiments providing coordinated privacy for targeted communications and reporting. In particular, the embodiments provide a source user querying an information system to generally identify target users for a communication campaign. A privacy controller alters a first dataset of a query response by a first alteration quantity for transmission to the source user. The source user then generally identifies target users within the first dataset for development of a communication campaign of targeted communications directed to the target users. Subsequently, a reporting system generates a report with a second dataset detailing viewership by target users. The privacy controller alters a second dataset of a report by a second alteration quantity for transmission to the source user. The second alteration quantity is based on the first alteration quantity.

Abstract: Proxied multi-factor authentication using credential and authentication management in scalable data networks is described, including initiating a request by an extension to authenticate a browser to access a data network, the request being associated with an address and transmitted over HTTP, receiving at a proxy browser a first message from the data network in response to the request, the first message comprising authentication data, the authentication data being forwarded to a server in data communication with the proxy browser and the browser, sending a second message from the server to the extension, the second message comprising the authentication data, and transferring authentication data to the data network from the browser and the extension in response to an query from the data network.

Abstract: An automated system tracks digital service providers (DSP) data management agreements, and user behavior, individually and in aggregate, to determine potential changes for a personal/corporate privacy charter. The personal/corporate privacy charter is thus dynamically adaptable to permit users to continue to engage seamlessly in accordance with user/corporate target goals with digital service providers (DSPs) and similar entities.

Abstract: Multiple types of tokens can be generated and utilized in a highly structured document with freeform text. For example, a tokenization system may receive a request for tokenizing a document with a first portion having structured content and a second portion having unstructured or semi-structured content. In response, the tokenization system identifies sensitive information in the first portion of the document, generates format-preserving tokens for the sensitive information in the first portion of the document, identifies sensitive information in the second portion of the document, and generates self-describing tokens for the sensitive information in the second portion of the document. The self-describing tokens reference the sensitive information in the first portion of the document. The tokenization system may then communicate the format-preserving tokens and the self-describing tokens to the first client computing system or to a second client computing system.

Abstract: A blockchain network includes a service sub-network, a consensus sub-network, and a routing layer configured to isolate the service sub-network from the consensus sub-network. A data processing method in the blockchain network includes: receiving a data processing request transmitted by a service node in the service sub-network; performing identity verification on the service node according to the data processing request; obtaining a running load of each consensus node in the consensus sub-network when the verification succeeds; determining, from the consensus sub-network according to the running load, a target consensus node configured to process the data processing request; and forwarding the data processing request to the target consensus node, and performing corresponding data processing on the data processing request by using the target consensus node.

Abstract: Systems, methods, apparatuses, and computer program products directed to next generation (e.g., 5G systems) key set identifier(s) are provided. One method includes requesting, by a network node, authentication of a user equipment with an authentication server, receiving a master key and authentication parameters/vectors from the authentication server when authorization is successful, and verifying validity of the authentication request. When the verification is successful, the method may further include instantiating a security context for the user equipment and assigning a security context identifier for next generation system security context to the user equipment, and then sending a security mode command message to instruct the user equipment to instantiate security context using the security context identifier.

Abstract: The present invention provides a method for packet processing according to a access control list table, comprising: receiving a packet, wherein the packet includes a packet information and match items for matching; providing an access control list (ACL) codeword table; providing a mask table, wherein the ACL codeword table corresponds to the mask table; obtaining a hash key by performing a multiplexing logic operation, wherein the hash key is made by combining a multiplex result of the packet information and the mask table; obtaining a hash value by performing a hash function based on the hash key, wherein the hash value is composed of X+Y, wherein X is a signature table (hash table) index and Y is a key digest; performing a hash table indexing, based on the signature table index, wherein the signature table index is the index to an address of signature table; performing a fast pattern match, wherein the signature table contains signature fields, and if any second signature field in the signature table is mat

Abstract: A subscription system and method of facilitating permission-based access to a subset of vehicle sensor data in a vehicle electronic control unit (ECU) to augment an information application. The system includes a vehicle subscription server. The method includes generating, by the vehicle subscription server, a sensor key and a subscription key, installing in a memory of the vehicle ECU the vehicle sensor key. In response to a request for a subscription by a mobile device, transmitting by the vehicle subscription server the subscription key. The vehicle ECU uses the subscription key to authenticate the mobile device as having a current subscription, and augments the information application with the subset of vehicle sensor data accessed based on the sensor subscription key.

Abstract: A system validates the establishment and/or continuation of a connection between two applications over a network. The system uses network application security rules to allow or disallow connections between the two applications. Those rules include definitions of the source and destination applications to which the rules apply. The system automatically updates the application definitions over time to encompass new versions of the applications covered by the security rules, but without encompassing other applications. The system is then capable of applying the updated rules both to the original applications and to the updated versions of those applications. This process enables the security rules to maintain security over time in a way that is consistent with the original intent of the rules even as applications on the network evolve.

Abstract: A key generation method includes a user plane network function and a terminal device obtain key update information sent by each other. The user plane network function updates, by using the obtained key update information, a sub-key derived from a permanent key, to obtain a new protection key. The terminal device updates, by using the obtained key update information, a sub-key derived from the permanent key, to obtain a new protection key. The terminal device and the user plane network function perform, by using the new protection key, security protection on user plane data transmitted between the terminal device and the user plane network function.