Patents Examined by Aubrey H. Wyszynski
  • Patent number: 12373528
    Abstract: A method of identifying a person, the method comprising: acquiring spatiotemporal data for each of a plurality of anatomical landmarks associated with an activity engaged in by a person that defines a spatiotemporal trajectory of the anatomical landmark during the activity; modeling the acquired spatiotemporal data as a spatiotemporal graph (ST-Graph); and processing the ST-Graph using at least one non-local graph convolution neural network (NLGCN) to provide an identity for the person.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: July 29, 2025
    Assignee: Ramot at Tel-Aviv University Ltd.
    Inventors: David Mendlovic, Menahem Koren, Lior Gelberg, Khen Cohen, Mor-Avi Azulay, Ohad Volvovitch
  • Patent number: 12368729
    Abstract: The present disclosure relates to a system, method, and computer program for graph-based multi-stage attack detection in which alerts are graphically visualized in the context of tactics in an attack framework. The method enables the detection of cybersecurity threats that span multiple users and sessions and provides for the display of threat information in the context of a framework of attack tactics. Alerts spanning an analysis window are grouped into tactic blocks. Each tactic block is associated with an attack tactic and a time window. A graph is created of the tactic blocks, and threat scenarios are identified from independent clusters of directionally connected tactic blocks in the graph. The threat information is visualized graphically in the context of a sequence of attack tactics in the attack framework. A user can toggle between graphical visualizations of a cluster as a whole and the individual threat scenario paths in the cluster.
    Type: Grant
    Filed: February 16, 2023
    Date of Patent: July 22, 2025
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Yoon Jung Hong
  • Patent number: 12362948
    Abstract: A prover chip uses a key multiplier value generated by a proof-of-work function from a challenge value, a random number, and elliptic curve cryptography (ECC) techniques to generate a one-time (or ephemeral) use private key. Similarly, a verifier chip uses the key multiplier value generated by an equivalent proof-of-work function, a public key received from the prover, and ECC techniques to derive a one-time use public key that corresponds to the ephemeral private key generated by the prover chip. The prover chip uses the ephemeral private key to sign the second challenge value and send this signed second challenge value to the verifier chip. The verifier verifies the value it receives using the one-time use public key and if the signature on the second challenge value is valid, authenticates the prover chip to a system.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: July 15, 2025
    Assignee: Cryptography Research, Inc.
    Inventors: Mark Evan Marson, Scott C. Best
  • Patent number: 12355877
    Abstract: Disclosed is an electronic device comprising: a memory in which instructions are stored; and a processor electrically connected to the memory. The processor, when the instructions stored in the memory are executed: acquires a command for installation of a first application signed with a first key; checks information relating to the first key in a key storage of the electronic device; if the first key is determined to be valid, installs the first application; and if the first key is determined to have been revoked, controls to prohibit installation of the first application.
    Type: Grant
    Filed: August 25, 2022
    Date of Patent: July 8, 2025
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Myeongjin Oh, Moonkyung Kim, Seyeong Lee, Yeongsu Lee, Jonghyeon Lee, Yeonggeun Choe
  • Patent number: 12355769
    Abstract: A computerized method for restricting communications between virtual private cloud networks comprises creating a plurality of security domains. Each of the plurality of security domains identifies gateways associated with one or more virtual private cloud networks. Also, the method features generating transit routing data stores in accordance with each of the plurality of security domains; determining whether a connection policy exists between at least a first security domain and a second security domain of the plurality of security domains; and precluding communications between gateways associated with the first security domain and gateways associated with the second security domain in response to determining that no connection policy exists between the first security domain and the second security domain.
    Type: Grant
    Filed: March 25, 2024
    Date of Patent: July 8, 2025
    Assignee: Aviatrix Systems, Inc.
    Inventors: Xiaobo Sherry Wei, Shanshan Xu
  • Patent number: 12341793
    Abstract: In some embodiments, the present disclosure provides an exemplary method that may include steps of obtaining a trained spam upsurge detection machine learning model that determines when a current frequency associated with spam communications received by a current user exceeds a baseline frequency associated with the current user; receiving a permission indicator identifying a permission by the user to detect communications being received by the computing device; receiving an indication of at least one communication being received; determining the at least one communication as a particular spam communication; updating a frequency at which spam communications have been received by the user based at least in part on the particular spam communication; utilizing the trained spam upsurge detection machine learning model to determine that the frequency exceeds a baseline frequency associated with the user; and initiating a scan of one or more dark web resources.
    Type: Grant
    Filed: September 28, 2022
    Date of Patent: June 24, 2025
    Assignee: Capital One Services, LLC
    Inventors: Asher Smith-Rose, Joshua Edwards, Lin Ni Lisa Cheng, Shabnam Kousha, Tyler Maiman
  • Patent number: 12335393
    Abstract: Disclosed in the present invention is an intelligent photo album sorting and privacy protection method. The method is applied to an image recognition model, and includes the following steps: obtaining shooting time and shooting locations of images, and acquiring latitude and longitude information of a shooting device; extracting feature information in the images; performing classification and sorting based on the shooting time and the shooting locations of the images and the extracted feature information in the images, and when a designated classified photo album exists in the shooting device, moving the images into the designated classified photo album; otherwise, creating a designated classified photo album, and moving the images into the designated classified photo album; after moving the images to the designated classified photo album, determining whether the recognition model has been stored in a model.
    Type: Grant
    Filed: September 10, 2024
    Date of Patent: June 17, 2025
    Assignee: Shenzhen Anke Batten Technology Co., LTD
    Inventors: Shian Li, Qiufang He
  • Patent number: 12329932
    Abstract: Methods, devices and systems are disclosed for inter-app communications between software applications on a mobile communications device. In one aspect, a computer-readable medium on a mobile computing device comprising an inter-application communication data structure to facilitate transitioning and distributing data between software applications in a shared app group for an operating system of the mobile computing device includes a scheme field of the data structure providing a scheme id associated with a target software app to transition to from a source software app, wherein the scheme id is listed on a scheme list stored with the source software app; and a payload field of the data structure providing data and/or an identification where to access data in a shared file system accessible to the software applications in the shared app group, wherein the payload field is encrypted.
    Type: Grant
    Filed: July 15, 2024
    Date of Patent: June 17, 2025
    Assignee: Dexcom, Inc.
    Inventors: Gary A. Morris, Scott M. Belliveau, Esteban Cabrera, Jr., Anna Leigh Davis, Rian W. Draeger, Laura J. Dunn, Timothy Joseph Goldsmith, Hari Hampapuram, Christopher Robert Hannemann, Apurv Ullas Kamath, Katherine Yerre Koehler, Patrick Wile McBride, Michael Robert Mensinger, Francis William Pascual, Philip Mansiel Pellouchoud, Nicholas Polytaridis, Philip Thomas Pupa, Kevin Shoemaker, Brian Christopher Smith, Benjamin Elrod West, Atiim Joseph Wiley
  • Patent number: 12323468
    Abstract: Systems and methods are disclosed for securely executing user-defined functions within a cloud data platform. A method involves receiving, via hardware processors, a request to execute a user-defined function (UDF) contained within a sandbox process. The UDF comprises code for performing specified operations that necessitate access to external resources. To facilitate this access, a secure egress path is established using an overlay network designed to isolate the UDF's network traffic from other processes. Authentication and authorization details for the UDF are managed externally to the sandbox process, ensuring that the UDF's functionality remains orthogonal to the cloud data platform's operations. This approach enables the secure and controlled execution of UDFs, allowing them to interact with external systems while maintaining the integrity and security of the cloud data platform environment.
    Type: Grant
    Filed: January 31, 2024
    Date of Patent: June 3, 2025
    Assignee: Snowflake Inc.
    Inventors: Brandon S. Baker, Derek Denny-Brown, Michael A. Halcrow, Sven Tenzing Choden Konigsmark, Niranjan Kumar Sharma, Nitya Kumar Sharma, Haowei Yu, Andong Zhan
  • Patent number: 12316681
    Abstract: A data platform for developing and deploying a user application within a unified security context. The data platform authorizes a first user to use an editor to access source code of a user application based on security policies of a security context and authorizes the first user to use an application and data manager to set usage privileges for a second user to use the user application based on the security policies of the security context. To provide the user application to the second user, the data platform deploys the user application by instantiating a User Defined Function (UDF) server and an application engine of the UDF server within the security context, instantiating the user application as an application of the application engine within the security context, and authorizing access by the user application to data based on the security policies of the security context.
    Type: Grant
    Filed: January 25, 2024
    Date of Patent: May 27, 2025
    Assignee: Snowflake Inc.
    Inventors: Jeremy Yujui Chen, Unmesh Jagtap, William A. Pugh, Brian Smith, Xu Xu
  • Patent number: 12299111
    Abstract: A device includes a processor coupled to a memory that stores instructions that when executed by the processor cause the processor to provide access to at least one of a product or a service via a digital channel; provide initial information to an authorizer via the digital channel; receive an enrollment token, the enrollment token including identifying information that identifies the device and defining a level of authorization with respect to the digital channel utilized by the device; provide the enrollment token to an institution computing system associated with an institution; and access a product or service provided by the institution based on the level of authorization defined by the enrollment token.
    Type: Grant
    Filed: August 22, 2022
    Date of Patent: May 13, 2025
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Adam Evans Vancini, Christopher Phillip Clausen, Darrell L. Suen
  • Patent number: 12294610
    Abstract: Systems and methods for dynamically mitigating a DDOS attack. In an aspect, the technology relates to a computer-implemented method for dynamically mitigating a distributed-denial-of-service (DDOS) attack. The computer-implemented method may include detecting a DDOS attack directing malicious traffic to a target, identifying one or more source locations of the malicious traffic, and in response to detecting the DDOS attack, activating one or more scrub clusters in the identified one or more source locations of the malicious traffic. The method may further include directing traffic intended for the target to the activated one or more scrub clusters, detecting an end of the DDOS attack, and in response to detecting the end of the DDOS attack, deactivating the one or more scrub clusters to release hardware resources.
    Type: Grant
    Filed: October 20, 2023
    Date of Patent: May 6, 2025
    Assignee: Level 3 Communications, LLC
    Inventor: Michael Feldpusch
  • Patent number: 12294612
    Abstract: Systems, computer program products, and methods are described herein for dynamic communication channel switching based on preconfigured network security protocols.
    Type: Grant
    Filed: February 1, 2024
    Date of Patent: May 6, 2025
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Joseph Benjamin Castinado, Therese Humburg Willis, Christopher J. Smith, Kathleen Hanko Trombley, Kevin Graham Robberts, Lee Ann Proud, Adam Frederick Perrigo, Ann Ta, Naoll Addisu Merdassa
  • Patent number: 12289600
    Abstract: Disclosed methods and systems employ an agent to identify data paths between first and second networking devices, such that a data path connects an interface of the first networking device with an interface of the second networking device, each interface being uniquely identified by an associated Internet Protocol (IP) address. The agent establishes a secure connection as follows. First a connection is established between the first and second networking devices using respective first and second IP addresses. Next, security keys are negotiated to establish the secure connection, the security keys including encryption keys and decryption keys. Next, inbound and outbound security associations are established for each of the plurality of data paths, inbound and outbound security associations including IP addresses associated with respective data paths and respective decryption keys. Finally, the inbound and outbound security associations are established in a data plane of the first networking device.
    Type: Grant
    Filed: May 17, 2022
    Date of Patent: April 29, 2025
    Assignee: ARISTA NETWORKS, INC.
    Inventors: Adhip Gupta, Rajagopalan Ammanur, Sreedhar Ganjikunta, Uday Srinivasan
  • Patent number: 12267367
    Abstract: A network intrusion system for a protected network includes a ruleset module configured to receive metadata for rules. The metadata describes, for each of the rules, a set of associated network vulnerabilities. The ruleset module is configured to access vulnerability information describing a set of cumulative vulnerabilities that each is present in at least one network device within the protected network. The network intrusion system includes a rule management module configured to, for each rule of the plurality of rules: identify the set of associated network vulnerabilities described by the metadata for the rule, determine whether there is a match between any of the set of associated network vulnerabilities and the set of cumulative vulnerabilities, and, in response to determining that there is no match, transmit a first command signal to a network security module. The first command signal instructs the network security module to disable the rule.
    Type: Grant
    Filed: December 16, 2022
    Date of Patent: April 1, 2025
    Assignee: Charles Schwab & Co., Inc
    Inventors: Brandon William Scherer, John Scott Kula
  • Patent number: 12261847
    Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques including a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.
    Type: Grant
    Filed: May 16, 2023
    Date of Patent: March 25, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Hendrikus G P Bosch, Jeffrey Michael Napper, Alessandro Duminuco, Sape Jurrien Mullender, Julien Barbot, Vinny Parla
  • Patent number: 12261853
    Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.
    Type: Grant
    Filed: November 3, 2023
    Date of Patent: March 25, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Brody James Kutt, Oleksii Starov, Yuchen Zhou, William Redington Hewlett, II
  • Patent number: 12255897
    Abstract: Systems and methods may provide for receiving web content and determining a trust level associated with the web content. Additionally, the web content may be mapped to an execution environment based at least in part on the trust level. In one example, the web content is stored to a trust level specific data container.
    Type: Grant
    Filed: September 29, 2023
    Date of Patent: March 18, 2025
    Assignee: INTEL CORPORATION
    Inventors: Hong C. Li, John B. Vicente, Prashant Dewan
  • Patent number: 12225017
    Abstract: A method of creating secure endpoints on a network includes registering by a node using a random selection algorithm to choose which server to register to; receiving by the node a property set ID of a property set that the node is a member of; and authorizing by the node using the property set ID to look up its authorization details in the property set. A method of creating secure endpoints on a secure network having at least one community of interest, includes registering by a node using a random selection algorithm to choose which server to register to; receiving by the node a property set ID of a property set that the node is a member of; and authorizing by the node through an authorization server using the property set ID to look up its authorization details in the property set; wherein the node and the authorization server are a member of the at least one community of interest.
    Type: Grant
    Filed: July 27, 2021
    Date of Patent: February 11, 2025
    Assignee: UNISYS CORPORATION
    Inventors: Jared Poetter, Michael C Leap, Diane E Schaefer, Robert A Johnson, Michael Saunders, Robert R Buckwalter, Sarah K Inforzato, Eugene J Gretter, George Karian
  • Patent number: 12219023
    Abstract: A computer system for verifying vehicle software configuration may be provided. The computer system may include a processor and a non-transitory, tangible, computer-readable storage medium having instructions stored thereon that, in response to execution by the processor, cause the processor to: (1) transmit, to a vehicle computing system, an authentication request including a hash algorithm specification; (2) receive, from the vehicle computing system, a current configuration hash value and a vehicle identifier; (3) retrieve a trusted data block from a memory based upon the vehicle identifier, the trusted data block including a stored configuration hash value and a smart contract code segment; (4) execute the smart contract code segment, the smart contract code segment including a failsafe code segment; and/or (5) transmit the authentication response to the vehicle computing system, and cause the vehicle computing system to execute the failsafe code segment.
    Type: Grant
    Filed: February 20, 2023
    Date of Patent: February 4, 2025
    Assignee: State Farm Mutual Automobile Insurance Company
    Inventors: Matthew Lewis Floyd, Leroy Luther Smith, Jr., Brittney Benzio, Nathan Barnard, Shannon Marie Lowry