Abstract: A system that uses an enriched token to dynamically authorize and/or manage access to endpoint(s). The enriched token defines a scope of access with respect to the endpoint(s) and may be generated based at least in part on user context information obtained from an identity provider.

Abstract: A secure digital network environment is provided by integrating OTP keys as part of quantum-safe data systems solutions (QPN Solutions), including the use of one-time-pad (OTP) keys to encrypt data, support multi-factor authentication and secure all communications between devices in the secure digital network environment. The OTP keys are “pre-loaded” to endpoint (EP) devices to render them quantum-safe (QS) when connected into the secure digital network environment, or are otherwise provided through removable media to be loaded into user supplied appliances, devices and accessories to render them QS when connected into the secure digital network environment. The application of QPN Solutions refers to the application of QPN enabled technologies to provide a secure digital network environment includes risk assessment and management solutions for establishing and managing cyber security insurable risks and policies.

Abstract: A computer-implemented method is disclosed. The method includes: authenticating a user for login to a service for a first authenticated user session; in response to authenticating the user, sending, to a client device associated with the user, a first data string associated with a first validity period; receiving, from the client device after expiry of the first authenticated user session, a data access request to access protected data, the data access request including the first data string; validating the first data string based on checking the first validity period; and in response to determining that the first data string is valid, transmitting, to the client device, a data access response including at least a subset of the requested protected data.

Abstract: A method for a computer to execute an item of software including, the software including one or more security modules. At at least one point during execution of the item of software at which a predetermined function is to be performed, a request is sent to an address system for carrying out the predetermined function, the request including an identifier of the predetermined function. In response to the request, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the one or more security modules is received from the address system. The address is based, at least in part, on the identifier and verification data provided to the address system from at least one of the security modules. Execution of the item of software is then continued at the address received from the address system.

Abstract: Some implementations of the disclosed systems, apparatus, methods and computer program products may provide for chatbots configured to perform tasks requiring end user identification on behalf of users. Such a chatbot may be authenticated through tokens with custom claims. The custom claims may include identifying or authenticating tokens received by the chatbot or server system and the chatbot may create and/or provide such tokens for authentication. The custom claim may be configured to provide user identifying data, allowing for the chatbot to be provided with end user credentials. Accordingly, chatbots may be utilized to perform sensitive tasks that require user credentials while continuing to provide security for users.

Abstract: The invention provides a rules engine that evaluates, modifies, and dynamically routes inputs to AI models based on provider restrictions and management rules. Provider restrictions are stored. Based on management rules and the detected provider restrictions, the input can be modified with contextual placeholders and prompts can be injected for input into the destination model. Reversal of the modifications can occur to the outputs. The system can notify the user, an administrator, and a supervisor regarding the security evaluation and remedial actions. The evaluations can be logged for auditing purposes.

Abstract: A system and method for a computer to execute an item of software. The computer executes security modules, each performing a respective security-related operation. The computer executes the item of software and, at a point during execution of the item of software at which a predetermined function is to be performed, the computer attempts to perform the predetermined function by sending, to an address system, a request message, including and identifier of the predetermined function, for an address of instructions for carrying out the predetermined function. In response to the request message, the computer receives, from the address system, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the plurality of security modules. Execution is the continued at the address received from the address system.

Abstract: This disclosure relates to, among other things, scalable data processing, storage, and/or management systems and methods. Certain embodiments disclosed herein provide for a data management architecture that allows for more secure storage of enterprise data, making it more secure, usable, and/or interoperable, facilitating data usage across information silos. Further embodiments provide for comprehensive data access authentication and/or authorization functionality between various services included in embodiments of the disclosed architecture.

Abstract: Systems, methods, and storage media for assessment of identity resources in an identity infrastructure are disclosed. Exemplary implementations may: assess the identity infrastructure with at least one discovery agent element; identify, by the at least one discovery agent element, one or more infrastructure elements within the identity infrastructure; intercept, by the at least one discovery agent element, first network traffic in the identity infrastructure; assess, by the at least one discovery agent element, at least one of a status and a structure of the identity infrastructure; and report, by the at least one discovery agent element, at least one of the status and the structure of the identity infrastructure to one or more of an administrator and a centralized server.

Abstract: There is provided a method of determining an order of encrypted inputs, including a first encrypted input and a second encrypted input, using at least one processor, the first encrypted input including a first encrypted data and the second encrypted input including a second encrypted data, each of the first and second encrypted data being encrypted based on a homomorphic encryption scheme, the method including: generating a first series of encrypted blocks from the first encrypted data and a second series of encrypted blocks from the second encrypted data; performing a first block-wise operation between the first series of encrypted blocks and the second series of encrypted blocks to obtain a first series of block-wise outputs; performing a second block-wise operation between the first series of encrypted blocks and the second series of encrypted blocks to obtain a second series of block-wise outputs; and determining an order of the first and second encrypted data based on the first series of block-wise outpu

Abstract: A system and method is provided to allow access to centralised patient data captured from a medical device across an open network to a third party. The system and method receives the request based upon patient-specific information, checks the request and allows access if the request matches stored information.

Abstract: A method, system, and computer program product for frictionless mutual authentication of unsolicited communications may detect an incoming communication. A verification interface may be displayed on a consumer device. On the consumer device, a first valid verification may be received via the verification interface. In response to receiving the first valid verification, a challenge interface may be presented to an enterprise device. On the enterprise device, a second valid verification may be received via the challenge interface. In response to receiving the second valid verification, a verification credential may be presented to both the consumer device and the enterprise device. A connection for the incoming communication may be established between the consumer device and the enterprise device.

Abstract: Methods and system for managing partial private keys for cryptography-based, storage applications used in blockchain operations and/or facilitating secure authentication when conducting blockchain operations using cryptography-based, storage applications. For example, the methods and system may perform a plurality of blockchain operations for digital assets stored in a first cryptography-based, storage application, wherein the first cryptography-based, storage application corresponds to a first partial private key, and wherein the first partial private key is stored on a first user device, and wherein the second partial private key is not accessible to platform service facilitating the first cryptography-based, storage application.

Abstract: Systems and methods for periodically modifying data privacy elements are provided. The systems and methods may identify a set of data privacy elements. A data privacy element can characterizes a feature of a computing device and can be detectable by a network host. A first artificial profile can be generated by modifying a first data privacy element based on an artificial profile model that defines a relationship associated with one or more constraints between the set of data privacy elements. Subsequent to generating the first artificial profile, a second artificial profile can be generated by periodically modifying a second data privacy element in accordance with the relationship defined by the artificial profile model. The computer device can be masked from being identified by the network host by sending the second artificial profile including the second data privacy element to a requested network location.

Abstract: Methods of referencing row access policy (RAP) protected mapping tables in a RAP for a data table are disclosed herein. An example method of referencing a mapping table in a data table using nested RAP includes defining, by a processing device, a first access policy for the mapping table to control access by specific users or under specific conditions. The processing device further defines a second access policy attached to the data table referencing the mapping table. The processing device in response to a query, executes the second access policy of the data table to provide a response or operation of data associated with the data table and the mapping table. Executing the second access policy invokes executing the first access policy of the mapping table. The executing of both the second access policy of the data table and the first access policy of the mapping table are recorded.

Abstract: Aspects of a storage device are provided that perform partial decryption of host encrypted data and encryption of host provided data using received or generated keys for data targeted for compute services. The storage device may include a non-volatile memory and a controller. The controller may receive encrypted data, receive a key associated with a portion of the encrypted data, and decrypt the portion of the encrypted data based on the key without decrypting a remainder of the encrypted data. The controller may also receive data, receive or generate a key associated with a portion of the data, encrypt the portion of the data based on the key without encrypting a remainder of the data based on the key, and store the encrypted portion of the data in the non-volatile memory for subsequent decryption. As a result, a balance between encrypted data storage and decrypted data security may be achieved.

Abstract: Embodiments of this application provide a face recognition method and apparatus, including: obtaining TOF data; processing the TOF data into a TOF image in a TEE; and performing face recognition by using the TOF image, to obtain a recognition result. Because the TOF data is used for face recognition, higher security is achieved. Implementation in the TEE can further improve the security.

Abstract: Systems and methods of dynamic management of private data during communication between a remote server and a user's device, including receipt of a request for retrieval of at least one data packet from the user's device, wherein the user's device is configured to provide a response corresponding to the received request, determination of at least one communication data type of the at least one data packet corresponding to the received request, receipt of a privacy preference for the user's device, wherein the privacy preference comprises a list of allowed data packet communication types for sharing during communication, modification of data packets corresponding to requests for sharing of responses that are not compatible with the received privacy preference and maintenance of communication between the remote server and the user's device, with sharing of the modified data packet.

Abstract: The present invention provides an integrated, context-aware, security system that provides an adaptive endpoint security agent architecture model for a continuously monitoring and recording activity across an enterprise, specifically monitoring activity on endpoints, and subsequently detecting and blocking any malicious processes that may otherwise invade the enterprise and cause issues. The endpoint security agent architecture exposes a well-defined, public interface to the event data generated by the endpoint security agent in the form of a custom programming language by which a user can define the logic that the endpoint security agent executes in response to event data to perform detection of and response to suspicious activity.

Abstract: A method for communicating over a wireless network includes broadcasting, by a Multi-Link Device (MLD) device, service data indicative of one or more services for wireless communication with a client device; wherein the service data indicates that a service type is differentiated based on a type of the client device; establishing a security association with the client device; and in response to establishing a security association with the client device, granting access by the client device to a subset of the one or more services based on the type of the client device.