Abstract: A system and method provide access to a remote resource locally by requesting content from an original address and receiving a first requested content and a first redirect uniform resource locator in response. The first redirect uniform resource locator reroutes the navigation from the original address requested to a redirect destination address that serves an access token. The system and method unlock access to a second application programming interface in response to validating the access token served by the redirect destination address and receives a second requested content and a second redirect uniform resource locator in response to transmitting the access token to the original address. The second redirect uniform resource locator transfers a user to an environment residing at an address different from the original address and the redirect destination address.

Abstract: Code injection is a type of security vulnerability in which an attacker injects client-side scripts modifying the content being delivered. A sanitizer function may provide defense against such attacks by removing certain characters (e.g., characters causing state transitions in HTML). A string sanitizer may be modeled in order to determine its effectiveness by obtaining data flow information indicating string operations that used an input string or information derived therefrom, including a string sanitizer function. A deterministic finite automata representing string values of the output parameter may be generated based on a graph generated from the data flow information, where the automata accepts possible output string values of the sanitizer. It can be determined whether there is a non-empty intersection between the automata for the sanitizer output and an automata representing a security exploit, which would indicate that the sanitizer function is vulnerable to the exploit.

Abstract: A method for detecting security based on machine learning in combination with rule matching is provided, including: establishing a machine learning model; training the machine learning model by using a labeled legal traffic and a labeled malicious traffic; collecting a network traffic; preprocessing the collected network traffic; detecting a malicious traffic from the preprocessed network traffic by using a rule-matching-based method; identifying a malicious traffic from the preprocessed network traffic by using the trained machine learning model, including: extracting a feature of the preprocessed network traffic, and identifying the malicious traffic based on the extracted feature by using the trained machine learning model; and integrating the malicious traffic detected by the rule-matching-based method and the malicious traffic identified by the trained machine learning model.

Abstract: Systems, methods, and processing devices for aiding with cyber intrusion investigations that includes capabilities for extracting data from a specified range of a volatile memory of a target processing device, reconstructing data structures and artifacts from the extracted data; and generating and presenting a visualization of the reconstructed data structures and the reconstructed artifacts.

Abstract: The present disclosure provides an identity authentication method, a personal security kernel node, a device, and a medium. The personal security kernel node is part of an identity authentication system, the identity authentication system further comprising a relying party node and a user identity credential certifier node. The method includes: obtaining an identity authentication assurance level corresponding to a service provided by a relying party; determining, according to the identity authentication assurance level, a user identity credential used by a user for the service; transmitting the user identity credential to a user identity credential certifier node through a relying party node, so that the user identity credential certifier node performs user identity credential authentication; and performing the service with the relying party node. According to the embodiments of the present disclosure, security of user identity assets can be improved during identity authentication.

Abstract: Aspects of the subject disclosure may include, for example, receiving, from a computing device, a validation request for validating an individual associated with a mobile device equipped with an authentication app communicatively coupled with an authentication system, obtaining request data from a user validation system, enabling, using the request data, the computing device to communicate with the user validation system to facilitate the validation, wherein the validation involves the user validation system triggering the authentication system to provide access information to the computing device, the authentication system authenticating the individual/mobile device, the authentication system providing, to the user validation system, identification information of the individual based on the authenticating, and the user validation system determining a validation result based on data relating to the identification information.

Abstract: A method includes receiving, from a user device, a request to store data in a computer storage medium. The method includes generating a local encryption key for a user of the user device. The method includes providing the local encryption key to the user of the user device. The user maintains the local encryption key separate from the user device. The method includes generating a storage encryption key for encrypting the data for storage in the computer storage medium. The method includes encrypting the data with the storage encryption key to generate encrypted data. The method includes encrypting the storage encryption key with the local encryption key to generate an encrypted storage encryption key. The method includes transmitting the encrypted data and the encrypted storage encryption key to the computer storage medium. The method includes removing the storage encryption key and the encrypted storage encryption key from the user device.

Abstract: According to various embodiments, a data processing device is described comprising a memory configured to store data words in the form of at least two respective shares, a logic circuit configured to receive the at least two shares of at least one of the data words and to process the shares to generate at least two shares of a result data word, a remasking circuit configured to receive at least two shares of at least one of the data words and refresh the shares and an output circuit configured to store the at least two shares of the result data word or to store the refreshed at least two shares depending on a control sequence specifying a sequence of real operations and dummy operations.

Abstract: Embodiments of PUF systems are disclosed. Embodiments of such PUFs may be operated in the classical domain or the quantum domain, and moreover, may comprise substantially the same circuitry, and operate substantially the same, when operating in the classical domain or the quantum domain. Additionally, embodiments of such PUF systems may be effectively utilized to generate uniquely identifying signatures for electronic devices based on electronic circuity, photonic circuitry or some combination of electronic and photonic circuitry and may be utilized to generate such signatures for such electronic devices regardless of whether such electronic device themselves operate in the classical or quantum domain.

Abstract: There is provided a computer implemented method of operating a security interface deployed within a target computing environment for controlling access to email-data, comprising: receiving, via the security interface deployed within the target computing environment, a request from a service computing environment for accessing email-data of the target computing environment, accessing, by the security interface, email-data of the target computing environment obtained from an email provider interface providing email services to the target computing environment, applying a filter to the email-data to generated filtered email-data, and providing the filtered email-data, by the security interface, to the service computing environment, wherein access to the email-data prior to application of the filter by the service computing environment, is blocked.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of, responsive to establishing a connection with a user device having a user associated with a tenant and obtaining policy for the user, monitoring traffic between the user device and the Internet where the monitoring is at a middle location, inline between the user device and an endpoint; responsive to the traffic being encrypted as a tunnel, performing one or more operations to enable accessing the encrypted traffic; analyzing the traffic based on the policy, including at least checking for malicious traffic and Data Loss Prevention (DLP) for the tenant; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Directly accessing and organizing data sets from a data warehouse including receiving, by a data analyzer, a request from a service provider client instructing the data analyzer to retrieve a data set from a service provider data warehouse, wherein the service provider client is a client of a service provider, wherein the service provider data warehouse stores data sets for the service provider, and wherein the service provider client accesses the data analyzer and the service provider data warehouse without providing credentials; retrieving, by the data analyzer, the data set directly from the service provider data warehouse using credentials provided by the service provider; organizing, by the data analyzer, the data set into a worksheet; and presenting, by the data analyzer to the service provider client, the worksheet comprising the data set.

Abstract: A method of authenticating User Equipment (UE) to a wireless telecommunications network, wherein the UE is subscribed to a first wireless telecommunications network, and authenticating being performed so as to subscribe the UE to a second wireless telecommunications network, and wherein there is an absence of a roaming capability between the first wireless telecommunications network and the second wireless telecommunications network for the UE, the method including generating, at the first wireless telecommunications network, a network key for authenticating the UE at the second wireless telecommunications network; loading the generated network key to the second wireless telecommunications network; subsequently communicating the generated network key to the UE from the first wireless telecommunications network; and authenticating the UE at the second wireless telecommunications network by communicating the network key from the UE to the second wireless telecommunications network, thereby to permit the UE to s

Abstract: A method includes generating, by a computing device, SSID aliases; propagating, by the computing device, the SSID aliases to access points; receiving, by the computing device, data from an access point, the data including a selected SSID alias and a media access control (MAC) address of a user device; creating, by the computing device, a record containing the selected SSID alias and the MAC address of the user device; propagating, by the computing device, the selected SSID alias to remaining access points; and sending, by the computing device, a message to the access points to delete the selected SSID alias after a time period.

Abstract: A vehicle communication system, including plural control devices configured to carry out communication with one another, wherein a transmitting device and a receiving device each include a memory and a processor. The processor at the transmitting device generates first authentication information based on a message and the encryption key, and in a case in which there is an abnormality at the encryption key, transmits the predetermined authentication information and the message to the receiving device. The processor at the receiving device generates second authentication information based on the encryption key and the received message, collates the first authentication information and the second authentication information, and authenticates the message, and in a case in which, after starting-up of the receiving device, authentication has not succeeded even once, and the received first authentication information and the predetermined authentication information match, accepts the received message.

Abstract: Various embodiments are disclosed for self-authorized identification and services, and applications therefor. A computing device may generate a public-private key pair and a self-authorizing identifier (SAID), a byte string that is globally unique and immutable to the computing device. A remote service implementing a blockchain protocol may store a public key of the public-private key pair in a distributed blockchain ledger, which is used to authenticate the computing device in various network-based communications, and encrypt or decrypt such communications. An enclave service may be employed to asynchronously send messages between computing devices. The computing device may have an isolated environment that permits collaboration applications to execute therein, as well as an actallet that permits distribution applications not executing in the isolated environment to access the SAID or data pertaining thereto.

Abstract: A rootkit detection system and method analyzes memory dumps to determine connections between intercepted system driver operations requested by unknown files and changes in system memory before and after those operations. Memory dump differences and I/O buffers are analyzed with machine learning models to identify clustered features associated with rootkits.

Abstract: A method used in an on-board network system, having electronic controllers that exchange messages and a fraud-detecting electronic controller. The method includes receiving an inquiry for a vehicle status indicating whether a vehicle in which the fraud-detecting electronic controller is installed is running from an external device, transmitting the vehicle status to the external device, and determining whether a message transmitted conforms to fraud detection rules. The method also includes receiving from the external device the delivery data, including updated fraud detection rules and network type information indicating a network type that the updated fraud detection rules are to be applied. The method further includes determining whether the vehicle is running, and whether the network type information indicates a drive network that is connected to an electronic controller related to travel of the vehicle.

Abstract: Techniques are described for providing session management functionalities using an access token (e.g., an Open Authorization (OAuth) access token). Upon successful user authentication, a session (e.g., a single sign-on session) is created for the user along with a user identity token that includes information identifying the session. The user identity token is presentable in an access token request sent to an access token issuer authority (e.g., an OAuth server). Upon receiving the access token request, the user identity token is parsed to identify and validate the session against information stored for the session. The validation can include various session management-related checks. If the validation is successful, the token issuer authority generates the access token. In this manner, the access token that is generated is linked to the session. The access token can then be used by an application to gain access to a protected resource.

Abstract: Embodiments of the invention relate to methods, apparatus and systems for biometric processes. The methods include updating stored ear model data for a user following successful authentication of the user. The ear model data may be acquired using a personal audio device that generates an acoustic stimulus and detects a measured response. The acquisition of the ear model data may be responsive to a determination that the personal audio device is inserted into or placed adjacent to the user's ear. The acquisition of the ear model data may also be responsive to the determination that the personal audio device has not been removed from or moved away from the user's ear.