Patents Examined by Bryan F Wright
  • Patent number: 11711215
    Abstract: Methods, systems, and media for secure authentication of users using one or more biometric recognition systems are provided. In some embodiments, the method comprises: receiving an indication that a biometric identifier is to be used to authenticate a user to a service; receiving (i) the biometric identifier of the user from a capture device and (ii) knowledge-based secondary information associated with the user from an input device; determining a Voronoi cell identifier that corresponds to the biometric identifier; calculating a hash of the Voronoi cell identifier and the knowledge-based secondary information; transmitting the hash to a server device for verification; in response to transmitting the hash to the server device, receiving a response indicating whether the hash matches a previously stored hash that was stored in the server device; and determining whether to automatically authenticate the user to the service based on the response from the server device.
    Type: Grant
    Filed: July 16, 2020
    Date of Patent: July 25, 2023
    Assignee: Google LLC
    Inventors: David Stein, Ryan Vilim, John Wittrock
  • Patent number: 11706030
    Abstract: An authorization method and an authorization system are provided. The authorization method includes displaying, by a service device, authorization information on an e-paper arranged on the service device; obtaining, by a user device, the authorization information from the e-paper; and using, by the user device, the authorization information displayed on the e-paper to perform an authorization operation between the user device and the service device.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: July 18, 2023
    Assignee: VIA Technologies, Inc.
    Inventor: Yaozhong Xu
  • Patent number: 11700239
    Abstract: Various techniques for split tunneling based on content type to exclude certain network traffic from a tunnel (e.g., VPN tunnel) are disclosed. In some embodiments, a system, process, and/or computer program product for split tunneling based on content type to exclude certain network traffic from a tunnel includes monitoring session traffic received at a data appliance; determining if the session traffic is associated with a first content type; and redirecting the session traffic if the session traffic is associated with the first content type based on a policy.
    Type: Grant
    Filed: December 7, 2021
    Date of Patent: July 11, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yongjie Yin, Joby Menon, Andrey Tverdokhleb, Kevin Yao
  • Patent number: 11693931
    Abstract: Novel tools and techniques for an IoT shell are provided. A system includes an internet of things (IoT) device, a database, and a license manager. The database may include one or more sets of authorized licenses, each set of authorized licenses associated with a respective vendor software. The license manager may be in communication with the IoT device and the database, and further include a processor and a non-transitory computer readable medium comprising instructions executable by the processor. The license manager may be configured to receive a request to reserve a license for a first vendor software, determine an availability of the license associated with the first vendor software, register a unique identifier of the IoT device in association with the license, and grant the license to the IoT device.
    Type: Grant
    Filed: September 23, 2022
    Date of Patent: July 4, 2023
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Steven M. Casey, Felipe Castro
  • Patent number: 11671463
    Abstract: A device for processing data, including at least two data interfaces, a first data interface of the at least two data interfaces being designed to at least temporarily exchange first data with at least one first external unit according to a first communication protocol, in particular CAN and/or FlexRay and/or LIN and/or MOST and/or Ethernet, a second data interface of the at least two data interfaces being designed to at least temporarily exchange data with a second external unit and/or the first external unit according to a second communication protocol, which is different than the first communication protocol, the device including a security unit, which is designed to at least temporarily carry out at least one security function with regard to at least one of the at least two data interfaces.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: June 6, 2023
    Assignee: ROBERT BOSCH GMBH
    Inventors: Herbert Leuwer, Janin Wolfinger, Michael Buchalik, Thomas Wollenhaupt, Timo Lothspeich
  • Patent number: 11663323
    Abstract: Techniques for process privilege escalation protection in a computing environment are disclosed. For example, the disclosure describes a system/process/computer program product for process privilege escalation protection in a computing environment that includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: May 30, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yaron Lavi, Eldar Aharoni, Elad Wexler
  • Patent number: 11652797
    Abstract: Systems and methods, in a lightweight connector including a processor communicatively coupled to a network interface, include connecting to a cloud-based system, via the network interface; connecting to one or more of a file share and an application, via the network interface; and providing access to a user device to the one or more of the file share and the application via a stitched connection between the network interface and the user device through the cloud-based system. The systems and methods can further include receiving a query for discovery; and responding to the query based on the one or more of the file share and the application connected thereto.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: May 16, 2023
    Assignee: Zscaler, Inc.
    Inventors: John A. Chanak, Patrick Foxhoven, William Fehring, Denzil Wessels, Kunal Shah, Subramanian Srinivasan
  • Patent number: 11647039
    Abstract: A system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Risks and vulnerabilities associated with user entities may be represented, in part or in whole, by the behavioral analyses and monitoring of those user entities.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: May 9, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11621853
    Abstract: A system and method for protocol independent multi-flow table routing includes a first flow table, a second flow table, and a shared hash table accessible by both the first flow table and the second flow table. Upon receipt of a packet, a first secure signature of a first lookup key is generated for the first flow table, and a second secure signature of a second lookup key is generated for the second flow table. The shared hash table stores both the first secure signature in association with a first value corresponding to the first secure signature, and the second secure signature along with a second value corresponding to the second secure signature. The first and second values indicate destination information for the packet.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: April 4, 2023
    Assignee: Google LLC
    Inventors: Yuhong Mao, Richard Lee Sites, Uday Ramakrishna Naik, Manoj Kasichainula
  • Patent number: 11604861
    Abstract: A method comprises detecting a removable media device being coupled to an external device port of a digital device having an operating system and a file system, authenticating a password to access the removable media device, causing redirection code to be temporarily generated on the digital device, intercepting with the redirection code a data request, determining to allow the data request based on a security policy, allowing the operating system or file system to provide the data based on the determination, detecting the removable media device being removed from the digital device; and terminating the at least a portion of the redirection code.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: March 14, 2023
    Assignee: CUPP Computing AS
    Inventors: Shlomo Touboul, Sela Ferdman, Yonathan Yusim
  • Patent number: 11595207
    Abstract: This disclosure describes methods, non-transitory computer readable storage media, and systems that provide secure password sharing across a plurality of users and client devices via a shared folder. For example, in one or more embodiments, the disclosed system retrieves a public key set including public encryption keys for client devices having access to the shared folder. The disclosed system provides the public key set to a client device requesting to share the shared folder. The disclosed system receives an encrypted payload for the shared folder and a shared encryption key that is utilized to encrypt the payload and is encrypted in the shared folder utilizing the public key set. The disclosed system also detects key rotation events and notifies one or more client devices to generate a modified shared encryption key and re-encrypt the payload for storage within the shared folder.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: February 28, 2023
    Assignee: Dropbox, Inc.
    Inventors: Jiayi Xu, Brent Heeringa, Andrew Hannon, Katherine Prior
  • Patent number: 11563569
    Abstract: A method and an apparatus for controlling a data access right are disclosed. The method includes: receiving, by a first proxy node, a first request message from a request node, where the first request message includes an identity of the request node and an identifier of to-be-accessed data; determining a first encrypted ciphertext on a blockchain based on the identifier; determining, based on the identity, whether the request node has a right to read the first encrypted ciphertext; and if yes, initiating a right verification request for the request node to at least one second proxy node, and determining, based on a feedback result of the at least one second proxy node, provisioning of the first encrypted ciphertext. A proxy node is added to the blockchain network, so that a data source can freely grant or revoke the right of the request node without modifying a ciphertext, ensuring information security.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: January 24, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Ruifeng Hu, Feihu Jiang, Tsz Hon Yuen, Yaoguo Jiang, Haojun Zhou
  • Patent number: 11564098
    Abstract: Provided is a method for changing, by a user equipment (UE), packet data convergence protocol (PDCP) version. The method may include: receiving a security mode command message, which includes a first security algorithm configuration for a PDCP of a first system and a second security algorithm configuration for a PDCP of a second system, from a base station (BS); deriving a first security key for the PDCP of the first system, based on the first security algorithm configuration; when the security mode command message passes an integrity protection check based on the first security key, changing the PDCP version from the PDCP of the first system to the PDCP of the second system; deriving a second security key for the PDCP of the second system, based on the second security algorithm configuration; and transmitting a security mode complete message, based on the second security key, to the BS.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: January 24, 2023
    Assignee: LG Electronics Inc.
    Inventors: Bokyung Byun, Youngdae Lee, Geumsan Jo
  • Patent number: 11558195
    Abstract: A first connected message broadcast from a first vehicle and a second connected message broadcast from a second vehicle are received, each of the first and second connected messages including proof-of-work computed from connected vehicle data regarding a third vehicle. The first and second connected messages are authenticated, responsive to a comparison of the proof-of-work for the third vehicle included in the first connected message and the proof-of-work for the third vehicle included in the second connected message. The connected vehicle data in the first connected message broadcast or second connected message broadcast is utilized for autonomous vehicle operations or driver-assistance vehicle operations, responsive to the proof-of-work being a match.
    Type: Grant
    Filed: February 6, 2020
    Date of Patent: January 17, 2023
    Assignee: Ford Global Technologies, LLC
    Inventors: Francis Obiagwu, John Moore, Soodeh Dadras, Sai Srikar Palukuru
  • Patent number: 11526633
    Abstract: A media exfiltration authorization system is provided. A computer device receives a request from an application on a remote device, wherein the request is to store data on an external storage device. The computing device validates that the application is running in protected space on the remote device and includes an established unique identifier. The computing device generates an encryption key for the external storage device based, at least in part, on the validating. The computing device sends the encryption key to the application with authorization for the application to reformat the external storage device, store the requested data on the external storage device, and encrypt the external storage device using the encryption key.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: December 13, 2022
    Assignee: Kyndryl, Inc.
    Inventors: John J. Auvenshine, Joseph Dawson Davis, III, Khwaja Jawahar Jahangir Shaik
  • Patent number: 11526582
    Abstract: Systems and methods for accessing digital content using electronic tickets and ticket tokens are disclosed. A system can include a user device that includes a processor, a network interface, and memory configured to store an electronic ticket, and a ticket token. A processor can be configured by an application to send a request for digital content and receive a ticket token from a merchant server. A ticket token can be generated by a DRM server and associated with an electronic ticket that enables playback of the requested digital content. A ticket token can be sent to a DRM server. An electronic ticket that enables playback of requested digital content can be received. Digital content associated with the electronic ticket can be requested. Requested digital content can be played back in association with an electronic ticket.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: December 13, 2022
    Assignee: DIVX, LLC
    Inventors: Ben Ziskind, David Smith, Ramon Davila
  • Patent number: 11520910
    Abstract: A system for classifying a data item to communicate to authorized users extracts features from the data item, where the features comprise a responsibility feature and a sensitivity feature. The responsibility feature indicates a job responsibility associated with the data item. The sensitivity feature indicates a sensitivity level of the data item. The system determines, based on the responsibility feature, that the data item belongs to a particular responsibility class. The system determines, based on the sensitivity feature, that the data item belongs to a particular sensitivity class. The system determines whether a user to whom the data item is directed belongs to the particular responsibility class and sensitivity class to which the data item belongs. The system sends the data item to the user, if it is determined that the user belongs to the particular responsibility class and sensitivity class to which the data item belongs.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: December 6, 2022
    Assignee: Bank of America Corporation
    Inventors: Christopher Lee Danielson, Marcus Raphael Matos, Daniel Joseph Serna, Patrick Nicholas Lawrence
  • Patent number: 11523278
    Abstract: A secured communication method for a V2X communication device is disclosed. The secured communication method for a V2X communication device comprises the steps of: receiving at least one message on the basis of V2X communication; extracting adaptive certificate pre-distribution (ACPD) target information when the at least one message includes the ACPD target information; pre-authenticating at least one short-term certificate acquired from the ACPD target information; collecting at least one pre-authenticated short-term certificate to be broadcasted at a specific predicted time at a specific predicted location; and broadcasting an ACPD group (ACPDG) message including the collected at least one pre-authenticated short-term certificate at the specific predicted location at the specific predicted time.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: December 6, 2022
    Assignee: LG ELECTRONICS INC.
    Inventors: Soyoung Kim, Jaeho Hwang
  • Patent number: 11500969
    Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include multiple image files having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may encrypt the code and provide it to a computing device comprising a hardware enclave. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave. The computing device may request a decryption key from an authentication server using a hash of the hardware enclave signed by a processor. The authentication server may provide the decryption key if it verifies the signature and the hash. The computing device may decrypt the code and mark the hardware enclave as non-readable.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: November 15, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Xinyang Ge, Weidong Cui, Ben Niu, Ling Tony Chen
  • Patent number: 11489840
    Abstract: A computerized method of managing a computer remote session operation, comprising providing a server for hosting application execution; configuring a number of predefined user accounts with low security permissions on said server, where said user accounts are not tied to any specific real user; whenever a remote user requests to start a remote session, finding an available user account not currently in use on said computer, allocating it for the remote session and marking it as unavailable for subsequent session requests; generating a one-time password for said user account; communicating the assigned user account identifier and temporary password to a client component on the user's side, either directly or through an intermediate broker; causing the client component to connect to the server using said user account identifier and temporary password; and, upon termination of the remote session, deleting the assigned user account's data and marking it as available again.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: November 1, 2022
    Assignee: CAMEYO INC.
    Inventor: Eyal Dotan