Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for proximity-based access. In some implementations, a computing device detects an attempt to access the computing device while the computing device is in a secured state. In response to detecting the attempt to access the computing device, the computing device sends a first message to a server system over a network. After sending the message, the computing device receives a second message from the server system over the network, the second message comprising authentication data for the computing device. The computing device determines that a mobile device that was previously designated as an authentication factor for accessing the computing device is located within a predetermined level of proximity of the computing device, and the computing device grants access to the computing device.

Abstract: When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.

Abstract: A method includes providing an initial communication, by an access device to a user device. The access device can receive the user identifier and the access token and receive a secret associated with the user. The access device can determine, using the user identifier and/or the access token, if the transaction is authorized by an authorizing entity computer associated with the access device or by an authorizing entity not associated with the access device. If the transaction is authorized by the authorizing entity computer associated with the access device, the access device can transmit an authorization request message comprising the user identifier, the secret, and the access token to the authorizing entity computer. The authorizing entity computer validates the secret, retrieves a real credential of the user using the user identifier, and authorizes the transaction.

Abstract: A computer-implemented method includes identifying behavioral characteristics of a user related to operation of a computing device prior to an online account session. The method includes comparing the behavioral characteristics to a behavioral profile previously developed based on prior behavioral characteristics of the user, and determining an appropriate mark difficulty level based on a variation between the behavioral characteristics and the behavioral profile. The method includes selecting, from a plurality of prompts stored in a prompt database, a prompt that comprises instructions to draw a mark having the appropriate mark difficulty level, where other prompts of the plurality of prompts comprise instructions to draw other marks different from the mark, and providing the prompt to the user as part of a logon process for the online account session.

Abstract: Disclosed herein is a system for predicting, given a pattern of triggered alerts, a next alert in order to identify malicious activity that is about to occur on resource(s) being monitored by a security operations center. A resource can include a server, a storage device, a user device (e.g., a personal computer, a tablet computer, a smartphone, etc.), a virtual machine, networking equipment, etc. Accordingly, the next alert is speculatively triggered in advance and a security analyst can be notified of a pattern of activity that is likely to be malicious. The security analyst can then investigate the pattern of triggered alerts and the speculatively triggered alert to determine whether steps to mitigate the malicious activity before it occurs should be taken.

Abstract: A sender device can determine that data associated with an application is to be sent to a service via a network. The sender device can generate resource queries directed to at least two participant devices and receive responses indicating whether each of the participant devices has a resource available to host a virtual network function (“VNF”). The sender device can generate commands directed to security interface applications executed by the participant devices. The commands can instruct the participant devices to instantiate the VNFs. The sender device can partition the data into data partitions directed to the participant devices. The sender device can send the data partitions to the VNFs of the participant devices. The VNFs can forward the data partitions to a network access device that can combine the data partitions and send the data to the service via the network.

Abstract: Systems and methods for device registration and authentication are disclosed. In one embodiment, a method for authentication of a device may include (1) receiving, at a mobile device, a first credential; (2) transmitting, over a network, the first credential to a server; (3) receiving, from the server, a first key and a first value, the first value comprising a receipt for the first credential; (4) receiving, at the mobile device, a data entry for a second credential; (5) generating, by a processor, a second key from the data entry; (6) retrieving, by the mobile device, a third credential using the first key and the second key; (7) signing, by the mobile device, the first value with the third credential; and (8) transmitting, over the network, the signed third value to the server.

Abstract: A method for securing transmission of digital data in a communication network comprising a central station or a terminal and at least one device monitored by the central station via the communication network. The at least one device is configured to produce and to transmit a digital data stream to the central station or terminal. The at least one device further comprises a secure non-volatile memory for storing at least device specific information. The at least one device forms a data block based on at least the device specific information stored in the secure memory. The data block thus formed may compose additional data to be merged with the digital data stream produced by the at least one device. A modified digital data stream results from this merging operation and is transmitted by the at least one device to the central station or terminal.

Abstract: Described herein are improved systems and methods for provisioning of private computer networks and application software as well as providing private SaaS.

Abstract: Some embodiments use text and/or image processing methods to determine whether a child is transmitting confidential information to a conversation partner via an electronic messaging service. Some embodiments detect whether an image transmitted as part of an electronic message shows a bank card, a social security card, or an identity document, among others. When detecting such a situation, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.

Abstract: A privacy filter for internet of things (IOT) devices and can include a processor, a profile resource, a device interface, an external network interface, and a storage having instructions for filtering processes and encoding processes (e.g., appropriate processes of a software development kit (SDK)). The privacy filter can receive a payload comprising audio content from a connected device; obtain filter criteria for the connected device; identify portions of the payload satisfying the filter criteria; and affect audio of the audio content corresponding to the identified portions of the payload. after affecting the audio, the privacy filter can reassemble the payload according to an IOT provider SDK and can communicate the reassembled payload to an IOT provider service.

Abstract: Systems, devices, methods, and computer readable media are provided in various embodiments relating to generating a dynamic challenge passphrase data object. The method includes establishing, a plurality of data record clusters, representing a mutually exclusive set of structured data records of an individual, ranking the plurality of feature data fields based on a determined contribution value of each feature data field relative to the establishing of the data record cluster, and identifying, using the ranked plurality of feature data fields, a first and a second feature data field of the plurality of feature data fields. The method includes generating the dynamic challenge passphrase data object, wherein the first or the second feature data field is used to establish a statement string portion, and a remaining one of the first or the second feature data field is used to establish a question string portion and a correct response string.

Abstract: The embodiments of the present disclosure relate to information processing technology and provide a method for identity authentication, capable of effectively improving security and accuracy in identity authentication. The method includes: receiving an authentication request transmitted from a client, the authentication request carrying identity authentication information of a user; authenticating the identity authentication information; collecting behavior characteristic information related to the user in a number of dimensions when the identity authentication information is determined to be valid; matching and recognizing an identity of the user by comparing the collected behavior characteristic information with original characteristic information in the respective dimensions. The embodiments of the present disclosure can be applied in a process for user identity authentication.

Abstract: This document describes techniques (400, 500, 600) and apparatuses (100, 700) for implementing sensor-based near-field communication (NFC) authentication. These techniques (400, 500, 600) and apparatuses (100, 700) enable a computing device (102) to detect, in a low-power state, environmental variances indicating proximity with an NFC-enabled device (104) with which to authenticate. In some embodiments, various components of a computing device (102) in a sleep state are activated to process environmental variance(s), perform authentication operations, and/or an indicate initiation of authentication operations to a user.

Abstract: A system for securing a content processing pipeline includes a computing platform having a hardware processor and a memory storing a software code. The hardware processor executes the software code to insert a synthesized test image configured to activate one or more neurons of a malicious neural network into a content stream, provide the content stream as an input stream to a first processing node of the pipeline, and receive an output stream including a post-processed test image. The hardware processor further executes the software code to compare the post-processed test image in the output with an expected image corresponding to the synthesized test image, and to validate at least one portion of the pipeline as secure when the post-processed test image in the output matches the expected image.

Abstract: A method of communicating with a remote server via a client, the method comprises the steps of: allowing encapsulated data to be transmitted from the client and towards a remote server via a VPN; attempting to gain access to, or to increase access to, a private network with unencapsulated data and outside of the VPN; identifying a captive portal that restricts access to the private network; allowing receipt of signaling with unencapsulated data outside of the VPN that causes an authentication server associated with the captive portal to permit access or increase access to the private network; and transmitting encapsulated data from the client to the remote server via the VPN and over the private network after the authentication server grants access to the private network.

Abstract: A set of distance measurable encrypted feature vectors can be derived from any biometric data and/or physical or logical user behavioral data, and then using an associated deep neural network (“DNN”) on the output (i.e., biometric feature vector and/or behavioral feature vectors, etc.) an authentication system can determine matches or execute searches on encrypted data. Behavioral or biometric encrypted feature vectors can be stored and/or used in conjunction with respective classifications, or in subsequent comparisons without fear of compromising the original data. In various embodiments, the original behavioral and/or biometric data is discarded responsive to generating the encrypted vectors. In another embodiment, distance measurable or homomorphic encryption enables computations and comparisons on cypher-text without decryption of the encrypted feature vectors. Security of such privacy enabled embeddings can be increased by implementing an assurance factor (e.g.

Abstract: An example computing device includes a processor to establish a secure connection with a companion device via a companion service application executable by the processor. The processor is also to receive a local credential and a remote credential from the companion device via the companion service application. The processor is further to monitor an aspect of the computing device via an agent application executable by the processor. In response to detecting a non-compliance event via the agent application, the processor is to transmit a notification to the companion device via the agent application using the local credential, the remote credential, or a combination thereof.

Abstract: The least-privilege permission needed for an identity, such as a user account, application, user group, or process, to access a resource of a tenant of a cloud service is determined from a predicted future resource usage. The predicted future resource usage is based on the resource usage history of an identity, the resource usage history of similar identities and the resource usage history of its peers. Similar identities are determined from node embeddings of a graph that represents the assigned permissions of an identity to a resource and the usage activity at a resource. The permissions needed to perform the predicted future resource usage is compared with the current permission assignments to determine the bare minimum permission that an identity needs for its ongoing and future workflow.

Abstract: Methods, systems, and computer-readable media for processing policy variance requests in an enterprise computing environment are presented. A computing platform may receive, from a first endpoint computing device, a request for a first policy variance. In response to receiving the request, the computing platform may authenticate the first endpoint computing device based on enrollment information and may validate contents of the request. Subsequently, the computing platform may generate a policy variance result message based on approval or rejection of the request for the first policy variance. Then, the computing platform may send, to the first endpoint computing device, the policy variance result message. By sending the policy variance result message to the first endpoint computing device, the computing platform may cause the first endpoint computing device to execute a policy action corresponding to the approval or rejection of the request for the first policy variance.