Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing blockchain data. One method includes receiving a request from an application component of a blockchain node to execute one or more software instructions in a trusted execution environment (TEE); determining one or more blockchain node blocks for executing the one or more software instructions; performing error correction coding of the one or more blocks in the TEE to generate one or more encoded blocks; dividing each of the one or more encoded blocks into a plurality of datasets; selecting one or more datasets from each of the one or more encoded blocks; and hashing the one or more datasets to generate one or more hash values corresponding to the one or more datasets for use in replacing the one or more datasets to save storage space of the blockchain node.

Abstract: A computer-implemented method is provided. The method may include determining a behavioral pattern of a user based on historical data access events and historical data access conditions corresponding to the historical data access events, wherein the data access events are associated with a computer enterprise system. A data access request from the user with respect to a secure resource may be received from a computing node connected to the computer enterprise system. A behavioral state of the user may be determined with respect to the data access request and data access conditions corresponding to the data access request. A discrepancy between the behavioral pattern and the behavioral state of the user may be detected. A security risk level may be determined based on the discrepancy. In response to determining that the security risk level exceeds a predetermined threshold, a security action may be performed with respect to the secure resource.

Abstract: Systems and methods of detecting an unauthorized data insertion into a stream of data segments extending between electronic modules or between electronic components within a module, wherein a Secret embedded into the data stream is compared to a Replica Secret upon receipt to confirm data transmission integrity.

Abstract: Systems and methods for providing one or more services to a device are disclosed. The device may be remote from a first network. The one or more services may be associated with the first network.

Abstract: An authentication device that uses biometric authentication includes an acquisition unit configured to acquire first biometric information of a user, a storage unit configured to store second biometric information which is preregistered, a processing unit configured to obtain an authentication determination value based on similarity between the first biometric information acquired by the acquisition unit and the second biometric information stored in the storage unit, and a decision unit configured to decide a service providable to the user based on the authentication determination value and a plurality of thresholds to which different services are respectively assigned.

Abstract: Aspects of the disclosure relate to processing authentication requests to secured information systems using machine-learned user-account behavior profiles. A computing platform may receive an authentication request corresponding to a request for a user of a client computing device to access one or more secured information resources associated with a user account. The computing platform may capture one or more behavioral parameters and activity data associated with one or more interactions with one or more non-authenticated pages. Then, the computing platform may evaluate the one or more behavioral parameters and the activity data using a behavioral profile associated with the user account. Based on this evaluation, the computing platform may identify the authentication request as malicious and may generate and send one or more denial-of-access commands to prevent the client computing device from accessing the one or more secured information resources associated with the user account.

Abstract: Embodiments described herein may be directed to systems, methods, apparatuses, devices, computer program products, computer-executable instructions, and/or applications for providing a remote cloud browsing session. A remote cloud browsing session may receive a request for Internet content from a user device, access the Internet content from an Internet content source, and transmit second Internet content to the user device based on the requested Internet content.

Abstract: A method for generating device identifiers, including: receiving an identifier assignment request; in response to the received identifier assignment request, assigning a device identifier to a device, the device identifier being a unique identifier, wherein the device is to be assigned with the device identifier; and transmitting the device identifier to an identifier recording apparatus, wherein the identifier recording apparatus records the device identifier into the device.

Abstract: In an example system for private key recovery performed by a processor of a key recovery computing system, a key recovery computing system is configured to provide an original private key. The original private key is associated with a storage location of a blockchain-based asset. The key recovery computing system is configured to receive supplemental recovery information provided by a user via a user computing device. A recovery seed is derived from at least a subset of the supplemental recovery information, wherein the recovery seed is non-invertible. The original private key and the recovery seed are stored relationally to the supplemental recovery information. In some embodiments, the processor is further configured to cryptographically protect at least one of the original private key and the recovery seed via a universal second-factor authentication (U2F) device.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing blockchain data. One method includes receiving a request from an application component of a blockchain node to execute one or more software instructions in a trusted execution environment (TEE); determining one or more blockchain node blocks for executing the one or more software instructions; performing error correction coding of the one or more blocks in the TEE to generate one or more encoded blocks; dividing each of the one or more encoded blocks into a plurality of datasets; selecting one or more datasets from each of the one or more encoded blocks; and hashing the one or more datasets to generate one or more hash values corresponding to the one or more datasets for use in replacing the one or more datasets to save storage space of the blockchain node.

Abstract: An identity profile of a user is tracked using previous message communications of the user. A message identified as potentially from the user is received. The identity profile of the user is identified and obtained. Information is extracted from a header of the received message. A security risk assessment of the received message is determined at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user. A security action is performed based on the determined security risk assessment.

Abstract: A novel method for stateful packet classification that uses hardware resources for performing stateless lookups and software resources for performing stateful connection flow handshaking is provided. To classify an incoming packet from a network, some embodiments perform stateless look up operations for the incoming packet in hardware and forward the result of the stateless look up to the software. The software in turn uses the result of the stateless look up to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification.

Abstract: A method includes generating a core record identification (ID) associated with an electronic document. A processor sets one or more access rules indicative of whether the electronic document may be edited after saving the document. The one or more access rules are associated with at least one administrator ID of an administrative user. The method further includes determining, based on a core record ID, whether or not to obtain the electronic consent of a consenting party. The processor evaluates whether the first consenting party ID must provide an electronic consent to the electronic document based on one or more organization consent rules indicative of i) whether consent is required for each access of the computing resource, and ii) whether per-user consent or organizational consent is required. The processor provides access to the computing resource based at least in part on the first consenting party and the core record ID.

Abstract: The disclosed embodiments relate to systems and methods for secure and efficient resource access using distributed directory caching techniques. Techniques include obtaining, from a directory service, client directory data associated with a client; providing the client directory data to a computing device associated with the client for caching on the computing device; identifying a request from the client; receiving, from the computing device, the client directory data that was cached on the computing device; and evaluating the request based on the received client directory data.

Abstract: A set of certificates are received at a gateway device from a management server, where each one of the certificates was generated by the management server upon determination that the gateway device is associated with a respective wireless sensing device (WSD). The gateway device receives from a first WSD an advertisement message indicating it is available for connecting to a gateway device. In response to confirming based on a first certificate of the set of certificates associated with the first WSD, that it is authorized to connect to the WSD, the gateway device transmits to the first WSD the first certificate and an identifier of the gateway device for enabling authentication of the gateway device at the WSD. The gateway device receives data from the first WSD, upon confirmation at the WSD that it is authorized to connect with the gateway device.

Abstract: A system and method are provided for setting access controls for a content item, the method comprising receiving a content item generated in association with a first online profile, determining contextual information associated with the content item, identifying, based on the determined contextual information, a second online profile associated with the content item, obtaining a first access control policy of the first online profile and a second access control policy of the second online profile, wherein each of the first access control policy and the second access control policy is associated with controlling access to the content item, determining, based on the obtained first access control policy and the second access control policy, a third access control policy for controlling access to the content item, and controlling access to the content item based on the determined third access control policy.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for program execution and data proof scheme to prove that sub-logic code that was expected to be executed within a TEE was indeed executed, and that the resulting data is trustworthy. In some implementations, each sub-logic code of a plurality of sub-logic code is registered, and stored within the TEE, and a key pair (private key, public key) corresponding to the sub-logic code is generated. The client receives and stores the public key, sends requests to the TEE with an identifier of the sub-logic that is to be executed. The sub-logic code corresponding to the identifier is executed within the TEE, which signs the result using a digital signature that is generated using the private key of the sub-logic code. The client verifies the result based on the digital signature and the public key of the sub-logic code.

Abstract: A method and system for automatically terminating access or initiating a logout session for a restricted access system by determining that an authorized user has left the vicinity of the restricted access system. The authorized user preferably carries a wireless transmitter which transmits an authorization signal. When the authorized user leaves the vicinity of the restricted access system after logging in, the signal is no longer received by a wireless receiver or too weak of a signal, such that an access control system in communication with the wireless receiver automatically causes the restricted access system to initiate a logout action in order to prevent or reduce the chance of an unauthorized user gaining access to the restricted access system. In one embodiment the signal strength from the authorization signal at the time of logon is used as a baseline signal strength for future calculations that determine when to initiate an automatic termination of access to the restricted access system.

Abstract: Example methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to implement contextual key management for data encryption are disclosed. Example apparatus disclosed herein to perform contextual encryption key management, which are also referred to herein as contextual key managers, include an example context discoverer to discover context information associated with a request to access first encrypted data. Such disclosed example apparatus also include an example contextual key mapper to identify a combination of context rules associated with a key that is to provide access to the first encrypted data, validate the context information associated with the request based on the combination of context rules associated with the key to determine whether the request to access the first encrypted data is valid, and obtain the key from a key management service when the request to access the first encrypted data is valid.