Patents Examined by Christopher Revak
  • Patent number: 10931717
    Abstract: A secure mobile financial transaction is provided by receiving, over a communication network, a list of protection mechanisms available for implementation by an external terminal. Security-related data is received from one or more sensors and an attack signature is computed based on the security-related data. An appropriate security policy is selected from multiple security policies stored in a database based on the list of protection mechanisms and the attack signature. A secure communication session is established between the external terminal and an internal network component according to the selected security policy. A data message associated with a mobile financial transaction is communicated over the communication network during the communication session.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: February 23, 2021
    Assignee: American Express Travel Related Services Company, INC.
    Inventor: Samuel A. Bailey, Jr.
  • Patent number: 10924280
    Abstract: A method of using a digital notary in distributed ledger technology for block construction and verification is disclosed that comprises creating, via a birth block creator server in a network, a birth block comprising electronic device information associated with an electronic device and an instruction set. The method also comprises confirming, by a digital notary server in the network, that the instruction set was built in trust and adding, by the digital notary server, a digital notary component to the birth block in response to the confirmation. The method further comprises creating a subsequent block for the electronic device that comprises the instruction set and the digital notary component, validating the subsequent block based on the digital notary component without consensus from a plurality of consensus servers in the network, and storing the subsequent block in response to the validation.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: February 16, 2021
    Assignee: Sprint Communications Company L.P.
    Inventors: Mark R. Bales, Ronald R. Marquardt, Lyle W. Paczkowski
  • Patent number: 10917243
    Abstract: Apparatus and methods are described to provision a compute node in a plurality of compute nodes to a requestor, comprising receiving an anonymised access token from a provider of the compute nodes, requesting identities of a subset of compute nodes in the plurality of compute nodes, selecting at least one compute node in the subset of compute nodes, providing the anonymised access token to a secure enclave of the selected at least one compute node, providing an anonymised identity of the requestor to the secure enclave and validating use of the anonymised identity with the access token.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: February 9, 2021
    Assignee: Arm IP Limited
    Inventor: Milosch Meriac
  • Patent number: 10911462
    Abstract: Embodiments disclose a method and a device for controlling access to data in a network service provider system. In the embodiments, when a received access request of accessing data in the network service provider system is a user access instruction, data requested by the user access instruction may be acquired from network service provider-usable data or network service provider-unusable data in the network service provider system, or when a received access request of accessing data in the network service provider system is a non-user access instruction sent by the network service provider system, data requested by the non-user access instruction is acquired from only network service provider-usable data in the network service provider system.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: February 2, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Hao Wu
  • Patent number: 10904249
    Abstract: A terminal management apparatus includes a connection unit that connects, through a network, to a terminal apparatus to be managed, an authentication unit that authenticates the terminal apparatus using predetermined authentication information, a specific state determination unit that determines whether a predetermined specific state, in which a normal connection is not established, has occurred in relation to the terminal apparatus, and a connection controller that controls data communication with the terminal apparatus on a basis of a result of the authentication performed by the authentication unit and a result of the determination made by the specific state determination unit.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: January 26, 2021
    Assignee: FUJI XEROX CO., LTD.
    Inventors: Eiji Nishi, Keita Sakakura, Ryuichi Ishizuka, Yoshihiro Sekine, Kenji Kuroishi, Takeshi Furuya, Hiroshi Mikuriya
  • Patent number: 10903998
    Abstract: Anonymizing systems and methods comprising a native configurations database including a set of configurations, a key management database including a plurality of private keys, a processor in communication with the native configurations database and the key management database, and a memory coupled to the processor. The set of configurations includes one or more ranges, wherein each range includes a contiguous sequence comprised of IP addresses, port numbers, or IP addresses and port numbers. The processor is configured to retrieve the set of configurations from the native configurations database, wherein the set of configurations includes a plurality of objects; retrieve a private key from the key management database; assign a unique cryptographically secure identity to each object; and anonymize the plurality of objects based on the cryptographically secure identities and the private key.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: January 26, 2021
    Assignee: NETWORK PERCEPTION, INC
    Inventor: David M. Nicol
  • Patent number: 10904291
    Abstract: Described is a system for enforcing software policies. The system transforms an original software by inserting additional instructions into the original software. The additional instructions have the effect of determining, at run-time, whether proceeding with execution of the original software is in accordance with a predefined policy. Transforming the original software relies on software analysis to determine whether any run-time checks normally inserted into the original software can be safely omitted. The transformed software prevents unauthorized information from passing to the network.
    Type: Grant
    Filed: March 1, 2018
    Date of Patent: January 26, 2021
    Assignee: HRL Laboratories, LLC
    Inventors: David Naumann, Andrey Chudnov, Aleksey Nogin, Pape Sylla
  • Patent number: 10891374
    Abstract: The disclosed computer-implemented method for improving performance of cascade classifiers for protecting against computer malware may include receiving a training dataset usable to train a cascade classifier of a machine-learning classification system. A sample to add to the training dataset may be received. A weight for the sample may be calculated. The training dataset may be modified using the sample and the weight. A weighted training for the cascade classifier of the machine-learning classification system may be performed using the modified training dataset. Computer malware may be identified using the cascade classifier. In response to identifying the computer malware, a security action may be performed to protect the one or more computing devices from the computer malware. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: January 12, 2021
    Assignee: CA, INC.
    Inventors: Ryan Curtin, Keith Kenemer
  • Patent number: 10887298
    Abstract: A computer-implemented system and method for pool-based identity authentication for service access without use of stored credentials is disclosed. The method in an example embodiment includes providing provisioning information for storage in a provisioning repository; receiving a service request from a service consumer, the service request including requestor identifying information; generating an authentication request to send to an authentication authority, the authentication request including requestor identifying information; receiving validation of an authenticated service request from the authentication authority; and providing the requested service to the service consumer.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: January 5, 2021
    Assignee: eBay Inc.
    Inventors: Raju Venkata Kolluru, Michael Dean Kleinpeter
  • Patent number: 10878093
    Abstract: In some embodiments, a processor can receive an input string associated with a potentially malicious artifact and convert each character in the input string into a vector of values to define a character matrix. The processor can apply a convolution matrix to a first window of the character matrix to define a first subscore, apply the convolution matrix to a second window of the character matrix to define a second subscore and combine the first subscore and the second subscore to define a score for the convolution matrix. The processor can provide the score for the convolution matrix as an input to a machine learning threat model, identify the potentially malicious artifact as malicious based on an output of the machine learning threat model, and perform a remedial action on the potentially malicious artifact based on identifying the potentially malicious artifact as malicious.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: December 29, 2020
    Assignee: Invincea, Inc.
    Inventor: Joshua Daniel Saxe
  • Patent number: 10873464
    Abstract: Embodiments of this disclosure provide techniques for securely communicating an IMSI over the air from a UE to an SeAN, as well as for securely validating an unencrypted IMSI that the SeAN receives from the home network, during authentication protocols. In particular, the UE may either encrypt the IMSI assigned to the UE using an IMSI encryption key (KIMSIenc) or compute a hash of the IMSI assigned to the UE using an IMSI integrity key (KIMSIint), and then send the encrypted IMSI or the hash of the IMSI to the serving network. The encrypted IMSI or hash of the encrypted IMSI may then be used by the SeAN to validate an unencrypted IMSI that was previously received from an HSS in the home network of the UE.
    Type: Grant
    Filed: August 7, 2017
    Date of Patent: December 22, 2020
    Assignee: Futurewei Technologies, Inc.
    Inventors: Ahmad Shawky Muhanna, Marcus Wong
  • Patent number: 10873453
    Abstract: A computer based method of protecting sensitive documents is provided, the method comprising identifying a first document, generating a registration key associated with the first document, identifying a second document, generating a production key associated with the second document, and producing an alert if a segment of the production key is identical to a segment of the registration key. For example, the registration key may comprise a digital fingerprint and registration metadata and the production key may comprise a digital fingerprint and production metadata, and the method may produce an alert if the digital fingerprint of the production key matches the digital fingerprint of the registration key.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: December 22, 2020
    Assignee: ESI Laboratory, LLC
    Inventor: Michael Alistair Will
  • Patent number: 10873572
    Abstract: This document describes techniques and apparatuses for securely transferring a single sign-on session between a browser session and a client application. Responsive to a launch request from the browser session, a server sends a launch command to launch the application on the client to transfer the single sign-on session from the browser session to the application. The launch command includes a first security credential and a second security credential. The application then initiates a registration process by sending to the server the first security credential and a client identification unique to the client. The server passes the client identification to the browser session which confirms to the server that the client identification matches the client identification unique to the client. The server then sends the application a third security credential, and the application returns the client identification and an encrypted version of the second security credential relative to the third security credential.
    Type: Grant
    Filed: May 14, 2020
    Date of Patent: December 22, 2020
    Assignee: MICRO FOCUS LLC
    Inventor: Vamsi Krishna
  • Patent number: 10867032
    Abstract: A method of generating a protected item of software, there being an execution path within code for the protected item of software that causes code for one or more second functions to be executed before executing code for a first function, wherein execution of the code for the one or more second functions causes data to be stored at one or more memory locations, the data satisfying a set of one or more predetermined properties, wherein, in the absence of an attack against the protected item of software when the code for the protected item of software is being executed, the first function is arranged to provide first functionality, the method comprising: configuring the code for the first function so that execution, by one or more processors, of the code for the first function provides the first functionality only if the set of one or more predetermined properties is satisfied by data being stored, when the first function is executed, at the one or more memory locations.
    Type: Grant
    Filed: September 17, 2014
    Date of Patent: December 15, 2020
    Assignee: IRDETO B.V.
    Inventor: Robert Krten
  • Patent number: 10860709
    Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: December 8, 2020
    Assignee: Intel Corporation
    Inventors: Michael Lemay, David M. Durham, Michael E. Kounavis, Barry E. Huntley, Vedvyas Shanbhogue, Jason W. Brandt, Josh Triplett, Gilbert Neiger, Karanvir Grewal, Baiju V. Patel, Ye Zhuang, Jr-Shian Tsai, Vadim Sukhomlinov, Ravi Sahita, Mingwei Zhang, James C. Farwell, Amitabh Das, Krishna Bhuyan
  • Patent number: 10860717
    Abstract: A system for receiving and indexing files transmitted on a network, comprising one or more intermediate agents, each connecting a network sensor to a source collection subsystem, an analysis subsystem, an indexing subsystem, and one or more databases. The system detects that a file has been transmitted via the network, offers transmission from an intermediate agent to the source collection subsystem after a deduplication process at the intermediate agent, transmits the file from the intermediate agent to the source collection subsystem after another deduplication process at the source collection subsystem, transmits the file from the source collection subsystem to the analysis subsystem, performs structural analysis of characteristics of the file within the analysis subsystem; and stores the file and results of the structural analysis in an indexed form in the one or more databases.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: December 8, 2020
    Assignee: MORGAN STANLEY SERVICES GROUP INC.
    Inventor: Joseph Edmonds
  • Patent number: 10853467
    Abstract: An authentication device that includes an authentication engine configured to detect devices proximate to a terminal and to identify a user profile based on the detected one or more devices. The user profile identifies at least one of the detected devices in a device registry. The authentication engine is further configured to receive a data access request for a data resource and to identify authentication requirements for a multifactor authentication process for the user based on the detected devices. Identifying the authentication requirements includes setting types of authentication and a number of authentication levels that are used for performing multifactor authentication with the user. The authentication engine is further configured to execute the multifactor authentication process for the user, to determine whether the user has satisfied the authentication requirements, and to provide access to the data resource in response to determining the user has satisfied the authentication requirements.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: December 1, 2020
    Assignee: Bank of America Corporation
    Inventors: Matthew M. Choiniere, Michael E. Toth, Hitesh J. Shah
  • Patent number: 10853491
    Abstract: A security agent is described herein. The security agent is configured to observe events, filter the observed events using configurable filters, route the filtered events to one or more event consumers, and utilize the one or more event consumers to take action based at least on one of the filtered events. In some implementations, the security agent detects a first action associated with malicious code, gathers data about the malicious code, and in response to detecting subsequent action(s) of the malicious code, performs a preventative action. The security agent may also deceive an adversary associated with malicious code. Further, the security agent may utilize a model representing chains of execution activities and may take action based on those chains of execution activities.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: December 1, 2020
    Assignee: CrowdStrike, Inc.
    Inventors: David F. Diehl, Dmitri Alperovitch, Ion-Alexandru Ionescu, George Robert Kurtz
  • Patent number: 10848312
    Abstract: Examples of the present disclosure describe systems and methods relating to a zero-knowledge architecture between multiple systems. In an example, multiple systems may provide an application. User data of the application may be encrypted using a cryptographic key to restrict access to the user data. In some examples, the cryptographic key may not be provided to the multiple systems, thereby providing a zero-knowledge architecture. In order to ensure a user may access the cryptographic key, the cryptographic key may be encrypted using a second cryptographic key. The encrypted representation of the cryptographic key may be provided to a first system, while the second cryptographic key may be provided to a second system. As a result, a user computing device may retrieve both the encrypted representation of the cryptographic key and the second cryptographic key from the first and second systems, respectively, in order to encrypt/decrypt user data.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: November 24, 2020
    Assignee: DASHLANE SAS
    Inventors: Frédéric Rivain, Guillaume Maron, Cyril Leclerc, Alexis Fogel, Rew Islam
  • Patent number: 10826702
    Abstract: An authentication method is disclosed. To authenticate a user, a mobile device may request identification and verification from the user. Upon receiving a positive identification and verification response from the user, the mobile device may generate a cryptogram using a user identification (ID) associated with the user, a timestamp, a device ID associated with the mobile device, a service provider application ID associated with the service provider application, and a service provider device ID. The mobile device may transmit the generated cryptogram, the user ID, the timestamp, the device ID, the service provider application ID, and the service provider device ID, to a service provider computer associated with the service provider application. The service provider computer may decrypt the cryptogram and compare the decrypted data elements to the received data elements to validate and authenticate the user.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: November 3, 2020
    Assignee: Visa International Service Association
    Inventors: James Gordon, Roopesh Joshi, David Horton