Patents Examined by David J. Pearson
- Patent number: 12289346
  Abstract: An access policy analysis system may use stored policy summaries to efficiently perform access analysis. A request that causes an access analysis of an entity in a cloud service provider with respect to a resource hosted in the cloud service provider may be received. An access policy summary generated for the entity based on a set of access policies applied by an access management system of the cloud service provider may be obtained. An access policy summary generated for the resource based on the set of access policies may be obtained. A tree structure that describes a hierarchy of entities in the cloud service provider may be traversed to identify a parent node of the entity in the hierarchy of entities. The access analysis may then be generated based on the access policy summaries for the identified node in the tree structure, for the entity and for the resource.
  Type: Grant
  Filed: May 16, 2024
  Date of Patent: April 29, 2025
  Assignee: Rapid7, Inc.
  Inventors: Matthew Gladney, Elizabeth Prescott, Niluka Bamunuarachchige, Leonardo Colmenares, James Martin, Peter Snelgrove, Nadia Mounzih
- Patent number: 12271461
  Abstract: Dynamic supply of trusted certificates to a containerized environment by mounting a directory into a container image can be implemented as computer-readable methods, media and systems. The directory stores trusted certificates related to a tenant account at a platform system. The trusted certificates include user specific trusted certificates relevant for authentication at an external system and default certificates relevant for an operating system running at a containerized runtime environment of the tenant account. The trusted certificates are used during execution of functions requested by a user of the tenant account. A function that is defined for a tenant account is executed at a container instantiated at the containerized runtime environment of the platform system. The function dynamically uses the trusted certificates maintained at the directory that is mounted at the containerized runtime environment, where at least one of the trusted certificates is used for authentication at the external system.
  Type: Grant
  Filed: July 14, 2022
  Date of Patent: April 8, 2025
  Assignee: VMware LLC
  Inventors: Angel Ivanov, Vesela Popova
- Patent number: 12267672
  Abstract: A method (300) for registering with a serving network (104). The method is performed by a UE (102). The method includes the UE transmitting (s302) to the serving network (104) a message (212) indicating a UE capability that is relevant for a home network (106), wherein the serving network (104) is configured to send to the home network (106) a message (216) indicating the UE capability.
  Type: Grant
  Filed: March 4, 2020
  Date of Patent: April 1, 2025
  Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Jari Arkko, Vesa Lehtovirta
- Patent number: 12254087
  Abstract: TLB poisoning attacks take advantage of security issues of translation lookaside buffer (TLB) management on SEV processors in Secure Encrypted Virtualization (SEV) virtual machines (VMs). In various embodiments, a hypervisor may poison TLB entries between two processes of a SEV VM to compromise the integrity and confidentiality of the SEV VM. Variants of TLB poisoning attacks and end-to-end attacks are shown to be successful on both Advanced Micro Devices (AMD) SEV and SEV-Encrypted State (SEV-ES). Countermeasures for thwarting TLB poisoning attacks include hardware-enforced TLB flush processes and re-exec schemes that, among other things, prevent attackers from manipulating TLB entries and causing a privileged victim process to execute malicious code in an attempt to bypass a password authentication.
  Type: Grant
  Filed: May 17, 2022
  Date of Patent: March 18, 2025
  Inventors: Huibo Wang, Kang Li, Mengyuan Li, Yinqian Zhang, Yueqiang Cheng
- Patent number: 12255991
  Abstract: Computer technology for combining an encryption/decryption (e/d) key with additional information to obtain a specialized e/d key. The additional information includes one or more of the following types of additional information: client UUID (universally unique identifier), FQDN (fully qualified domain name), database hardware information, data physical position on the hard disk and/or stored data creation date. By combining the basic key with these kind(s) of operational information and/or software/hardware identifier information, the security of the underlying encrypted data can be meaningfully enhanced.
  Type: Grant
  Filed: May 5, 2022
  Date of Patent: March 18, 2025
  Assignee: International Business Machines Corporation
  Inventors: Peng Hui Jiang, Xi Qing Zhang, Ming Zhe Jiang, Mu Chen, Chun Ling Li
- Patent number: 12245022
  Abstract: A first network node operating in a telecommunications network can receive an authentication request associated with a communication device requesting registration with the telecommunications network. The authentication request can include first subscriber information. The first network node can determine that the first subscriber information includes an anonymous identifier. Responsive to determining that the first subscriber information includes the anonymous identifier, the network node can determine an authentication procedure to be performed. The network node can receive information associated with the communication device as part of the authentication procedure. The network node can generate second subscriber information based on the information associated with the communication device.
  Type: Grant
  Filed: June 25, 2021
  Date of Patent: March 4, 2025
  Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Cheng Wang, David Castellanos Zamora, Helena Vahidi Mazinani, Christine Jost
- Patent number: 12238082
  Abstract: Examples relate to configuring dynamic user roles that can be managed and distributed by a cloud-based user role service. In this way, dynamic user roles may be distributed in a more scalable manner than has been previously possible. Upon associating or connecting to an access point (AP), for example, a user device can be authenticated and assigned a user role. The AP can request the user role configuration from the cloud-based user role service. The cloud-based user role service can additionally distribute the same user role configuration/details to all neighboring APs. In this way, a user device can move, roam, or otherwise associate to another AP that, post-distribution, already has the (dynamic) user role configuration, which can simply be applied to the user device.
  Type: Grant
  Filed: October 26, 2021
  Date of Patent: February 25, 2025
  Assignee: Hewlett Packard Enterprise Development LP
  Inventors: Feng Ding, Hao Lu, Mohan Ram R. Bhadravati
- Patent number: 12231427
  Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.
  Type: Grant
  Filed: August 4, 2023
  Date of Patent: February 18, 2025
  Assignee: Koninklijke Philips N.V.
  Inventors: Johannes Arnoldus Cornelis Bernsen, Franciscus Antonius Maria Van De Laar, Ronald Felix Albertus Linders
- Patent number: 12223512
  Abstract: In one aspect, a computerized method for implementing a text messaging application, database, and system for automated verification of product authenticity includes the step of providing an item for sale. The method includes the step of representing the item with a unique identifier (ID) code. The method includes the step of detecting that the item is purchased. The method includes the step of assigning an owner of the item to that unique ID code. The method includes the step of storing an owner identifier, the unique ID code, and a mobile-device number of the owner into a database. The method includes the step of providing an item ownership verification application. The item ownership verification application accesses the database. The method includes the step of, with the item ownership verification application, providing an interface to the item ownership verification application in a purchaser's mobile device.
  Type: Grant
  Filed: September 15, 2020
  Date of Patent: February 11, 2025
  Inventor: Nicholas Juntilla
- Patent number: 12216780
  Abstract: Computer-readable media, methods, and systems are disclosed for providing purpose-based processing of data. A purpose agent assigns one or more purposes to a set of data such that access to the set of data may be restricted to a select few specifically authorized entities based on an assigned purpose. A retention period for storing the data is determined based on the assigned purpose. When the retention period expires, the data is deleted from a data store.
  Type: Grant
  Filed: December 9, 2021
  Date of Patent: February 4, 2025
  Assignee: SAP SE
  Inventors: Diane Schmidt, Carsten Pluder
- Patent number: 12212961
  Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to transmit, by a user equipment, a concealed identifier of the user equipment to an onboarding network, wherein the concealed identifier of the user equipment indicates that the user equipment is requesting unauthenticated access to the onboarding network, and execute, by the user equipment, a key generating authentication protocol to access the onboarding network without performing authentication of the user equipment.
  Type: Grant
  Filed: February 17, 2022
  Date of Patent: January 28, 2025
  Assignee: Nokia Technologies Oy
  Inventors: Markus Staufer, Bo Holm Bjerrum
- Patent number: 12200136
  Abstract: An encrypted message comprising a DNS request may be received from a client device. The DNS request may be decrypted to determine an IP address and a port associated with the client device. A security token may be determined based on the IP address and the port. A message comprising an indication of the DNS request and the security token may be sent to a DNS server. A reply comprising a payload and the security token may be received from the DNS server. Based on the security token, an indication of the payload of the reply may be sent to the client device.
  Type: Grant
  Filed: May 28, 2021
  Date of Patent: January 14, 2025
  Assignee: Comcast Cable Communications, LLC
  Inventors: Charles A. Helfinstine, Yiu Leung Lee, Joseph Crowe, Thomas Modayil Jacob
- Patent number: 12189779
  Abstract: A system and method for detection of cyber threats embedded in cloud applications are provided. The method includes inspecting a plurality of computing resources to detect code of at least one cloud application executed in a cloud environment; filtering the detected code to remove a portion of the code that is non-unique for the at least one cloud application; performing static analysis on the unique portion of the code to identify a mismatch between the unique portions of the code and its verified version stored in a code repository; and comparing each identified mismatch with at least a vulnerability tool, wherein a mismatch is a potential cyber threat embedded in the code.
  Type: Grant
  Filed: February 1, 2021
  Date of Patent: January 7, 2025
  Assignee: Wiz, Inc.
  Inventors: Roy Reznik, Ami Luttwak, Guy Rozendorn, Yarin Miran
- Patent number: 12182283
  Abstract: An authentication system includes processing circuitry that is configured to receive an indication of a number of interconnected devices that are in communication with a user device, compare the number of interconnected devices that are in communication with the user device to a threshold, and grant access to an application on the user device in response to the number of interconnected devices meeting or exceeding the threshold.
  Type: Grant
  Filed: August 13, 2021
  Date of Patent: December 31, 2024
  Assignee: United Services Automobile Association (USAA)
  Inventors: Celena Dortch, Thomas Bret Buckingham, Diego Contreras, William Daniel Farmer, Eric LeRoy, Bharat Prasad, Thomas Wayne Schwarz, Jr., Qian Zhao
- Patent number: 12184688
  Abstract: In one embodiment, a profiling engine analyzes DNS transaction data that is logged by a recursive resolver to generate profiling results that are used to manage network activity. In operation, the profiling engine computes scores based on the DNS transaction data and scoring criteria. The profiling engine may compute any number of scores at any level of granularity. For example, the profiling engine may compute a score for each source IP address that is associated with the DNS transaction data. Subsequently, the profiling engine generates profiling results based on the scores and profiling criteria. Notably, DNS queries are typically the first step of longer transaction chains that result in the transfer of data to and from the network. Consequently, the profiling engine may provide more timely and comprehensive insight into network activities than conventional network management tools that analyze data at layers that are further down transaction chains.
  Type: Grant
  Filed: November 11, 2016
  Date of Patent: December 31, 2024
  Assignee: VeriSign, Inc.
  Inventors: Eric Osterweil, Michael Kaczmarek
- Patent number: 12177231
  Abstract: Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
  Type: Grant
  Filed: September 29, 2023
  Date of Patent: December 24, 2024
  Assignee: OPEN TEXT INC.
  Inventors: Huy Dang Ho, Hal Lonas, Trung Tran
- Patent number: 12177356
  Abstract: Techniques and computer-implemented methods are presented to be implemented on a distributed mempool network (DMP) implementing a distributed hash table (DHT). The method includes: receiving, at a mempool node of a DMP, a request to update routing information of the mempool node; initializing a set of random walks within a key space of the DHT, the set of random walks used for generating a set of key-value records; selecting a particular iteration of a long-distance table of a set of long-distance tables; selecting, from the particular iteration of the long-distance table, a pointer within a range between identification information and a key; and transmitting a query to another mempool node associated with the pointer, wherein the other mempool node maintains a set of weight-associated connections to a set of mempool nodes, wherein the weight is proportional to the level of trust in the connection.
  Type: Grant
  Filed: June 19, 2018
  Date of Patent: December 24, 2024
  Assignee: nChain Licensing AG
  Inventors: Giuseppe Destefanis, Simone Madeo, Patrick Motylinski, Stephane Vincent, Craig Steven Wright
- Patent number: 12170697
  Abstract: Processing network requests includes receiving a request for a target media element available at a requested location. The request can identify a media repository that stores the target media element. A substitute media element that has content approximately equivalent to content of the target media element can be determined. The substitute media element can be stored on a sub-network connected to the network. A selection page having a link to the location of the substitute media element on the sub-network can be generated. A response to the request for the target media element can include the selection page, so as to offer a user a choice of media source.
  Type: Grant
  Filed: April 3, 2023
  Date of Patent: December 17, 2024
  Assignee: NETSWEEPER (BARBADOS) INC.
  Inventor: Perry Roach
- Patent number: 12159697
  Abstract: Devices, systems, and techniques for automatic network configuration based on biometric authentication are described herein. In one example, one or more processors may obtain first biometric data derived from one or more sensor signals generated by one or more sensors of a first device coupled to a user. The one or more processors may obtain second biometric data derived from one or more sensor signals generated by one or more sensors of a second device. The one or more processors may compare the first biometric data and the second biometric data, determine that the second device is coupled to the user based on the comparison, and establish a communication link with the second device based on the determination that the second device is coupled to the user.
  Type: Grant
  Filed: June 11, 2021
  Date of Patent: December 3, 2024
  Assignee: Medtronic MiniMed, Inc.
  Inventors: Afshin Bazargan, Patrick E. Weydt, Hans K. Wenstad, Adam S. Trock, Seung C. Shin, Samuel Finney
- Patent number: 12160436
  Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.
  Type: Grant
  Filed: February 22, 2022
  Date of Patent: December 3, 2024
  Assignee: Cisco Technology, Inc.
  Inventors: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur