Abstract: Techniques are disclosed relating to signing and authentication of network messages such as API calls. A server system and a client system may collaboratively establish a shared secret key, which is then usable to sign such messages. These techniques may be useful in various situations, such as for integrations between different systems.

Abstract: The present disclosure relates to enabling users to logging access information associated with their license via a virtual network. In one example of the present disclosure, user data associated with a user having an account on a virtual network is obtained. Access control list associated with an identified application pid from an application database is then obtained, the identified application pid having been previously purchased by the user and the identified application being selected by the user from a user device. An application programming interface of the virtual network is then invoked to publish the transaction associated with the identified application pid to a central log storage.

Abstract: Deferred verification of the integrity of data operations over a set of data that is hosted at an untrusted module (UM) is controlled. The controlling includes generating a request for a data operation on the set of data. The request includes an authentication portion. The request is sent to the UM. A response to the request is received from the UM. The response includes cryptographic verification information attesting the integrity of the data operation with respect to prior data operations on the set of data. The response includes results from deferred verification at a trusted module (TM).

Abstract: The invention relates to digital data processing systems that use a microphone and/or a camera as a means of inputting information. More particularly, the invention relates to the security and protection of computers or computer systems from unauthorized actions by controlling access to a microphone and/or a camera from software applications that request access to the function of a microphone and/or camera.

Abstract: A system, method, and computer program product are provided for detecting regular and irregular events associated with various entities. In operation, an event detection system detects at least one event associated with at least one entity. The event detection system identifies the at least one entity. Additionally, the event detection system identifies one or more historical patterns associated with the at least one event. Further, the event detection system determines whether the at least one event is anomalous based on the one or more historical patterns and details associated with the at least one event. Moreover, the event detection system performs at least one action based on whether the at least one event is determined to be anomalous.

Abstract: An apparatus and method for operating a relational database (DB) are provided. The method includes determining a sensitivity classification for a column of a table in the DB, performing encryption, using a data encryption key (DEK), of sensitive data when writing the sensitive data to the column determined to be sensitive, performing decryption, using the DEK, of the encrypted sensitive data when reading the sensitive data from the column determined to be sensitive, and performing writing to the column and reading from the column of unencrypted non-sensitive data when the column is determined to be non-sensitive.

Abstract: An access control system is provided for controlling access to multiple target servers in a networked environment. The access control system includes an access control user interface accessible to the target servers and a computer memory storing an access control database providing information to the access control user interface. The access control system additionally includes a management server including an access control processor, the access control processor implementing a discovery engine for discovering user rights stored at the target server and delivering the user rights stored at the target server over the network to the access control database.

Abstract: Example implementations relate to encrypted capabilities stored in global memory. For example, in an implementation, a capability protection system may store an encrypted capability into global memory, where the encrypted capability is encrypted based on a condition. The capability protection system may receive, from a node in communication with the global memory, a request to access the encrypted capability stored in the global memory. The capability protection system may provide to the node a decrypted form of the encrypted capability upon satisfaction of the condition by the node.

Abstract: Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.

Abstract: A lock base attached to a computer housing has a controller in circuit communication with a processor of the computer. A cable socket comprising a flash memory locks onto the lock base, two ends of an internal wire of the cable form a closed electric circuit loop with the lock base through the entirety of the body of the cable, and the controller performs a handshake with the processor of the computerized device and the flash memory that generates a checksum key stored on the flash memory, the computerized device requiring access to the checksum key on the flash memory for access to data on a memory device of the computerized device. Absent a keyed unlocking, the controller erases the checksum key from the flash memory in response to a break in the circuit loop or dislocation of the cable socket from the lock base.

Abstract: A UE, a device and a Direct Communication Element. The UE is configured to establish a UE shared key with a Bootstrapping Server Function (BSF) using a Generic Bootstrapping Architecture (GBA) procedure, to discover the device through a discovery procedure after establishing the UE shared key, and to derive a direct communication key from at least the UE shared key. The device is configured to receive a transaction identifier associated with the UE shared key from the UE, to send the transaction identifier to the Direct Communication Element, and to receive the direct communication key from the Direct Communication Element. The Direct Communication Element is configured to receive the transaction identifier from the device, to obtain a shared session key from the BSF; to derive the direct communication key, and to send the direct communication key to the device.

Abstract: An asset storage server is provided herein that assigns related files to an asset name and assigns permissions to the asset name such that related files with unrelated names can be assigned permissions independent of the file naming convention and without requiring a user to individually set the permissions of each file. The asset storage server may also generate modified versions of original file names and index a distributed object store based on the modified versions such that related files with related names are not listed in the same partition of the distributed object store. Indexing the distributed object store based on the modified versions of the original file names may reduce data retrieval latency.

Abstract: Apparatus and methods for mitigating network attacks, such as by dynamically re-routing traffic. Various disclosed embodiments manipulate path-based routing of the backbone network to insert a scrubbing appliance within the backbone network topology, rather than using traditional network addressed tunnels in the edge network. In one implementation, traffic entering the backbone network ingress peer routers (from either another backbone network, or an edge network) is normally destination-address routed via the backbone to its appropriate egress router based on a path label; however, when a Distributed Denial of Service (DDoS) attack is detected, the ingress peer router inserts an additional hop into the path label that redirects dirty traffic to a substantially centralized scrubbing appliance. The benefits of the disclosed solutions include, among other things, significantly reduced attack response/recovery times without significant capital outlays.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

Abstract: A system, apparatus, method, and machine readable medium are described for performing user authentication.

Abstract: This disclosure describes methods, devices, and systems related to routing packets over enterprise network sites. A method may be disclosed for routing packets between hosts at a first site and hosts at a second site in a network using a firewall. The method may comprise receiving a request, in a first packet, from a first router to send one or more packets to two or more hosts at the second site. The method may comprise receiving a first sub-network prefix, in a route advertisement, corresponding to two or more hosts at the first site from the first router, and receiving a first community value, in a first advertisement, associated with the first sub-network prefix. The method may comprise generating a first local preference value based at least in part on the first community value. And the method may comprise sending the request, first sub-network prefix, and first local preference value to a second router, in a second advertisement.

Abstract: An operation of a facial recognition authentication process may fail to authenticate a user even if the user is an authorized user of the device. In such cases, the facial recognition authentication process may automatically re-initiate to provide another attempt to authenticate the user using additional captured images. For the new attempt (e.g., the retry) to authenticate the user, one or more criteria for the images used in the facial recognition authentication process may be adjusted. For example, criteria for distance between the camera and the user's face and/or occlusion of the user's face in the images may be adjusted before the new attempt to authenticate the user. Adjustment of these criteria may increase the likelihood that the authorized user will be successfully authenticated in the new attempt.

Abstract: Novel techniques for averting unsanctioned access to on-board vehicle networks include obtaining indications of detected stimuli and/or conditions that are external to a target computing device, and determining whether or not the detected stimuli/conditions are indicative of the target computing device being utilized, operated, held, and/or carried by a person on-board the vehicle. External stimuli/conditions may include signals transmitted by other devices on-board the vehicle, ad-hoc data received via various interfaces of the target computing device, comparisons of vehicle heuristic data with data generated by components of the target computing device, etc. A confidence score may be generated (e.g., over time) based on detected stimuli/conditions. Access of the target computing device to an on-board vehicle network may be granted or denied based on the detected stimuli/conditions and/or the confidence score. Further, the novel techniques are not required to use any user input.

Abstract: A method for operating a primary unit that exchanges information with at least one secondary unit, including the following: ascertainment by the primary unit of a first number of primary measured values, in particular measured values of an entropy source shared with the secondary unit; reconciliation by the primary unit of the first number of primary measured values, in particular with a corresponding number of secondary measured values that have been obtained by the secondary unit, to obtain reconciled primary measured values, the secondary measured values having been obtained by the secondary unit in particular from the shared entropy source; and application by the primary unit of a secret-sharing method to share secret data with the secondary unit, the secret-sharing method being executed as a function of the reconciled primary measured values.