Abstract: Generating a verifiable pairwise claim. Receiving a request for issuing a verifiable claim that is associated with a subject entity and is verifiable by one or more verifying entities. The request includes at least an encrypted portion using a particular type of encryptography. Verifying that the subject entity is associated with a subject of the verifiable claim based on decrypting the encrypted portion using the particular type of cryptography. In response to verifying that the subject entity is associated with the subject of the verifiable claim, issuing the verifiable claim that is structured to be verifiable only by the one or more verifying entities.

Abstract: A quantum key distribution system using an RFI (reference frame independent) QKD (quantum key distribution) protocol includes a quantum channel transmitter that generates a first quantum signal including quantum information and provides the first quantum signal to an external device through a quantum channel, a first public channel transceiver that generates an optical signal including first additional information related to a QKD operation, and transmits and receives the optical signal through a public channel, a second public channel transceiver that receives the optical signal through the public channel and generates a measurement result by measuring a circular polarization component of the optical signal, and a quantum channel receiver that receives the first quantum signal through the quantum channel, generates a second quantum signal by correcting a polarization distortion of the first quantum signal based on the measurement result, and demodulates the quantum information from the second quantum signal.

Abstract: A system and method for securing a device of an industrial process control and automation system comprises setting a lock code in a device index of the device and executing a monitoring software program that reads the lock code and sets the device in a locked state. An enforcement software program prevents changes to the configuration and firmware of the device when the device is in the locked state. The device is further arranged to be released from the lock state by setting an unlock code in the device index and executing the monitoring software program to read the unlock code and set the device in an unlocked state.

Abstract: Disclosed are various embodiments for authentication with network connected computing resources using a cryptographic coprocessor installed on a client device. A request can be sent to the client device to provision an asymmetric encryption key-pair using a cryptographic coprocessor installed on the client device, wherein the request comprises a key-authorization credential for the asymmetric encryption key-pair and the asymmetric encryption key-pair comprises a public key and a private key. The public key of the asymmetric encryption key-pair and an identity public key for the cryptographic coprocessor can be received. The public key, key-authorization credential, and the identity public key can then be stored in association with each other.

Abstract: A method for the detection of multi-killchain alerts is disclosed. The method includes receiving, by a computer system, a plurality of alerts indicative of activity within a computer network, wherein a given alert specifies one or more events having attributes, and extracting attributes from events included in the plurality of alerts. The method further includes determining attribute similarity for pairs of events based on whether a given pair of events has common values for one or more attributes and whether attribute values of the given pair of events indicates lateral movement within computers of the computer network. Linked pairs are then identified based on the determined attribute similarity and added to a graph data structure. The method further includes the computer system analyzing the graph data structure to find clusters of events relating to a security attack.

Abstract: Systems and methods for securely handling data traffic on local or private networks, such as by using cloud computing, are provided. A non-transitory computer-readable medium, according to one implementation, may be configured to store executable instructions enabling a processor of a user device to perform the step of discovering an origin of a source application associated with network packets bound for a private address space. The executable instructions may further enable the processor to send a tuple regarding the discovered origin to a cloud server to request an analysis of the tuple. Upon receiving an allow instruction from the cloud server, the instructions enable the processor to allow the network packets to flow normally to a destination associated with the private address space. Upon receiving a deny instruction from the cloud server, the instructions enable the processor to drop the network packets.

Abstract: Aspects of the disclosure relate to identification of confidential data, in a message, and encryption of the confidential data. A computing platform may determine, based on a knowledge base, confidential data in a first message transmitted over one or more computing networks. The computing platform may encrypt the confidential data in the message. The computing platform may generate a second message based on encrypted confidential data. Further, the computing platform may update a header, corresponding to the second message, to indicate an encryption technique used for the encrypted confidential data. The computing platform may further encrypt the header of the second message, and transmit the second message.

Abstract: The disclosed computer-implemented method for automated testing for domain blocking assessment may include performing a website analysis at least once without blocking any domains and repeatedly while blocking one domain at a time. The method may additionally include detecting discrepancies by comparing outcomes of performances of the website analysis, thereby identifying one or more domain blockages that cause one or more of the plurality of websites to be broken. The method may also include performing the website analysis repeatedly while performing and not performing the domain blockages. The method may further include comparing outcomes of performances of the website analyses for the other plurality of websites. The method may further include performing, in response to the comparison, a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Security is improved when creating a remote copy pair while suppressing performance deterioration of the overall system. In a data management system 1, when a user logs in, a first storage (main site storage 20) uses an external authentication server 50 to authenticate the user's access to its own storage and retains issued authentication information. Subsequently, when a command instructing a creation of a remote copy pair of a first volume (P-VOL) of the first storage and a second volume (S-VOL) of a second storage (sub site storage 40) is issued based on the user's operation, the first storage sends a command to the second storage by appending the authentication information, and the second storage uses the authentication information and requests the external authentication server 50 to authenticate the user's access to its own storage and, when the authentication is successful, the first or second storage starts synchronization of data between the pair volume.

Abstract: In some aspects, a verification exchange system transforms consumer data (e.g., employment or income data) from different contributor computing systems to a standardized format and stores this standardized data in a consumer-status verification repository. The verification exchange system can selectively provide portions of the consumer data to authorized client system via a security portal to a public network. For example, the verification exchange system can use standardized consumer data to service verification queries requesting confirmation of employment or income level for consumers. The verification exchange system can do so by ensuring that a verifier system from which the query is received has provided a valid credential.

Abstract: Systems and methods are provided for managing electronic tokens associated with an account. A system may include a memory storing instructions and account information associated with an account, and a processor configured to executed the stored instructions to: access information associated with one or more electronic tokens associated with the account, wherein the information includes one or more token settings, receive, via a network, information for a transaction request including a first token; analyze the received information to determine whether at least one rule in the one or more token settings is violated, responsive to a determination that at least one rule is violated, transmit an indication that the transaction request is denied, and responsive to a determination that no rules are violated, detokenize the transaction request.

Abstract: In some embodiments, a method can include measuring, via a sensor disposed within an interior of a housing, an out-of-band characteristic of an electronic circuit disposed within the interior of the housing. The method can further include receiving, from the sensor and at a management circuit disposed within the interior of housing, a sensor signal indicating the out-of-band characteristic of the electronic circuit. The method can further include analyzing, at the management circuit, the out-of-band characteristic of the electronic circuit to produce an alarm signal. The method can further include sending, from the management circuit, the alarm signal to initiate a remedial action in response to receiving the alarm signal.

Abstract: Embodiments seek to protect privacy of potentially sensitive client resources in web transactions using crowd-disambiguation. Crowd-disambiguation machines can aggregate information about resources from multiple clients as resource fingerprints, and can use the fingerprints to provide crowd-sourced services in a privacy-protected manner. For example, embodiments can communicate a resource fingerprint as a fully ambiguated resource instance (FARI) and a partially disambiguated resource instance (PDRI). When one (or few) clients communicates the resource fingerprint, the identity of the resource remains obfuscated from the crowd-disambiguation machine. As more clients communicate fingerprints for the same resource (e.g., identified by the matching FARIs), respective, differently generated PDRIs of those fingerprints enable the crowd-disambiguation machine to resolve further portions of the resource, ultimately permitting the resource to be revealed and considered non-private (e.g.

Abstract: Various embodiments described herein relate to a call management system that aims to provide a more efficient, secure, and dynamic technique for authenticating a user based on a location of the user. A server of the call management system receives a phone call from a user device. The server transfers the phone call to an analyst device. When the analyst device accepts the phone call, the server starts an electronic communication session between the user device and the analyst device. The server then determines a current location of the user. The server further determines a question for authentication of the user based on the current location. The server transmits the question to the analyst device. The analyst device transmits the question to the user device via the server. In response to an answer received from the user device, the server authenticates the user.

Abstract: Systems, methods, and apparatuses for providing a central location to manage permissions provided to third-parties and devices to access and use user data and to manage accounts at multiple entities. A central portal may allow a user to manage all access to account data and personal information as well as usability and functionality of accounts. The user need not log into multiple third-party systems or customer devices to manage previously provided access to the information, provision new access to the information, and to manage financial or other accounts. A user is able to have user data and third-party accounts of the user deleted from devices, applications, and third-party systems via a central portal. The user is able to impose restrictions on how user data is used by devices, applications, and third-party systems, and control such features as recurring payments and use of rewards, via a central portal.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: Systems, methods, and apparatuses for providing a central location to manage permissions provided to third-parties and devices to access and use user data and to manage accounts at multiple entities. A central portal may allow a user to manage all access to account data and personal information as well as usability and functionality of accounts. The user need not log into multiple third-party systems or customer devices to manage previously provided access to the information, provision new access to the information, and to manage financial or other accounts. A user is able to have user data and third-party accounts of the user deleted from devices, applications, and third-party systems via a central portal. The user is able to impose restrictions on how user data is used by devices, applications, and third-party systems, and control such features as recurring payments and use of rewards, via a central portal.

Abstract: This disclosure relates to systems, methods, and apparatuses for determining access models for applications. The access models can be determined using various techniques described herein. The access models can enable the applications to be onboarded into the enterprise system and, in some cases, can be utilized by an identity and access management (IdAM) system and/or identity and governance administration (IGA) system to facilitate ongoing identity management and access control functions for the applications in the enterprise system.

Abstract: Systems and methods include providing a user with wireless control of electronic devices associated with a multi-tenant structure to enable a user to engage in wireless control of the electronic devices associated with permissions granted to the user. Embodiments of the present disclosure relate to receiving associated permissions granting wireless control of partitioned electronic devices to the user from a central aggregation control system. The partitioned electronic devices are associated with the multi-tenant structure that are under wireless control and have the associated permissions granting wireless control to the user. The electronic devices to provide the user with wireless control of the partitioned electronic devices are determined based on the associated permissions granted to the user. Wireless control of the partitioned electronic devices is automatically activated when the associated permissions for the user grant the user with the wireless control of the partitioned electronic devices.

Abstract: A system and method for providing access to data of a first party including receiving information for identifying the first party, authenticating the first party using the received information for identifying the first party and generating a first read-only personal identification number (PIN). The first read-only PIN is associated with a first set of access rights for the data of the first party and provided to a second party. The first read-only PIN is stored with the first set of access rights in a computer database. A third party receives the first read-only PIN from the second party, authenticates the received first read-only PIN using the stored first read-only PIN and provides the second party with access to at least a portion of the data of the first party using the first set of access rights associated with the first read-only PIN if the received first read-only PIN is authenticated.