Abstract: The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.

Abstract: Methods and systems for implementing keyboard linked authentication challenges are described. A visual representation of a first string of characters is provided for display on a client computing device. In response to the providing the visual representation for display, several keystrokes on the client computing device that produces a second string of characters are received. A determination that the second string of characters matches the first string of characters is made. A determination that no unauthorized keystrokes are included in the detected plurality of keystrokes is further made. Access is provided to the client computing device upon determining that the second string of characters matches the first string of characters, and determining that no unauthorized keystrokes are included in the detected plurality of keystrokes.

Abstract: An apparatus and method are provided for controlling use of bounded pointers. The apparatus includes storage to store bounded pointers, where each bounded pointer comprises a pointer value and associated attributes, with the associated attributes including range information indicative of an allowable range of addresses when using the pointer value. Processing circuitry is used to perform a signing operation on an input bounded pointer in order to generate an output bounded pointer in which a signature generated by the signing operation is contained within the output bounded pointer in place of specified bits of the input bounded pointer. In addition, the associated attributes include signing information which is set by the processing circuitry within the output bounded pointer to identify that the output bounded pointer has been signed. Such an approach provides increase resilience to control flow integrity attack when using bounded pointers.

Abstract: Aspects herein relate to storing information concerning rights and liabilities or other records on distributed ledgers. A method disclosed can include identifying a transferor blockchain associated with rights and liabilities for transfer from a transferor to an acquirer, identifying an acquirer blockchain associated with the acquirer, creating an interim blockchain including the rights and liabilities, generating entries to the transferor blockchain removing the rights and liabilities, and generating entries to the acquirer blockchain adding the rights and liabilities. Another method disclosed can include identifying a critical record of a party, identifying a blockchain associated with the party, and generating an entry on the blockchain associated with the critical record, the entry having permissions related to at least the party.

Abstract: One embodiment provides a method for facilitating security in a system of networked components. During operation, the system constructs a configuration graph that stores a first set of relationships between configuration parameters within a component and a second set of relationships between configuration parameters across different components. A relationship corresponds to a constraint and is indicated by one or more of: a range for a configuration parameter; and a conjunction or a disjunction of logical relationships between two or more configuration parameters. The system generates a set of candidate configuration parameter values that satisfy the constraints of the relationships in the configuration graph. The system selects, from the set of candidate configuration parameter values, a first set of configuration parameter values that optimizes a security objective function.

Abstract: Classification of personal data in incoming or outgoing data files in-line or pre-firewall. The invention determines which data owners and/or data associated with the data owners requires classification (e.g., which individuals/customers and/or data is applicable to internal or external regulations) and, subsequently determines the classifications and identifies the classifications in the data file the data owners and data within the data file so that the data can be routed according to the identified classifications. In specific embodiments machine-learning processing is used to learn, determine and/or predict which data owners and/or data associated with the individual/customers requires classification and the classifications to assign to those data owners and/or data elements.

Abstract: Methods and systems are disclosed herein for a media guidance application that allows access restrictions to be modified in a flexible manner based on a deviation in a user's projected location. Specifically, the media guidance application determines at an end of a first time period whether a user is in a projected location for a second time period. If the user is in a projected location for the second time period, the media guidance application sets a second level of media access restriction. However, if the media guidance application determines that the user is not in the projected location for the second time period, the media guidance application maintains the first level of media access restriction.

Abstract: Embodiments provide systems, methods, and computer program products for enabling user authorization to perform a file level recovery from an image level backup of a virtual machine without the need for access control by an administrator. Specifically, embodiments enable an access control mechanism for controlling access to stored image level backups of a virtual machine. In an embodiment, the virtual machine includes a backup application user interface that can be used to send a restoration request to a backup server. The restoration request can include a machine identifier and a user identifier of the user logged onto the virtual machine. The backup server includes a backup application that determines whether or not the machine identifier contained in the restoration request can be matched to a machine identifier of a virtual machine present in one of the virtual machine backups stored on the backup server.

Abstract: A method for trusted measurement of a cloud computing platform includes: generating, by a third-party management and audit system, an audit report based on a current running indicator, signed by using a digital certificate, of a software and a running security indicator of the software, where the audit report indicates trustworthiness of a cloud computing platform. In this way, a process of trusted measurement of the cloud computing platform is open and transparent, so that authenticity of trusted measurement of the cloud computing platform is improved, thereby increasing a user's trust in the cloud computing platform.

Abstract: Systems, methods, and devices of the various embodiments may enable the reduction of the impact of Border Gateway Protocol (BGP) hijacks by automatically announcing more-specific route prefixes when a netblock is hijacked. In various embodiments, the more-specific route prefixes may be automatically withdrawn when the netblock hijacking stops.

Abstract: A method of processing data includes at least one processor accessing a data storage unit, the data storage unit providing at least one input data object and at least one transmutation command to be performed on the at least one input data object. The at least one transmutation command operates in a forward mode on the at least one input data object to produce at least one output data object to be stored in a data storage unit.

Abstract: Network level Moving Target Defense techniques are provided with substantially continuous access to protected applications. An exemplary method comprises identifying a first application listening to a first port or a first network address; notifying the first application to listen to a second port or a second network address; notifying at least one additional application that the first application is listening to the second port or the second network address; and notifying the first application to unlisten to the first port or the first network address, wherein the first application operates in a substantially continuous manner during a change from listening to one or more of the first port and the first network address and listening to one or more of the second port and the second network address. The first application can be a stateful application having persistent storage.

Abstract: A computer implemented method and a personal communication system (PCS) for generating and delivering an electronically signed personalized communication are provided. The PCS receives a sender composed personal signature and media content from a sender device. The PCS configures one or more parameters of the received personal signature based on sender preferences, while maintaining integrity and originality of the received personal signature. The PCS positions the personal signature with the configured parameters in a predefined section of the received media content. The PCS generates the personalized communication including the received media content with the positioned personal signature and delivers the generated personalized communication to one or more recipients via one or more delivery modes.

Abstract: A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

Abstract: There are provided systems and methods for limiting device functionality based on data detection and processing. A user computing device may include sensitive or confidential data and/or processes that utilize such data that a malicious party may wish to abuse, such as an electronic transaction processing application that uses financial data of a user. The device may therefore be compromised by the malicious party if the device becomes accessible to that party. The device may utilize one or more processes to detect device data determine data proximate to the device and/or contextual data in order to determine whether limitations on application processes are required based on the potential nearby risk. If the nearby risk indicates the device application processes may be in danger, the device may impose limitations on the processes and/or wipe data. The device may also alert other devices or nearby users.

Abstract: Digital certificates are signed by a server's private key and installed at lock controllers that restrict access to physical resources. The server's public key is distributed to lock controllers and to wireless mobile devices operated by users who are given access to primary locks which secure access to physical resources, and secondary locks, which retain the primary locks within operable vicinity to the physical resources. Additionally, tertiary locks may secure access to internal components of the primary or secondary locks. When a wireless mobile device enters the vicinity of a lock controller, the digital certificate of the lock controller is used as the basis for encrypted communications between the wireless mobile device and the lock controller. Wireless mobile devices may be used to gather evidence of integrity of the locks after use. Lock controllers may be powered by energy harvesting devices.

Abstract: Methods, systems, and apparatuses for blockchain-based automated user matching are described herein. In some arrangements, a node within a decentralized peer-to-peer (e.g., P2P) network may receive match parameters from one or more computing devices associated with supply side entities and demand side entities. The node may execute one or more artificial intelligence algorithms to match the supply side entities with the demand side entities based on the received match parameters. In some instances, the artificial intelligence algorithms may be stored in a smart contract on a blockchain and the matching may be performed through execution of the smart contract by nodes of the decentralized P2P network.

Abstract: A device configured to implement multiple locks to increase security of assets associated with the device including an embedded system, a multi-lock mechanism configured to provide a plurality of locks to prevent an authorized access to the assets associated with the embedded system, each of the plurality of locks of the multi-lock mechanism having an different unlock parameters, a memory configured to securely store at least one of the lock parameters of the plurality of locks of the multi-lock mechanism, the memory further configured to securely store at least one of the unlock parameters of the multi-lock mechanism, and the embedded system further configured to provide access to the assets after each of the lock parameters of the plurality of locks of the multi-lock mechanism is provided the unlock parameters of the multi-lock mechanism.

Abstract: A computer-implemented method for authentication using a hashed fried password may include receiving a password value of a user, a salt key, a pepper key, and/or a temporary and randomly generated fry key, or otherwise modifying/appending the password with the salt key, pepper key, and/or fry key. The method may include hashing the modified password, such as performing a hash operation similar to Hash (Password, Salt Key, Pepper Key, Temporary Fry Key). The randomly generated fry key is not saved or otherwise stored, either locally or remotely. A remote server attempting to authenticate the user's password may check for each possible fry key, such as checking against a set of preapproved fry keys, that the hashed fried password may have been modified with in parallel. As a result, an online customer experience requiring a password is not impacted or impeded, while an attacker's attempts to learn the password are frustrated.

Abstract: Technology for matching “consequential-meaning hash key values” based on a sender-side text message and a corresponding receiver-side text message. In some embodiments, the hash key values will be based on a breakdown of the text into certain selected parts-of-speech categories.