Patents Examined by Jahangir Kabir
  • Patent number: 11470090
    Abstract: Techniques are described herein for dynamically-tiered authentication, which allows the authentication tier (AT) associated with a session to be automatically downgraded based on the session satisfying one or more downgrade criteria. Automatically downgrading a session eliminates some authentication-based privileges for the session without eliminating all privileges for the session. A session satisfies downgrade criteria based on: an explicit request for session downgrading; client interaction with the application; and/or activity on the device on which the client runs. For example, if a client authenticates to a third AT, but only performs actions in the application that are associated with the first AT during a pre-defined amount of time, the AT associated with the session is automatically downgraded. The session is either downgraded from the third AT to the first AT, or downgraded in intervals until the current or more recently accessed tiers are consistent with the current AT of the session.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: October 11, 2022
    Assignee: LendingClub Bank, National Association
    Inventors: Hyunsuk Han, Saverio Sgro
  • Patent number: 11444939
    Abstract: An authentication control device includes: an acquisition unit configured to acquire predetermined identification information regarding an on-vehicle device to be newly added to an on-vehicle network; and a determination unit configured to determine which of a plurality of types of authentication procedures is to be applied as an authentication process for the on-vehicle device, on the basis of the identification information acquired by the acquisition unit.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: September 13, 2022
    Assignees: SUMITOMO ELECTRIC INDUSTRIES, LTD., AUTONETWORKS TECHNOLOGIES, LTD., SUMITOMO WIRING SYSTEMS, LTD.
    Inventors: Akihiro Ogawa, Hirofumi Urayama, Takeshi Hagihara, Yasuhiro Yabuuchi
  • Patent number: 11438160
    Abstract: Disclosed herein are system, method, and computer program product embodiments for issuing assets and/or asset tokens using zero-knowledge proofs (“ZKPs”). An issuance system may receive a command to issue an asset. The issuance system may determine that issuing the assets would not violate administrator-defined or network-defined rules that may govern the types of assets and/or the quantity of assets that the issuance system may issue. The issuance system may then issue the assets and generate a ZKP corresponding to the issuance and indicating adherence to the rules while concealing information related to the asset token, such as the types of assets and/or quantity of assets. The issuance system may publish the ZKP to a blockchain so that verifier nodes may confirm that the issuance system adhered to the rules while still preventing access to the underlying issuance information.
    Type: Grant
    Filed: August 28, 2019
    Date of Patent: September 6, 2022
    Assignee: QED-it Systems Ltd.
    Inventors: Aurélien Renaud François Nicolas, Ron Kahat, Yakov Gurkan
  • Patent number: 11436319
    Abstract: Methods, apparatus, and processor-readable storage media for automated detection of user device security risks related to process threads and corresponding activity are provided herein. An example computer-implemented method includes obtaining information pertaining to processes running on a user device; obtaining information pertaining to images loaded into at least one memory associated with at least one of the processes running on the user device; obtaining information pertaining to threads created in connection with at least one of the processes running on the user device; automatically identifying at least one of the threads as a security risk by processing the information pertaining to the images and the information pertaining to the threads; and performing at least one automated action based on the identification of at least one of the one or more threads as a security risk.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: September 6, 2022
    Assignee: RSA Security LLC
    Inventors: Vishnu C. Pedasingu, Phaneendra Ksl, Gaurav Bansal
  • Patent number: 11430293
    Abstract: The present application provides methods and corresponding systems for accessing services on a gaming device which, in certain embodiments, include the step or steps of obtaining at least one item of identity verification data from a user of a gaming device; encrypting the at least one item of identity verification data; comparing the at least one item of encrypted identity verification data received and at least one item of encrypted identity verification data obtained and stored previously on an authentication device; enabling at least one service on the gaming device based on a match between the encrypted identity verification data, the at least one service comprising a wager-type game; and displaying an interface screen comprising graphic objects associated with the wager-type game and at least one selectable element for the user to submit a gaming command and a wagering command during game play.
    Type: Grant
    Filed: July 6, 2020
    Date of Patent: August 30, 2022
    Assignee: CFPH, LLC
    Inventors: Dean P. Alderucci, Joseph M. Asher, Antonio Papageorgiou
  • Patent number: 11425104
    Abstract: A data transfer process can include multiple verification features usable by a “source” device to ensure that a “destination” device is authorized to receive a requested data object. The source device and destination device can communicate via a first communication channel (which can be on a wide-area network) to exchange public keys, then use the public keys to verify their identities and establish a secure session on a second communication channel (which can be a local channel). The data object can be transferred via the secure session. Prior to sending the data object, the source device can perform secondary verification operations (in addition to the key exchange) to confirm the identity of the second device and/or the locality of the connection on the second communication channel.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: August 23, 2022
    Assignee: Apple Inc.
    Inventors: Arun G. Mathias, Thomas A. Dilligan, Matthew C. Lucas, Anush G. Nadathur, Kevin P. McLaughlin
  • Patent number: 11418536
    Abstract: A computer-implemented method, computer program product and computing system for importing threat data from a plurality of threat data sources, thus generating a plurality of raw threat data definitions. The plurality of raw threat data definitions are processed, thus generating a plurality of processed threat data definitions. The plurality of processed threat data definitions are processed to form a master threat data definition. The master threat data definition is provided to one or more client electronic devices.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: August 16, 2022
    Assignee: RELIAQUEST HOLDINGS, LLC
    Inventors: Brian P. Murphy, Joe Partlow
  • Patent number: 11411950
    Abstract: Embodiments of the invention are directed to a system structured for integration of communication channels and active cross-channel communication transmission, such that the user can utilize disparate electronic communication channels via a central user application. The system is configured to construct a secure dynamic integrated interface in real-time structured for performing electronic activities associated with electronic communications. The system is also structured for dynamically transforming electronic communications in response to the type of invoking communication channel and the authentication credential level of the communication channel. The system is also structured for, in response to determining a first user activity, in real-time, dynamically modifying the one or more graphical UI elements presented at the central user interface.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: August 9, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Amit Kohli, Joshua Alan Ackles, Venu Gopal Vallabhaneni
  • Patent number: 11405212
    Abstract: A runtime application self protection (RASP) plug-in monitors for, and prevents, invocation of unacceptably weak cryptographic processing requested by an application. Since the RASP plug-in is linked to the application, the RASP plug-in has access to information regarding an execution state of the application logic, including interaction with shared libraries, to determine what component of the application requests use of unacceptable cryptographic techniques. Such enables owners/operators of an application to easily detect requests for unacceptable cryptographic techniques, even if such requests originate in a portion of the application that is not under the control of the owners/operators.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: August 2, 2022
    Assignee: IMPERVA, INC.
    Inventor: Kunal Anand
  • Patent number: 11405425
    Abstract: Authenticating computing entities. A method includes at an identity provider, providing a first access token to an entity for use by the entity in obtaining resources from a resource provider. The method further includes, at the identity provider, receiving response information from the entity. The response information from the entity is provided to the entity from the resource provider as a result of the resource provider enforcing policy at the resource provider. At the identity provider, a second access token is provided to the entity. The second access token is provided based on the response information, such that the second access token can be used by the entity to obtain the resources from the resource provider.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: August 2, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Violet Anna Barhudarian, Jiangfeng Lu, Caleb Geoffrey Baker, Oren Jordan Melzer, Anirban Basu, Yordan Ivanov Rouskov, William Bruce Barr, III, Radhika Kashyap, Carlos Adrian Lopez Castro, Pui-Yin Winfred Wong
  • Patent number: 11381977
    Abstract: Systems and methods for obtaining authentication vectors issued, for use by a mobile communication terminal, by a Home Location Register (HLR) that serves a cellular communication network independently of any cooperation with the cellular network. Further to obtaining the authentication vectors, a terminal is caused to communicate over a WiFi WLAN using an encryption key derived from the obtained authentication vectors, e.g., per the EAP-SIM or EAP-AKA protocol. Since the encryption key is known, communication from the terminal is decrypted. The authentication vectors may be obtained by (i) an “impersonating” Visitor Location Register (VLR) server that does not serve the cellular network; (ii) an interrogation device which, by imitating a legitimate base station serving the cellular network, solicits the mobile communication terminal to associate with the interrogation device; or (iii) an SS7 probe, which obtains authentication vectors communicated from the HLR server to other entities on the SS7 network.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: July 5, 2022
    Assignee: COGNYTE TECHNOLOGIES ISRAEL LTD.
    Inventor: Eithan Goldfarb
  • Patent number: 11336655
    Abstract: Systems and methods provide multilevel authorization of workspaces using certificates, where all of the authorization levels may be authorized separately or may instead be authorized at once. A measurement of an IHS (Information Handling System) is calculated based on the identity of the IHS and based on firmware of the IHS. A measurement of the configuration of the IHS is calculated based on information for configuring the IHS for supporting workspaces and also based on the IHS measurement. A measurement of a workspace session is calculated based on properties of a session used to remotely support operation of the workspace by the IHS and also based on the configuration measurement. Workspace session data may be authorized at all three levels by evaluating the session measurement against a reference session measurement.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: May 17, 2022
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
  • Patent number: 11329989
    Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A requestor may make a request to assume an intermediary role and receive a first token that enables assumption of the intermediary role. The requestor, after assuming the intermediary role, may request to assume a destination role and receive a second token that enables the requestor to access one or more computing resources by assuming the destination role.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: May 10, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Richard Threlkeld
  • Patent number: 11323480
    Abstract: An authentication system handles authentication requests to apply introspection and policy enforcement. A policy server obtains a client security policy and an authenticator security policy. The policy server obtains an encrypted credential request with client metadata from a client and determines whether the client metadata satisfies the client security policy. The policy server provides the encrypted credential request to an authenticator device and obtains an encrypted credential response with authenticator metadata in response. The policy server determines whether the authenticator metadata satisfies the authenticator security policy. The policy server processes the encrypted credential response, without decrypting the encrypted credential request or the encrypted credential response, based on a determination of whether the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: May 3, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Jeremy Lee Erickson, Nicholas Hamilton Steele, Nicholas James Mooney
  • Patent number: 11323427
    Abstract: A method and apparatus for mixed-mode cloud/on-premise secure communication. The method includes commissioning an on-premise device, and connecting to a web address via a client web browser using a name and a login credential of a user; and verifying a login credential of a user at a cloud-based service and establishing communication with the client web browser if the login credential is authenticated, then permitting communication between the client web browser and the cloud-based service.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: May 3, 2022
    Assignee: CARRIER CORPORATION
    Inventor: Maxim Rydkin
  • Patent number: 11323459
    Abstract: In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the respective client profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: May 3, 2022
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Daniel Dichiu, Stefan Niculae, Elena A. Bosinceanu, Sorina N. Stoian, Andreea Dincu, Andrei A. Apostoae
  • Patent number: 11310031
    Abstract: The invention provides a novel and advantageous solution for controlling or influencing use of and/or access to a resource. This resource may be a device, such as an IoT (Internet of Things) device or a process. The invention is implemented via a distributed ledger (blockchain). This may be the Bitcoin blockchain or some alternative blockchain platform/protocol. In an illustrative embodiment, the controlled resource is a parking meter.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: April 19, 2022
    Assignee: nChain Licensing AG
    Inventors: Stephane Vincent, Craig Steven Wright
  • Patent number: 11297067
    Abstract: Described embodiments provide systems and methods for resource appropriation in a multi-tenant environment using risk and value modeling. A resource server can provide a plurality of applications access to a plurality of resources in response to requests from clients based in part on risk scores and value scores. The resource server can generate and execute a risk model and a value model to determine a risk score and a value score for each of the applications. The resource server can use the risk and value scores to determine access to a particular resource for a requested application. The resource server can assign a first allocation of resource tokens to an application. The resource tokens can correspond to access privileges to the plurality of resources. The resource server can dynamically modify the resource allocation for applications responsive to changes to a risk score or value score of a respective application.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: April 5, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Alok Aggarwal, Josh Thomas Gray, Darren Gilroy
  • Patent number: 11290444
    Abstract: A system and method for the generation of cryptographic keys for authentication and secure communications. The invention is an improvement over other existing authentication and encryption methods because it is not susceptible to hackers who have access to previous login sessions since authentication data is unique to each session, it is not susceptible to hackers using brute force attacks to determine underlying algorithms due to the complexity of the method and the extensive ability to customize the underlying data, and it allows for a key length as large as the message and unique to each login session which is what Claude Shannon showed to achieve the so-called perfect secrecy. The disclosed invention is also an improvement over existing authentication and encryption methods because it allows for multiple valid responses in each login session.
    Type: Grant
    Filed: March 16, 2020
    Date of Patent: March 29, 2022
    Inventor: Dan Vasile Mimis
  • Patent number: 11288344
    Abstract: One or more communication interfaces of a first application may be scanned. In response to the scanning, it may be determined that at least a first component of the first application is subject to public access from any application. One or more public access features associated with the first component may be removed, wherein the first component is no longer subject to public access from any application. A first module may be added to the first application to control access to data to or from the first component via one or more security rules.
    Type: Grant
    Filed: June 10, 2019
    Date of Patent: March 29, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Roee Hay, David N. Kaplan, Sagi Kedmi, Omer Tripp