Abstract: In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the client respective profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.

Abstract: A method of providing a transaction forwarding service in a blockchain includes executing a smart contract in the blockchain so as to determine whether a respective full node is eligible to execute the smart contract. The smart contract specifies eligible full nodes, a filter of a respective light client and a reward for executing the smart contract. The respective full node forwards data relating to a transaction that matches the filter of the respective light client to the respective light client with a proof that the transaction is included in the blockchain. The respective full node receives a signed acknowledgement from the respective light client verifying the transaction. Then, the respective full node claims the reward using the acknowledgement.

Abstract: Methods, systems, and apparatus for authenticating and authorizing users using quantum key distribution through segmented quantum computing environments. In one aspect, a method includes receiving a first and second plaintext data input from a first party and from a second party, respectively; applying a quantum computation translation operation to the first and second plaintext data inputs to generate a corresponding first sequence of quantum computations and a second sequence of quantum computations; implementing the first and second sequence of quantum computations in a first and second segmented quantum computing environment, respectively, to obtain a first and second sequence of measurement results; generating a first and second encryption key using the first and second sequence of measurement results, respectively, and an encrypted authorization token using the second encryption key; and sending the first encryption key to the first party, and the encrypted authorization token to the second party.

Abstract: A method of managing seamless access to locks with person/head detection is provided and includes receiving, at a mobile device, a signal from an access control device that includes a camera sensor. The signal includes an identifier of the access control device and a status of a region of interest of the camera sensor. It is determined that the mobile device includes a credential that is authorized to unlock the access control device. Based on the signal it is determined whether a person is in the region of interest of the camera sensor and moving towards the access control device. A request is transmitted to the access control device to unlock the access control device based at least in part on determining that a person is in the region of interest of the camera sensor and moving towards the access control device.

Abstract: Systems and methods for authenticating a user to access a public terminal are described. Disclosed embodiments may include reading, using the physical credential reader, a user identifier from the physical credential device. Disclosed embodiments may also include transmitting the public terminal identifier and the user identifier to a secure server. Further, disclosed embodiments may include receiving, after completing the transmission, a unique code from the secure server. Disclose embodiments may additionally include displaying the unique code on the display device. Disclosed embodiments may include receiving, after displaying the unique code, an authentication message from the secure server. Disclosed embodiments may further include, responsive to receiving the authentication message, authorizing the user to use a terminal command at the public terminal.

Abstract: A processor-implemented method records and maintains a record of browser events in a blockchain using a peer-to-peer network. One or more processors detect one or more browser events for a browser on a computer. The processor(s) transmit transactions associated with the browser event(s) to a peer-to-peer network of devices that create a blockchain, which includes one or more blocks that describe the browser event(s), where the blockchain records and maintains a record, of browser events, that includes records of uniform resource locators (URLs) browsed by a user, bookmarks added to the browser, and search terms searched by the user. The processor(s) perform a vulnerability analysis to determine how vulnerable the computer and the browser are to a malicious attack, and adjust a frequency of transmitting the transactions from the computer to the peer-to-peer network of devices according to how vulnerable the computer and the browser are to the malicious attack.

Abstract: A system for configuring and executing a secure communication network for authorizing access to safeguarded resources is provided. In particular, the system uses person-to-person (P2P) authentication technology to securely transmit resources between users. In this way, an efficient way to for users to manage resources is provided.

Abstract: A method of checking the authenticity of the content of a non-volatile memory of an electronic device including a microcontroller and an embedded secure element includes starting the microcontroller with instructions stored in a first non-reprogrammable memory area associated with the microcontroller, starting the secure element, executing, with the secure element, a signature verification on the content of a second reprogrammable non-volatile memory area associated with the microcontroller, and if the signature is verified, using the secure element to send the first key to the microcontroller.

Abstract: A method of checking the authenticity of the content of a non-volatile memory of an electronic device including a microcontroller and an embedded secure element includes starting the microcontroller with instructions stored in a first non-reprogrammable memory area associated with the microcontroller, starting the secure element, executing, with the secure element, a signature verification on the content of a second reprogrammable non-volatile memory area associated with the microcontroller, and interrupting the microcontroller power supply if the signature is not verified.

Abstract: Systems and methods for preventing software application tampering are disclosed. 1. In embodiments, a computer-implemented method includes: identifying, by a computing device, an IP related software code segment of a software application; segregating, by the computing device, the IP related software code segment into one or more native code clusters and one or more non-native code clusters; refactoring, by the computing device, the one or more non-native code clusters into one or more stand-alone portable components (SPCs); determining, by the computing device, code migration scores for the one or more SPCs; and determining, by the computing device, select SPCs from the one or more SPCs to migrate to a remote security server based on the code migration scores.

Abstract: Systems and methods detect a potential hacking attack by monitoring the number and timing of DELBA (Delete Block Acknowledgement) action frames. When the number and timing of the DELBA action frames correspond to an unauthorized access pattern, an unauthorized access is detected. The potential unauthorized access may be detected by an access point (AP) or by the AP and a backend system. When a potential unauthorized access is detected, the AP may remain in silent mode for a longer period of time and limit access to the network to only trusted devices. In addition, an alarm or other notification of the potential unauthorized access may be provided to a user or other designated contact.

Abstract: A security measure invalidation prevention device includes an acquisition unit that acquires invalidated security point information about an invalidated security point among security points each having a measure function performing a security measure on a node connected to a network. The invalidated security point has a measure function to be invalidated. The device also includes a determination unit that determines whether a security event to be addressed with the measure function of the invalidated security point is present on the basis of the invalidated security point information acquired by the acquisition unit. The device further includes an extraction unit that extracts a security point to which the measure function of the invalidated security point can be shifted when the determination unit determines that the security event is present.

Abstract: An apparatus, system, and method for gateway onboarding for the Internet of Things providing for securely controlling access to a network by a gateway through a self-service registration web portal. The method steps include entering serial number and gateway information into a self-service registration web portal by a user; submitting the registration request to network controller; attempting to connect to network by gateway by presenting the serial number; verifying, by the administrator, the serial number and user validity; if verified, approving gateway for access to network; allowing gateway on network; and issuing configuration parameters.

Abstract: Methods, systems, apparatus, and non-transitory computer readable media are described for identifying users who are likely to have unauthorized access to secure data files in an organizational network. Various aspects may include presenting the identified users on a display for a system administrator and/or security analyst to resolve. For example, the display may include a graph data structure with users represented as nodes and connections between users represented as edges. Each connection may be a pair of users belonging to the same security group. Nodes of the graph data structure may be clustered to indicate that each of the users in the cluster belong to the same security group. Moreover, the users who are connected to multiple clusters may be identified as a potential risk of having unauthorized access to secure data files. The authorized access may then be remedied or taken away.

Abstract: In virtualized environments a method of determining authorization to a resource cannot use a hardware specific identifier, such as a MAC address. As a result upgrading a virtual host may cause licenses associated with that host to be invalid, even though the upgraded virtual host should be authorized. Authentication methods and systems are disclosed such that a key may be shared with a second host along with a license file and, provided at least the second host has a key associated with its system identifier and a key associated with a license file, access to a licensed resource may be authorized.

Abstract: Techniques are provided for preventing suspicious computer operations using a multi-channel protocol. An exemplary method includes detecting an operation comprising suspicious activity on a first device of a user; in response to the detecting, providing a control signal to suspend the operation on the first device; providing a notification of the suspicious activity to an identity system, wherein the identity system (i) provides an approval request to a distinct second device of the user to verify whether the operation is an authorized operation, (ii) receives a reply from the second device comprising an indication of whether the operation is an authorized operation, and (iii) notifies the first device of whether the operation is an authorized operation; and providing a control signal to enable the operation to proceed on the first device responsive to the reply from the second device indicating that the operation was an authorized operation.

Abstract: A content item service enables users to upload media for content items to be given to others. The content item service performs operations on uploaded media content, such as transcoding. A transformed instance of content is encrypted using a cryptographic key, and an identifier for the encrypted transformed instance of content is generated. The encrypted transformed instance of content and an encrypted version of the cryptographic key are stored in association with the identifier.

Abstract: Methods and systems are provided for managing access to a client account related (CAR) resource. When a privilege-constrained (PC) application requests access to an individual client account, a single use authorization (SUA) code is created that is associated with the individual client account. The SUA code is routed to, and returned from, the privilege-constrained (PC) application to authenticate the PC application. The PC application, once authenticated, receives a permitted action token that identifies a limited set of privileges that the PC application is authorized to perform in connection with the CAR resource. The PC application provides the permitted action token to an access service. The access service limits access, by the PC application, to the CAR resource based on the permitted action token.

Abstract: Implementations of the present specification provide a method for updating a state Merkle tree, where the state Merkle tree is used to store a state of an account in a blockchain network. The method includes: accessing data related to a state Merkle tree that stores a state of an account in a blockchain network; determining to-be-updated nodes that need to be updated in the state Merkle tree due to a state change of the account; extracting one first subtree and M second subtrees from the state Merkle tree based on the to-be-updated nodes; allocating the M second subtrees to N worker threads, wherein two or more of the N worker threads process in parallel the M second subtrees to obtain each updated second subtree; and updating at least the first subtree based on hash values of root nodes of the updated second subtrees, to obtain an updated state Merkle tree.

Abstract: Systems and methods for authenticating a user to access a public terminal are described. Disclosed embodiments may include reading, using the physical credential reader, a user identifier from the physical credential device. Disclosed embodiments may also include transmitting the public terminal identifier and the user identifier to a secure server. Further, disclosed embodiments may include receiving, after completing the transmission, a unique code from the secure server. Disclose embodiments may additionally include displaying the unique code on the display device. Disclosed embodiments may include receiving, after displaying the unique code, an authentication message from the secure server. Disclosed embodiments may further include, responsive to receiving the authentication message, authorizing the user to use a terminal command at the public terminal.