Abstract: The present disclosure includes systems and methods that provide a control that enables entry of a user and a catalog item. In response to this entry, a visual representation of the categorized hierarchy of the catalog item and categories (collectively “catalog entities”) to which the catalog item belongs are displayed. Each displayed catalog entity may include a visual indication of whether the catalog entity is accessible to the user. In some embodiments, the displayed catalog entity may include a control that enables or disables access to the catalog entity. The displayed catalog entity may also include a control that displays user groupings that have access or do not have access to that displayed catalog entity. An indication of whether the user belongs to each user grouping may also be displayed. Each displayed user group may include a control that enables modification to the definition of the displayed user grouping.

Abstract: Systems and methods for securing embedded devices via both online and offline defensive strategies. One or more security software components may be injected into firmware binary to create a modified firmware binary, which is functionally- and size-equivalent to the original firmware binary. The security software components may retrieve live forensic information related to embedded devices for use in live hardening of the modified firmware binary while the embedded device is online, dynamically patching the firmware. In addition, the live forensic information may be aggregated with other analytical data identifying firmware vulnerabilities. A vulnerability identification and mitigation system can then identify and inject modifications to the original firmware binary to develop secure firmware binary, which may be imaged and loaded onto one or more embedded devices within a network.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for multi-factor authentication. In response to a request for an action, the method includes one or more processors whether a first authentication credential passes validation. In response to determining that the first authentication credential does pass validation, the method further includes one or more processors determining a second authentication credential, wherein the second authentication credential includes an indication of a wireless connection between a first computing device and a second computing device. The method further includes one or more processors determining whether the second authentication credential passes validation. In response to determining that the second authentication credential passes validation, the method further includes one or more processors allowing execution of the requested response.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identity verification are provided. One of methods, implemented by a mobile terminal device, includes: obtaining a device identifier of a service device configured to provide a service based on a digital key; uploading the device identifier to a server in communication with the service device and the mobile terminal device and storing registration information of service devices, to cause the server to perform validity verification on the device identifier; in response to receiving a result indicating the device identifier is valid, collecting identity feature information of a user; uploading the identity feature information of the user to the server, to cause the server to perform identity verification on the user based on the identity feature information; and obtaining the digital key issued by the server in response to the identity verification being successful.

Abstract: Internet-of-Things (IoT) prioritized sensor authentication management includes receiving in an IoT gateway different packets of data from different sensors over a computer communications network. For each received packet of data from a corresponding one of the different sensors, the received packet of data is compared to a pattern associated with the corresponding one of the different sensors. On the condition that the received packet of data is within a threshold of similarity to the pattern, a sensor value may be extracted from the received packet of data and transmitted to a sensor monitor. But otherwise, the received packet of data is placed into quarantine in memory of the IoT gateway, authentication of the corresponding one of the different sensors is performed, and in response to the authentication, the packet is released from quarantine, the sensor value extracted from the received packet of data and transmitted to the sensor monitor.

Abstract: Systems and methods are disclosed for an ADV to leverage pre-defined static objects along a planned route of travel to detect and counter attacks that attempt to change the destination or the planned route. The ADV may detect updates to the static objects if the planned route is changed. Based on the updated static objects, the ADV determines if there is an abnormal re-routing of the planned route or if there is a new route due to a suspicious destination change. The ADV may also leverage the static objects to detect spoofing attacks against the sensor system. The ADV may evaluate if sensors of the sensor system are able to detect and identify the static objects to identify an impaired sensor. The ADV may perform cross-check on the ability of the sensors to detect and identify dynamic objects to gain confidence that the impaired sensor is due to spoofing attacks.

Abstract: A method, implemented using an authentication monitoring (AM) computer device, for monitoring an execution of a digital authentication program is provided. The method includes receiving an authentication data file from an authenticating computer device executing the digital authentication program, wherein the authenticating computer device is associated with an authenticating entity, processing the authentication data file to extract at least one authentication value, testing the authentication value against at least one authentication rule associated with the digital authentication program, determining that a stored metric for the authenticating computer device fails to meet a predefined benchmark, wherein the stored metric is associated with the digital authentication program, and initiating an authentication remediation process, wherein the authentication remediation process causes an update to the digital authentication program used by the authenticating computer device.

Abstract: A machine-readable medium may store instructions executable by a processing resource to access log data of an enterprise and extract time-series data of an enterprise entity from the log data. The time-series data may include measured feature values of a set of selected features over a series of time periods. The instructions may be further executable to train a predictive model specific to the enterprise entity using the time-series data, wherein the predictive model is to generate, for a particular time period, a predicted feature value for each of the selected features; access actual feature values of the enterprise entity for the particular time period; apply first-level deviation criteria to the actual feature value and the predicted feature value of each selected feature to identify deviant features of the enterprise entity; and apply second-level deviation criteria to the identified deviant features to identify the enterprise entity as behaving abnormally.

Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of authenticating customers and service agents. The innovation receives a connection request to connect a customer and a service agent. The customer is authenticated for the service agent by matching biometric data of the customer to previously stored biometric data using a biometric recognition algorithm. The service agent is authenticated for the customer by matching a unique identifier to a previously stored unique identifier. A confirmation notification is generated and sent to the service agent and the customer to confirm the authentications. A connection is established between the customer and the service agent according to the authentications and the connection request.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: A face authentication method includes receiving, from a first user terminal, a user account and a face image, obtaining a reference image corresponding to the user account, the reference image being prestored, and determining a second user terminal for helping the first user terminal complete face authentication of the face image with the reference image, the second user terminal being in a state of waiting to receive a first authentication code for the second user terminal to complete identity authentication of the first user terminal. The method further includes generating the first authentication code, sending, to the second user terminal, the first authentication code, the face image, and the reference image, and receiving, from the second user terminal, a result of the face authentication of the face image with the reference image, the result indicating whether the face authentication succeeds.

Abstract: Concepts and technologies are described herein for sharing encrypted data with enhanced security. In some configurations, an encryption key is generated from a password by the use of a password-based key generation technology. In addition, input data is encrypted using the encryption key. The encrypted data and the generated key may be then shared with a remote computer, such as a server. The encrypted data can then be decrypted at the remote computer by the use of the key. By the use of the technologies described herein, the contents of an encrypted file may be accessed at a remote computer without requiring a user to share the actual password.

Abstract: Implementations of the present disclosure provide techniques to improve security in blockchain networks. In some implementations, a linking request is received from a node. The node requests to be linked to a blockchain network. The linking request includes a digital code. One or more consensus verification messages are received from one or more blockchain nodes of the blockchain network. Each consensus verification message indicates whether a respective blockchain node approves or denies the linking request. A consensus verification result is determined based on the one or more consensus verification messages. In response to determining that the linking request is approved by the one or more blockchain nodes, the digital code is stored into the blockchain network as a digital certificate of the node.

Abstract: Implementations of the present disclosure provide techniques to improve security in blockchain networks. In some implementations, a linking request is received from a node. The node requests to be linked to a blockchain network. The linking request includes a digital code. One or more consensus verification messages are received from one or more blockchain nodes of the blockchain network. Each consensus verification message indicates whether a respective blockchain node approves or denies the linking request. A consensus verification result is determined based on the one or more consensus verification messages. In response to determining that the linking request is approved by the one or more blockchain nodes, the digital code is stored into the blockchain network as a digital certificate of the node.

Abstract: A physically unclonable function (PUF) generator includes a first sense amplifier that has a first input terminal configured to receive a signal from a first memory cell of a plurality of memory cells, and a second input terminal configured to receive a signal from a second memory cell of the plurality of memory cells. The first sense amplifier is configured to compare accessing speeds of the first and second memory cells of the plurality of memory cells. Based on the comparison of the accessing speeds, the sense amplifier provides a first output signal for generating a PUF signature. A controller is configured to output an enable signal to the first sense amplifier, which has a first input terminal configured to receive a signal from a bit line of the first memory cell and a second input terminal configured to receive a signal from a bit line of the second memory cell.

Abstract: An anomaly detection electronic control unit (ECU) that detects unauthorized messages on a communication path is provided. An ECU that periodically transmits a first-type message including data to be monitored, and an ECU that periodically transmits a second-type message including data for comparison, are connected to the communication path. The anomaly detection ECU includes: a receiver that successively receives first-type and second-type messages; a processor that determines whether a first-type message received is normal or anomalous; and a transmitter that transmits a predetermined message in accordance with results of the determining.

Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with one of the pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.

Abstract: A system detects that a target service program is being executed by a computing device. The target service program is one of a plurality of pre-defined service programs to be suspended to complete an identity verification of a user using the target service program. Execution of the target service program is suspended on the computing device. An identity verification program is executed on the computing device. The identity verification program is configured to perform the identity verification of the user to obtain an identity verification result indicating whether an identity of the user is verified. The identity verification program is independent from the target service program.

Abstract: A device may identify a plurality of files for a multi-file malware analysis. The device may execute the plurality of files in a malware testing environment. The device may monitor the malware testing environment for behavior indicative of malware. The device may detect the behavior indicative of malware. The device may perform a first multi-file malware analysis or a second multi-file malware analysis based on detecting the behavior indicative of malware. The first multi-file malware analysis may include a partitioning technique that partitions the plurality of files into two or more segments of files to identify a file, included in the plurality of files, that includes malware. The second multi-file malware analysis may include a scoring technique that modifies a plurality of malware scores, corresponding to the plurality of files, to identify the file, included in the plurality of files, that includes malware.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for proximity-based access. In some implementations, an electronic device receives a first message over a network over a first communication channel. In response to receiving the first message, the electronic device increases a frequency that the electronic device scans for messages over the second communication channel. After increasing the frequency that the electronic device scans for messages over the second communication channel, the electronic device receives a second message from a secured resource over the second communication channel. The electronic device determines that the electronic device is located within a predetermined level of proximity to the secured resource, and in response, sends authentication data to the secured resource over the second communication channel.