Abstract: A system is described for controlling access to resources using an object model. Users can specify use cases for accessing resources. The user may be granted access if the user satisfies qualifications required for accessing the resource, selected a use case permissible for accessing the resource, and satisfies qualifications required for the use case. Use cases, qualifications, resources, and/or links between them can be implemented using an object model. The system can be used in addition to authentication and authorization.

Abstract: Using entropy to prevent inclusion of pay load data in code execution log data. Embodiments determine that a payload data item associated with code execution log data has entropy exceeding a defined entropy threshold and identify a particular executable code that interacted with the payload data item. Embodiments then take a preventative action that excludes the pay load data item from inclusion with a record of execution of the particular executable code. Examples of preventative actions include preventing the pay load data item from being exported from the computer system, preventing the pay load data item from being included in the code execution log data, and adding the payload data item to a block list in reference to the particular executable code.

Abstract: An embodiment of a feedback-based system and methods are disclosed for real-time mitigation of fraud and otherwise invalid traffic in a mobile ad environment. The system of three complementary facets of one embodiment comprises four major sub-systems: prevention, detection, control and reporting, which work in cohesion with one another to achieve the common goal of the system. In the embodiment, deterministic and probabilistic methods are applied across all levels of user engagement (impressions, clicks, installs, post-install events, and conversions) to detect the likely sources of invalid traffic and block them in real time. A distinctive and unifying feature of the embodiment of the system is the feedback loop that connects advanced analytics and machine learning techniques that the detection subsystem employs at all levels of user engagement to the real-time blocking mechanism of the prevention subsystem that operates at the initial levels of user engagements, such as clicks and impressions.

Abstract: Methods and systems for a processing architecture that maintains a separate logic pathway corresponding to a first operation type and a second operation type, until a blockchain operation is submitted to the blockchain network using either the first operation type or a second operation type. Following submission of the blockchain operation to the blockchain network, the architecture collapses the parallel logic pathways to a single logical pathway for both types.

Abstract: A new transactional, constraint-based system is provided to define and maintain authorization policies. Constraints are expressed as user-defined, domain-specific programs that operate on authoritative representations of entities and administrative hierarchies.

Abstract: A processor may identify that one or more client-side applications have been initiated. The processor may identify a browser container. The processor may securely run the one or more client-side applications in the browser container. A website server may collect data that is to be transferred to a browser and sent back from the browser, and the browser container may be associated with the browser. The processor may permit a transfer and sending of the data between the website server and the browser. The transfer and sending of the data may include session specific information that is to be cached on a client-side.

Abstract: A method includes obtaining, by an application executing on a processor of an electronic device, user data of a user, generating a representation of the user data, applying local differential privacy to the representation of the user data, to generate a transform of the representation of the user data, sending the transform of the representation of the user data, to a service provider via a network and receiving, from the service provider, via the network, service data based on the transform of the user data. The service data includes a user-specific output based on the transform of the user data. The application executes outside of a trusted execution environment (TEE) of the electronic device. The transform of the representation of the user data is generated in the TEE of the electronic device.

Abstract: A system includes one or more privacy vaults. At least one of the one or more privacy vaults is associated with at least one individual user, stores contents associated with the associated at least one individual user, and stores specific identification of a plurality of third-party entities, authorized to access at least a portion of the contents stored by the one or more privacy vaults, along with access permissions, one or more of the access permissions defined for each of the plurality of third-party entities. At least one of the access permissions defines accessibility of the contents for at least one of the plurality of third-party entities for which the at least one access permission is defined.

Abstract: A method of authenticating and authorizing a wireless communication device for access to a communication service. The method comprises receiving a service request from a wireless communication device by a access node, parsing the service request by the access node, based on parsing the service request, determining by the access node that the wireless communication device is seeking combined authentication and service authorization, sending the service request by the access node to a hyperledger gateway, receiving an authentication success response associated with the wireless communication device and a service authorization success response by the access node from the hyperledger gateway, and sending the service request by the access node to a communication service computer system, whereby the service request is both authenticated and authorized by the hyperledger gateway in a combined transaction and a requested communication service is provided to the wireless communication device.

Abstract: Methods, systems, and apparatuses are described herein for improving computer authentication processes by analyzing user response times to authentication questions. A request for access to an account may be received. Transaction data associated with a user of that account may be retrieved, and a list of merchants may be generated based on the transaction data. A blocklist may be retrieved, and the list of merchants may be filtered based on the blocklist. An authentication question may be presented. The authentication question may relate to the list of merchants. User responses may be received, and response times for the user responses may be measured. Based on the response times and the response times for other users, an average response time for the merchants may be determined. Based on the average response time for a particular merchant exceeding a threshold, the particular merchant may be added to the blocklist.

Abstract: According to one embodiment, a data management method performed by a computer, includes: receiving first request information for requesting to execute a first process on first data, the first data being data regarding a person; and determining whether the first process is executable, based on the first request information and consent information, the consent information including a first condition that the person consents to perform the first process.

Abstract: An approach for real time, round trip pseudonymization (a.k.a. anonymization or tokenization) of data on the fly, in real time, enabling remote secure processing of sensitive data such as by a cloud service. Sensitive data remains on premises with the client at all times. A user may thus run extensive queries that return sensitive data without noticing that such data was pseudonymized in transit.

Abstract: A method for distributing event data for smart contracts executed on a blockchain to subscribing systems includes: collecting, by a processor of a blockchain node in a blockchain network, a set of event data emitted by a smart contract executed on a blockchain associated with the blockchain network; identifying, by the processor of the blockchain node, communication data for one or more subscriber computing systems; and after a predetermined period of time, transmitting, by a transmitter of the blockchain node, the collected event data to each of the one or more subscriber computing systems using the communication data.

Abstract: A computer-implemented method of generating a secondary transaction identifier of a target transaction which enables a querying user to determine whether the target transaction comprises a candidate data field. The method comprises identifying a set of data fields of the target transaction, each data field comprising respective data of the transaction; and generating a transaction hash tree. Each data field is hashed to generate a respective one of a plurality of leaf hashes of the transaction hash tree. The root hash of the transaction hash tree comprises the secondary transaction identifier.

Abstract: Polymorphic encryption is described in a way to restrict access and enhance security of a data vault. In an example, the data vault has a primary partition with a first subset of records having an encrypted value for each of at least a portion of the fields encrypted according to a first encryption scheme. A secondary partition has a second subset of the records encrypted according to a second encryption scheme that is different from the first encryption scheme. The first encryption scheme is configured to permit a first set of operations on the values when the values are encrypted and the second encryption scheme is configured to permit a second set of operations on the values when the values are encrypted.

Abstract: A bus filter driver and security agent components configured to retrieve and analyze firmware images are described herein. The bus filter driver may attach to a bus device associated with a memory component and retrieve a firmware image of firmware stored on the memory component. The bus filter driver may also retrieve hardware metadata. A kernel-mode component of the security agent may then retrieve the firmware image and hardware metadata from the bus filter driver and provide the firmware image and hardware metadata to a user-mode component of the security agent for security analysis. The security agent components may then provide results of the analysis and/or the firmware image and hardware metadata to a remote security service to determine a security status for the firmware.

Abstract: A user terminal generates a first key pair and a second key pair, transmits a permission request including a public encryption key of the second key pair after electronically signing the permission request with a secret encryption key, and acquires, from permission information transmitted from a right-holder terminal, a content decryption key by using a secret decryption key of the second key pair and uses the content. The right-holder terminal stores a third key pair and the content decryption key, verifies the permission request received, and encrypts the content decryption key by using the public encryption key of the second key pair included in the permission request and transmits the permission information including the encrypted content decryption key after electronically signing the permission information with a secret encryption key of the third key pair. The permission request and the permission information are transmitted and received via a blockchain.

Abstract: Embodiments are disclosed for a method. The method includes validating training data that is provided for training a machine learning model using ordinary differential equations. The method further includes generating pre-processed training data from the validated training data by generating encrypted training data from the validated training data using homomorphic encryption and generating random noise based on the validated training data. The method also includes training the machine learning model adversarially with the pre-processed training data.

Abstract: In some implementations, a device may monitor a screenshot function of a user device. The device may receive, via an application, sensitive information associated with an operation of the application. The device may detect a screenshot instruction associated with the screenshot function capturing a screenshot of a graphical user interface of the application that is displaying the sensitive information. The device may control the screenshot function to suspend a capture of the screenshot of the graphical user interface. The device may identify a portion of the graphical user interface that includes the sensitive information. The device may mask portion of the graphical user interface to obfuscate the sensitive information. The device may enable the screenshot function to capture, according to the screenshot instruction, the screenshot with obfuscated sensitive information. The device may unmask the portion to enable the sensitive information to be displayed via the graphical user interface.

Abstract: Techniques are disclosed relating to maintaining device security associated with reduced power modes. In some embodiments, a computing device receives a request to place the computing device in a reduced power mode in which a first memory of the computing device is powered off. Based on the request, the computing device offloads a memory page from the first memory to a second memory such that the offloading includes encrypting the memory page. Based on a request to resume from the reduced power mode, the computing device restores the memory page from the second memory to the first memory such that the restoring includes decrypting the encrypted memory page. After initiating the restoring, the computing device presents a user authentication prompt asking for a user credential.