Patents Examined by Khalil Naghdali
  • Patent number: 12041441
    Abstract: Methods and apparatus for small data communications over a user plane in a wireless communication network. A method performed by a wireless device comprises receiving, from mobility management network equipment (e.g., implementing an AMF), control signaling indicating that the wireless device is to horizontally derive a base security key and/or that the wireless device is to derive a small data transfer, SDT, security key from the base security key. The base security key may be included in a non-access stratum, NAS, security context at the wireless device and at the mobility management network equipment. The method may further comprise, responsive to receiving the control signaling, deriving the SDT security key from the base security key and a freshness parameter.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: July 16, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Monica Wifvesson, Noamen Ben Henda
  • Patent number: 12041040
    Abstract: A device may collect environmental information surrounding the device. Based on the collected environmental information, the device may automatically identify a potentially secured location that has lower security risk. When a potentially secured location is identified, the device may prompt the user to set up a security profile having reduced security requirement for the secured location. The device may store and associate the security profile with the secured location. The device may activate the security profile with reduced security requirement when the device is in the secured area. Further, the security profile may require that certain features of the device be disabled when the device is in the secured location.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: July 16, 2024
    Assignee: PAYPAL, INC.
    Inventors: Nate L. Lyman, Roy L Camp, Eric J. Farraro, John R. Tapley
  • Patent number: 12041509
    Abstract: An authentication-gaining apparatus includes: an acquiring unit that acquires unique information; an encrypting unit that encrypts the unique information using a cryptographic key, thereby generating encrypted information; and a transmitting unit that repeatedly transmits an authentication request containing the encrypted information, to an authentication apparatus, during an authentication period, wherein multiple authentication requests respectively containing encrypted information obtained by encrypting multiple pieces of unique information are transmitted during the authentication period.
    Type: Grant
    Filed: October 11, 2019
    Date of Patent: July 16, 2024
    Assignee: Sinumy Corporation
    Inventors: Yasuhiko Adachi, Takanori Isobe
  • Patent number: 12032665
    Abstract: Provided herein are smart cloud service systems to enhance information technology system access security and computer-implemented and user-implemented methods of use. The smart cloud service is in electronic communication with a system access point on a system access management (SAM) server which is configured to establish a distributed system access point on a system access management (SAM) client. The smart cloud service distributes, deploys, updates and synchronizes modules or components on the SAM server and the SAM client to enable authentication questions and answers to be generated by a multi-factor authentication engine from data acquired from a user's personal online use and behavior history when access to a protected IT system is requested.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: July 9, 2024
    Inventor: Shuang Chen
  • Patent number: 12021835
    Abstract: A packet gateway may protect TCP/IP networks by enforcing security policies on in-transit packets that are crossing network boundaries. The policies may include packet filtering rules derived from cyber threat intelligence (CTI). The rapid growth in the volume of CTI and in the size of associated CTI-derived policies, coupled with ever-increasing network link speeds and network traffic volume, may cause the costs of sufficient computational resources to be prohibitive. To efficiently process packets, a packet gateway may be provided with at least one probabilistic data structure, such as a Bloom filter, for testing packets to determine if packet data may match a packet filtering rule. Packet filtering rules may be grouped into subsets of rules, and a data structure may be provided for determining a matching subset of rules associated with a particular packet.
    Type: Grant
    Filed: April 7, 2021
    Date of Patent: June 25, 2024
    Assignee: Centripetal Networks, LLC
    Inventors: Sean Moore, Jonathan R. Rogers, Steven Rogers
  • Patent number: 12021994
    Abstract: The subject disclosure relates to employing sourcing and generation components to facilitate a generation of identity data by a biometric chip. In an example, a system comprising one or more processors and one or more storage devices comprising processor executable instructions that, responsive to execution by the one or more processors, cause the system to perform operations comprising sourcing, by a biometric chip implantation device, biometric data, transactional data, activity data and statistical data corresponding to a user from a set of data sources corresponding to a set of data feeds. Furthermore, the system can employ the biometric chip to interpolate subsets of data feeds.
    Type: Grant
    Filed: November 17, 2020
    Date of Patent: June 25, 2024
    Inventor: Evgeny Chereshnev
  • Patent number: 12015714
    Abstract: A computer implemented system for electronic verification of credentials including at least one processor and data storage is described in various embodiments. The system includes cryptographic mechanisms and electronic communication between one or more computing systems that in concert, provide verification of a prover's credentials in accordance to logical conditions of a verifier's policy without providing additional information to a verifier entity.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: June 18, 2024
    Assignee: ROYAL BANK OF CANADA
    Inventors: Edison U. Ortiz, Arya Pourtabatabaie, Margaret Inez Salter
  • Patent number: 12008088
    Abstract: A method is disclosed. The method includes receiving a communication comprising a real credential from a communication device and providing the real credential to a token computer. The token computer generates a token and a cryptogram, and the cryptogram is formed using a resource provider initiated transaction indicator. The method includes receiving, from the token computer, the token and the cryptogram, and transmitting, to a processing computer, an authorization request message comprising the token, the cryptogram, a resource provider identifier, and a transaction amount for a first transaction. The processing computer validates the cryptogram, exchanges the token for the real credential, stores the resource provider identifier, and forwards the authorization request message including the real credential, and the transaction amount to an authorizing entity computer. The method also includes receiving an authorization response message from the authorizing entity computer.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: June 11, 2024
    Assignee: Visa International Service Association
    Inventor: Christopher Jones
  • Patent number: 11997126
    Abstract: Dynamic Software Defined Networking (DSDN) systems and methods provide secure and isolated subnetworks within a larger network. Each subnetwork may be formed with varied policies and communication restrictions based on at least device type, device grouping, and risk level. The DSDN systems and methods may also be applied to form a network, with or without subnetworks, of devices that are spatially separated, thereby reducing the attack surface of the DSDN-formed network.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: May 28, 2024
    Assignee: Cable Television Laboratories, Inc.
    Inventor: Michael Glenn
  • Patent number: 11989269
    Abstract: An association management system for establishing, maintaining, and monitoring associations between a personal identifier and an electronic device, includes a provider subsystem in operable communication with at least one of the personal identifier and the electronic device. The provider subsystem is configured to provision a person associated with the personal identifier, authenticate both of the personal identifier and the electronic device, and establish an association of the authenticated personal identifier to the authenticated electronic device. The system further includes a certificate authority subsystem for issuing at least one digital certificate to verify an identity of one or more digital entities operating on the management system, and a digital distributed ledger including a plurality of a consensus pool of participating processors. The digital distributed ledger is configured to verify, using the at least one digital certificate, transaction events of the association management system.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: May 21, 2024
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Steven John Goeringer, Brian Alexander Scriber
  • Patent number: 11989336
    Abstract: One embodiment provides a method, including: identifying, on an information handling device, a security level associated with an application window displayed on a display screen of the information handling device; capturing, using a sensor associated with the information handling device, an image of an area in front of the display screen; identifying, based upon analysis of the image, that an individual is present in the image; determining, using a processor, whether the individual is authorized to view the application window based upon the security level; and activating, responsive to determining that the individual is not authorized to view the application window, a privacy filter that obscures content in the application window from the individual. Other aspects are described and claimed.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: May 21, 2024
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Robert James Kapinos, Scott Wentao Li, Robert James Norton, Jr., Russell Speight VanBlon
  • Patent number: 11983261
    Abstract: The techniques disclosed herein provide an enhanced single sign-on flow for secure computing resources, such as a virtual machine or hosted applications. In some configurations, the techniques process different types of security data, e.g., credentials, tokens, certificates, and reference objects at specific computing entities of a system to provide a single sign-on flow for providing access to secure computing resources from a client computing device. In one illustrative example, a select type of security data, such as a certificate, is generated from a token and a claim at a particular computing resource, such as an agent operating on a virtual machine. In another example, a signed version of the certificate can be stored and verified at the virtual machine. By generating certificates at such particular computing resources, the computing resource can verify a person's credentials using a secure single sign-on flow without requiring the person to provide credentials multiple times.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: May 14, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Vladimir Kostadinov Stoyanov, Artem Belkine, Gustavo Hernando Catalano-Fonseca, Christian Cruz Montoya, David Belanger, Clark David Nicholson
  • Patent number: 11943209
    Abstract: In the IKE or IPSec SA rekeying, whether the rekey exchange includes the cryptographic suite in the payload depends on whether the cryptographic suite used in the old SA is changed on both ends, e.g., the initiator and the responder. If the cryptographic suite is not changed, then the rekey exchange does not include the cryptographic suite. Additionally, in the IPSec SA rekey, if the flowing information is not changed in either end, the rekey exchange further does not include the Traffic Selector (TS). As such, the size of the payload is decreased, which saves bandwidth, more processing time and power in the course of the IKE SA or the IPSec SA rekey.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: March 26, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Sandeep Kampati, Bharath Soma Satya Meduri, Dharmanandana Reddy Pothula, De Sheng
  • Patent number: 11936642
    Abstract: Embodiments herein include an intelligent electronic device (IED) by employing a multi-factor authentication process. In some embodiments, to change the access level of the IED, the user may use the password and additional inputs such as an off-site operator sending a command, or the user engaging a push button or switch local to the IED.
    Type: Grant
    Filed: April 15, 2021
    Date of Patent: March 19, 2024
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: David J. Bowen, David J. Dolezilek
  • Patent number: 11936634
    Abstract: The messages established on a communication path between two nodes are increasingly encrypted. However, the devices present on the communication path may intervene to transport the messages and to read, edit or add data in the messages. It may also be desirable that only “authorized” devices can carry out these actions. In order to intervene on these data, it would be necessary that the devices on the communication path have available all the keys used by the nodes to encrypt and decrypt the data of the messages, which is difficult to envisage. A modification method enables a device, capable of intercepting a data message on a communication path between two nodes, to edit the data under the control of the nodes, while ensuring that a device cannot access the data edited by another device on the path.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: March 19, 2024
    Assignee: ORANGE
    Inventors: Emile Stephan, Frédéric Fieau, Gaël Fromentoux
  • Patent number: 11916880
    Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: February 27, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
  • Patent number: 11909749
    Abstract: A risk analysis system configures the decision engine to detect anomalous online activities by analyzing usage patterns associated with one or more user accounts across multiple frequencies. The risk analysis system obtains transaction log data representing transactions associated with one or more accounts, and extracts data from the transaction log data to generate time-series data along a time dimension. The time-series data may represent usage characteristics of one or more user accounts over a period of time. The risk analysis system derives pattern data representing usage patterns across multiple different frequencies based on the time-series data. The risk analysis system then configures the decision engine to detect anomalous account activities based on the derived pattern data.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: February 20, 2024
    Assignee: PayPal, Inc.
    Inventors: Zhen Xie, Kasra Vakilinia, Yang Chen, Hagar Oppenheim, Xing Ji
  • Patent number: 11907369
    Abstract: An out-of-order and speculative execution microprocessor that mitigates side channel attacks includes a cache memory and fill request generation logic that generates a request to fill the cache memory with a cache line implicated by a memory address that misses in the cache memory. At least one execution pipeline receives first and second load operations, detects a condition in which the first load generates a need for an architectural exception, the second load misses in the cache memory, and the second load is newer in program order than the first load, and prevents state of the cache memory from being affected by the miss of the second load by inhibiting the fill request generation logic from generating a fill request for the second load or by canceling the fill request for the second load if the fill request generation logic has already generated the fill request for the second load.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: February 20, 2024
    Assignee: Ventana Micro Systems Inc.
    Inventors: John G. Favor, Srivatsan Srinivasan
  • Patent number: 11902454
    Abstract: An information processing method is executed by a processor of an apparatus, and includes a step of generating a public key of the apparatus based on a private key of the apparatus (S2), a step of generating a hash value based on the public key and a predetermined hash function (S3), and a step of determining an IP address of the apparatus based on the hash value (S6).
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: February 13, 2024
    Assignee: CONNECTFREE CORPORATION
    Inventor: Kristopher Andrew Tate
  • Patent number: 11902250
    Abstract: The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are bad, bogus, or unregistered domain name DNS requests to resolve domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine if a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.
    Type: Grant
    Filed: April 1, 2021
    Date of Patent: February 13, 2024
    Assignee: Centripetal Networks, LLC
    Inventors: Sean Moore, Jonathan R. Rogers, Steven Rogers