Abstract: Embodiments of this application provide a private key generation method and system, and a device. The method includes: receiving, by a terminal device, a first response message sent by a first network device, where the first response message includes at least a first sub-private key, and the first sub-private key is generated based on a first parameter set sent by a second network device; receiving, by the terminal device, a second response message sent by the second network device, where the second response message includes at least a second sub-private key, and the second sub-private key is generated based on a second parameter set sent by the first network device; and synthesizing, by the terminal device, a joint private key based on at least the first sub-private key and the second sub-private key.

Abstract: Systems and methods are provided for chaining network access control authorization processes. A method includes executing a first authorization process to generate a first authorization result for a user according to first authorization data obtained from a first authorization source corresponding to the first authorization process; executing a second authorization process to generate a second authorization result for the user according to second authorization data obtained from a second authorization source corresponding to the second authorization process and the first authorization data obtained by the first authorization process; and authorizing the user to access a network resource according to the first authorization result generated by the first authorization process and the second authorization result generated by the second authorization process.

Abstract: The technology described in this document can be embodied in a computer-implemented method that includes receiving, at one or more servers from a first computing device, (i) first identification information identifying the first computing device or an application executing on the first computing device, and (ii) second identification information identifying a second computing device. The second identification information is obtained by the first computing device by detecting changes to one or more parameters of a magnetic field generated by the second computing device. The method also includes determining, by the server based on the first information, identity information of a user associated with the first computing device, and transmitting, from the one or more servers to the second computing device, the identity information, such that the identity information is usable by the second computing device to verify an access attempt by the user.

Abstract: Methods and systems for performing secure device selection based on sensitive content detection are described herein. The methods and systems may analyze content being accessed via a virtual session established with a first device to determine that at least a portion of the content is sensitive content, determine information indicating one or more security features of the first device and one or more security features of a second device associated with a user of the first device, determine, based on the information, that the second device is more secure than the first device, and, responsive to the determination that the second device is more secure than the first device, transfer the virtual session to the second device or enter a more secure configuration of the first device.

Abstract: The present disclosure provides a blockchain system and a permission management method thereof. The blockchain system includes a plurality of node groups, group account information of each node group is stored in a block of the blockchain, the group account information includes a permission set of the node group, and each node in the node group has all permissions in the permission set of the node group; and the permissions of the nodes in each node group are controlled by a management node in a parent group of the node group; and the permissions in the permission set of each node group are more than those of the permission set corresponding to a child group of the node group; and the member account information of each node is stored in the block of the blockchain, and the member account information includes the permissions of the node.

Abstract: A method and system for protecting an application from unsecure network exposure. The method includes identifying at least one port through which the application is accessible when the application is not configured correctly, wherein the application is executed at a host device connected to at least one network, the host device having the at least one port; sending, to an external resource, connection data for connecting to the application via the at least one port, wherein the external resource is configured to attempt to connect to the application based on the connection data and to return results of the connection attempt; determining, based on the results of the connection attempt, whether an exposure vulnerability exists; and performing at least one mitigation action when an exposure vulnerability exists.

Abstract: System and method for executing a security operation for microservices/serverless function of a microservices-based/serverless application running on a physical infrastructure use a central security controller to execute the security operation for different microservices/serverless functions of the microservices-based/serverless application. Requests for the security operation are transmitted to the central security controller when communications are received at the different microservices/serverless functions of the microservices-based/serverless application. Results of the security operation are then received from the central security controller at the different microservices/serverless functions of the microservices-based/serverless application. Based on the results of the security operation, a task associated with the communications is executed at the different microservices/serverless functions.

Abstract: User permissions for a search on content managed by a content management system (CMS) can be evaluated in a search engine based on a user identity of a user providing a query input for the query rather than after return of an initial results set to the CMS or some other front-end application. The search engine can constrain possible results returned from a search for the query input using a content index of a plurality of content items maintained in a repository of the content management system. The constraining can include limiting the search engine from adding a content item of the plurality of content items to a permissions-filtered results set unless the evaluating of the user permissions and the search for the query input against the content index do not exclude the content item. Other aspects can support index updating by selective use of a metadata index.

Abstract: A secure computation technique of calculating a polynomial in a shorter calculation time is provided. A secure computation system generates concealed text [[u]] of u, which is the result of magnitude comparison between a value x and a random number r, from concealed text [[x]] by using concealed text [[r]]; generates concealed text [[c]] of a mask c from the concealed text [[x]], [[r]], and [[u]]; reconstructs the mask c from the concealed text [[c]]; calculates, for i=0, . . . , n, a coefficient bi from an order n, coefficients a0, a1, . . . , an, and the mask c; generates, for i=1, . . . , n, concealed text [[si]] of a selected value si, which is determined in accordance with the result u of magnitude comparison, from the concealed text; [[u]]; and calculates a linear combination b0+b1[[s1]]+ . . . +bn[[sn]] of the coefficient bi and the concealed text [[si]] as concealed text [[a0+a1x1+ . . . +anxn]].

Abstract: A method for interworking of a security tool and a cloud platform includes checking whether there is a record of confirming or applying security related to a target identifier when a cloud platform client calls a platform interface module, determining whether to interwork with the security tool when the record of confirming or applying security related to the target identifier is not present, requesting a resource required for running the security tool to the cloud platform when the security tool is invoked, and obtaining the resource from the cloud platform and storing the same.

Abstract: This disclosure relates to a cloud-local joint or collaborative data analytics framework that provides data analytics models trained and hosted in backend servers for processing data items preprocessed and encrypted by remote terminal devices. The data analytics models are configured to generate encrypted output data items that are then communicated to the local terminal devices for decryption and post-processing. This framework functions without exposing decryption keys of the local terminal devices to the backend servers and the communication network. The encryption/decryption and data analytics in the backend servers are configured to process and communicate data items efficiently to provide real-time or near real-time system response to requests for data analytics from the remote terminal devices.

Abstract: A wearable apparatus, an anti-peeping display system and an anti-peeping display method are disclosed. The anti-peeping display system includes a display apparatus and a wearable apparatus, the display apparatus is configured to display infrared images, the wearable apparatus acquires the infrared images and converts the infrared images to original images, and the original images are visible images.

Abstract: Dynamic data anonymization utilizes the introduction, tracking, and checking of taint information. During taint introduction, taint information relevant to a source of input data is bound with that data, and the taint information stored as metadata. During taint tracking, the taint information is maintained with the original data over its lifespan, and is also propagated with any derivative data generated from the original data. An anonymization procedure considers the taint information as semantic content to covert the data into anonymous form. Taint checking during anonymization determines whether a data object or a variable is tainted, and identifies the relevant taint information to allow the output of data in anonymous form. Introduction, tracking, and checking of semantic taint information permits embodiments to dynamically calculate anonymization metrics (e.g., k-anonymization, l-diversity) on the basis of the semantics of taint metadata that is actually present.

Abstract: A system includes a secure storage database maintaining a plurality of secure data, a storage access interface, and an access controller. The storage access interface receives a first request to retrieve a first secure data from the secure storage domain. The access controller receives the first request; determines, using a first access module, if the first request satisfies a first access condition based on the first secure data requested to be retrieved; extracts, from the first request, an indication of a role of a user associated with the first request; initializes, responsive to receiving the first request, a second access module; determines, using the second access module, if the first request satisfies a second access condition based on the indication of the role of the user; and outputs the first secure data responsive to the first request satisfying the first access condition and the second access condition.

Abstract: An access control system includes a processor configured to provide a trusted execution environment isolated from a rich execution environment. A rich OS operates in the rich execution environment while a trusted OS operates in the trusted execution environment. An access monitoring module operates within the kernel of the rich OS and a trusted application operates in the trusted OS. The access monitoring module intercepts file requests directed at the file systems of the rich OS, and forwards the file requests to the trusted application. The trusted application then evaluates whether the file request is permitted and provides the access monitoring module with a response. The access monitoring module forwards the request to the file system only if the trusted application approves the request.

Abstract: As provided herein, a first device may be registered as authorized to authenticate a user login into a service from a second device (e.g., a smart phone may be used to log the user into a webmail service on a computer without the user having to enter a password through the computer). Responsive to the user attempting to access the service through the second device, a login interface may be displayed on the first device. The user may confirm or deny that the user wants to log into the service on the second device, thus allowing the user to seamlessly log into the service on the second device (e.g., without entering a password) while mitigating unauthorized logins into the service from unknown devices. Further, the user may use the first device to delegate the authority to authenticate the user login into the service to one or more other devices.

Abstract: A fraud detection electronic control unit is connected to an electronic control unit through an in-vehicle network system. The fraud detection electronic control unit includes a storage and a determination unit. The storage stores a first regulation for determining whether the frame transmitted from the electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent in pursuant to the first regulation. When a predetermined condition is satisfied, the storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation.

Abstract: In an example, techniques of this disclosure include establishing, by a computing device, authentication data for authenticating a user of a service provided by a service provider, where the authentication data comprises one or more first data entries and one or more second data entries that correspond to the one or more first data entries. The techniques also include retrieving, from at least one third-party service provider, one or more second data entries maintained by the at least one third-party service provider that correspond to the one or more first data entries, and authenticating the user based on the authentication data, where authenticating the user comprises comparing the one or more first data entries to the one or more second data entries retrieved from the at least one third-party service provider.

Abstract: Embodiments of the present invention provide systems and methods for monitoring action records in virtual space. The systems and methods for monitoring action records in virtual space display recorded activity on an avatar within the virtual space by communicating in a virtual space with a user account. The recorded activity is analyzed and processed in order to compile information on the avatar and display an avatar (which is a reflection of the compiled information).

Abstract: A system and method provides access to one or more web services by capturing a human perceptible rendering on a separate device, identifying a code from the human-perceptible rendering captured and granting access to the one or more web services, responsive to the code identified and an identifier of the user.