Patents Examined by Khoi V Le
  • Patent number: 10873641
    Abstract: A system for detecting whether a device seeking communication with a server is a returning device that previously communicated with the server includes a database that stores groups of device attributes based on observable device characteristics and unique identifiers. The database is generally not accessible to the devices. Each attribute group and the associated device identifier (DID) can uniquely identify a particular device, and the associated DID is generally not derivable from the attributes. The database may satisfy a uniqueness property so that each attribute value in the database may also uniquely identify a device.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: December 22, 2020
    Assignee: INAUTH, INC.
    Inventors: Glenn S. Benson, Paul Marsolan, Christopher Guenther Moos
  • Patent number: 10867079
    Abstract: An Initialization Unit (IU) initiates an initial secure connection with an Intrinsic Use Control (IUC) Chip based on very large random numbers (VLRNs). The IUC Chip in turn initiates a secondary secure connection between it and one or more Use Controlled Components (UCCs). Polling by the IU allows confirmation of an ongoing secure connection, and also allows the IUC Chip to confirm the secondary secure connection to the UCCs. Removal or improper polling response from one of the UCCs results in a response from the IUC Chip that may include notification of tampering, or temporary or permanent discontinued operation of the offending UCC. Permanent discontinued operation may include destruction of the offending UCC, and cascaded discontinued operation of all other UCCs secured by the IUC Chip. A UCC may in turn be another nested layer of IUC Chips, controlling a corresponding layer of UCCs, ad infinitum.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: December 15, 2020
    Assignee: LAWRENCE LIVERMORE NATIONAL SECURITY, LLC
    Inventor: Mark Miles Hart
  • Patent number: 10848967
    Abstract: A method for handling change of serving Access and Mobility Managing Function for a user equipment. The method comprises sending of a context request to a source Access and Mobility Managing Function. This sending is performed from a target Access and Mobility Managing Function. In the target Access and Mobility Managing Function, a context is received (S3) in reply from the source Access and Mobility Managing Function. The context comprises a parameter which identifies a Security Anchor Function Access and Mobility Managing Function. The Security Anchor Function Access and Mobility Managing Function keeps a key, which is shared with the user equipment. A method for handling a change of serving Access and Mobility Managing Function in a user equipment is also disclosed as well as Access and Mobility Managing Function and User Equipments therefore.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: November 24, 2020
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, David Castellanos Zamora, Christine Jost, Vesa Torvinen, Monica Wifvesson
  • Patent number: 10848519
    Abstract: Methods and systems for Predictive Malware Defense (PMD) are described. The systems and methods can utilize advanced machine-learning (ML) techniques to generate malware defenses preemptively. Embodiments of PMD can utilize models, which are trained on features extracted from malware families, to predict possible courses of malware evolution. PMD captures these predicted future evolutions in signatures of as yet unseen malware variants to function as a malware vaccine. These signatures of predicted future malware “evolutions” can be added to the training set of a machine-learning (ML) based malware detection and/or mitigation system so that it can detect these new variants as they arrive.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: November 24, 2020
    Assignee: Charles River Analytics, Inc.
    Inventors: Michael Howard, Avi Pfeffer, Mukesh Dalal, Michael Reposa
  • Patent number: 10841338
    Abstract: The present disclosure relates to a cybersecurity-monitoring system, method, and computer program for dynamically determining a rule's risk score based on the network and user for which the rule triggered. The methods described herein address score inflation problems associated with the fact that rules have different false positive rates in different networks and for different users, even within the same network. In response to a rule triggering, the system dynamically adjusts the default risk points associated with the triggered rule based on a per-rule and per-user probability that the rule triggered due to malicious behavior. In certain embodiments, network context is also a factor in customizing the risk points for a triggered rule.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: November 17, 2020
    Assignee: Exabeam, Inc.
    Inventors: Derek Lin, Barry Steiman, Domingo Mihovilovic, Sylvain Gil
  • Patent number: 10841084
    Abstract: Techniques are described that provide a session management authorization token by receiving a session request message to establish a protocol data unit (PDU) session for a logical data network associated with a user equipment (UE), the session request message may include one or more session parameters; verifying that the UE is authorized to establish the PDU session for the logical data network; receiving a key associated with the PDU session; generating an authorization token based on the received key and the session parameters; and transmitting a session response message including the generated authorization token to the UE.
    Type: Grant
    Filed: October 13, 2017
    Date of Patent: November 17, 2020
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Adrian Edward Escott, Anand Palanigounder
  • Patent number: 10834589
    Abstract: A method for transferring digital data from a source to a target device, each of the source and target devices including a respective user interface. The method receives a user selection of digital data on the source device via a user interface. The method authenticates the user on the source device. The method, based on recognizing a user selection of target input field(s), of an interface of the target device, to which the digital data is to be provided as input, authenticates the user on the target device and verifies that a common user has authenticated with the source device and the target device. The method transfers the digital data to the target input field(s) of the interface of the target device.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: November 10, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Harish Bharti, Abhay K. Patra, Sarbajit K. Rakshit, Sandeep Sukhija
  • Patent number: 10826909
    Abstract: Providing access to an external application includes receiving login credentials to access a client instance, wherein the login credentials are associated with a user account, causing the client instance to provide a link to an external application in the client instance, detecting a request to navigate to the external application from the link, generating an authentication record for the user account and the external application, storing information for the user account based on the authentication record, and generating a URL for the external application based on the authentication record. Providing access to the external application also includes receiving, from a remote client device hosting the external application, an authorization request comprising nonce information, determining that the user account is authorized to access the external application based on the authentication table, and providing access to the external application.
    Type: Grant
    Filed: October 4, 2018
    Date of Patent: November 3, 2020
    Assignee: ServiceNow, Inc.
    Inventors: Jerome Daniel O'Connell, John H. Kim, Subbaraya Kumar Deverakonda Venkata, Kai Xu
  • Patent number: 10805077
    Abstract: Examples of the present disclosure describe systems and methods for partially encrypting conversations using different cryptographic keys. Messages communicated during a conversation session may be encrypted using a cryptographic key. Other conversation participants may then decrypt the messages using the cryptographic key. During the conversation, an event may occur that causes a new cryptographic key to be generated. The conversation participants may then use the new cryptographic key when communicating. As such, previously-encrypted messages may be inaccessible to new members that do not have the old cryptographic key, while newly-encrypted messages may be inaccessible to former members that do not have the new cryptographic key. An isolated collection may store the messages and related cryptographic keys. Relationships may exist within the isolated collection, such that messages may be related to one another and messages may also be related to the cryptographic keys used to encrypt them.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: October 13, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher L. Mullins, Robert Standefer, III
  • Patent number: 10798128
    Abstract: A system and method enforce a security policy in a message-based operating system by controlling access to an operating system authenticator. The control occurs in response to an invocation of a microkernel call that initiates a process manager's function in accordance with the access right retained stored in a microkernel. The system and method control access to a server serving a client in the message-based operating system according to a token. The token is issued by the operating system authenticator and establishes a client's access to the services provided by the server.
    Type: Grant
    Filed: July 24, 2017
    Date of Patent: October 6, 2020
    Assignee: BlackBerry Limited
    Inventors: Leo F. Forget, Rob Krten
  • Patent number: 10798546
    Abstract: A new approach is proposed to support automated dynamic reconfiguration of a mobile device of a client from using a primary document service to a secondary document service by the same service provider based on pushed data received via the mobile device. When the client logs in to his/her account at the primary cloud-based document service by default and later receives an invite sent by another client via the secondary document appliance, a document app on the client's mobile device would automatically reconfigure itself to use the secondary document appliance for a specific set of operations on a document as required by the invite instead. The client may then access the secondary document appliance to view the document, sign it, and complete the entire process within the document app. Following the client's completion of the operations, the document app is automatically reconfigured back to use its primary cloud-based document service.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: October 6, 2020
    Assignee: AIRSLATE, INC.
    Inventors: Thorfinn Clark, Dominic Tham
  • Patent number: 10796001
    Abstract: A software verification method and apparatus are disclosed, applied to the cloud computing field and the communications field, and can be used to automatically verify whether an installation file of VNF software has been tampered with. The method includes: obtaining installation files of VNF software and signature files of the installation files, where the signature files of the installation files are used to store verification information of the installation files; verifying the installation files according to the signature files of the installation files; and determining, if the verification of the installation files succeeds, that the VNF software has not been tampered with.
    Type: Grant
    Filed: July 6, 2017
    Date of Patent: October 6, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Yujin Qin
  • Patent number: 10798102
    Abstract: A computer-implemented method according to one embodiment includes identifying an object within a system, determining metadata associated with the object, calculating a logical protection level for the object, utilizing the metadata, and implementing a physical protection level for the object within the system, utilizing the logical protection level for the object.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: October 6, 2020
    Assignee: International Business Machines Corporation
    Inventors: Erik Rueger, Christof Schmitt
  • Patent number: 10783237
    Abstract: The present teaching relates to generating an identifier for a person. In one example, an actual name of the person is received. The identity of the person that is associated with the actual name of the person is proved at a pre-determined level of assurance (LOA) required by an identity management system. When the identity of the person has been proved, a peripheral name is solicited from the person. An identifier that includes the actual name and the peripheral name of the person is created. Whether the identifier is unique is determined. The steps of soliciting, creating, and determining are repeated until the identifier is unique. The peripheral name is associated with the person. The identifier is associated with the person.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: September 22, 2020
    Assignee: DRFIRST.COM, INC.
    Inventors: James F. Chen, Chen Qian, Zilong Tang, Eric Rosenfeld
  • Patent number: 10776485
    Abstract: A virtual machine transmits local files to a secure virtual machine hosted by a hypervisor for malware detection. When malware is detected, the secure virtual machine can responsively provide remediation code to the virtual machine on a temporary basis so that the virtual machine can perform suitable remediation without a permanent increase in size of the virtual machine.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: September 15, 2020
    Assignee: Sophos Limited
    Inventors: Richard Barlow Harrison, Andrew Colin Piper, Mark Bond, Robert William Allsworth, Kenneth D. Ray
  • Patent number: 10771494
    Abstract: Protecting a runtime Web service application. A web service application is instrumented to log its operation and allow recreation of its execution trace. Trace point vulnerabilities are identified using one or more data payloads. Candidate trace point operations associated with the trace point vulnerabilities are identified. Supplementary candidate operations are computed based on the existing trace point operations and the one or more data payloads. The Web service application is further instrumented with the one or more supplementary candidate operations.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: September 8, 2020
    Assignee: International Business Machines Corporation
    Inventors: Omer Tripp, Emmanuel Wurth
  • Patent number: 10771263
    Abstract: A system and method for a distributed security model that may be used to achieve one or more of the following: authenticate system components; securely transport messages between system components; establish a secure communications channel over a constrained link; authenticate message content; authorize actions; and distribute authorizations and configuration data amongst users' system components in a device-as-a-key system.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: September 8, 2020
    Assignee: DENSO CORPORATION
    Inventors: Eric John Smith, Raymond Michael Stitt, David Stuckless Meyer, Brian Ensink
  • Patent number: 10771971
    Abstract: The aspects disclosed herein are directed to systems and methods for employing multi-factor authentication for the transfer of goods or information. By employing the aspects disclosed herein, the authentication may become more secure and less vulnerable to attacks by unauthorized parties. The aspects disclosed herein may be implemented as a thin-client implementation, or a thick-client implementation.
    Type: Grant
    Filed: October 18, 2017
    Date of Patent: September 8, 2020
    Inventor: Samuel Salloum
  • Patent number: 10771978
    Abstract: A method of transmission scheduling for one or more process devices (P1, P2, P3, P4) in an industrial application (IA), such as a sensor, an actuator and/or a process controller, capable of wireless communication, implemented by a radio control unit (LRC, GRC), is proposed, the method comprising: determining with respect to the industrial application (IA) whether a licensed shared access spectrum (LSA) is available and assigning to the one or more process devices (P1, P2, P3, P4), based on a traffic type of the data to be transmitted by the one or more process devices (P1, P2, P3, P4), an access spectrum within the licensed shared access spectrum (LSA).
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: September 8, 2020
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Monica Wifvesson
  • Patent number: 10769593
    Abstract: A computer-implemented method, a computer program product, and a computer system for handling email flows arising from transactions initiated with a shared privileged identity at a service provider. A privileged identity management (PIM) system reads an email sent from a service provider to a single shared PIM email address, wherein the single shared PIM email address is associated with a shared ID and wherein the email is related to a transaction initiated with the shared ID at the service provider. The PIM system analyzes the email by extracting an ID of the transaction and keywords in the email. The PIM system identifies one or more PIM users relevant to the transaction, based on analysis of the email. The PIM system sends a notification of the email to the one or more PIM users relevant to the transaction.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: September 8, 2020
    Assignee: International Business Machines Corporation
    Inventor: Chee Meng Low