Abstract: A technique to implement access control from within an application begins by dynamically-generating a “management scope” for a transaction associated with a set of managed resources. The management scope is a collection of permissions defined by at least one of: a set of roles, and a set of resource administration rights, that are assigned to a first operator that issues the transaction. As the transaction executes, a request to alter the transaction is then received from a second operator. According to the technique, the management scope for the transaction and associated with the first operator is then evaluated against a management scope associated with the second operator. Upon determining the management scope associated with the first operator has a given relationship to the management scope for the second operator, the transaction is permitted to be altered in response to the request. The given relationship is scoped by one or more rules.

Abstract: A method and system and computer program product for subscribing to action plans including a processing device for receiving an action plan transaction message having one or more data fields from an analyst node in a blockchain network and generating an action plan transaction in a blockchain including the one or more data fields of the action plan transaction message and a newly generated plan identification. The processing device may transmit an action plan notice to the blockchain network alerting the nodes of the blockchain network of the action plan transaction. The processing device may receive one or more client bids for the action plan transaction, determine a winning client bid of the one or more client bids, generate a winning bid transaction in the blockchain and transmit a winning bid notification to the client node of the winning client bid.

Abstract: This invention relates generally to distributed ledger technology (including blockchain related technologies), and in particular the use of a blockchain in implementing, controlling and/or automating a task or process. It may relate to the use of a blockchain or related technology for recording or representing the execution of a portion of logic. This portion of logic may be arranged to implement the functionality of a logic gate, or plurality of logic gates, such as AND, XOR, NOT, OR etc. . . . .

Abstract: The present disclosure is designed to properly prevent tampering of data, which might take place in a data collection route. Data managing apparatus 100 includes a reception processing unit 131 configured to receive processing history information related to a history of processing performed on collected data and encrypted information of a first hash value generated from the processing history information using a public key associated with the processing, a generation processing unit 133 configured to generate a second hash value from the processing history information, and a maintaining unit 135 configured to maintain the processing history information when the first hash value, decrypted from the encrypted information using a private key associated with the data collection process, and the second hash value match.

Abstract: According to one embodiment, a computer-implemented method includes receiving an object to be stored within a storage library, computing a hash value, utilizing the object, determining a storage location within the storage library to store the hash value, and sending the hash value to the storage location and neighbor locations of the storage location within the storage library.

Abstract: According to an embodiment, an information processing apparatus includes: a memory on which first/second processing applications are stored, the first processing application being a secure application; and a processor that is coupled to the memory and executes the first and second processing applications. The first processing application includes an issuance module, a first communication module, and a log verification module. The issuance module issues a command to call a function of the second processing application and links the command to a verification rule. The first communication module transmits, to the second processing application, a command execution request including command identification information that identifies the command, and receives, from the second processing application, an execution log including an execution result of the command identified by the command identification information.

Abstract: Provided is an information processing apparatus including: a generation section that generates, from secret keys corresponding to a plurality of respective algorithms, a plurality of public keys corresponding to the respective algorithms, a plurality of addresses corresponding to the respective algorithms, and a plurality of electronic signatures corresponding to the respective algorithms, by using the algorithms, at least one of the algorithms being an algorithm that is not solved in polynomial time; and a transmission control section that allows transaction data including the generated public keys, addresses, and electronic signatures to be transmitted to a P2P network.

Abstract: A control panel may prevent access to one or more aspects of the control panel based at least in part on one or more security parameters. The security parameters may include a default locked status and a takeover locked status. The default locked status may prevent a user or other personnel from accessing the software, code, or other intellectual property on the control panel while still allowing the user to interface with the security and/or automation system. The takeover locked status may prevent any access or use of the control panel. To protect the automation system and the automation system provider, it may be desired to use a unique identifier to unlock at least one or more aspects of the control panel. The unique identifier may be loaded onto an external storage device which the control panel may automatically recognize.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that manage cryptographically secure exchanges of data using a permissioned distributed ledger. For example, an apparatus may obtain parameter data and additional content associated with a data exchange. The apparatus may generate first data that includes at least a portion of the additional content accessible to a first computing system, and may generate second data that includes at least a portion of the parameter data. The apparatus may provide the first data to a peer computing system, which records encrypted information associated with the first data within an element of a distributed ledger accessible at the first computing system. The apparatus may also provide the second data to a second computing system, which executes the data exchange in accordance with at least the portion of the parameter data.

Abstract: Generally discussed herein are systems, apparatuses, and methods for cyber resiliency. An apparatus can include one or more memory devices including a plurality of instruction sets corresponding to respective application variants stored thereon, one of the application variants including an unmodified version of an application, and one of the application variants including a modified version of the application including the application altered to be resistant to a specified type of cyberattack, processing circuitry to execute the application variants based on a same input, and generate an output, and a monitor to compare output from each of the application variants, and in response to detecting that the output from an application variant of the application variants is not equal to the output from other application variants of the application variants executing a time delayed version of the application variants or restoring the application variants to a known good operating state.

Abstract: User data is aggregated across a plurality of electronic communication channels and domains. An online system initially authenticates a user for access to the online system over a network. The online system provides a user identifier for the user to an authentication service. The authentication service generates a non-repeatable challenge from the aggregated user data for the user identifier and provides the non-repeatable challenge to the online system. The online system provides the challenge to the user and receives a response from the user. The online system provides the response to the authentication service and the authentication sends a success or failure back to the online system based on the response to the challenge, and based on the success or failure the online system makes a final determination for authenticating the user for accessing to the online system.

Abstract: The present disclosure relates to a method method for performing a disjunctive proof for two relations R0 and R1. The relation R0 is between an instance set X0 and a witness set W0 and defines a language L(R0) containing those elements x0?X0 for which there exists a witness w0 that is related to x0 in accordance with R0. The relation R1 is between an instance set X1 and a witness set W1 and defining a language L(R1) containing those elements x1?X1 for which there exists a witness w1 that is related to x1 in accordance with R1. For proving knowledge of a witness wb of at least one of instances x0 and x1, where b is 0 or 1, of the respective relations R0 and R1, the prover may generate using a bijective function a challenge from a simulated challenge c1-b.

Abstract: Techniques to facilitate feature licensing of industrial devices employed in an industrial automation environment are disclosed herein. In at least one implementation, a security certificate for an industrial device is provisioned based on a first private key associated with the industrial device, wherein the first private key is securely stored in a hardware root of trust within the industrial device. A device information package for the industrial device is generated based on the security certificate, wherein the device information package is encrypted with a first public key paired with the first private key and signed by a certificate authority using a second private key. The device information package is provided to the industrial device, wherein the industrial device is configured to validate the device information package using a second public key paired with the second private key and decrypt the device information package with the first private key.

Abstract: A communication method is used in a communication system that includes a plurality of nodes. Two or more authentication nodes among the plurality of nodes respectively receive account information of a user and a public key of the user from the user. The two or more authentication nodes respectively transmit a massage that indicates the account information is correct and the public key of the user to the plurality of nodes when it is decided that the account information is correct. Each of the plurality of nodes registers the public key of the user in a public key list that stores public keys of users who have been allowed to participate in the communication system, when detecting according to messages received from other nodes that a specified number of authentication nodes or more have decided that the account information is correct.

Abstract: Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.

Abstract: Techniques are provided for machine learning-based anomaly detection in a monitored location. One method comprises obtaining data from multiple data sources associated with a monitored location for storage into a data repository; processing the data to generate substantially continuous time-series data for multiple distinct features within the data; applying the substantially continuous time-series data for the distinct features to a machine learning baseline behavioral model to obtain a probability distribution representing a behavior of the monitored location over time; and evaluating a probability score generated by the machine learning baseline behavioral model to identify an anomaly at the monitored location. The machine learning baseline behavioral model is trained, for example, to identify anomalies in correlations between the plurality of distinct features at each timestamp.

Abstract: An apparatus is adapted for implementing a method of creating a data chain, which can be cryptographically proven to contain valid data. The method includes creating a data chain with no elements, validating the data chain for nodes before accepting the data chain, verifying the size of close group to add the data chain, adding a data block to the data chain, removing old copies of entries from the data chain only if a chained consensus would not be broken, else maintaining the entry and marking it as deleted, validating a majority of pre-existing nodes and validating a signature of the data chain via the data chain of signed elements. The apparatus is operable to support a data communication system and provides a technical effect of making a data processing system robust against data corruption, data loss, failure in data communication synchronization and similar practical operational issues.

Abstract: Systems and methods are disclosed for identifying human users on a network.

Abstract: A processing device receives, from a host system, a key manifest and a digital signature generated based on the key manifest using a private key corresponding to a public/private key pair. The key manifest comprises one or more verification keys. The digital signature is verified using the public key and the processing device stores the key manifest in a persistent storage component in response to successful verification of the digital signature. The one or more verification keys are utilized in one or more verification operations based on the key manifest being stored in the persistent memory component.

Abstract: The present invention relates to systems and methods suitable for establishing communication between secure and unsecure devices. In particular, the present invention relates to systems and methods that enables communication between secure and unsecure devices utilizing communication protocols that require implementation over secured connections.