Abstract: Systems, methods, and software described herein provide for validating security actions before they are implemented in a computing network. In one example, a computing network may include a plurality of computing assets that provide a variety of different operations. During the operations of the network, administration systems may generate and provide security actions to prevent or mitigate the effect of a security threat on the network. However, prior to implementing the security actions within the network, computing assets may exchange security parameters with the administration systems to verify that the security actions are authentic.

Abstract: The present disclosure relates to a method for authenticating a user. The method comprises recording image data of the user and deriving at least one first facial feature of the user's face and at least one first gesture feature of one or more gestures of the user from the image data. The method further provides for determining a degree of access of the user to data depending on whether the first gesture feature corresponds to at least one predetermined second gesture feature and whether the first facial feature corresponds to at least one predetermined second facial feature.

Abstract: Various systems and methods of establishing and providing credential dependency information in RESTful transactions are described. In an example, accessing credential resource dependencies may be performed by a credential management service (CMS) or other server, with operations including: receiving a request for a credential resource in a Representation State Transfer (RESTful) communication; identifying the credential resource which has a credential path that indicates a dependency associated with a credential; identifying dependency characteristics of the credential resource, based on the dependency; populating the credential resource to include a dependent credential, based on the dependency characteristics; and transmitting the populated credential resource in response to the request.

Abstract: A managed container may have a managed cache storing content managed by or through an application gateway server computer. The managed container may receive a request for content from an application running in a secure shell provided by the managed container on a client device. The managed container may determine whether the client device is within a specified geographical location. If not, the managed container may deny or restrict the application access to the requested content. The access denial or restriction may continue until a connection is made to the application gateway server computer or until the client device has returned to within the specified geographical location. If the client device is within the specified geographical location, the managed container may provide or restore access to requested content. Embodiments of the managed container can therefore perform geofencing by disabling or limiting access to content based on predetermined secure/insecure designations.

Abstract: An authorization access system and method of minimizing unauthorized access to a resource are provided. The authorization access system comprises at least one processor, and a memory storing instructions which when executed by the at least one processor configure the at least one processor to perform the method. The method comprises assigning a first risk score to application programming interface (API) traffic associated with a user device and/or user behaviour pattern observed prior to an API gateway, assigning a second risk score to the API traffic associated with the user device observed at the API gateway, assigning a third risk score to the API traffic associated with the user device and/or back end service responses observed after the API gateway, and performing an authorization action based on any of the first, second or third risk scores.

Abstract: Aspects concern a server computer for verifying a location of a user device including a memory interface connected to a memory device that stores a database including verification and gathering questions, wherein each question of the verification and gathering questions is associated with a location, the database including an answer to each verification question and not including an answer to each gathering question; and a processing unit configured to: receive location data representing the location of the user device; select a verification question and a gathering question associated with the location of the user device; transmit the verification question and the gathering question to the user device and receive an answer to each of the verification and gathering question from the user device; if the answer provided by the user device to the verification question corresponds to the answer included in the database, verify the location of the user device.

Abstract: A network device identifies an Internet Protocol Security (IPsec) tunnel that connects the network device to a remote device and determines that dead peer detection (DPD) is enabled at the network device. The network device receives a first DPD request message from the remote device via the IPsec tunnel, and sends a first DPD response message to the remote device via the IPsec tunnel. The network device determines that a workload of the network device satisfies a threshold amount, and sends one or more encapsulating security payload (ESP) packets that include traffic flow confidentiality (TFC) payload data to the remote device via the IPsec tunnel. The network device determines that the workload of the network device does not satisfy the threshold amount. The network device receives a second DPD request message from the remote device and sends a second DPD response message to the remote device via the IPsec tunnel.

Abstract: A system and method to manage privileges, wherein privileges are assigned to uniquely identifiable objects and a link between a uniquely identifiable object and a uniquely identifiable programmable device is established. The established link allows the uniquely identifiable programmable device to make use of at least a part of the privileges assigned to the uniquely identifiable object. The link is established under a set of preconditions, where at least the precondition of physical proximity between the uniquely identifiable object and the uniquely identifiable programmable device is verified. The uniquely identifiable object includes a irreproducible security device, which is registered to the uniquely identifiable object and can be used to verify physical proximity between the uniquely identifiable object and the uniquely identifiable programmable device by authenticating the irreproducible security device by optical authentication means.

Abstract: An online system monitors resources utilization by users connecting with the online system and detects unauthorized resource utilization caused by sharing of sessions. The online system collects samples of browser attributes from browsers interacting with the online system. The online system determines a score indicating a difference between two samples of browser attributes taken at different times. The online system uses the score to determine whether the two samples of browser attributes in the same session were received from different browsers. If the online system detects unauthorized resource utilization if the two samples are determined to be from two different browsers. The online system takes mitigating actions, for example, by invalidating the session or requiring users to re-enter credentials.

Abstract: In variants, a fleet management method can include determining information about a device S100; sending information to a device S200, and operating the device according to the information S300 (e.g., example shown in FIG. 1). The fleet management system can function to scalably manage the operation and permissioning of one or more fleets of devices.

Abstract: A system and method for digital petition management utilizing the establishment of a universal, secure identity for online communications, interactions, and exchanges that uniquely associates an image, sound, or other digital asset with a person's identity using non-fungible tokens (NFTs). A digital signature associated with an individual who wants to sign a digital petition is obtained and verified using one or more mechanisms to ensure that each digital signature is associated with only one individual and to maintain compliance with rules and regulations governing petitions. Links to the petition (also herein called “calls to action” or CTAs) can be customized via an online platform such that interaction with a given link or type of link initiates automated petition signature acquisition. In some implementations, the digital signature is a personal NFT (PNFT) which can be verified using a unique identifier to match with existing PNFTs stored in a distributed ledger.

Abstract: Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity.

Abstract: A computer server may receive location data from a mobile client device and may compare the location data to predefined secure location definitions, which may be trusted or private locations. The computer server may receive a request from the mobile client device to access network resources or services, and the computer server may determine, using a result of comparing the location data and the one or more predefined secure location definitions, an authentication process for providing the mobile client device with access to the network resources or services. The computer server may execute the authentication process and may provide the mobile client device with access to the network resources or services.

Abstract: A proxy server receives a first request from a first user to access a resource hosted by a cloud-based server. The proxy server inserts a first tenant control header into the first request specifying a tenant identifier. The tenant identifier indicates a tenant permitted to access the resource. The proxy server then transmits the first request with the inserted first tenant control header to the cloud-based server. In response to receiving a first response indicating a rejection of the first request with the inserted first tenant control header, the proxy server transmits the first request again to the cloud-based server but without the first tenant control header. The proxy server then logs the first request as an access request using a non-permitted tenant identifier.

Abstract: Disclosed are various approaches for workflow service back end integration. In some examples, a command is transmitted causing a client device to present a workflow action to perform. A user command to perform the workflow action is identified using the client device. Authentication data including user credentials and a navigation action for a visual user interface is identified. The user credentials are transmitted to the network service and an emulation of the navigation action is performed. A command that performs the workflow action is transmitted to the network service.

Abstract: A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.

Abstract: It is provided a multi-access edge computing node located within a cellular coverage area supported by a base station of a mobile network operator, the multi-access edge computing node comprising at least one memory to store a chained data block, where each data block is coded with data of a past transaction in respect of a good or service; and at least one stock processor configured with functions that: include a new data block, to record a current transaction in respect of a good or service, into the chained data block in response to a signature, generated from processing the data of the current transaction with the coded data of the past transactions stored in the chained data block, being validated by a group of external multi-access edge computing nodes, wherein the multi-access edge computing node and the group of external multi-access edge computing nodes are trusted, and communicate over a common channel.

Abstract: A privacy computing-enabled migration method for large-scale persistent data across platforms is provided. By virtue of a sealing key management service SKMS, based on trusted sealing and trusted connection which are the basic functions of privacy computing, large-scale migration of privacy data with low deployment cost, high security and high efficiency can be realized by providing download links to platforms that meet requirements, thus greatly improving the flexibility of data deployment and use and the landing of trusted sealing technology.

Abstract: A system includes first and second subsystems. The first subsystem receives a validation number request, transmitted by a first device in response to the entry of an account number into a first field of a webpage. In response to receiving the request, the first subsystem randomly generates the validation number, stores a copy in memory, and transmits it to a second device. The second subsystem receives a transaction request that includes the validation number from the first device, and transmits the received number to the first subsystem. The first device transmitted the request in response to the second device receiving the validation number and its subsequent entry into a second field of the webpage displayed on the first device. In response to receiving the validation number, the first subsystem determines that it matches the stored copy and transmits a message to the second subsystem authorizing the transaction.

Abstract: Methods, systems, and computer readable media for using metadata tag compression. A method occurs at a metadata processing system for enforcing security policies in a processor architecture. The method comprises: receiving, at the metadata processing system, a short tag associated with a word in memory; translating the short tag, using a tag map, into a long tag, wherein the short tag indicates a location of the long tag relative to an offset in the tag map and wherein the long tag indicates a memory location containing metadata associated with the word or an instruction; obtaining the metadata from the memory location; and determining, using the metadata, whether the word or the instruction violates a security policy.