Abstract: An information processing apparatus includes a processor configured to request a management apparatus for user authentication to acquire second credential information that is used for acquiring first credential information that is used for a Web service, the second credential information indicating that a user has been authenticated, receive the second credential information transmitted from the management apparatus in a case where the user authentication is successful by the management apparatus, transmit the received second credential information to an authentication server, receive the first credential information transmitted from the authentication server in response to the transmission of the second credential information, and use the Web service by using the received first credential information.

Abstract: A system for communicating with multiple vehicles or other electronic devices that share a common media access control (MAC) or other address is disclosed. Upon receiving a certificate signing request (CSR) from a connected device and determining that the device does not have a unique address, the system will generate a unique address for the device and embedding the unique addresses in a certificate, sign the certificate, and transfer the certificate to the device. Then, when the system communicates with the device, the system may use that unique address to identify the device.

Abstract: Application permissions can be set in a cloud computing environment based on a user's authorization level in the cloud computing environment. For example, a system can determine that a user has a particular authorization level in a cloud computing environment. The system can determine that the user is to have particular permissions for a continuous integration tool by mapping the particular authorization level to the particular permissions. The system can then set a permission setting for the continuous integration tool to limit the user to the particular permissions.

Abstract: Privately determining whether a password satisfies a constraint without having to divulge the password itself to a third party that evaluates the constraint, and without the third party even being aware of the result of the evaluation. After the user selects a password, private communication (e.g., private information retrieval) is used to determine whether the selected password satisfies password constraints. For instance, the password might be encrypted (e.g., homomorphically), and then the encrypted password and a function definition (e.g., a homomorphic function definition) is then provided to the third party. The third party then performs the function and returns an already encrypted result. The third party generated the encrypted result directly, without having access to the result in the clear. Upon receiving the encrypted result, the user's computing system may then decrypt the result, to find out whether the password satisfies the constraints, and thus is sufficiently safe.

Abstract: A device may receive data relating to a site plan and image data relating to a network device. The device may determine a device identifier based on the image data, associate the device identifier with the site plan based on a common attribute between the network device and the site plan, and cause a certificate to be generated based on an authentication request to a network controller. The authentication request may cause the network controller to generate the certificate based on the device identifier and/or the site plan. The device may cause an Internet protocol (IP) address to be assigned to the network device based on the certificate, a location of the network device, and/or another related parameter, cause a node configuration to be generated based on the IP address, the device identifier, and/or the site plan, and provision the network device according to the node configuration.

Abstract: A server computing system generates a universally unique identifier (UUID) associated with a first application, the UUID to be encrypted using a private key associated with the first application to generate a first digital signature. The server computing system generates a first session key associated with the first application, the first digital signature to be encrypted using the first session key to generate a first encrypted digital signature. The server computing system encrypts the first session key using a public key associated with a second application to generate a first encrypted session key, wherein the first application and the second application are deployed with the PaaS associated with the server computing system. The server computing system transmits the UUID, the first encrypted digital signature, and the first encrypted session key to the second application using hypertext transfer protocol (HTTP) to enable the second application to authenticate the first application.

Abstract: A method of controlling a building system is provided. The method comprising: receiving an action request to adjust a building device from a user device; obtaining a token from a previous action request from the user device to adjust the building device when a token exists from a previous action request; transmitting the token for validation within the building device; and adjusting the building device when the token has been validated.

Abstract: A system for enhanced public key infrastructure is provided. The system includes a computer device. The computer device is programmed to receive a digital certificate including a composite signature field including a plurality of signatures. The plurality of signatures include at least a first signature and a second signature. The computer device is also programmed to retrieve, from the digital certificate, a first key associated with the first signature from the digital certificate. The computer device is further programmed to retrieve the first signature from the composite signature field. In addition, the at least one computer device is programmed to validate the first signature using the first key.

Abstract: A process for detecting a threat for a file system is described. Audit events in the file system may be accessed, which may include unique file operations and duplicative file operations. The audit events may be de-duplicated to remove the duplicative file operations. Time series data may be generated that includes the unique file operations but not the duplicative file operations, and the time series data may be analyzed to determine whether a subset of the unique file operations includes file-access instructions. An observed pattern of the file-access instructions may be compared to a normal pattern of file-access instructions to determine whether the observed file-access instructions are abnormal. If the observed file-access instructions are abnormal, an alert may be generated.

Abstract: One or more medical devices are configured to connect to a predetermined temporary provisioning network of a healthcare organization, the temporary provisioning network being different than a healthcare network of the healthcare organization. After the devices are received by the healthcare organization, and powered up for the first time, device identifiers corresponding to the medical devices are received at a server remote from the healthcare organization, from the temporary provisioning network, together with an indication that the medical devices are requesting access to a management server within a healthcare network of the healthcare organization.

Abstract: Disclosed embodiments relate to systems and methods for securely establishing secretless and remote native access sessions. Techniques include identifying a client configured to participate in remote native access sessions, wherein the client has a remote access protocol file that has been modified to include an identifier associated with the client; sending a prompt to the client to establish a secure tunnel connection with a connection agent using the identifier associated with the client; and authentication the client. The techniques may further include accessing target identity information associated with one or more target resources; receiving from the client a token that identifies a target resource from among the one or more target resources; obtaining, based on the token, a credential required for secure access to the target resource; and initiating, using the credential, a remote native access session between the client and the target resource.

Abstract: A policy-controlled access security system for managing access security to electronic agents in cloud based multi-tenant systems includes a client device, a mid-link server, and a web server. A local application running on the client device requests for access to an electronic agent of a remote application of the web server. Policies are determined corresponding to the electronic agent for controlled access to the electronic agent. A token for the electronic agent is correlated with a plurality of tokens for identifying a user application associated with the token. The remote application corresponding to the token from the request is compared with the user application. Based on the comparison an authorization is determined by the mid-link server corresponding to the token for accessing the electronic agent. The policies are enforced on the client device and the access to the electronic agent is provided based on the policies via the web server.

Abstract: Aspects of the current subject matter are directed to secure group file sharing. An architecture for end-to-end encrypted, group-based file sharing using a trusted execution environment (TEE) is provided to protect confidentiality and integrity of data and management of files, enforce immediate permission and membership revocations, support deduplication, and mitigate rollback attacks.

Abstract: A fraud detection system may obtain a number of known fraudulent end-user profiles and/or otherwise undesirable end-user profiles. Using statistical analysis techniques that include clustering the end-user profiles by attributes and attribute values and/or combinations of attributes and attribute values, the fraud detection system identifies on a continuous, periodic, or aperiodic basis those attribute values and/or attribute value combinations that appear in fraudulent or otherwise undesirable end-user profiles. Using this data, the fraud detection system generates one or more queries to identify those end-user profiles having attribute values or combinations of attribute values that likely indicate a fraudulent or otherwise undesirable end-user profile.

Abstract: Techniques for managing permissions to cloud-based resources with session-specific attributes are described. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.

Abstract: Techniques are described for managing access to data stored in a blockchain, and for managing the communication of blockchain data to other entities. A private key may be generated and issued to an external entity to enable the external entity to access an internal (e.g., private blockchain). The external entity may be an external (e.g., public) blockchain, device, process, or user that is outside an internal network. The key may be associated with metadata that includes constraints, conditions, or rules governing access to the blockchain. An authorized entity may employ the key to request access to the blockchain via access management module(s), and the access management module(s) may employ the metadata to determine whether to approve the request. The access management module(s) may also employ rules governing outbound communication of data from internal blockchain(s) to external entities.

Abstract: A method may include detecting a keylogger based at least in part on an increase in power drawn by an input device, detecting the keylogger based at least in part on a driver of the input device, detecting the keylogger based at least in part on a duration of time that a signal generated by the input device takes to transmit to a computing device, or any combination thereof. The method may also include, in response to detecting the keylogger, generating an alert to indicate a presence of the keylogger.

Abstract: An extraction device includes: at least one memory configured to store instructions; and at least one processor configured to execute the instructions to: sort each set of frames that have the same identifier associated with a node, into frames maintaining a cycle and frames out of the cycle; and extract, as an event rule, a feature of a bit change in a data field related to an event occurrence, from the frames that have the same identifier and are out of the cycle.

Abstract: A continuous vulnerability management system for identifying, analyzing, protecting, and reporting on digital assets is disclosed. The continuous vulnerability management system comprises a sandbox engine configured to scan digital assets for vulnerabilities, including a static analysis unit for static code scanning, a dynamic analysis unit for analyzing compiled code, and a statistical analysis unit for processing a risk score and generating an audit report. A knowledge base is also disclosed, including a knowledge base engine configured to acquire information related to new vulnerabilities to digital assets. A risk scoring engine is configured to analyze sandbox engine outcomes and assign a risk score to each vulnerable asset. A security control system is configured to act on an identified vulnerable asset based on the risk score assigned to the identified vulnerable asset.

Abstract: A system provides for automated image authentication and external database verification. In particular, the system may perform automatic authentication of an image by extracting data and/or metadata from the image for subsequent analysis. For instance, the extracted data and/or metadata may be compared with historical data to drive authorization processes (e.g., past instances of unauthorized activity). In some embodiments, the system may further use external databases which may be hosted by a trusted third party to perform additional authentication steps and/or verification. In this way, the system may provide a reliable and efficient way to perform authentications.