Abstract: A method for enabling access by a first network subscriber to a second network subscriber in a network includes receiving a communication request from the first network subscriber and determining whether the second network subscriber has carried out an authentication of the first network subscriber during a first phase. The second network subscriber allows communication with the first network subscriber when the second network subscriber has carried out authentication of the first network subscriber during the first phase. The second network subscriber receives an access request from the first network subscriber and determines a level of trustworthiness of the first network subscriber. The second network subscriber enables access of the first network subscriber based on the determination of the level of trustworthiness of the first network subscriber.

Abstract: Technologies for detecting malware based on reinforcement learning model to detect whether a file is malicious or benign and to determine the best time to halt the file's execution in so detecting. The reinforcement learning model combined with an event classifier and a file classifier learns whether to halt execution after enough state information has been observed or to continue execution if more events are needed to make a highly confident determination. The algorithm disclosed allows the system to decide when to stop on a per file basis.

Abstract: Embodiments of the invention provide improved account authentication using public-private key cryptography instead of passwords. Instead of registering a password and using that password to login to an account, an authentication server of an account provider registers a public key received from a user device. To authenticate the user device for logging into an account, the authentication server generates a challenge and encrypts using the registered public key. The encrypted challenge is sent to the user device, which can decrypt the challenge using the private key corresponding to the registered public key. The decrypted challenge is used for authentication instead of using a password. The private key corresponding to the public key is securely stored and not revealed to the authentication server.

Abstract: For secure communications, a processor determines if a correspondent device is trusted. In response to the correspondent device not being trusted, the processor terminates communications with the correspondent device. In response to the correspondent device being trusted, the processor exchanges unencrypted communications with the correspondent device over an IP interface.

Abstract: Systems and methods provide for communication of transaction data that is formatted according to a transaction type that is support by an access device. First transaction data may be formatted according to a first type of transaction supported by a first access device and second transaction data may be formatted according to a second type of transaction supported by a second access device. The first transaction data may be transmitted over a first communication link to the first access device and the second transaction data may be transmitted to the second access over a second communication link.

Abstract: To resolve a conflict between CMIS secondary types and certain ECM features such as content server categories, and allow the underlying ECM system to be fully CMIS-compliant, an ECM-independent ETL tool comprising a CMIS-compliant, repository-specific connector is provided. Operating on an integration services server at an integration tier between an application tier and a storage tier where the repository resides, the connector is particular configured to support CMIS secondary types and specific to the repository. On startup, the connector can import any category definition from the repository. The category definition contains properties associated with a category in the repository. When the category is attached to a document, the properties are viewable via a special category object type and a category identifier for the category. Any application can be adapted to leverage the ECM-independent ETL tool disclosed herein.

Abstract: Systems and methods for user identity and transaction authentication are described. A user may be authenticated by a terminal configured to process image data of a two-dimensional code to decode key information, the two-dimensional code comprising a cryptographic binding of user credentials including a low-resolution image of the user's face and optionally user biometric data to database user information stored on a secure server. A hash of the two-dimensional code has several digits in common with the hash of the user information stored on the secure server. Authentication may be carried out by computing and comparing the hash values, comparing the high-resolution image of the user's face fetched from the secure server to the user and to the low resolution image embedded in the two dimensional code. The two-dimensional code may be generated to provide access to a restricted area.

Abstract: Examples disclosed herein describe authenticating a first electronic device based on a push message to a second electronic device. In one implementation, a processor receives a user identifier from a first electronic device. The processor may select a message communication type based on the user identifier and transmit an authentication information request to a second electronic device using a push message communication of the selected message communication type. The processor may authenticate the user based on the received response to the request and transmit information related to the user authentication to the first electronic device.

Abstract: Provided are systems and methods for hardware attestation. Hardware attestation can ensure that only trusted hardware components are being used in a computing system. In various implementations, the computing system can include a hardware component coupled to the motherboard, where the hardware component is independent of the main processor of the computing system. The hardware component can determine whether a particular component connected to the motherboard includes an identification code, where the identification code can be used to attest to an identity of the particular component. The hardware component can further determining whether the identification code matches an expected value. The hardware component can further configure the particular component based on whether the identification code matches the expected value.

Abstract: According to aspects of the present disclosure, a computer-implemented method includes generating, by a host processing system, a single use authentication map to map a private set of characters to a public set of characters. The method further includes transmitting, by the host processing system, the single use authentication map to a user processing system that presents an authentication interface comprising the public set of characters to enable a user to enter a user passcode using the public set of characters. The user processing system encodes the user passcode into a single use passcode using the single use authentication map. The method further includes the host processing system receiving the single use passcode from the user processing system, decoding the single use passcode back the user passcode using the single use authentication map, and determining whether the user passcode matches an expected passcode.

Abstract: A compute resource provider system is shown having an encryption agent that obtains a cryptographic key for a virtual machine and sends the cryptographic key to a host agent. The host agent receives the cryptographic key from the encryption agent and stores the received cryptographic key to a user key vault. The host agent generates a key vault secret reference (KVSR) locator pointing to the cryptographic key stored in the user key vault, associates the KVSR with the virtual diskset, and sends a success message to the encryption agent. The encryption agent receives the success message from the host and, responsive thereto, encrypts the virtual diskset using the cryptographic key. Subsequently, another host agent uses the KVSR to obtain the cryptographic key from the key vault and boot the virtual machine with the encrypted virtual diskset.

Abstract: Techniques are disclosed for multi-hop security amplification. The techniques disclosed provide multi-hop security amplification by applying a secret sharing scheme to data as the data is routed within a network to an intended recipient device. In an embodiment, a sending device divides the data into shares based on a secret sharing scheme, and sends the shares to respective network nodes in a network. These network nodes then divide their respective shares into lower-level shares based on the secret sharing scheme, and route the lower-level shares to downstream network nodes for further routing to the intended recipient device. The intended recipient device receives some or all of the lower-level shares and reconstructs the data from the received lower-level shares. In an embodiment, the secret sharing scheme is a threshold-based secret sharing scheme, such as Shamir's secret sharing scheme.

Abstract: A cryptography system for digital identity authentication, and security including computer system or platform to enable users (individual, identity editor, requestor) using one or more user devices, having user data including a public identifier and a hardware key, a server, a private key on an individual user device and a matching public key on the server linked to individual user data on the server, an individual user device converts an individual user data into an individual user code on individual user device, editor user device receives individual user code and communicates individual user code to server, server pairs individual user device and editor user device by matching individual user code transmitted by said editor user device to user data on the server, and requestor to request verification of an identity of individual via issuance of a verification request and verified if match of decrypted public identifier in an identity contract.

Abstract: In a network system (100) for wireless communication an enrollee (110) accesses the network via a configurator (130). The enrollee acquires a data pattern (140) that represents a network public key via an out-of-band channel by a sensor (113). The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.

Abstract: A provider network includes a service that creates virtual private network (VPN) endpoint nodes. Application programming interfaces are available that the creation of VPN endpoint nodes, peer them together, and attach them to respective virtual private networks to thereby establish communication tunnels between pairs of virtual private networks. Each VPN endpoint node may be implemented as a fault tolerant endpoint node in which the node is created as a plurality of virtual machines. Each of the virtual machines is configured from a common machine image that includes software capable of causing the respective virtual machine to configure a tunnel such as an IPSec tunnel. One of the virtual machines, however, is operated in an active mode, while another virtual machine is configured to operate in a standby mode.

Abstract: In some examples, a system receives anomaly scores regarding an entity from a plurality of detectors, produces a weighted anomaly score for the entity based on the anomaly scores and respective weights assigned to the plurality of detectors, the weights based on historical performance of the plurality of detectors, determines an impact based on a context of the entity, wherein the impact is indicative of an effect that the entity would have on a computing environment if the entity were to exhibit anomalous behavior, and computes a risk score for the entity based on the weighted anomaly score and the determined impact.

Abstract: Biometric health monitoring of a specific user or population is performed during biometric authentication for granting access to physical or digital assets. If biometric authentication, biometric verification and biometric health monitoring is acceptable, access to the physical or digital assets is allowed. Likewise, if a health anomaly is detected in a specific user or if an outbreak is detected in a specific community, an electronic notification can be sent to the individual, a health administrator, or to a government official, and access may be denied to the specific user.

Abstract: A system is provided for the storage of data, the system having: an encrypted host platform disposed in a specific territory and upon which export controlled data is stored; a controller configured to allow a primary user to set permission settings and identify authorized end users and degrees of access granted to each the authorized end user, the authorized end user being pre-cleared for compliance with export controls pertaining to the export controlled data; the controller configured to permit access to the encrypted host platform only if the host platform is located within a specific territory and if the hosting platform is in compliance with predefined data security protocols the controller configured to allow the authorized end user access to the export controlled data, and the controller configured to exclude access to both a provider of the system for storage and a system host platform provider; at least one individual computing device accessible by at least one the authorized end user, disposed withi

Abstract: Embodiments of the present disclosure provide a control method for enrolling face template data and related products. The control method includes: controlling a face image collection device to capture a face image and generate face template data; acquiring via the face recognition service a dynamic check token sent by the face recognition trusted application; sending a face template enrolling command carrying the dynamic check token and the face template data to the face recognition trusted application via the face recognition service; and verifying the dynamic check token in the face template enrolling command is valid and storing the face template data in the security system via the face recognition trusted application.

Abstract: A computer implemented method of correlating between detected access events to access client terminals in a monitored location and physical activity of people in the monitored location, comprising detecting one or more access events to access one or more of a plurality of client terminals located in a monitored location and operatively connected to a first network, obtaining sensory activity data from one or more activity detectors deployed in the monitored location to capture physical activity of people in the monitored location wherein the activity detector(s) are operatively connected to a second interconnection isolated from the first network, analyzing the sensory activity data to identify a spatiotemporal activity pattern of one or more persons in the monitored location, correlating between the access event(s) and the spatiotemporal activity pattern(s) to validate the access event(s) and initiating one or more actions according to the validation.