Abstract: The present disclosure provides systems and methods for classifying or determined whether a request for a user's information is malicious or safe/legitimate. Request information related to a request for a user's information can be received, and one or more screenshots associated with the request can be obtained and provided to a machine learning model. The machine learning model can generate a probability or confidence level that the request is malicious.

Abstract: Method for establishing a trust chain, comprising: requesting a third CA for a third key pair and a third certificate, writing a private key of the third key pair and the third certificate into a security storage area, the third certificate comprising model information of the smart television (SMTV) terminal and information of a public key of the third key pair. The SMTV terminal check its possession of a fourth certificate on every start, generate a unique fourth key pair in absence of a fourth certificate, submit online a public key of the fourth key pair and a unique identification of each SMTV terminal to a fourth CA to request for a fourth certificate, and send along the third certificate and a signature signed on the request with the private key of the third key pair; write the fourth certificate into the security storage area upon receiving the fourth certificate.

Abstract: A method for securing entry of sensitive data, the method being implemented by a communications terminal having a processor, an entry touchpad screen on which the entry of sensitive data is carried out. Such a method includes: displaying a random keypad for the entry of a confidential code; receiving, by the processor, a reference pad display signal; and displaying the reference keypad, the reference keypad being inactive.

Abstract: This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.

Abstract: Systems and methods relating to an extension of a group signature scheme certificate that allows group users to conduct anonymous transactions in public, with the ability to subsequently audit and confirm signer identity. Auditing and confirmatory functions may include group signature openers that are configured to reveal the identity of a signer that is a member of a group by their signature. Auditing and confirmatory functions may also include group signature linkers that are configured to link two signatures to the same signer using a linking key or linking base.

Abstract: A session user enters session user credential the session user credentials that are compared with stored user credentials to validate the session user credentials. The session user identifies a selected communications method from the at least one communications method presented to the session user, and an authentication message is sent to the session user using the selected communications method. The session user enters a handwritten session signature in response to the authentication message. The handwritten session signature entered by the session user is compared with the reference signature associated with the session user to validate the handwritten session signature. If the handwritten session signature is validated, the session user is authenticated. If the session user has been validated, the session user is allowed to access a set of user information that is associated with the session user and stored on the partner server.

Abstract: An in-vehicle computer generates a message authentication code about its own log using its own signature key and thereby transmits a log annotated with its message authentication code to a vehicle information collection device. The vehicle information collection device generates the signature key of the in-vehicle computer, verifies the message authentication code, which is included in the log annotated with its message authentication code received from the in-vehicle computer, using generated signature key, and thereby stores the log relating to the successfully verified message authentication code on storage media.

Abstract: In some examples, a target device determines that each device of a plurality of devices (i) includes a certificate that is provided to each device during provisioning, (ii) is within a predetermined distance from the target device, (iii) includes a beacon secret that is broadcast to each device at a predetermined time interval, and (iv) that either: (a) a privilege level associated with at least one device of the plurality of devices satisfies a particular privilege level specified by an access policy or (b) a number of the plurality devices with the determined distance from the target device satisfies a predetermined number specified by the access policy. The target device grants at least one device of the plurality of devices access to the target device, and receives a message from the at least one device. The target device initiates an action based at least in part on the message.

Abstract: An example operation may include one or more of receiving a request to store a data block on a hash-linked chain of data blocks, dynamically selecting a subset of non-consecutive data blocks which have been previously stored within the hash-linked chain of data blocks, generating a linking hash based on a hash value of the data block to be stored and an accumulation of hash values from the subset of non-consecutive data blocks, and adding the data block to the hash-linked chain of data blocks, wherein the added data block includes the linking hash stored therein.

Abstract: An opportunity for a computing device to participate in a secure session with a particular domain is identified. A secured microcontroller of the computing device is used to identify a secured, persistent seed corresponding to the particular domain and stored in secured memory of the computing device. A secure identifier is derived based on the seed and sent for use by the particular domain in authenticating the computing device to the particular domain for the secure session. The particular domain can further apply security policies to transactions involving the computing device and particular domain based at least in part on the secure identifier.

Abstract: Various embodiments are directed to techniques for controlling access to data in a decentralized manner. An apparatus includes an apportioning component to divide an item of data into multiple portions based on an organizational structure of the item of data; a tree component to generate a PRN tree including a multitude of nodes and a branching structure based on the organizational structure, the multitude including at least one branching node and multiple leaf nodes that correspond to the multiple portions; a PRN component to generate a PRN for each node of the multitude, the PRN component to use a PRN of a branching node of the PRN tree to generate a PRN for a leaf node that depends therefrom; and a communications component to transmit the multiple portions and multiple addresses based on PRNs of leaf nodes of the PRN tree to a server. Other embodiments are described and claimed.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to defend against dynamic-link library (DLL) side-loading attacks. An example apparatus includes a fingerprint generator to determine a first DLL fingerprint of a first DLL stored at a first OS path referenced by an operating system (OS) event generated by a computing device, and, in response to determining that a second DLL having the same name as the first DLL is stored at a second OS path superseding the first OS path, determine a second DLL fingerprint of the second DLL, a fingerprint comparator to determine whether at least one of the first or the second DLL fingerprint satisfies a deviation threshold based on a comparison of the first and the second DLL fingerprint to a reference DLL fingerprint, and a security action enforcer to execute a security action to protect a computing device from an attack.

Abstract: Systems and methods of encrypted communication between a server and client devices using keyless encryption schemes are disclosed. Client devices with arrays of physical-unclonable-function devices respond to challenges from a server. Characteristics of the arrays are stored by the server during a secure enrollment process. Subsequently, the server issues challenges to the clients. The clients derive a ciphertext according to a variable cipher scheme determined using responses to the challenges issued by the server using characteristics of portions of the arrays specified by the challenges. The server and clients may independently determine encryption and decryption procedures using characteristics of the arrays.

Abstract: Embodiments of the present disclosure include a platform for a resource provisioning system. The platform can execute big data analysis techniques to access-right data to generate statistics that characterize a set of users. For example, characteristics of users who access resources events can be analyzed with varying levels of detail. The access-right data can include access right assignments, and data identifying the users to which access rights are assigned. In some implementations, spatial management systems can access the platform to generate statistics for the resources.

Abstract: In some examples, a secure compliance protocol may include a virtual computing instance (VCI) deployed on a hypervisor and may be provisioned with hardware computing resources. In some examples the VCI may also include a cryptoprocessor to provide cryptoprocessing to securely communicate with a plurality of nodes, and a plurality of agents to generate a plurality of compliance proofs; the VCI may communicate with a server corresponding to a node of the plurality of nodes; and receive a time stamp corresponding to at least one compliance proof based on a metric of a connected device.

Abstract: Embodiments for providing content authentication of data in a network having a name node and a data node which may be in a Hadoop Distributed File System (HDFS) network, by associating each data set of the data with a first key identifying a job owner issuing a task for the data set, the first key being a session key that is randomly generated for the task, generating a second identity value for the data set on the data node, and performing the task if the second identity value matches the first key.

Abstract: An electronic device is provided. The electronic device includes a user interface, a location sensor configured to sense a location of the electronic device, a processor electrically connected with the user interface and the location sensor, and a memory electrically connected with the processor and configured to store a first application program and a second application program. The memory is further configured to store instructions that, when executed, enable the processor to receive first location data with a first degree of accuracy regarding the location of the electronic device from the location sensor, process at least part of the first location data to generate second location data with a second degree of accuracy lower than the first degree of accuracy regarding the location of the electronic device, provide the at least part of the first location data to execute the first application program, and provide at least part of the second location data to execute the second application program.

Abstract: A flexible framework is provided for specifying permissions a user allows for an application to access. The framework further provides for specifying the way in which the application can behave during run-time. Predefined rules are used to detect a potentially misbehaving application, and a user may be notified or a specific action may be taken. Behavior of the application may be monitored during run-time to verify that the application is behaving in accordance to the predefined rules.

Abstract: An interface device may provide a first wireless network and a second wireless network in a user's premise. The interface device may encourage some user devices to connect to the second wireless network without controlling the user devices. For example, the interface device may receive a request from a device to access its first wireless network. The interface device may then determine whether the device is a premise device by, for example, searching a database of device registration information. The interface device may determine that the device is a premise device and deny the request to access the first wireless network. The device may then be available to access the second wireless network.

Abstract: A method includes identifying two or more vulnerabilities, each vulnerability affecting a set of one or more assets of an enterprise system. The method also includes assigning a weight to each vulnerability, the weight assigned to each of the vulnerabilities being based at least in part on the set of assets affected by that vulnerability, asset criticalities associated with the set of assets affected by that vulnerability, and at least one of (i) an exploitability potential of that vulnerability and (ii) an impact potential of that vulnerability. The method further includes determining an order in which to apply remediation actions in the enterprise system to address at least one of the vulnerabilities based at least in part on the weights assigned to the vulnerabilities, and applying, in accordance with the determined order, at least one of the remediation actions to at least one of the assets in the enterprise system.