Patents Examined by Mohammad A. Siddiqi
  • Patent number: 11777732
    Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a secure data service, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp, and (d) providing the requested secure data according to the determination.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: October 3, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Patent number: 11765150
    Abstract: Mechanisms support machine-to-machine service layer sessions that can span multiple service layer hops where a machine-to-machine service layer hop is a direct machine-to-machine service layer communication session between two machine-to-machine service layer instances or between a machine-to-machine service layer instance and a machine-to-machine application. Mechanisms are also disclosed that illustrate machine-to-machine session establishment procedures for oneM2M Session Management Service supporting multiple resources.
    Type: Grant
    Filed: August 12, 2021
    Date of Patent: September 19, 2023
    Assignee: Convida Wireless, LLC
    Inventors: Dale N. Seed, Lijun Dong, Guang Lu, Michael F. Starsinic
  • Patent number: 11765153
    Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: September 19, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Malcolm Muir Smith, Bart Brinckman, Mark Grayson, Jerome Henry, Matthew Stephen MacPherson
  • Patent number: 11757849
    Abstract: A system for detecting and mitigating forged authentication object attacks in federated environments is provided, comprising an event inspector to monitor logs and detect vulnerable events, an authentication object inspector configured to observe a new authentication object generated by an identity provider, and intercept the new authentication object; and a hashing engine configured to calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in the SAML response; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: September 12, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11757637
    Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises: (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a service, the request comprising the signed first token binding information and timestamp, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp; and (d) providing the requested secure data according to the determination.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: September 12, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Patent number: 11758403
    Abstract: Theft identification, prevention, and remedy are provided. A determination is made that a client device has been compromised. When the device makes the determination, a message is conveyed to the server and the server replies with a security challenge. When the server makes the determination, the security challenge is automatically sent to the device. An intelligence manager on the device attempts to answer the security question without interaction from the user. If there is an anomaly, a challenge is output to the user. Based on a false response to the challenge, a current data stream may be disrupted and removed from the device. Further, other devices in the network may be notified about the compromised device.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: September 12, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Saipavan K. Cherala, Rameshchandra Bhaskar Ketharaju, Sumanth Kumar Charugundla, Damaraju P. Vittal
  • Patent number: 11751056
    Abstract: A method for historical 5G user equipment (UE) mobility tracking and security screening includes receiving, at a network data aggregation node including at least one processor, UE registration data from 5G network functions (NFs) as UEs connect to different network locations. The method further includes aggregating, at the network node, registration data for individual UEs from the 5G NFs to produce mobility patterns for the UEs. The method further includes receiving, at the network node and from a 5G NF located in a home network of a UE, a request for a mobility pattern of the UE in response to receiving a message for effecting a new registration for the UE. The method further includes responding to the request by transmitting the mobility pattern to the 5G NF located in the home network of the UE.
    Type: Grant
    Filed: August 31, 2020
    Date of Patent: September 5, 2023
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Travis Earl Russell
  • Patent number: 11750386
    Abstract: Embodiments described herein disclose methods and systems for authorizing transactions received from client applications. The transaction request can include a first access token. After validating the first access token, the system can determine whether additional authentication is needed to authorize the transaction. If additional authentication is needed, the system can determine the authentication requirements. Once the additional authentication is received and verified, the system can generate a second access token and authorize the transaction by releasing the first access token.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: September 5, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Hoang Trung Vo, Hieu Nguyen
  • Patent number: 11748468
    Abstract: Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: September 5, 2023
    Assignee: Apple Inc.
    Inventors: Bernard J. Semeria, Devon S. Andrade, Jeremy C. Andrus, Ahmed Bougacha, Peter Cooper, Jacques Fortier, Louis G. Gerbarg, James H. Grosbach, Robert J. McCall, Daniel A. Steffen, Justin R. Unger
  • Patent number: 11743040
    Abstract: A vault encryption abstraction framework computing system provides interface functionality to facilitate integration of client applications with vaulting solutions. The vault encryption abstraction framework manages custom authentication and authorization using the vaulting solution application for one or more client applications such as by periodically rotating or renewing any authentication tokens. The vault encryption abstraction framework includes a scheduler to manage timing requirements and to configure the client application to the schedule by setting the renewed token value to an API endpoint (e.g., a function return) and/or a configuration file for access by one or more client applications. This event triggers the client application to update to the latest token value. The vault encryption abstraction framework then triggers the vaulting solution to create and return the new key. The new key is then returned to the client application.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: August 29, 2023
    Assignee: Bank of America Corporation
    Inventors: Sourav Basu, Peter Anthony Tavormina
  • Patent number: 11736292
    Abstract: Embodiments of this application relate to an access token management method. The method includes: obtaining, by a server, an access token and login information of an authorized account corresponding to the access token in a terminal, where the access token is a credential used for accessing a protected resource in the server, and the authorized account is an account that logs in to a resource authorization application on the terminal when the resource authorization application authorizes the access token; and when the login information indicates that the authorized account is in a non-login state, performing, by the server, invalidation processing on the access token.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: August 22, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Sishan Wang, Jingqing Mei
  • Patent number: 11722530
    Abstract: Resources can be secured by a resource security system. The resource security system can determine whether to grant or deny access to resources using authorization information in an access request. The resource security system can also determine whether the access request is legitimate or fraudulent using risk scoring models. A score transformation table can be used to provide consistency in the risk level for a particular score over time. The score transformation table can be based on a target score profile and a precision format (e.g., integer or floating point). The score transformation table can dynamically adapt based on the trending top percent of risk and can account for changes in the distribution of scores over time or by weekday. The scores can be used to determine an access request outcome. Access to the resource can be accepted or rejected based on the outcome.
    Type: Grant
    Filed: August 9, 2022
    Date of Patent: August 8, 2023
    Assignee: Visa International Service Association
    Inventors: Hung-Tzaw Hu, Haochuan Zhou, Ge Wen, Benjamin Scott Boding
  • Patent number: 11699525
    Abstract: A patient support apparatus includes a frame, patient support surface, memory having a first key stored therein, a transceiver, and a controller. The transceiver wirelessly communicates with a medical device over a first mesh network using the first key. The controller transmits a request message over the first mesh network to the medical device via the transceiver. The request message includes an identifier identifying the patient support apparatus and a request to join a second mesh network different from the first mesh network. The controller receives a second key input over the first mesh network, uses the second key input to generate a second key, and uses the second key to communicate over the second mesh network. In some instances, the second key input originates from a cloud-based server storing a list of authorized devices for a particular healthcare facility.
    Type: Grant
    Filed: May 10, 2022
    Date of Patent: July 11, 2023
    Assignee: Stryker Corporation
    Inventors: Alexander Josef Bodurka, Krishna Sandeep Bhimavarapu, Jerald A. Trepanier
  • Patent number: 11700281
    Abstract: The present application is directed to a computer-implemented technique for enhancing security and preventing cyber-attacks on a network. The technique includes receiving information from user equipment, selecting a first VPN server from a VPN service provider based upon a traffic-type of the user equipment, creating a policy to prevent cyber-attacks such that traffic associated with the received information of the user equipment is routed to the first VPN server, provisioning the first VPN server to last a predetermined amount of time based on the policy, coordinating the policy with a router on the network, with the traffic being sent to the VPN server via the router, and sending, after a predetermined condition is met, a request to the VPN service provider to transmit a second VPN server, and where the first VPN server terminates.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: July 11, 2023
    Inventor: Michael J. Chen
  • Patent number: 11695572
    Abstract: The present disclosure relates to establishing secure communication between a dialysis machine and a fluid preparation device. In an example, a dialysis machine includes a control unit configured to establish a short-range wireless connection with an external fluid preparation device. The control unit establishes the short-range wireless connection by causing a user interface to display a prompt to enter a passkey associated with a fluid preparation device, using the received passkey to pair with the fluid preparation device, and creating a new bonding table or writing to an empty bonding table using the passkey. The control unit is also configured to generate a shared key using the passkey and at least one predetermined criterion and use the shared key to authenticate with the fluid preparation device. When authentication with the fluid preparation device is successful, the control unit enables data communication using the short-range connection with the fluid preparation device.
    Type: Grant
    Filed: May 23, 2022
    Date of Patent: July 4, 2023
    Assignees: Baxter International Inc., Baxter Healthcare SA
    Inventors: Olof Ekdahl, Bo Wennberg, Niklas Eklund, Christian Karlsson, Ding Ma
  • Patent number: 11689370
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, apparatuses, and processes that dynamically implement and manage consent and permissioning protocols using container-based applications. By way of example, a device may receive, through a programmatic interface, a first request for an element of data generated by an executed application program. When the first request is consistent with consent data associated with the executed application program, the device may obtain the requested data element and a digital signature applied to the requested data element by a computing system. Based on a verification of the applied digital signature, the device may generate and present a representation of the requested data element within a digital interface, along with an interface element that confirms the verification of the digital signature.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: June 27, 2023
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, Arthur Carroll Chow, David Samuel Tax, Armon Rouhani, Keith Sanjay Ajmani, Gregory Albert Kliewer, Anthony Haituyen Nguyen, Martin Albert Lozon, Kareem El-Onsi, Ashkan Alavi-Harati, Arun Victor Jagga
  • Patent number: 11675931
    Abstract: Creating vendor-neutral data protection operations for vendors' application resources is described. Capabilities specified for data protection operations by a vendor of an application are input from a host of the application. Any capabilities specified for the data protection operations are used to create a vendor-neutral version of a data protection operation for a resource of the application. The vendor-neutral version of the data protection operation for the application resource is output to the host. A result of performing the vendor-neutral version of the data protection operation on the application resource is input from the host.
    Type: Grant
    Filed: March 26, 2020
    Date of Patent: June 13, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Shelesh Chopra, Pawan Singh, Jayashree Radha, Yasemin Ugur-Ozekinci, Ken Owens, Adrian Dobrean, Navneet Upadhyay, Krishnendu Bagchi, Sunil Yadav, Matt Buchman, Asif Khan, Amith Ramachandran
  • Patent number: 11671832
    Abstract: A wireless device enterprise management system and a method for operating the management system in a controlled environment are disclosed. The enterprise management system includes implementing a container-based file system on wireless devices within the controlled environment. The enterprise management system manages and controls the organization of files into one or more containers on each wireless device. Each container is associated with one or more execution rules that allow or restrict execution of files that are located in the container.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: June 6, 2023
    Assignee: Global Tel*Link Corporation
    Inventor: Stephen L. Hodge
  • Patent number: 11671260
    Abstract: A security token is provided having a communication interface with a communication transceiver; a circuit having encoded thereon an immutable hardware key; and a tangible, nonvolatile memory, the nonvolatile memory having stored thereon a mutable software key, the mutable software key including a cryptographic key and an expiry for the cryptographic key.
    Type: Grant
    Filed: May 12, 2021
    Date of Patent: June 6, 2023
    Assignee: Mozarc Medical US LLC
    Inventor: Arindam Ghosh Roy
  • Patent number: 11658984
    Abstract: Described embodiments provide systems, methods, and computer readable media for accessing services via identity providers. A computing device may transmit, responsive to a request from a client to access a service, a value to the client. The client may be configured to access the service using an access token. The computing device may receive, from the client, a signature, the signature generated using the value, a device identifier, and a first encryption key. The computing device may determine, using the value and a second encryption key, the device identifier from the signature. The computing device may identify a status of the client according to the device identifier. The computing device may provide, responsive to the status, a new access token to permit access to the access and a refresh token to obtain subsequent access tokens.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: May 23, 2023
    Inventors: Ashish Gujarathi, Ricardo Fernando Feijoo