Abstract: In one embodiment, a method by an apparatus of a Border Gateway Protocol-Link State (BGP-LS) environment includes receiving an attestation token from a first component and encoding the attestation token in a BGP-LS signaling message. The method further includes sending the BGP-LS signaling message with the encoded attestation token to a second component of the BGP-LS environment.

Abstract: Performing controlled access to data stored in a secure partition is described herein, including: associating a predetermined exception with an exception handling program in an operating system; restricting a user program to execution by a normal privilege user; and designating a secure partition and restricting the secure partition to be accessible by a highest privilege user; wherein, when executed in user space corresponding to the normal privilege user, the user program generates the predetermined exception, and wherein the predetermined exception triggers execution of the exception handling program in kernel space, and the exception handling program is configured to read data from the secure partition and deliver the data after processing to the user program.

Abstract: Systems, devices, and methods are provided for implementing a cloud-based mainframe service. A cloud-based mainframe service may utilize various resources, including an operating system that is provisioned with an authorization interceptor that uses a first set of security policies stored in a policy database to determine whether to grant or deny access to resources managed by the operating system. The authorization interceptor may use the security policies of the policy database to determine whether to grant access to operating system resources. A database management system may use a second set of security policies stored in the policy database to determine whether to grant or deny access to resources managed by the database system. Security policies for a mainframe service may be centrally stored in a policy database managed by a policy management service.

Abstract: A terminal apparatus according to an embodiment includes a solid-state imaging element and a first communication unit. The solid-state imaging element includes an image sensor, an image processing unit, and an output interface. The image sensor converts received light into an image. The image processing unit detects a specific object in the image. The output interface outputs the image. The first communication unit transmits the image output from the output interface. The information processing apparatus includes a second communication unit and a processor. The processor receives an image transmitted from the terminal apparatus with the second communication unit. When the image received with the second communication unit is an image in which the image processing unit has detected a specific object, the processor performs mask processing of masking the specific object.

Abstract: Message delivery in cellular roaming scenarios involves a user device activated with a home telecommunications service provider (TSP) that provides cellular service to the user device. The user device is located in a remote location and the user device is activated with a remote TSP providing roaming cellular service to the user device in a remote location on a cellular network of the remote TSP. A process includes, based on the user initiating a transaction with a remote application server that requires user authentication based on delivery of a transactional text message, receiving from the remote application server the transactional text message, encrypting the transactional text message to produce an encrypted transactional text message, and forwarding the encrypted transactional text message to the remote TSP for delivery as a short message service (SMS) text to the user device in the remote location via the cellular network of the remote TSP.

Abstract: The invention provides a consent management system for managing a user's consent for a plurality of services. The system includes a consent management unit adapted to register a plurality of services to a user and obtain user consent information associated with the user. The consent management unit is further adapted to control consent operation of the plurality of services registered to the user, based on user consent information associated with the user.

Abstract: A homomorphic encryption scheme, such as Paillier encryption in combination with a bit packing process allows biometric matching at a terminal without exposing a biometric template stored at a user's device. Because such encryption schemes are data intensive, the bit packing process allows reductions in data being sent and processed so that the biometric matching process can be accomplished in near real time. The high speed of this optimized process allows the technique to be applied to many real world processes such as access control and transaction processing.

Abstract: A passive Multi-Factor Authentication (MFA) system includes a passive MFA server that receives, from a user computing device, passive biometrics data and device data collected during a current session on a remote site; submits the passive biometrics data to a user profile model, and in response receives a user authentication confidence score; and submits the device data to a device profile model, and in response receives a device authentication confidence score. The passive MFA server is also configured to receive a user authentication request for a current payment transaction associated with the current session on the remote site, and transmit the user authentication confidence score and the device authentication confidence score to an Access Control Server (ACS) configured to determine that the scores satisfy a predefined threshold for passively authenticating a user of the user computing device during the current session, without conducting an active authentication process with the user.

Abstract: A network device implements a method to protect a vehicle from insertion of malicious operations. The method includes establishing a communication session with a requestor as a proxy for the vehicle, receiving status information from the vehicle, querying a deep learning platform with the status information and message from the requestor, and dropping the message from the requestor in response to the deep learning platform indicating the message is malicious.

Abstract: In general, techniques are described for distributed route and packet flow evaluation within a cloud exchange fabric. In some examples, a routing engine is operative to: establish sessions between a first network and a second network to exchange message data identifying destinations in the second network; and verify routing information comprising routes from endpoints in the first network to the destinations based upon the message data, including, for each route of the routes: evaluating a source or a destination for indicia of illegitimate origination, and in response to detecting an illegitimate endpoint at the at least one of a source or a destination based upon identifying one or more of the indicia of illegitimate origination, dropping a corresponding route from the routing information.

Abstract: Techniques for data lifecycle discovery and management. Data lifecycle discovery platform (DLDP) can identify data of users, data type, and language of data stored in data stores (DSs) of entities based on scanning of data from databases. DLDP determines compliance of DLDP and DSs with obligations relating to data protection arising out of jurisdictional laws or agreements. DLDP generates rules to facilitate complying with and enforcing laws and agreements. DLDP can determine, and present to authorized users, risk scores relating to levels of compliance of the DLDP, associated platforms, or entities, risk indicator metrics, or a privacy health index of the organization associated with DLDP. DLDP can manage user rights regarding data, and access to data in DSs and information relating thereto stored in secure data store of DLDP. DLDP can remediate issues involving anomalies indicating non-compliance. DLDP can utilize machine learning to enhance various functions of DLDP.

Abstract: Methods and apparatus for hardware based file/document expiry timer enforcement is disclosed. An example method includes instructing, by executing an instruction with a processor, a trusted execution environment to generate an encryption key and a certificate for a document, the certificate including expiry information for the document, the certificate associated with identification information of the document, and the expiry information indicative of a time period for which the encryption key is valid to decrypt the document; encrypting, by executing an instruction with the processor, the document using the encryption key; transmitting the certificate to a first remote network storage device; and transmitting the document to a second remote network storage device.

Abstract: Methods, computer readable media, and devices for efficient application programming interface (API) processing with privacy protection include one method of receiving a user request for content from a client, parsing the user request for content to identify one or more request portions having a type of public information, customized information, and personal information, transmitting the one or more request portions to a corresponding microservice based on the type of the portion of content being requested, receiving one or more response portions, determining a type of the one or more portions of content, and in response to determining the type of a portion of content is not personal information, caching the portion of content based on the type of the portion of content, combining the one or more response portions into a user response, and sending the user response to the client.

Abstract: Systems and methods enhanced authentication techniques using virtual persona. An example method includes receiving a request associated with authorization of a user. Information identifying a virtual persona associated with the user is accessed, the virtual persona comprising meshes. Confidence measures associated with the user's identity are determined based on the meshes. The request is responded to based on the confidence measures.

Abstract: An electronic device is provided for control of an execution of a third-party application based on a blacklisting function. The electronic device includes circuitry that executes a monitor application that is a part of an operating system rooted onto the electronic device. The monitor application has system privileges to examine the code and execution of the third-party application installed on the electronic device. The circuitry identifies, by the monitor application, one or more requests to access a network resource from a runtime code of the third-party application. The circuitry extracts, by the monitor application, one or more first network resource identifiers associated with the network resource from the one or more requests. The circuity compares, by the monitor application, the first network resource identifiers with the blacklist associated with the monitor application. The circuitry controls, by the monitor application, the execution of the third-party application based on the comparison.

Abstract: Replicating data using inferred trust, including: receiving, by a first storage system from a computing device, data encrypted using a first encryption key; decrypting, by the first storage system, the encrypted data using the first encryption key; encrypting, by the first storage system, the decrypted data using a second encryption key; storing, on the first storage system, the data encrypted using the second encryption key; sending, from the first storage system to the second storage system, the data; and servicing, by the second storage system, an input/output (‘I/O’) operation directed to the data.

Abstract: A method of providing information for display, from a portable electronic device, includes displaying information on a display of the portable electronic device, identifying a portion for redacting from the information displayed on the display of the portable electronic device, extracting the portion from the information to provide redacted information and an extracted portion, storing the redacted information, protecting and storing the extracted portion in association with a location identification in a file, and sending the redacted information and sending the file including extracted portions associated with the location identifiers.

Abstract: Techniques are disclosed in which a computer system receives a transaction request and uses a federated machine learning model to analyze the transaction request. A server computer system may generate a federated machine learning model and distribute portions of the federated machine learning models to other components of the computer system including a user device and/or edge servers. In various embodiments, various components of the computer system apply transaction request evaluation factors to the portions of the federated machine learning model to generate scores. The server computer system uses the scores to determine a response to the transaction request.

Abstract: A computer-implemented method is disclosed. The method includes: receiving, via a computing device in a locked state, input of a first PIN; determining that the first PIN is associated with a first cryptographic key that is stored in a memory; responsive to determining that the first PIN is associated with the first cryptographic key, retrieving, from the memory, an encrypted form of a first credential that is associated with the first cryptographic key; recovering the first credential from the encrypted form using the first cryptographic key; and causing the computing device to be unlocked using the recovered first credential.

Abstract: Non-transitory computer readable storage mediums have instructions executed by processors to access a first random data element at a first computing device. A first vector and a second vector are generated at a second computing device. A communication channel is utilized to execute a secure multiparty computation protocol between the first computing device and the second computing device. The first computing device alternately identifies a polynomial relations satisfied state and a polynomial relations unsatisfied state. A first selected instruction set is executed at the first computing device in response to the polynomial relations satisfied state. A second selected instruction set is executed at the first computing device in response to the polynomial relations unsatisfied state.