Abstract: Some embodiments provide a method for enforcing policies for authorizing API (Application Programming Interface) calls to an application operating on a host machine. The method receives a request to authenticate a client attempting to gain access to the application, and authenticates the client based on a first set of parameters associated with the request. Using a second set of parameters associated with the request, the method evaluates a set of one or more policies associated with a set of one or more API calls to the application. Based on the evaluated policies, the method defines a third set of one or more authentication field parameters that control the API calls that the client is authorized to make to the application. The method sends an authentication reply message with the defined third set of authentication field parameters in order to control the API calls that the client is authorized to make.

Abstract: A network device may determine that network traffic for a communication session between a first peer device and a second peer device is to be protected using a security protocol suite. The network device may establish, using one or more tunnels, multiple security associations that are to be used to securely provide the network traffic of the communication session over an unsecured medium. The network device may determine a rekey scheduling time for each security association, of the multiple security associations, based on a combination of configuration information and dynamic network device information. The network device may perform, at each rekey scheduling time, a rekeying procedure to rekey each security association of the multiple security associations.

Abstract: Methods, systems, and apparatus, including computer-readable media encoded with computer program instructions, for a decentralized application ecosystem and data sharing platform. In some implementations, a system stores data for different individuals in different logical data storage areas. The system stores data indicating a set of predetermined data classifications, and for at least some of the data storage areas, the system determines and stores data classifications for data stored in an encrypted form in the data storage area. The system provides an application programming interface (API) that enables multiple different applications to access the data storage areas over a communication network. The system is configured to (i) provide access through the API to the data of data storage areas, conditioned on applications providing authorization tokens, and (ii) provide access through the API to the data classifications in the metadata that is not conditioned on providing authorization tokens.

Abstract: An apparatus in one embodiment comprises a processing platform configured to communicate over a network with a plurality of Internet of Things (IoT) devices. The processing platform receives at least a first intermediate message from a first gateway of the network, receives one or more additional intermediate messages from each of one or more additional gateways of the network, associates the first and additional intermediate messages with one another based at least in part on a common message identifier detected in each such intermediate message, and processes the associated first and additional intermediate messages to recover a device message from a given one of the IoT devices. The first intermediate message is based at least in part on at least one application of a designated cryptographic function to the device message utilizing a corresponding key. At least one of the one or more additional intermediate messages provides at least a portion of the key.

Abstract: A display apparatus with increased security performance, for using the resources of a restricted secure world (SW), and/or an operation method thereof. The display apparatus may include a display, and a controller including at least one processor configured to perform one or more instructions to separately run a normal operating system (OS) and a secure OS, which are respectively executed in a normal world (NWD) and an SWD corresponding to a TrustZone.

Abstract: A system and method provide automatic access to applications or data. A portable physical device, referred to herein as a Personal Digital Key or “PDK”, stores one or more profiles in memory, including a biometric profile acquired in a secure trusted process and uniquely associated with a user that is authorized to use and associated with the PDK. The PDK wirelessly transmits identification information including a unique PDK identification number, the biometric profile and a profile over a secure wireless channel to a reader. A computing device is coupled to the reader. An auto login server is coupled to the reader and the computing device and launches one or more applications associated with a user name identified by the received profile.

Abstract: A method includes creating a sample of the generated work, generating a unique identifier, associating the unique identifier with the registration, generating a physical copy of the unique identifier, attaching the physical copy to the sample, taking an image of the sample with the physical copy attached to the sample, and registering the image. The method may further include encrypting a representation of the generated work with a public key. The method may further include transmitting a licensed identifier to a remote data computer system, receiving an occurrence from the remote data computer system, and executing a compensation routine based on the occurrence.

Abstract: A blockchain sharding method combining spectral clustering and a reputation value mechanism includes: obtaining, every other account grouping cycle Ta, account transaction data recorded during operation of a blockchain to generate an account transaction graph; obtaining an adjacency similarity matrix W and a degree matrix D based on the account transaction graph; generating a Normalized Laplace matrix L based on the adjacency similarity matrix W and the degree matrix D, performing dimension reduction on L to obtain a feature matrix F, and then clustering the feature matrix F with a clustering dimension of k by row through a K-means clustering method; and dividing blockchain accounts into k groups based on an obtained clustering result, and allocating accounts in the k groups to k blockchain shards.

Abstract: A mobile device can detect an idle state and, in response, initiate an access monitoring function to covertly monitor activity involving a human interaction with the mobile device. The covert monitoring is undetectable by a user of the mobile device. The mobile device can then detect a human interaction with the mobile device and, in response, cause the mobile device to covertly capture and log one or more human interactions with the mobile device. An authorized user of the mobile device is enabled to review the log of human interactions with the mobile device.

Abstract: An application executing on an endpoint accesses remote resources using a gateway. In response to a requested remote access, the application may be marked with a descriptor that specifies a target action and a pattern of occurrences of the target action. When a second observable action on the endpoint includes the pattern of events following the first observable action, a reportable event may be generated indicating a compromised state of the endpoint. The gateway can then regulate usage of the remote resource based on the reportable event.

Abstract: A system provides for a client to receive enhancement data without having personally identifiable information leave its systems. The system receives access to a client configuration and a data graph to perform configuration defined filtering and aggregation steps to produce a set of client files. These files contain a hashed version of PII from the data graph. They are then used by the client to match the identity of its population of objects to keys, the keys also being included in the set of client files. The client associates corresponding keys with objects in its own data graph, then requests enhancement data using only the keys. The data is returned using the matched keys without the use of personally identifiable information.

Abstract: Technologies are described for managing metadata associated with external content. For example metadata can be obtained that describes content stored on external systems. The metadata can be obtained without locally storing the content items themselves. For example, the metadata can be retrieved from the external systems while the external content continues to be stored on the external systems. The metadata can also include indications of the actions that can be performed in relation to the external content. For example, actions can be obtained (e.g., locally determined and/or obtained from the external systems) and added to the metadata. The metadata can be stored and used locally. For example, the metadata can be used to locally perform the actions in relation to the external content. The metadata can also be used to locally initiate actions that are then carried out in the external systems.

Abstract: Apparatuses, methods, and systems are disclosed for supporting a notification procedure during 5G registration over a non-3GPP access network. One apparatus includes a transceiver that communicates with a mobile communication network (“MCN”) via a trusted non-3GPP access network (“TNAN”) and a processor that receives a message that starts an EAP session with an access gateway in the TNAN. Here, the EAP session facilitates the establishment of a NAS signaling connection between the apparatus and the MCN and to encapsulate NAS messages exchanged between the apparatus and an AMF in the MCN. The processor receives an EAP notification request from the access gateway before the EAP session is completed. Here, the EAP notification request including at least one access parameter. The processor sends an EAP notification response and completes the EAP session.

Abstract: The present invention relates to a highly flexible, scalable multi-blockchain, hierarchical data-sharing and data-storing system, at least comprising a third-party blockchain system, a data-sharing blockchain system, and an application-layer client, wherein the data-sharing blockchain system performs data aggregation and hierarchical storage on shared data uploaded by the third-party blockchain system through accessing the data-sharing blockchain system, so as to allow the application-layer client to require the shared data from the data-sharing blockchain system. The disclosure herein creates a single reliable data-sharing blockchain apparatus based on blockchain systems, so as to facilitate aggregation of data coming from different blockchain systems, reduce node complexity and block data redundancy when data are acquired from multiple parties, and define different sharing rules for different data contents, thereby being adaptive to scenarios where data are shared among parties.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: A system and method provide automatic access to applications or data. A portable physical device, referred to herein as a Personal Digital Key or “PDK”, stores one or more profiles in memory, including a biometric profile acquired in a secure trusted process and uniquely associated with a user that is authorized to use and associated with the PDK. The PDK wirelessly transmits identification information including a unique PDK identification number, the biometric profile and a profile over a secure wireless channel to a reader. A computing device is coupled to the reader. An auto login server is coupled to the reader and the computing device and launches one or more applications associated with a user name identified by the received profile.

Abstract: Implementations include a computer-implemented method for mitigating cyber security risk of an enterprise network, the method comprising: receiving an analytical attack graph (AAG) representing paths within the enterprise network with respect to at least one target asset, the AAG defining a digital twin of the enterprise network and comprising a set of rule nodes, each rule node representing an attack tactic that can be used to move along a path of the AAG; integrating the AAG with a knowledge graph comprising a set of asset nodes, each asset node representing a digital asset that can be affected by one or more of the attack tactics; determining, based on integrating the AAG with the knowledge graph, a plurality of security controls, each security control having an assigned priority value; and selectively implementing the security controls in the enterprise network based on the assigned priority values of the security controls.

Abstract: In various implementations, a system includes a mobile device and a computing server system. The mobile device executes instructions including generating profiles via the application program, where each profile contains information of an individual, identifying at least one of the profiles to transmit to recipients, obtaining an update to the profiles, and transmitting the update to the recipients. The computing server system transmits a profile template to the mobile device, receives the profiles generated in connection with the profile template, validates data fields of the received profiles generated based on the profile template, stores the received profiles that are validated, receives the update, updates the profiles accordingly, generates an identifier of the profiles, and transmits the identifier and data associated with the profiles to a computing device of the recipients.

Abstract: Techniques for creating, sharing, and using bundles (also referred to as packages) in a multi-tenant database are described herein. A bundle is a schema object with associated hidden schemas. A bundle can be created by a provider user and can be shared with a plurality of consumer users. The bundle can be used to enable code sharing and distribution without losing control while maintaining security protocols.

Abstract: The present disclosure describes systems and methods for determining a subsequent action of a simulated phishing campaign. A campaign controller identifies a starting action for a simulated phishing campaign directed to a user of a plurality of users. The simulated phishing campaign includes a plurality of actions, one or more of the plurality of actions to be determined during execution of the simulated phishing campaign The campaign controller responsive to the starting action, communicates a simulated phishing communication to one or more devices of a user. The campaign controller determines a subsequent action of the plurality of actions of the simulated phishing campaign based at least on one of a response to the simulated phishing communication received by the campaign controller or a lack of response within a predetermined time period and initiating, responsive to the determination, the subsequent action of the simulated phishing campaign.