Abstract: The present disclosure involves systems, software, and computer implemented methods for determining and visualizing effective mask expressions. One example method includes identifying a request for an object in a software application. The request is associated with a particular user. An object hierarchy associated with the requested object is identified. At least one column in the object hierarchy is associated with a mask expression. A current dependent object in the identified object hierarchy is determined. Masking status data for the current dependent object is determined that identifies whether masking is to be applied to the current dependent object when fulfilling the request. The generated masking status data is used to determine which masking expressions are to be applied to which columns in the object hierarchy when responding to the request.

Abstract: In a distributed system, each of N machines receives a similarity search query through a linear communication orbit. The similarity search query includes token identifiers corresponding to tokens in a target document. Each machine, in response, identifies files that meet predefined similarity criteria with respect to the target document. Subsequent to receiving the similarity search query, the machine generates a first report, including a count of files stored at the machine that meet the predefined similarity criteria with respect to the target document, and/or information identifying a set of files that meet the predefined similarity criteria with respect to the target document; and sends the first report to a server through the linear communication orbit. The server produces a merged report presenting information with respect to files at a set of machines, including the N machines, that meet the predefined similarity criteria with respect to the target document.

Abstract: A memory region on an IC card has a hierarchical structure. Each application allocated on the memory region is registered in a directory, and the memory region is managed in directory units. A personal identification code is set for each application and directory, and the access right is controlled in application units or directory units. If a mobile terminal is lost, the right to access each application in the IC card automatically disappears. Therefore, the right to access each application allocated to the memory region on the IC card is efficiently controlled.

Abstract: A method for integrating a medical device into a medical facility network by equipping the medical device with wireless communication device is disclosed. The medical device is provided into a medical treatment area within wireless range of the medical facility network. The medical facility network is configured to detect the medical device upon entry into the medical treatment area, and then recognize or authenticate the medical device. The medical facility network is configured to thereafter transmit an initialization signal to the medical device. A system for integrating medical devices, a medical device capable of integration, and a medical facility network are also disclosed.

Abstract: The present application discloses a virtual trusted platform module (vTPM)-based virtual machine security protection method and system. The method, executed by a physical host, includes: receiving a primary seed acquisition request sent by a virtual machine, where the primary seed acquisition request carries a UUID; sending the UUID to a KMC, so that the KMC generates a primary seed according to the UUID; and receiving the primary seed fed back by the KMC, and sending the primary seed to the virtual machine, so that the virtual machine creates a root key of a vTPM according to the primary seed, where the root key is used by the vTPM to create a key for the virtual machine to protect security of the virtual machine. As such, the same root key can be created by using the primary seed.

Abstract: A registry apparatus is provided for maintaining a device registry of agent devices for communicating with application providing apparatus. The registry comprises authentication information for uniquely authenticating at least one trusted agent device. In response to an authentication request from an agent device, the authentication information for that device is obtained from the registry, and authentication of the agent device is performed. If the authentication is successful, then application key information is transmitted to at least one of the agent device and the application providing apparatus.

Abstract: Various implementations disclosed herein enable controlling access to networks. In various implementations, a method of controlling access to a network is performed by a computing device including one or more processors, and a non-transitory memory. In various implementations, the method includes obtaining an indication that a mobile device having access to a first network utilizing a first radio access technology (RAT) has requested access to a second network utilizing a second RAT. In some implementations, the method includes determining whether the access to the first network satisfies an authentication criterion associated with the second network. In some implementations, the method includes granting the mobile device access to the second network in response to determining that the access to the first network satisfies the authentication criterion associated with the second network.

Abstract: Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.

Abstract: Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.

Abstract: A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage devices, for data processing and storage. One of the systems includes a first tier storage device with a first performance characteristic and a second tier storage device with a second performance characteristic inferior to the first performance characteristic. The first tier storage device stores a first data log file that includes first blockchain data generated by a blockchain network. The second tier storage device stores a second data log file that includes second blockchain data generated by the blockchain network at an earlier time than the first blockchain data.

Abstract: A method and an apparatus for invoking a fingerprint identification device are provided. The method includes the following. When a request of a current application to invoke a fingerprint identification device is detected, whether the fingerprint identification device is occupied by a historical application is determined. When the fingerprint identification device is occupied by the historical application, whether the current application meets a preset invoking condition is determined, and then the fingerprint identification device is controlled to process the request of the current application according to the determination result.

Abstract: The present disclosure provides a solution to this problem by enabling the communications network to verify the relationship of the first UE and the second UE based on stored pairing information that is used to verify that the first UE is allowed to make a connection to the communications network. The apparatus transmits a pairing request from a first UE to a second UE. In an aspect, the pairing request is intended for a communication network. Further, the apparatus receives a pairing acknowledgement. In an aspect, the pairing acknowledgement verifies the pairing of the first UE and the second UE. In addition, the apparatus connects to the communication network via the second UE once the first UE pairs with the second UE.

Abstract: Single sign-on (SSO) techniques of the present disclosure provide for enterprise application user identities that are bound to a mobile identity (e.g. IMSI) associated with a user equipment (UE) for authentication, using general bootstrapping architecture (GBA)/general authentication architecture (GAA) functionality in combination with identity provider (IDP) functionality (e.g. OpenID Connect), all of which may be provided in an enterprise network. The present techniques need not rely on GBA/GAA infrastructure of a mobile network operator (MNO), and have little or no impact or effect on the mobile network.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing blockchain-based centralized ledger systems.

Abstract: A system and method for generating an alert regarding a potential attack is described. The method involves receiving data associated with previously analyzed or known malware attacks by a first network device. Additionally, the first network device receives an attack alert associated with an object analyzed and identified as suspicious by a second network device. The attack alert includes information associated with the suspicious object. For alert generation, at least a portion of the information of the attack alert is provided to a system configured to at least (i) extract feature(s) from the attack alert, (ii) determine similarities between the extracted features and features associated with the previously analyzed or known malware attacks to determine a result, (iv) compute an attack value based on the result and at least a portion of the extracted features including time-dependent and/or independent features, and (v) generate an alert based on the attack value.

Abstract: A method according to one embodiment includes determining whether a guest associated with a guest device is authorized to control an access control device based on an access control list, generating a caveated cryptographic bearer token in response to determining the guest is authorized to control the access control device, the caveated cryptographic bearer token including a time-based caveat defining a time limit for control of the access control device, transmitting the caveated cryptographic bearer token to the guest device in response to generating the caveated cryptographic bearer token, transmitting, in response to receiving the caveated cryptographic bearer token, a request including the caveated cryptographic bearer token to control the access control device to the access control device, and authenticating the request based on the received caveated cryptographic bearer token, a base cryptographic bearer token stored on the access control device, and a real-time clock of the access control device.

Abstract: A processing device comprises a memory comprising memory blocks configured to store bit values, wherein bit values of an initial memory block are set to a target value; a memory controller configured to perform control of copying bit values from at least one source memory block to at least one destination memory block; the memory controller being configured to perform: copying the set bit values to the at least one destination memory block, subsequently copying the set bit values and the copied bit values to further destination memory blocks.

Abstract: Systems and methods for providing a threat intelligence system include a system provider device that downloads, through communication over a network and from one or more targeted websites, a plurality of images of a first environment. Based on an OCR process, the system provider device may extract a set of textual data corresponding to a subset of images of the plurality of images, where the subset of images depict text. The system provider device stores the set of textual data in an indexed and searchable database. The system provider device assigns a threat assessment score to each image based on the set of textual data, and the threat assessment score may be updated based on comparison of the set of textual data with other sets of textual data. Based on the threat assessment score being greater than a threshold value, the system provider device may generate a security alert.

Abstract: A controller of an information handling system (IHS) prevents unauthorized access to an information handling system (IHS). The controller determines whether a lock data structure in a persistent memory device indicates one or more resources of the IHS are in a locked state. If in locked state, the controller: (i) disables a processor subsystem of the IHS from performing a start-up procedure until a unique password is received from a user interface coupled to the IHS; (ii) receives an input; (iii) determines whether the input matches a unique password contained in an externally unreadable portion of memory of the IHS; (iv) in response to the input matching the unique password, permanently changes the lock data structure to an unlocked state and enables the processor subsystem to perform the start-up procedure.