Abstract: A cloud-based identity and access management system that implements single sign-on (“SSO”) receives a first request for an identity management service configured to allow for accessing an application. Embodiments send the first request to a first microservice which performs the identity management service by generating a token. The first microservice generates the token at least in part by sending a second request to a SSO microservice that is configured to provide SSO functionality across different microservices that are based on different protocols. Embodiments then receive the token from the first microservice and provide the token to the application, where the token allows for accessing the application.

Abstract: A security event that is associated with one or more communication devices is detected. For example, the security event may be an unexpected change in data being sent from a communication device outside an enterprise. In response to detecting the security event, a Virtual Service Network (VSN) is created that isolates one or more communication devices that may pose a security risk. A corrective action to mitigate the security event is then implemented. For example, the corrective action may be to dynamically instantiate a firewall on the VSN that blocks the transfer of data from the communication device outside the enterprise. This allows an administrator to review the security event and take further action if necessary. Because the VSN with the firewall is created dynamically, the network remains secure while the security event is investigated.

Abstract: Provided is a method of providing, by a server, account information, the method including: receiving an account generation request message from a first device; generating first account information, based on user identification information included in the account generation request message; transmitting the generated first account information to the first device; receiving an account use request message from a second device; identifying the first account information and service identification information included in the received account use request message; and transmitting second account information corresponding to the identified first account information and the service identification information, to the second device.

Abstract: Disclosed herein are methods, systems, and apparatus for securely executing smart contract operations in a trusted execution environment (TEE). One of the methods includes receiving, by a blockchain node participating in a blockchain network, a request to execute one or more software instructions in a service TEE hosted by the blockchain node, wherein the request is encrypted by a public key associated with the service TEE; decrypting the request with a first private key associated with the service TEE, wherein the first private key is paired with the public key; in response to decrypting the request, executing the one or more software instructions to produce an execution result; encrypting the execution result with a client encryption key associated with the service TEE to produce an encrypted result; and signing the encrypted result using a second private key associated with the TEE to produce a signed encrypted result.

Abstract: Methods, systems, and media for adding IP addresses to firewalls are provided. In some embodiments, the method comprises: receiving a network packet that includes an external IP address associated with an external device, wherein the external device is a device not protected by a firewall; determining whether the external IP address is included in a group of IP addresses maintained by the firewall; determining whether to add the external IP address to the group of IP addresses; identifying an Internet Service Provider (ISP) associated with the external IP address; determining whether the ISP is included in a group of ISPs maintained by the firewall; and in response to determining that the ISP is not included in the group of ISPs maintained by the firewall, adding the external IP address to the group of IP addresses and adding the ISP to the group of ISPs.

Abstract: Systems and methods are described to identify and correct inaccurate or non-compliant access policies for an authorization service that uses such policies to control access to instances of one or more network-accessible services. Each service can implement one or more instances on behalf of individual service users, which users can author an access policy to control whether requests to access the instances are allowed or disallowed at the authorization service. The access policies can be authored according to policy guidelines established by the service. If the policy guidelines of a service change (e.g., are updated to a new version), the authorization service can detect policies non-compliant with the changed guidelines, and notify service users of the non-compliant policies. The authorization service may further notify users of modifications or transformations to bring access policies into compliances with changed policy guidelines.

Abstract: A method for image based authentication of a human computer user as opposed to a robot is applied in a server. The server generates a CAPTCHA image and preprocesses the CAPTCHA image. The CAPTCHA image is preprocessed by halftoning and mapping pixel sparsity onto pre-computed levels by block based operation. The server then encrypts the preprocessed CAPTCHA image into two shared images and transmits same to the client device. The client device renders the two shared images on a display through a user interface to facilitate superimposition of the two shared images and the user can visually decrypt the preprocessed CAPTCHA image and input an authentication code according to the CAPTCHA characters.

Abstract: A method for confirming pairing connection of terminal devices, including: acquiring third touch slide data collected by a target second Bluetooth device via a touch sensing point thereof, if a touch slide operation is detected after a connection between the first Bluetooth device and the target second Bluetooth device is established; establishing a third touch slide variation curve device according to the third touch slide data; acquiring fourth touch slide data collected by a touch screen thereof, and establishing a fourth touch slide variation curve according to the fourth touch slide data; determining whether the third touch slide variation curve matches with the fourth touch slide variation curve or not; and disconnecting the connection with the target second Bluetooth device if the third touch slide variation curve does not match with the fourth touch slide variation curve.

Abstract: Jointly discovering user roles and data clusters using both access and side information by performing the following operation: (i) representing a set of users as respective vectors in a user feature space; representing data as respective vectors in a data feature space; (ii) providing a user-data access matrix, in which each row represents a user's access over the data; and (iii) co-clustering the users and data using the user-data matrix to produce a set of co-clusters.

Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A file system enforcement point protects an HDFS from unauthorized access by authenticating a declared identity of a task submitting a request from a client. Upon receiving the request, the file system enforcement point submits a challenge to the client, requesting the task to provide credentials of the declared identity. The task submits credentials. On the client, each task has access to credentials of a true identity of the task. Accordingly, in case a task submits a claimed identity that is different from the true identity of the task, the task cannot submit correct credentials in response to the challenge. The file system enforcement point authenticates the declared identity using the submitted credentials. The file system enforcement point allows the client to access the HDFS only upon successful authentication.

Abstract: A method for storing an object on storage nodes includes encrypting an object to be stored with a key. One or more hash values are computed for the object. The encrypted object is stored on the storage nodes. Storage location data is provided for the stored object. A transaction is computed for a blockchain, wherein information is encoded in the transaction, the encoded information representing the storage location data, the computed o hash values and key data. The transaction is stored in the blockchain provided by one or more blockchain nodes hosting the blockchain. A number of confirmations is provided for the transaction. The number of confirmations is compared with a predefined threshold confirmation number, wherein the predefined threshold confirmation number is computed such that with a pregiven certainty the encoded information in the transaction stored in the blockchain cannot be modified.

Abstract: Firewall rules and policies are automatically managed in accordance with relevancy to network traffic on a wireless network. A specific firewall rule is applied to the network packet being examined based on the identified application based on a ranking of a relevancy score. Responsive to the specific firewall rule application, the relevancy score associated with the specific firewall rule are increased, and relevancy scores for other firewall rules of the predetermined firewall rule category that are not applied to the network packet decreased. Firewall rules of the category, for order of application, are ranked based on the relevancy scores. Firewall rules having relevancy scores below a predetermined relevancy threshold are disabled and the administrator is notified.

Abstract: The present invention discloses a method and a browser for browsing a web page, and a storage medium, and the method comprises: prestoring identity information of an owner user; receiving a web page browsing request from a browsing user, and obtaining the identity information of the browsing user; comparing the identity information of the browsing user with the prestored identity information of the owner user to determine whether the browsing user is the owner user; browsing a web page in a private browsing mode when the browsing user is determined as the owner user; and browsing a web page in a non-private browsing mode when the browsing user is determined as a non-owner user. By the invention, the privacy of browsing behaviors of the owner user may be effectively protected, and the owner user is enabled to examine browsing behaviors of other non-owner users.

Abstract: A system includes a first computer system (FCS) configured to receive an authentication request of a user with respect to the first authentication system (FAS), and communicate an unsuccessful authentication attempt. In response, a bridge computer system (BCS), is configured to request a user ID and receive at least the user ID; identify an address of a second computer system (SCS) based on of the user ID; and initiate the second authentication system (SAS) using the address. The SCS, if the user has been successfully authenticated with respect to the SAS, is configured to communicate successful authentication to the BCS; and in response, the BCS is configured to send the FAS a confirmation message, and the FCS is configured to treat the user as authenticated.

Abstract: An anti-phishing email system and an anti-phishing email method are provided. The system includes an email address registration and authentication subsystem configured to register an email address of a user, an email signature registration subsystem configured to register a signature generated by the user for information on a to-be-sent email, and an email signature query subsystem configured for an email receiving user to query whether the email is registered after the email receiving user receives the email, to determine whether the email is an illegal phishing email.

Abstract: In various embodiments, a computer-implemented method for generating and verifying officially verifiable electronic representations may be disclosed.

Abstract: A communication system includes multiple nodes connected with each other. Each of the multiple nodes generates a message authentication code using a count value of a counter. The multiple nodes include a transmission node and a reception node. The count value of the counter is includes a high-order count value and a low-order count value. In the transmission node, a normal message generation portion generates a normal message to include a transmission data, the low-order count value, and the message authentication code, and a synchronization message generation portion generates a synchronization message. In the reception node, a message verification portion verifies the received normal message, a resynchronization request portion transmits a resynchronization request of the counter to the transmission node, and a count value update portion updates the high-order count value stored in the reception count value storage portion when the synchronization message is received.

Abstract: Method and apparatus for a system to harden digital consents. The system uses an evaluation of geographic locations, transaction times, and device identities to control the upload of consent data. Evaluations occur using numerous techniques including MAC address evaluation, IP address evaluation, meta-data evaluation, and physical location of restricted equipment such as ATMs and kiosks. Reliability of consent data entered into the system may be enhanced by strictly evaluating geographic locations, transaction times, and/or device identities.

Abstract: Method and apparatus for a system to harden digital consents. The system uses an evaluation of geographic locations, transaction times, and device identities to control the upload of consent data. Evaluations occur using numerous techniques including MAC address evaluation, IP address evaluation, meta-data evaluation, and physical location of restricted equipment such as ATMs and kiosks. Reliability of consent data entered into the system may be enhanced by strictly evaluating geographic locations, transaction times, and/or device identities.

Abstract: Provided are a communication destination determination device and the like in which a communication destination that is highly likely to pose a threat can be detected. A communication destination determination device 101 is provided with: a signal transmission unit 102 which transmits, when a first signal transmitted from a communication destination 104 is received via a communication network, a second signal in response to the first signal to the communication destination 104; and a communication destination determination unit 103 which classifies whether the communication destination 104 is highly likely to pose a threat or not, on the basis of whether or not a third signal transmitted from the communication destination 104 is received within a certain time period from the timing of transmission of the second signal.