Patents Examined by William S. Powers
-
Patent number: 12381858
Abstract: A computing device includes a direct memory access (DMA) engine coupled to a memory, a network interface, and processing circuitry. The processing circuitry is to perform a secure exchange with a second computing device to negotiate a shared encryption key, based on a request for data received via the network interface from the second computing device. The DMA engine is to retrieve the data from a storage location based on an encryption command. The encryption command indicates the storage location. The DMA engine is to encrypt the data based on the shared encryption key to generate encrypted data, and store the encrypted data in the memory.
Type: Grant
Filed: February 15, 2024
Date of Patent: August 5, 2025
Assignee: Intel Corporation
Inventors: Kshitij Arun Doshi, Uzair Qureshi, Lokpraveen Mosur, Patrick Fleming, Stephen Doyle, Brian Andrew Keating, Ned M. Smith
-
Patent number: 12375466
Abstract: A method and SaaS-based computing platform implemented by a service provider provide for authentication and authorization services in association with the provisioning of a cloud data lake. According to the method, a data lake is provisioned across one or more cloud computing services, preferably within a private data cloud. The data lake comprises at least a first service and a second service, wherein the first and second services use different authentication mechanisms. An authentication framework including an identity and access manager (e.g., Keycloak provisioned to support both OpenLDAP and Kerberos) is configured to enable a permitted user to use a single identity to access the first and second services in the data lake. An authorization framework also is provisioned in association with the authentication framework. The authorization framework configured to apply authorization or data access rules to the single identity across the first and second services in the data lake.
Type: Grant
Filed: December 28, 2021
Date of Patent: July 29, 2025
Assignee: Cazena, Inc.
Inventors: Durgesh Mankekar, Justin Bradford, John Piekos
-
Patent number: 12348636
Abstract: Techniques for managing composite tokens for content access requests are disclosed. A system provides a client device with a composite token to allow the client device to make subsequent requests to access content of a content provider without requiring re-authentication of the client device with each request. The composite token includes an access segment associated with permissions to access content. The composite token further includes a regeneration segment associated with permissions to invalidate the composite token and create a new composite token associated with a same user or session. The system invalidates a previous composite token and regenerates a new composite token if the access segment expires. The system requires re-authentication if the regeneration segment expires or if a composite token is received that is not the most recently-generated composite token.
Type: Grant
Filed: September 7, 2022
Date of Patent: July 1, 2025
Assignee: Oracle International Corporation
Inventor: Allan George Schrum
-
Patent number: 12287861
Abstract: A control method for an information processing apparatus controlled by a computer is executed by the computer and includes performing a first input to accept an input of first authentication information, performing a second input to accept an input of another authentication information different from the first authentication information, executing first processing on condition of success of authentication with the first authentication information input in the first input and success of authentication with the another authentication information input in the second input, and executing second processing on condition of success of at least one of authentication with the first authentication information input in the first input or authentication with the another authentication information input in the second input.
Type: Grant
Filed: February 24, 2022
Date of Patent: April 29, 2025
Assignee: Canon Kabushiki Kaisha
Inventor: So Yokomizo
-
Patent number: 12261834
Abstract: The present embodiments relate to systems and methods for automatic sign in upon account signup. Particularly, the present embodiments can utilize a federated login approach for automatic sign in upon account signup for a cloud infrastructure. Specifically, the signup and sign in service (also known as SOUP) and an identity provider portal can be configured such that the nodes are aware of each other as Security Assertion Markup Language (SAML) partners. After new account registration, the signup service can redirect the user browser to a cloud infrastructure console to start with a federated login flow, where a sign in service can issue a SAML authentication request, and redirects it to signup service. Responsive to validating the browser using a SAML authentication process, the browser can be automatically signed into the new account and allowed access the account relating to the cloud infrastructure service.
Type: Grant
Filed: December 18, 2023
Date of Patent: March 25, 2025
Assignee: Oracle International Corporation
Inventors: Chuang Wang, Girish Nagaraja, Ghazanfar Ahmed, Divya Jain, Weisong Lin, Zheng Guo, Roberto Anthony Franco, Philip Kevin Newman
-
Patent number: 12260690
Abstract: The system includes an electronically controllable access point device and a server. The server includes one or more processors, which are communicatively coupled to the access point device and a portable device. The one or more processors are configured to determine whether a user of the portable device is authorized to access the access point device based on one or more credentials received from the portable device and retrieve a location of the portable device. The one or more processors are further configured to determine whether the location of the portable device is within a pre-defined geographical area. Upon determination of user authorization to the access point device and that the location of the portable device is within the pre-defined geographical area, the one or more processors direct the access point device to provide access to the user.
Type: Grant
Filed: August 15, 2023
Date of Patent: March 25, 2025
Assignee: Geokey, Inc.
Inventors: Kurtis A. Charling, Derick Frauendorfer, Brandon Peterson
-
Patent number: 12255871
Abstract: A packet-filtering system described herein may be configured to filter packets with encrypted hostnames in accordance with one or packet-filtering rules. The packet-filtering system may resolve a plaintext hostname from ciphertext comprising an encrypted Server Name Indication (eSNI) value. The packet-filtering system may resolve the plaintext hostname using a plurality of techniques. Once the plaintext hostname is resolved, the packet-filtering system may then use the plaintext hostname to determine whether the packets are associated with one or more threat indicators. If the packet-filtering system determines that the packets are associated with one or more threat indicators, the packet-filtering system may apply a packet filtering operation associated with the packet-filtering rules to the packets.
Type: Grant
Filed: November 13, 2023
Date of Patent: March 18, 2025
Assignee: Centripetal Networks, LLC
Inventors: Sean Moore, Vincent Mutolo, Jonathan R. Rogers
-
Patent number: 12242617
Abstract: Provided are a method and a system for analyzing a vulnerability in software installed on an Internet of things (IoT) device. In the method and the system, a target binary file extracted from firmware of the IoT device is acquired, a taint path is generated by performing taint analysis on the target binary file, transmission information related to the taint path is generated, and a vulnerability is detected in the target binary file by performing symbolic execution on the target binary file on the basis of the taint path and the transmission information.
Type: Grant
Filed: May 23, 2024
Date of Patent: March 4, 2025
Assignee: ZIEN, INC.
Inventor: Young Min Cho
-
Patent number: 12231894
Abstract: Disclosed herein are a communication technique for merging, with an IoT technology, a 5G communication system for supporting a data transmission rate higher than that of a 4G system; and a system therefor. Embodiments herein disclose a method of protecting sensitive user plane traffic in an User Equipment (UE) (100), the method comprising: transmitting, to a network (200), by the UE (100) a first NAS message comprising an indicator indicating that the UE (200) supports of a secure channel for domain name system (DNS); receiving, from the network (200), by the UE (100) a second NAS message including DNS server security information in response to transmitting the first NAS message; and transmitting, to the network (200), by the UE (100) the DNS over the secure channel based on the DNS server security information.
Type: Grant
Filed: December 14, 2023
Date of Patent: February 18, 2025
Assignee: Samsung Electronics Co., Ltd.
Inventors: Rajavelsamy Rajadurai, Kundan Tiwari, Varini Gupta, Anikethan Ramakrishna Vijaya Kumar
-
Patent number: 12225135
Abstract: An access control apparatus (2000) acquires a request (20) for access to data stored in a first storage apparatus 30. The access control apparatus (2000) acquires privilege information (70) from a blockchain storage (40). The privilege information (70) represents access privilege pertaining to access to the first storage apparatus (30). The access control apparatus (2000) determines whether requested access is within a range of the access privilege of a target entity (10) being a subject of the request (20), by using the privilege information (70) of the target entity (10). When it is determined that the access is within the range of the access privilege of the target entity (10), the access control apparatus (2000) executes the access.
Type: Grant
Filed: December 20, 2019
Date of Patent: February 11, 2025
Assignee: NEC CORPORATION
Inventor: Takashi Yasuda
-
Patent number: 12212557
Abstract: A networking device credential information reset system includes credential information reset authorization devices coupled to a networking device. At least one of the credential information reset authorization devices receives a networking device credential information reset request from the networking device and, in response, generates a networking device credential information reset alert and provides it for display on an administrator device. Following the networking device credential information reset alert being provided for display on the administrator device, a first credential information reset authorization device receives first credential information for the first credential information reset authorization device from the administrator device, validates the first credential information and, in response, provides a credential information reset authorization to the networking device that is configured to cause the networking device to reset second credential information for the networking device.
Type: Grant
Filed: July 13, 2022
Date of Patent: January 28, 2025
Assignee: Dell Products L.P.
Inventors: Senthil Kumar Ganesan, Venkatesan Mahalingam, Vinoth Kumar Arumugam
-
Patent number: 12192203
Abstract: Described herein are complete lifecycle management processes for IoT/M2M devices. In an example, devices are commissioned and de-commissioned in a given system without requiring a user/human administrator. A delegated life-cycle management process is described, wherein devices rely upon a delegatee, which may have more computing and battery resources than the devices, to perform complete or partial lifecycle management operations on behalf of the devices. The delegatee may be a trusted entity that may belong to the same domain as the devices. Further, a Trust Enabling Infrastructure (TEI) is described herein, which may belong to a different trusted domain than the given device and its delegatee.
Type: Grant
Filed: October 25, 2023
Date of Patent: January 7, 2025
Assignee: Convida Wireless, LLC
Inventors: Vinod Kumar Choyi, Chonggang Wang, Dale N. Seed
-
Patent number: 12177204
Abstract: Techniques for certificate authority (CA) selection are described. A certificate management service of a cloud provider network receives a first request to generate a certificate from an electronic device, the first request including an indication of an identity of a user and an identification of a domain name to associate with the certificate. A CA selection policy applicable to the first request is identified, the CA selection policy including a CA selection rule. A CA to generate the certificate is identified by evaluating the CA selection rule, the CA selection rule associates at least a portion of the domain name with the CA. A second request to generate the certificate is sent to the identified CA. The certificate or an identification of the certificate from the CA is returned to the electronic device.
Type: Grant
Filed: March 21, 2022
Date of Patent: December 24, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Manikandan Subramanian, Marcel Andrew Levy, Blake P Hess
-
Patent number: 12166895
Abstract: Embodiments of the present disclosure relate to a method, an apparatus, an electronic device, and a medium for data transfer. The method includes generating, based on metadata of to-be-transferred data and a blockchain including a data transfer record, an ownership certificate of an initiator of a transfer for the to-be-transferred data. The method further includes generating a new transfer record for validation by a blockchain system, where the new transfer record includes the ownership certificate and validation information associated with a receiver of the transfer. The method further includes transferring the to-be-transferred data to the receiver in response to that the new transfer record passes validation of the blockchain system. In this way, the data transfer record may be reliably stored in the blockchain, thereby providing reliable integrity protection and data traceability for a storage system.
Type: Grant
Filed: February 24, 2022
Date of Patent: December 10, 2024
Assignee: DELL PRODUCTS L.P.
Inventors: Yizhou Zhou, Tao Qing, Yu Yan
-
Patent number: 12149561
Abstract: Systems and methods of embodiments are described of a campaign controller that establishes a model for using a plurality of types of exploits based on at least results of simulated phishing communications using those exploits, and uses the model to communicate a first simulated phishing communication to one or more devices of a user where the type of exploit used for the first simulated phishing communication is selected using the model. The campaign controller applies either artificial intelligence or machine learning to the results of simulated phishing communications to establish the model. The campaign controller selects the exploit by applying either artificial intelligence or machine learning to one or more attributes of the user and/or one or more responses from the user.
Type: Grant
Filed: May 3, 2023
Date of Patent: November 19, 2024
Inventors: Alin Irimie, Stu Sjouwerman, Greg Kras, Eric Sites
-
Patent number: 12147572
Abstract: A system may receive, from one or more data sources, one or more de-identified data sets that include de-identified personal data. The system may receive a request for a feature set of the one or more de-identified data sets, wherein the feature set includes a set of quasi-identifiers included in the de-identified personal data. The system may calculate a re-identification risk score for the set of quasi-identifiers. The system may selectively output, based on the re-identification risk score, one of: actual data, from the one or more de-identified data sets, of the feature set if the re-identification risk score satisfies a condition, or synthetic data, generated by the device from the one or more de-identified data sets, for the feature set, or a combination of the synthetic data and the actual data for the feature set, if the re-identification risk score does not satisfy the condition.
Type: Grant
Filed: December 2, 2020
Date of Patent: November 19, 2024
Assignee: Accenture Global Solutions Limited
Inventors: Gaston Besanson, Andrea Amorosi, Runar Gunnerud, Bartomeu Pou Mulet, Joel Gordillo Solana, Frode Huse Gjendem, Geir Prestegård, Rubén Sánchez Fernández
-
Patent number: 12149543
Abstract: Anomalies are detected in network packet header data associated with a user's smart device that is in communication with one or more external sources via an electronic network. The user's smart device has one or more device classifications. Bayesian priors are stored of network traffic obtained from crowdsourced network packet header data for a plurality of smart devices having one of the same device classifications as the user's smart device. Network traffic obtained from network packet header data for the user's smart device is captured. The network traffic for the user's smart device is compared with the Bayesian priors and any anomalies are identified. The anomalies indicate potential abnormal data communication behavior regarding the user's smart device.
Type: Grant
Filed: February 22, 2022
Date of Patent: November 19, 2024
Assignee: EVERYTHING SET INC.
Inventors: Michael D. Melnick, David L Knudsen
-
Patent number: 12135779
Abstract: Data from a SaaS application may be stored and accessed locally, enabling SaaS data to be interacted with, regardless of connectivity, while providing secure authentication when offline. When online, a user may perform an authentication procedure and provide credentials to an application server, which may provide an authentication token for access to secure data or applications. The authentication token and user credentials may be cached locally. When offline or experiencing intermittent connectivity, if user provided credentials match the cached credentials, then the client application may retrieve the cached authentication token and allow the embedded browser to resume utilizing the network application and/or data; while if the new credentials do not match the previously provided and cached credentials, access may be denied. Thus, the embedded browser may perform authentication agnostic to whether the device is online or offline at that time, requiring no changes to the browser or network application.
Type: Grant
Filed: May 3, 2022
Date of Patent: November 5, 2024
Inventor: Abhishek Chauhan
-
Patent number: 12135791
Abstract: Embodiments of the present invention relate to apparatuses, systems, methods and computer program products for security analysis and validation during construction and deployment of dynamic network components. Specifically, the system is typically structured for identifying and remediating defects in a first resource program code being built at an internal network layer of the first distributed network, in real-time, and validating the first resource program code at both a lower deployment environment and a higher deployment environment. In some aspects, the system, in response to the successful first validation of the first resource program code, stores the first resource program code at an artifactory system. In response to a successful second validation, the system then typically allows deployment of the first resource program code to the lower deployment environment.
Type: Grant
Filed: August 12, 2022
Date of Patent: November 5, 2024
Assignee: BANK OF AMERICA CORPORATION
Inventor: Pierre Jacques Bouchard
-
Patent number: 12137113
Abstract: Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.
Type: Grant
Filed: July 17, 2023
Date of Patent: November 5, 2024
Assignee: Qualys, Inc.
Inventors: Wissam Ali-Ahmad, Wolfgang Kandek, Holger Kruse, Vikas Dewan, Khair-ed-Dine Mazboudi, Ganesh Jampani, Kenneth K. Okumura