Patents Issued on October 12, 2017
- Publication number: 20170295158
  Abstract: A device that incorporates the subject disclosure may perform, for example, generating a security domain root structure for a universal integrated circuit card of an end user device, where the security domain root structure includes a hierarchy of a link provider operator security domain above a mobile network operator trusted security domain, where the link provider operator security domain enables transport management by a link provider operator, and where the mobile network operator trusted security domain enables card content management and subscription eligibility verification by a mobile network operator trusted service manager. Other embodiments are disclosed.
  Type: Application
  Filed: June 22, 2017
  Publication date: October 12, 2017
  Inventor: Walter Cooper Chastain
- Publication number: 20170295159
  Abstract: A computing platform may receive, from a client communication server, a first token request requesting a token for a first client. The computing platform may generate a first token linked to a first record associated with the first client. Subsequently, the computing platform may send, to the client communication server, the first token linked to the first record associated with the first client. Thereafter, the computing platform may receive, from a client portal server, a first token validation request comprising the first token linked to the first record associated with the first client, and may validate the first token linked to the first record associated with the first client. Based on validating the first token, the computing platform may send, to the client portal server, a first token validation message directing the client portal server to provide the first record associated with the first client to the first client.
  Type: Application
  Filed: April 6, 2016
  Publication date: October 12, 2017
  Inventors: Ashish Arora, Vikram Jalota, Andrew T. Keys
- Publication number: 20170295160
  Abstract: Aspects of the subject disclosure may include, for example, a method that includes detecting, by a system comprising a processor, a password creation request; obtaining, by the system, an identification of a password requesting application associated with the password creation request; receiving, by the system, an input password; obtaining, by the system, a transformation key for the input password; transforming, by the system, the input password into an adjusted password by applying the transformation key to the input password; and providing, by the system, the adjusted password to the password requesting application. Other embodiments are disclosed.
  Type: Application
  Filed: April 7, 2016
  Publication date: October 12, 2017
  Inventors: Arthur L. Zaifman, ADAM EDGAR, JOHN M. MOCENIGO
- Publication number: 20170295161
  Abstract: Systems and methods for distributed authorization are described. In some embodiments, an Information Handling System (IHS) may include a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive a first authentication material from a first device; identify, based upon a policy stored in the IHS, a second device; and distribute a second authentication material to the second device.
  Type: Application
  Filed: April 12, 2016
  Publication date: October 12, 2017
  Applicant: Dell Products, L.P.
  Inventors: Daniel L. Hamlin, Warren Wade Robbins, Charles D. Robison
- Publication number: 20170295162
  Abstract: In one embodiment of the present invention a computerized method includes receiving at a personal-mobile device a first communication, which includes information for requesting user verification for logging into an account of a user, via a computing device. The account is with a service provided by an application server. The method includes starting a personal-authentication application on the personal-mobile device in response to receiving the first communication, and receiving in the personal-authentication application a user verification for confirming logging into the account. The method includes logging into the account via the computing device based on receipt of the user verification. Embodiments of the present invention provide enhanced security for logging into an account that a user may have with a service by providing that a personal-mobile device, such as a mobile telephone, which is personal to a user, is configured as a security token for login to the account.
  Type: Application
  Filed: June 21, 2017
  Publication date: October 12, 2017
  Inventor: Philipp Thun
- Publication number: 20170295163
  Abstract: A method and apparatus for providing a masked short message service in a wireless network are disclosed. For example, the method receives a message from a first endpoint device directed to a second endpoint device, wherein the message indicates that the message is a masked short message service message, and forwards the masked short message service message with a code towards the second endpoint device. In one example, the second endpoint device parses the message and executes instructions contained therein, e.g., for sending a regular SMS with content derived from the masked SMS, making a call, playing music, finding location by invoking an API, sending a file or a picture, and any other functions that the second endpoint device may be capable of doing. The masked short message service provides a method for remotely controlling a 2G/3G mobile device through a computer or another mobile device.
  Type: Application
  Filed: June 26, 2017
  Publication date: October 12, 2017
  Inventor: Abdi R. Modarressi
- Publication number: 20170295164
  Abstract: To install a monitor apparatus module, a monitor apparatus transmits a registration request including a client ID and an initial authentication key included in an installer to a management apparatus. When an authentication key related to the client ID included in the registration request is yet to be issued, the management apparatus issues an authentication key and provides the same to the monitor apparatus. Meanwhile, when the authentication key is already issued, the monitor apparatus displays a screen for input of a ticket issued by the management apparatus and resends the initial registration request with the input ticket to the management apparatus. When the ticket included in the registration request is valid, the management apparatus issues the authentication key and provides the same to the monitor apparatus.
  Type: Application
  Filed: March 31, 2017
  Publication date: October 12, 2017
  Inventor: Yuka Sakurai
- Publication number: 20170295165
  Abstract: Techniques are described in which, to access a user's web applications, the user registers and signs on to an aggregator system using any supported login identity provider username and password. When the user registers for the first time, the system collects additional information to verify the user for a subsequent access to the system. The system also automatically creates a system secret username and a secret, highly securely generated password, both of which are unknown and inaccessible to the user. The secret username and password are stored in a lightweight directory access protocol (LDAP) server or database or in a distributed cloud database system. The system also maps the login identity provider user name to the secret user name and password for subsequent usage.
  Type: Application
  Filed: June 19, 2017
  Publication date: October 12, 2017
  Inventors: Nelson A. CICCHITTO, Anthony R. T. SIMMONS
- Publication number: 20170295166
  Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.
  Type: Application
  Filed: June 27, 2017
  Publication date: October 12, 2017
  Inventors: Wei-Qiang Guo, Lynn Ayres, Rui Chen, Sarah Faulkner, Yordan Rouskov
- Publication number: 20170295167
  Abstract: A device may transmit, to a first device, a first point-to-multipoint message to determine whether to request security information. The security information may be associated with permitting the first device to register with a registration device. The device may receive, from the first device, a point-to-multipoint response that includes first device information associated with connecting to the first device. The device may transmit, to the first device, a second point-to-multipoint message based on the first device information. The device may request and receive the security information from the registration device. The device may provide the security information to the first device to permit the first device to register with the registration device.
  Type: Application
  Filed: April 7, 2016
  Publication date: October 12, 2017
  Inventors: Quentin N. ROBINSON, Gabor ILLES, Shamik BASU, Erwin S. LEVY, Mahadevan VISWANATHAN
- Publication number: 20170295168
  Abstract: The present disclosure is drawn to systems and methods for activating a mobile device in an enterprise mobile management context. The mobile device is configured to generate a first device security certificate which comprises a device key and an identifier of the mobile device. The device key corresponds to a shared secret known to the mobile device and to an authentication server. The mobile device sends the first device security certificate to the authentication server. The authentication server validates the mobile device by comparing the device key to a server key and by locating the identifier in a list of known identifiers. When the mobile device is validated, the authentication server sends a first server security certificate to the mobile device. The first device and server security certificates may then be used to establish a secure connection, over which a second set of device and server certificates may be enrolled.
  Type: Application
  Filed: April 11, 2016
  Publication date: October 12, 2017
  Inventor: Tao WAN
- Publication number: 20170295169
  Abstract: A device, system, and method give temporary control of a user device using location based grants. The method performed by a control server of a third party is performed when the user device is in a predetermined area. The method includes transmitting authentication data to the user device, the authentication data configured to authenticate the third party to the user device, the predetermined area being associated with the third party. The method includes receiving a request from the user device for command data, the command data configured to be executed on the user device to provide the third party with a limited control over the user device while the user device remains in the predetermined area. The method includes transmitting the command data to the user device.
  Type: Application
  Filed: April 11, 2016
  Publication date: October 12, 2017
  Inventors: Reinhard KLEMM, Parameshwaran KRISHNAN, Navjot SINGH
- Publication number: 20170295170
  Abstract: A system, a medium, and a method involve a communication interface of a server device that receives first activity data associated with a first activity of an account and second activity data associated with a second activity of the account. A processor of the server device determines a first location of the first activity from the first activity data and a second location of the second activity from the second activity data. An authentication circuit of the server device determines a first authentication of the first activity based at least on the first activity data. The authentication circuit determines a second authentication of the second activity based on at least one of the first authentication, the first location, and the second location. A transmitter of the communication interface transmits an indication of the second authentication to a client device.
  Type: Application
  Filed: February 17, 2017
  Publication date: October 12, 2017
  Inventors: David Edward Eramian, Michael Charles Todasco, Sumeet Ahuja
- Publication number: 20170295171
  Abstract: Some embodiments are directed to a method for peering between first and second modules each installed in a different device, where the device of the first module includes a human-machine interface, and the two devices can be linked by an unsecure communication channel. The method can include: receiving via the human-machine interface a command setting the device of the first module in operating mode so the first module takes control of a part of the communication means of the first device in order to set them in a secure operating mode and takes control of the human-machine interface; establishing a temporarily secure communication between first and second modules; displaying on the human-machine interface a status signaling the set-up of the secure communication; receiving via the human-machine interface a peering acceptance command; and exchanging keys/secrets between the modules through the temporarily secure communication channel to perform the peering.
  Type: Application
  Filed: September 18, 2015
  Publication date: October 12, 2017
  Inventor: Dominique BOLIGNANO
- Publication number: 20170295172
  Abstract: A method and a system are provided for providing a subscription profile on a mobile terminal for communication via a mobile communication network. The method comprises the following steps: the logging in of a first mobile terminal with a first subscription profile to a mobile communication network; the downloading of a second subscription profile to the first mobile terminal via the mobile communication network; and the forwarding of the second subscription profile from the first mobile terminal to a second mobile terminal via a communication channel.
  Type: Application
  Filed: September 22, 2015
  Publication date: October 12, 2017
  Applicant: GIESECKE & DEVRIENT GMBH
  Inventors: Carsten AHRENS, Bernd MÜLLER, Jens DINGER, Andreas MORAWIETZ, Ulrich HUBER
- Publication number: 20170295173
  Abstract: A system for wearable authentication and management is disclosed. In particular, the system may include identifying and authenticating a user through biometric data or movement signatures specific to the wearer of a wearable device. Once the user and wearable device are authenticated, the system may activate and provision connectivity services for the wearable device, associate the device with a device ecosystem of the user, and push predefined settings to the wearable device. Additionally, the system may deliver communications that are transmitted to other devices in the device ecosystem to the wearable device while the wearable device is worn by the user. If the user no longer wears the wearable device or the wearable device is not utilized for a period of time, the system may deactivate the connectivity services for the wearable device and remove any settings pushed to the wearable device.
  Type: Application
  Filed: April 7, 2016
  Publication date: October 12, 2017
  Applicant: AT&T Mobility II LLC
  Inventors: Matthew Walsh, Christopher McConnell, Jeff Pedro, Matthew Mayheu
- Publication number: 20170295174
  Abstract: An electronic device is provided. The electronic device includes a communication circuit configured to communicate with a user terminal and an authentication server, a memory configured to store a plurality of one time password (OTP) generation modules and a plurality of module identification information respectively corresponding to the plurality of OTP generation modules, and a processor electrically connected with the communication circuit and the memory.
  Type: Application
  Filed: April 7, 2017
  Publication date: October 12, 2017
  Inventors: Kyung Dong KIM, Boo Hyun CHO
- Publication number: 20170295175
  Abstract: An account authentication method performed at a server, including: receiving a login request sent by an initiating terminal; searching, among binding relationships between initiating terminal identifiers, authentication terminal identifiers, and registered biological characteristic information according to the first terminal's identifier, a matching target binding relationship; when found, sending an authentication request to an authentication terminal corresponding to an authentication terminal identifier; receiving biological characteristic information that is sent by the authentication terminal, and determining, through comparison, whether the biological characteristic information is consistent with registered biological characteristic information included in the target binding relationship; and if so, authenticating the login request.
  Type: Application
  Filed: June 22, 2017
  Publication date: October 12, 2017
  Inventor: Xiaolong GUO
- Publication number: 20170295176
  Abstract: Various exemplary embodiments relate to an anonymous database system. The system includes a plurality of biometric nodes in communication with one another. Each of the plurality of biometric nodes includes a biometric input that receives biometric data from a user. The system also includes at least one central database in communication with the plurality of biometric nodes; and a plurality of institution databases in communication with the plurality of biometric nodes. A first node of the plurality of biometric nodes is configured to receive a message from a second node of the plurality of biometric nodes, the message requesting authorization of data access by the second node. Various embodiments relate to a method for performing an action requiring multiple levels of authentication using an anonymous database system.
  Type: Application
  Filed: June 23, 2017
  Publication date: October 12, 2017
  Inventors: Alan M. Pitt, Shahram Partovi
- Publication number: 20170295177
  Abstract: An identity verification method performed at a terminal includes: displaying and/or playing in an audio form action guide information selected from a preset action guide information library, and collecting a corresponding set of action images within a preset time window; performing matching detection on the collected set of action images and the action guide information, to obtain a living body detection result indicating whether a living body exists in the collected set of action images; according to the living body detection result that indicates that a living body exists in the collected set of action images: collecting user identity information and performing verification according to the collected user identity information, to obtain a user identity information verification result; and determining the identity verification result according to the user identity information verification result.
  Type: Application
  Filed: June 23, 2017
  Publication date: October 12, 2017
  Inventors: Feiyue HUANG, Jilin LI, Guofu TAN, Xiaoli JIANG, Dan WU, Junwu CHEN, Jianguo XIE, Wei GUO, Yihui LIU, Jiandong Xie
- Publication number: 20170295178
  Abstract: The present disclosure provides a solution to this problem by enabling the communications network to verify the relationship of the first UE and the second UE based on stored pairing information that is used to verify that the first UE is allowed to make a connection to the communications network. The apparatus transmits a pairing request from a first UE to a second UE. In an aspect, the pairing request is intended for a communication network. Further, the apparatus receives a pairing acknowledgement. In an aspect, the pairing acknowledgement verifies the pairing of the first UE and the second UE. In addition, the apparatus connects to the communication network via the second UE once the first UE pairs with the second UE.
  Type: Application
  Filed: March 2, 2017
  Publication date: October 12, 2017
  Inventors: Hong CHENG, Kapil GULATI, Sudhir Kumar BAGHEL, Zhibin WU, Shailesh PATIL, Hua CHEN
- Publication number: 20170295179
  Abstract: Systems and methods are disclosed for collaborative authentication of a person based on an interaction with another person. A request for collaborative authentication is sent to the computing device of a person wanting to access a system, including an authentication ID unique to the request. The person collaborates with another person associated with the system and provides the second person with the authentication ID. The second person sends the authentication ID to the system such that the system associates the second person with the first person. Data is sent to the second person in order to challenge the first person. The first person responds to the challenge using the computing device and the system receives the response. The system compares the response to an expected answer and can either allow or deny the first person access to the system based on the comparison. Co-location may also be verified.
  Type: Application
  Filed: June 23, 2017
  Publication date: October 12, 2017
  Inventor: Simon Dominic Copsey
- Publication number: 20170295180
  Abstract: Control of access by a requesting entity to an asset includes defining an approved state of the requesting entity. A validation of a representation of the approved state in a non-repudiatable form is obtained from an event validation system. The requesting entity is triggered to determine its current state by an access-control entity, which compares the current state with the approved state and allows access by the requesting entity to the asset only if the current state is the same as the approved state. In a pre-authorization procedure, one or both of the entities issues a data set challenge to the other, which then validates the challenge via the event validation system and returns this validation to the challenging entity, which then checks the validation to see if it is correct. Data sets may be validated, for example, with hash tree based signatures or blockchain entries.
  Type: Application
  Filed: April 6, 2016
  Publication date: October 12, 2017
  Applicant: Guardtime IP Holdings Limited
  Inventors: Garrett DAY, Jeffrey PEARCE, David E HAMILTON, JR., Kevin ZAWICKI, Roger GUSEMAN
- Publication number: 20170295181
  Abstract: A method, a system and/or an apparatus of activity based access control in heterogeneous information technology infrastructure is disclosed. The infrastructure security server authenticates that a user is authorized to access a set of heterogeneous cloud-based services using at least one heterogeneous authorization system. The method monitors an activity of the user when accessing any of the set of heterogeneous cloud-based services over a period of time using a processor and a memory. The method dynamically adjusts access privileges to the set of heterogeneous cloud-based services. The adjustment to the access privileges includes a revocation of access to the user to a particular service of the set of heterogeneous cloud-based services and/or dynamically granting of access to the user to the particular service of the set of heterogeneous cloud-based services.
  Type: Application
  Filed: April 7, 2017
  Publication date: October 12, 2017
  Inventors: Balaji Parimi, Koteswara Rao Cherukuri
- Publication number: 20170295182
  Abstract: In some embodiments, the present invention provides for an exemplary inventive device which includes at least the following components: a secure lockdown component that is operationally associated with at least one electronic control unit (ECU) of at least one network; where the secure lockdown component is configured such that the device physically separates at least one of: i) the at least one network from any other network, ii) the at least one network from external inputs directed to the at least one network, iii) the at least one ECU from at least one other ECU, iv) the at least one ECU from external inputs directed to the at least one ECU, v) at least one memory component within the at least one ECU from at least one processing unit within the at least one ECU, and vi) any combination thereof.
  Type: Application
  Filed: April 12, 2017
  Publication date: October 12, 2017
  Inventors: Dionis Teshler, Moshe Shlisel, Idan Nadav
- Publication number: 20170295183
  Abstract: An example method is provided for a computing device to perform access control for a user account. The method may comprise receiving a request for the user account to access a resource; determining a first permission set and a second permission set required to access the resource; and performing a first search and a second search in parallel. Prior to receiving results from the second search and in response to determination that the user account is assigned to the first permission set based on results of the first search, permitting the user account to access the resource using the first permission set; and in response to determination that the user account is assigned to the second permission set based on results of the second search, permitting the user account to access the resource using the second permission set.
  Type: Application
  Filed: April 8, 2016
  Publication date: October 12, 2017
  Applicant: VMware, Inc.
  Inventors: Vardan MOVSISYAN, Harutyun BEYBUTYAN
- Publication number: 20170295184
  Abstract: An approach for standardizing access to user registries, the approach involving providing a first schema extension to an identity management system and a bridge component to an identity management application wherein the bridge component comprises a second schema extension to the identity management application, receiving a request in a first data format associated with the identity management system, converting the request into a second data format associated with the identity management application and executing the request in the identity management application, receiving a response to the request in the second data format, converting the response into the first data format and returning the response to an end user via the identity management system.
  Type: Application
  Filed: April 12, 2016
  Publication date: October 12, 2017
  Inventors: John Kurian, Sunil Mathew George, Rohan S. Zunzarrao
- Publication number: 20170295185
  Abstract: The system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record; if they match, the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.
  Type: Application
  Filed: June 23, 2017
  Publication date: October 12, 2017
  Inventors: Xin Wang, Lee Chen, John Chiong
- Publication number: 20170295186
  Abstract: An example method is provided for a computing device to perform access control for a user account. The method may include receiving a request for the user account to access a resource, wherein the resource is accessible via the computing device, and determining a permission set required to access the resource. The method may further include performing a bidirectional search to determine whether the user account is assigned to the permission set, the bidirectional search including a first search and a second search. In response to determination that the user account is included in a nested group membership that assigns the user account to the permission set based on the bidirectional search, the method may include permitting the user account to access the resource using the permission set.
  Type: Application
  Filed: April 8, 2016
  Publication date: October 12, 2017
  Applicant: VMware, Inc.
  Inventors: Vardan MOVSISYAN, Harutyun BEYBUTYAN
- Publication number: 20170295187
  Abstract: In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirms certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.
  Type: Application
  Filed: April 6, 2016
  Publication date: October 12, 2017
  Inventors: Jiri Havelka, Michal Sofka, Martin Rehák
- Publication number: 20170295188
  Abstract: In one implementation, a method for automatically generating a security policy for a controller includes receiving, by a security policy generation system and from a controller development environment, code for a device controller; selecting middleware that enforces a security policy; analyzing the code for the device controller; based at least in part on the analyzing, automatically generating the security policy; and providing the selected middleware along with the generated security policy.
  Type: Application
  Filed: April 5, 2017
  Publication date: October 12, 2017
  Inventors: Tal Efraim Ben David, Assaf Harel, Amiram Dotan, David Barzilai
- Publication number: 20170295189
  Abstract: Embodiments of the present invention may provide the capability to identify security breaches in computer systems from clustering properties of clusters generated based on monitored behavior of users of the computer systems by using techniques that provide improved performance and reduced resource requirements. For example, behavior of users or resources may be monitored and analyzed to generate clusters and train clustering models. Labeling information relating to some user or resource may be received. When users or resources are clustered and when a cluster contains some labeled users/resources, then an anomaly score can be determined for a user/resource belonging to the cluster. A user or resource may be detected to be an outlier of at least one cluster to which the user or resource has been assigned, and an alert indicating detection of the outlier may be generated.
  Type: Application
  Filed: April 11, 2016
  Publication date: October 12, 2017
  Inventors: ALLON ADIR, Ehud Aharoni, Lev Greenberg, Oded Margalit, Rosa Miroshnikov, Oded Sofer, Boris Rozenberg
- Publication number: 20170295190
  Abstract: A security agent implemented on a monitored computing device is described herein. The security agent is configured to receive an event notification indicative of execution of an object and store, in a data structure on the monitored computing device, information associated with the event notification and the object. The security agent is further configured to receive an event notification indicative of an occurrence on the monitored computing device of an activity. Based at least in part on the stored information, the security agent correlates the occurrence of the activity with the execution of the object and generates an exploit detection event based on the correlating.
  Type: Application
  Filed: April 11, 2016
  Publication date: October 12, 2017
  Inventor: Daniel W. Brown
- Publication number: 20170295191
  Abstract: A method of load balancing by multiple cores in a multi-core-based load balancing apparatus comparing arriving packets with a signature is provided, and comprises first load-balancing first packets arriving on the multiple cores during a first period based on an arrival rate of the first packets, identifying a signature for the comparison, analyzing the first packets, determining at least one service type of the first packets, estimating a mean deep packet inspection (DPI) time corresponding to the determined at least one service type of the first packets, generating a load balancing rule using the estimated mean DPI time, and second load-balancing second packets arriving on the multiple cores during a second period using the generated load balancing rule.
  Type: Application
  Filed: April 7, 2017
  Publication date: October 12, 2017
  Inventors: Yoon-Ho CHOI, Seung-Woo SEO, Bon-Hyun KOO, Hye-Jung CHO
-
Publication number: 20170295192
Abstract: A system for processing a file using a file issue exclusion policy to manage risk is disclosed. If a file does not conform to a set of rules and would otherwise be quarantined, a file issue exclusion policy can be reviewed. If the file issue exclusion policy indicates that the reason why the file did not conform to the set of rules is acceptable, the file can be delivered to the recipient despite not conforming to the set of rules.
Type: Application
Filed: June 27, 2017
Publication date: October 12, 2017
Inventors: SAMUEL HARRISON HUTTON, LEON MAURICE SHIRK
-
Publication number: 20170295193
Abstract: Techniques are disclosed for providing a context-aware description of anomalous behavior in a computer network. According to one embodiment of the present disclosure, a description of an anomaly detected in computer network activity is received. The description includes one or more features of the computer network associated with the anomaly. Contextual information relating to at least one of the features is generated based on a logical network topology. The logical network topology specifies a plurality of network traffic attributes of the computer network. An alert that includes a second description of the anomaly and the contextual information is generated.
Type: Application
Filed: April 21, 2016
Publication date: October 12, 2017
Inventors: Tao YANG, Ming-Jung SEOW, Gang XU
-
Publication number: 20170295194
Abstract: Systems and methods for evaluating the evaluation behaviors of an evaluator are presented. In contrast to evaluation methods that monitor and analyze click behaviors, the disclosed subject matter is directed to evaluating non-click behaviors. After obtaining results of an evaluation request submitted to a response service for evaluation by the evaluator, evaluation behaviors of the evaluator are monitored. The monitored evaluation behaviors are in association with an evaluation of the obtained results, and one or more heuristics or rules are applied to the monitored evaluation behaviors to determine whether the monitored evaluation behaviors are within predetermined quality thresholds. If the monitored evaluation behaviors are not within the predetermined quality thresholds, the monitored evaluation behaviors are flagged as anomalous evaluation behaviors.
Type: Application
Filed: July 25, 2016
Publication date: October 12, 2017
Inventors: Imed Zitouni, Ahmed Awadallah, Bradley Paul Wethington, Aidan C Crook
-
Publication number: 20170295195
Abstract: An Identity Based Behavior Measurement Architecture (such as the BMA) and related technologies are described herein. In an exemplary embodiment, the BMA can be derived from an IMA and use an identity model to express a deterministic measurement value for platform behavior.
Type: Application
Filed: April 6, 2017
Publication date: October 12, 2017
Inventors: Gregory Henry Wettstein, Scott Byron Stofferahn, Richard William Engen, Johannes Christian Grosen
-
Publication number: 20170295196
Abstract: Examples relate to detecting network anomalies. In one example, a computing device may: receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device; provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the DNS query packets; receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the DNS query packets; and in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.
Type: Application
Filed: April 10, 2015
Publication date: October 12, 2017
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventors: Simon Ian ARNELL, Marco CASASSA MONT, David Andrew GRAVES, Edward REYNOLDS, Niall Lawrence SAUNDERS
-
Publication number: 20170295197
Abstract: A method, system and/or an apparatus to detect discrepancy in infrastructure security configurations from translated security best practice configurations in heterogeneous environments is disclosed. A method of an infrastructure security server communicatively coupled with a set of heterogeneous infrastructures translates a set of security best practice configurations of the heterogeneous infrastructures and/or a set of common vulnerabilities and exposures (CVE) of the heterogeneous infrastructures to programmatic execution. The method monitors the infrastructure security configurations associated with the heterogeneous infrastructures using a processor and a memory. The method analyzes the infrastructure security configurations based on the translated security best practice configurations and/or the translated common vulnerabilities and exposures (CVE).
Type: Application
Filed: April 7, 2017
Publication date: October 12, 2017
Inventors: Balaji Parimi, Koteswara Rao Cherukuri
-
Publication number: 20170295198
Abstract: An approach for addressing (e.g., preventing) detected network intrusions in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, users may group components/systems of an environment/domain according to a range of security sensitivity levels/classifications. The users may further configure rules for responding to security threats for each security sensitivity level/classification. For example, if a “highly dangerous” security threat is detected in or near a network segment that contains highly sensitive systems, the user may configure rules that will automatically isolate those systems that fall under the high security classification. Such an approach allows for more granular optimization and/or management of system security/intrusion prevention that may be managed at a system level rather than at a domain level.
Type: Application
Filed: June 26, 2017
Publication date: October 12, 2017
Inventors: Kelly Abuelsaad, Lisa Seacat DeLuca, Soobaek Jang, Daniel C. Krook
-
Publication number: 20170295199
Abstract: Systems and methods for cloud security monitoring and threat intelligence in accordance with embodiments of the invention are disclosed. In one embodiment, a process for monitoring and remediation of security threats includes generating a threat model using a first portion of activity data, identifying, based upon the threat model, a threat using a second portion of activity data, selecting a security policy to implement in response to the identified threat, identifying cloud security controls in a remotely hosted cloud application server system to modify in accordance with the selected security policy, establishing a secure connection to the remotely hosted cloud application server system using login credentials associated with a tenant account with the cloud application, and sending instructions to the remotely hosted cloud application server system to set the identified cloud security controls with respect to the tenant account in accordance with the selected security policy.
Type: Application
Filed: June 23, 2017
Publication date: October 12, 2017
Applicant: Oracle International Corporation
Inventors: Ganesh Kirti, Rohit Gupta, Kamalendu Biswas, Ramana Rao Satyasai Turlapati
-
Publication number: 20170295200
Abstract: Disclosed are systems and methods for distributed denial of service (DDoS) protection. One or more nodes in a plurality of routes between a first node and a second node are identified. The one or more nodes can be identified at a predefined interval, or in response to one or more operational metrics exceeding a threshold. Network addresses of the identified one or more nodes are modified.
Type: Application
Filed: April 11, 2017
Publication date: October 12, 2017
Inventor: Taric Mirza
-
Publication number: 20170295201
Abstract: In accordance with the example embodiments of the invention there is at least a method and apparatus to detect that at least one message received from another network device of a communication network is in response to a prior message using a spoofed source address; based on the detecting, mirror the at least one message; and send to the other network device the mirrored at least one message to cause the other network device to filter out the at least one message in response to the prior message using the spoofed address. Further, there is at least a method and apparatus to receive from a network node signaling associated with at least one message; based on the signaling, detect that the at least one message is in response to a prior message using a spoofed source address; and based on the detecting, filter out the at least one message in response to the prior message using the spoofed source address.
Type: Application
Filed: February 24, 2017
Publication date: October 12, 2017
Inventors: Martin K. Peylo, Silke Holtmanns
-
Publication number: 20170295202
Abstract: A computer implemented method, comprising obtaining a first hyperlink associated with a first web resource accessible via a client terminal, converting one or more portions of the first hyperlink into a query comprising search term(s) derived, at least partially, from the portion(s) of the first hyperlink, submitting the query to search engine(s) configured to search for information via the internet, receiving, from the search engine(s), search results associated with the query, the search results including one or more second hyperlinks, determining whether to replace the first hyperlink with a replacement hyperlink selected from the second hyperlink(s) based, at least partially, on a result of an analysis of similarity of the first hyperlink compared to each of the second hyperlink(s), and causing the client terminal to access either the first web resource associated with the first hyperlink or a second web resource associated with the replacement hyperlink based on the determination.
Type: Application
Filed: April 12, 2016
Publication date: October 12, 2017
Inventor: Arie AHARON
-
Publication number: 20170295203
Abstract: A personalized website theme for a website is received. The personalized website theme is distinct from a standard theme of the website. Further, a set of data is sent to the computing device. The set of data includes an indicium indicating the personalized website theme so that the computing device displays the website according to the personalized website theme at least prior to a request for identifying data associated with access to an account on the website.
Type: Application
Filed: May 18, 2017
Publication date: October 12, 2017
Applicant: Adobe Systems Incorporated
Inventor: William Shapiro
-
Publication number: 20170295204
Abstract: Disclosed in the embodiment of the present invention is a method for acquiring session initiation protocol (SIP) signaling decryption parameters, and the method comprises the following steps: the authentication information of the Gm interface and the authentication information of the Cx interface are acquired; a security association (SA) decryption table is created according to the acquired authentication information of the Cx interface and authentication information of the Gm interface, wherein the SA decryption table comprises SIP signaling decryption parameters. A device for acquiring SIP signaling decryption parameters is also disclosed in the embodiments of the present invention.
Type: Application
Filed: May 25, 2015
Publication date: October 12, 2017
Inventors: Zhisen Gao, Longyun Qi, Lei Chen
-
Publication number: 20170295205
Abstract: Disclosed herein are an apparatus and method for security policy management, which manages a network access policy in order to integrate distributed security policies and to apply the integrated security policy in a smart grid environment. The apparatus for security policy management includes a rule set generation unit for generating a rule set by converting predefined access policy security rules, acquired from one or more systems, into a document in a standard format, a topology extraction unit for extracting a network topology from a network diagram of the one or more systems, and a standard policy generation unit for generating a standard policy by combining the generated rule set with the extracted topology.
Type: Application
Filed: April 7, 2016
Publication date: October 12, 2017
Inventors: Yoojin KWON, Yonghun LIM, Seongho JU, Moonseok CHOI, Yooseok LIM
-
Publication number: 20170295206
Abstract: A system and method for application software security and auditing are disclosed. A particular embodiment includes an application security management system configured to: cause installation of a client application (app) agent in a client app on a client app server; communicate with the client app agent via a data network to collect trace data corresponding to data elements accessed in the client app and previously identified as sensitive data; cause transfer of information indicative of the trace data to a host site via the data network; identify a policy corresponding to the trace data; and apply the identified policy to the sensitive data elements in the client app.
Type: Application
Filed: April 5, 2017
Publication date: October 12, 2017
Inventors: Michael Feiertag, Garrett Held, Andre Eriksson, William Saar
-
Publication number: 20170295207
Abstract: An attack data packet processing method, an apparatus, and a system are provided. The method includes receiving, by a management node, description information of an attack data packet and an attack type of the attack data packet, where the description information and the attack type are sent by an awareness node; determining a processing policy on the attack data packet of the attack type according to the attack type; and sending the description information and the processing policy to a switch using a software-defined networking controller, so that the switch performs an operation indicated by the processing policy on the attack data packet with the description information.
Type: Application
Filed: June 22, 2017
Publication date: October 12, 2017
Inventors: Qinghua Yu, Xinhua Yang