Abstract: Systems and techniques provide activity monitoring and selective obfuscation of various fields or categories of information included in traffic between servers providing services and end-user devices accessing such services. The selective obfuscation may account for a user's role and one or more levels of authorization or permission assigned to such a role. More generally, the disclosed techniques provide the ability to selectively restrict end-user access to data included in server responses, such that desired portions of the data are not accessible while other portions of the data are still accessible. An administrator tool may configure the permissions and rules used to decide whether traffic to or from a particular server or service should be selectively obfuscated; and if so, how that traffic should be selectively obfuscated.

Abstract: The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.

Abstract: Methods and systems disclosed provide for creating private networks for secured communication between devices. The devices can communicate with each other over a secure tunnel created for a closed circle of devices. Furthermore, the methods and systems can enable offline communication between devices on a private network.

Abstract: Methods for establishing a stateless extranet in a secure communication network include transmitting a consumer NHOP to a provider CPE from a consumer CPE in a control plane. The consumer NHOP is associated with at least one attribute of an NHOP, including an encryption key available with the consumer CPE, to establish a secure communication tunnel in a data plane. The consumer CPE receives a service definition over the control plane associated with a service available with the provider CPE. A service anchor point is created based on an identifier of the service definition. A network address translation (NAT) IP request is transmitted to the provider CPE. The consumer CPE receives a NAT IP from the provider CPE in response to the NAT IP request. The NAT IP is associated with the service anchor point of the consumer CPE. A stateless service is thereby instantiated on the consumer CPE.

Abstract: An edge node has a central processing operable to gather sensor node data via a sensor and store at least part of the sensor node data locally in a public region of a persistent storage. The edge node backs up duplicate portions of the sensor node data to public storage regions of peer-edge nodes. The edge node receives private data from a host that is coupled to the edge computing node and the peer edge nodes, and stores the private data in a private region of the persistent storage. The private region is protected from the peer edge nodes using distributed key management.

Abstract: Methods, systems and apparatus, including computer programs encoded on computer storage medium, for implementation of secret superposition protocols. In one aspect a method includes, performing, by a sender party, quantum operations on one or more qubits, comprising preparing, according to a predetermined secret superposition protocol, one or more qubits in respective uniform superposition quantum states; transmitting, by the sender party, to a recipient party, and through a secure channel, data indicating use of the predetermined secret superposition protocol; and transmitting, by the sender party and to the recipient party, one or more of the qubits, to wherein the recipient party performs one or more measurements on the qubits to verify use of the predetermined secret superposition protocol.

Abstract: Embodiments described herein are directed to intelligently classifying Web trackers in a privacy preserving manner and mitigating the effects of such Web trackers. As users browse the Web and encounter various Web sites, tracker-related metrics are determined. The metrics are obfuscated to protect the privacy of the user. The obfuscated metrics are provided as inputs to a machine learning model, which is configured to output a classification for the Web trackers associated with the Web sites visited by the user. Depending on the classification, the effects of the Web trackers are mitigated by placing restrictions on the Web trackers. The restrictions for a particular Web tracker may be relaxed based on a level of user engagement a user has with respect to the tracker's associated Web site. By doing so, the compatibility risks associated with tracking prevention are mitigated for Web sites that are relatively important to the user.

Abstract: A hardware security module (HSM) client processes a request to store data in a set of HSMs. The HSM client determines a property of the data indicative of a sensitivity classification of the data. As a result of determining the data lacks a classification as sensitive, the HSM client transmits the data to a data store outside the set of HSMs and updates a database used by the HSM client to associate an identifier of the data with a reference to a location in the data store.

Abstract: In one embodiment, a method comprises: generating and maintaining, by a replicator device in a secure peer-to-peer data network, a secure private key and secure public key; establishing a two-way trusted relationship with a second replicator device for a pairwise topology of two-way trusted replicator devices; establishing a two-way trusted relationship with a first endpoint device based on validating a secure attachment request using the secure private key, and obtaining a second secure public key of the first endpoint device; validating, using the second secure public key, a secure data packet from the first endpoint device and destined for the second endpoint device, and obtaining information for reaching the second endpoint device via the second replicator device; and securely signing the secure data packet, received from the first endpoint device and destined for the second endpoint device, into a secure forwarded packet for secure transmission to the second replicator device.

Abstract: Disclosed is a system and a method for information distribution. The system comprises: a server for generating a group key and its corresponding key deriving parameter, wherein the server encrypts sensitive contents by using the group key to obtain encrypted information; and terminals configured to receive the encrypted information through an open channel, extract the group key, then decrypt the encrypted information by using the group key to obtain the original content. In the group forming process, each terminal encrypts its private identifier using the public key and submits the ciphertext to the server. In information distribution process, the server transmits the ciphertext of sensitive contents and the key deriving parameter to the terminals via open channel Because private information available only to respective group members is required for calculating the group key, this mechanism ensures that the sensitive content can be transmitted securely on the open channel.

Abstract: A secure communication tunnel between user space software and a client device can be established. A private session key can be communicated from the user space software to a network communication device via an application programming interface. Outbound session packets can be communicated from the user space software to the network communication device. The network communication device can generate encrypted outbound session packets by encrypting the outbound session packets using the private session key; communicate to the client device, via the secured communication tunnel, the encrypted outbound session packets; receive, by the network communication device from the client device, via the secured communication tunnel, inbound session packets; generate decrypted inbound session packets by decrypting the inbound session packets using the private session key; and communicate the decrypted inbound session packets.

Abstract: This present disclosure generally relates to managing encrypted network traffic using Domain Name System (DNS) responses. One example includes requesting an address; receiving a response from the resolution server including one or more addresses associated with the domain name; associating with the domain name a particular address selected from the received one or more addresses; receiving a request to resolve the domain name; sending a response to the request to resolve the domain name, the sent response including the particular address associated with the domain name; receiving a secure request for a resource, the secure request directed to the particular address associated with the domain name; and determining that the secure request is directed to the domain name based on the association between the particular address and the domain name.

Abstract: Systems and methods related to a VPN controller are provided. In some embodiments, a first VPN controller is configured to establish a VPN tunnel with a client endpoint, wherein the VPN tunnel is established using an authentication process of the client endpoint, route a L2 request to a second VPN controller via an established communication tunnel between the first VPN controller and the second VPN controller by identifying a Generic Routing Encapsulation (GRE) header of the L2 request and based on the GRE header of the L2 request, directing the L2 request to a responsive L2 device accessible by the second VPN controller, receive an encapsulated L2 response from the second VPN controller identifying acceptance of the L2 request, and enable an electronic communication between the client endpoint and the responsive L2 device at least via the VPN tunnel between the client endpoint and the first VPN controller.

Abstract: Data protection in a storage system that includes a plurality of Non-Volatile Memory Express (‘NVMe’) Solid State Drives (‘SSDs’), including: retrieving, from a plurality of NVMe SSDs (‘Non-Volatile Memory Express Solid State Drives’) of a storage system, one or more unencrypted shares of a master secret; reconstructing the master secret using the shares of the master secret; decrypting one or more encrypted device keys using the master secret; and using the decrypted device keys to perform a plurality of accesses to one or more of the NVMe SSDs.

Abstract: The present application relates to devices and components including apparatus, systems, and methods for secured user equipment communications over a user equipment relay. In some embodiments, symmetric or asymmetric encryption may be used for the secured user equipment communications.

Abstract: A method for privacy control in release of protected information includes: storing, in a memory of a first computing system, a plurality of data pairs, each of the plurality of data pairs including at least a decryption key and a registration identifier; receiving, by a receiver of the first computing system, a data request, the data request including at least a user identifier of a user associated with the data being requested in the data request; receiving, by the receiver of the first computing system, a registration identifier of the data being requested in the data request; identifying, by a processor of the first computing system, a data pair based on the registration identifier; and transmitting, by a transmitter of the first computing device, a decryption key of the identified data pair to a second computing system.

Abstract: Disclosed in some examples are devices, systems, and machine readable mediums for establishing peer to peer mobile wallet communications (P2PMW) over short range wireless communication networks. These P2PMW communications allow exchange of information between two wallet clients. Example communications include payments, providing identification, providing loans, and the like. The use of P2PMW communications opens up the prospect of anyone accepting payment from anybody else at any time. All that is needed is a computing device with a mobile wallet. Example short range wireless communications include Wireless LANs (WLAN) such as WIFI (e.g., communicating according to an Institute for Electrical and Electronics Engineers (IEEE) 802.11 family of standards), BLUETOOTH® or the like.

Abstract: Methods, apparatuses, and computer program products are disclosed for securely migrating data between devices. An example method includes receiving a request at a first time for data migration between a first user device and a second user device each associated with a first user. The method further includes retrieving a baseline attribute dataset associated with the first user generated before the first time and generating a first attribute dataset associated with the first user. The method includes authenticating a session between the first user device and the second user device at the first time and causing data transfer between the first user device and the second user device. The method further includes generating a second attribute dataset associated with the first user at a second time after the first time and authenticating the session at the second time based on the first attribute dataset and the second attribute dataset.

Abstract: Example embodiments of systems and methods for data transmission between a contactless card, a client device, and one or more servers are provided. The memory of the contactless card may include one or more applets and a counter. The client device may be in data communication with the contactless card and one or more servers, and the one or more servers may include an expected counter value. The client device may be configured to read the counter from the contactless card and transmit it to the one or more servers. The one or more servers may compare the counter to the expected counter value for synchronization. The contactless card and the one or more servers may resynchronize the counter, via one or more processes, based on one or more reads of the one or more applets. The one or more servers may authenticate the contactless card based on the resynchronization.

Abstract: Embodiments as disclosed provide systems and methods that use a local authenticator within a domain to provide a credential to access a resource of the domain to a non-local requestor. When a request is received from a non-local requestor at the domain the non-local requestor can be authenticated based on the request. The local authenticator can then be accessed to obtain a credential. This credential may be the same type of credential provided to members of the domain when they authenticate using the local authenticator. The credential is provided to the non-local requestor so the non-local requestor can access the resource of the domain using the credential and authentication of the non-local requestor with respect to these accesses can be accomplished using the local domain authenticator and the credential.

Abstract: Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.

Abstract: Methods, computer-readable media, software, and apparatuses are provided to assist a user and vendor in completing an online trusted transaction. Trusted vendor websites are verified and user identities are confirmed through a cyber-security safe logon credentialing system. The vendor can be confident that the user identity has been verified to be who they say they are and the user can be confident that they are using a trusted verified vendor website.

Abstract: A method for automatically attaching a purpose-built electronic device to a provider network includes steps of discovering, by a Wi-Fi module of the purpose-built electronic device, a wireless data network in operable communication with the provider network selecting, by the Wi-Fi module, the wireless data network, transmitting a primary authentication certificate from the Wi-Fi module to an authentication, authorization, and accounting server of the provider network, receiving, by an application server of the provider network, a secondary authentication certificate from a functionality module of the purpose-built electronic device authenticating, by the provider network, the primary and secondary authentication certificates, and attaching the purpose-built device to the provider network.

Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.

Abstract: A monitoring method includes obtaining identification information of a digital certificate processing device, establishing a connection with the digital certificate processing device according to the identification information, sending monitoring information to the digital certificate processing device, receiving operation data fed back according to the monitoring information, and monitoring an operation status of the digital certificate processing device according to the operation data.

Abstract: Example method includes: establishing a secure tunnel with an unauthenticated client device associated with a user of a restricted network; receiving user credentials associated with the user and transmitted from the unauthenticated client device within the secure tunnel; validating the received user credentials; and transmitting at least a client certificate and device configuration information to the unauthenticated client device within the secure tunnel such that the unauthenticated client device is able to access the restricted network after installing the client certificate and applying the device configurations based on the received device configuration information.

Abstract: A communication terminal includes a memory in which identification information associated with a user is stored, a controller that carries out authentication of the user, and a communication interface that transmits a signal including the identification information. When user authentication is successful, the controller sets the communication terminal to a first state in which the signal is transmitted to an external apparatus, and when user authentication is not successful, the controller sets the communication terminal to a second state in which the signal is not transmitted to the external apparatus.

Abstract: A method of authenticating a user of a multifunction device to a server, the method comprising associating a user-supplied image with user login credentials, using a server; receiving, at the server, an image uploaded from the multifunction device; and comparing the uploaded image to the user-supplied image, using the server, and, only if the uploaded image matches the user-supplied image, allowing the user of the multifunction device to authenticate to the server by providing additional login credentials to the server using the multifunction device.

Abstract: Devices, systems, and methods with behavioral one-time-passcode (OTP) generation. In one example, a server includes a memory and an electronic processor communicatively connected to the memory. The memory includes a behavioral one-time-passcode (OTP) program and a user profile repository. The electronic processor, when executing the behavioral OTP program, is configured to receive a one-time-passcode (OTP) request, generate a behavioral one-time-passcode (OTP) based on a user profile stored in the user profile repository in response to receiving the OTP request, and output the behavioral OTP that is generated.

Abstract: Described herein are computerized methods and systems for user authentication using an imaged machine-readable identity document. A server receives an authentication request from a first client device, including image files corresponding to a user's machine-readable identity document. The server displays on the first client device user-identifying data elements extracted from the image files. The server captures additional user-identifying data elements from the first client device, and verifies the user's identity based upon the user-identifying data elements. The server determines user contact channel data based upon the verified identity. The server displays the contact channel data on the first client device, and generates a transient access code upon receiving a contact channel selection.

Abstract: An apparatus for classifying a user to an electronic authentication card, the apparatus comprising at least a processor and a memory communicatively connected to the processor, the memory containing instructions configuring the at least a processor to receive user data comprising a transaction history, identify a plurality of authentication card parameters as a function of user input, determine a plurality of access rights as a function of user data and the plurality of authentication card parameters and generate an access pairing data structure linking the plurality of access rights to the authentication card.

Abstract: Embodiments described herein disclose technology for verifying authorization of an application download. The system can receive from a device associated with a user, a request to download an application. In response to a first instance of the application being downloaded on the device, the system can assign a unique identifier to the first instance of the application. After the application is downloaded and prior to granting the person requesting the application download access to the first instance of the application, the system can request via the first instance of the application identification information and particular authentication information to verify that the person requesting the application download is authorized to do so. In response to verifying that the person requesting the application download is authorized, the unique identifier can be associated with the account, user and/or device to result in a verified download of the first instance of the application.

Abstract: Systems and methods are provided for establishing a secure communication link between a first client and a second client. One exemplary computer-implemented method for establishing a secure communication link between a first diem and a second client includes accessing, from a storage, identification information of a user of the first client. The method further includes receiving a Domain Name Service (DNS) request from the first client requesting a secure network address corresponding to a secure domain name associated with the second client. The method further includes authenticating the user based on the user identification information. The method also includes transmitting the secure computer network address in response to the DNS request based on a determination that the user has been authenticated. A secure communication link between the first diem and the second client is established based on the secure computer network address.

Abstract: The present disclosure provides methods and systems for secure logon. One or more method includes: determining, via authentication information provided by a user of an electronic device, that the user is authorized to access an online account provided by the online account provider; providing the user with a selectable option to enable an expedited logon process by which the user can access the online account by solely providing a particular authentication item of the user; receiving a verification credential in response to a next logon attempt using the expedited logon process; and verifying that the received verification credential matches an assigned verification credential provided to the user for use in conjunction with the next logon attempt using the expedited logon process.

Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of authenticating customers and service agents. The innovation receives a connection request to connect a customer and a service agent. The customer is authenticated for the service agent by matching biometric data of the customer to previously stored biometric data using a biometric recognition algorithm. The service agent is authenticated for the customer by matching a unique identifier to a previously stored unique identifier. A confirmation notification is generated and sent to the service agent and the customer to confirm the authentications. A connection is established between the customer and the service agent according to the authentications and the connection request.

Abstract: Disclosed embodiments provide a framework to enable automatic identification and authentication of users to allow for multichannel communications in an authenticated state. In response to an authentication request from an end agent engaged in a communications session with a user, a current authentication state associated with the user is determined. Based on the current authentication state and a set of authentication rules associated with the end agent, a set of authentication challenges are identified and executed by an application implemented on the user's computing device. Data corresponding to completion of these authentication challenges is used to determine a new authentication state, which can be used to update the communications session.

Abstract: A network adapter within an industrial input/output (I/O) system includes one or more processers. The one or more processors are configured to: receive a first combination; determine whether the first combination matches a predefined lock combination; upon determining that the first combination matches the predefined lock combination, start a lock process; receive a second combination; determine whether the second combination matches a predefined lock key; and upon determining that the second combination matches the predefined lock key, lock the adapter.

Abstract: A system and apparatus for enhancing the functionality and utility of an authentication process for web applications is disclosed.

Abstract: A computer implemented networking system and method for content-creating, sharing, and archiving, includes maintaining profiles for a plurality of users each having an account that stores and displays user-authored content posts, and generating, for each user profile, a virtual space (e.g. building or house) displayed via a UI, and including a main area and a plurality of sub-areas each being associated with a respective category, and wherein the main area provides navigation to the sub-areas. The approach includes generating the user-authored content posts for each of the users via posting templates that prompt a user to input and organize various content based upon the template guidance for the respective category. A prompting tool operates within the virtual space for each profile by displaying prompts within each of the sub-areas and related to the respective category and includes a prioritized list of user tasks.

Abstract: A computer system controls access to network devices. One or more user interface elements associated with one or more network devices that are within a view of a user are displayed to the user via an augmented reality display. Input from the user is received comprising instructions to execute a command at a network device of the one or more network devices. The user is determined, according to a security policy, to be authorized to execute the command at the network device. In response to determining that the user is authorized to execute the command, the command is executed at the network device. Embodiments of the present invention further include a method and program product for controlling access to network devices in substantially the same manner described above.

Abstract: Database systems and methods are provided for authorizing access to a protected resource. One method involves an authorization service automatically assigning a unique alias to a web application and thereafter receiving a request for access to a protected resource on behalf of a user of the web application. In response to the request, the authorization service generates a graphical user interface (GUI) display including a graphical representation of the unique alias automatically assigned to the web application at a client device associated with the user, and thereafter in response to user selection of a GUI element of the GUI display to authorize access, the authorization service obtains an access token associated with the user and the protected resource and transmits the access token to the web application.

Abstract: The invention relates to a device and a method for authenticating a user utilizing an internet access client (10) for accessing remote resources of a computer infrastructure, said access comprising a first authentication (130) of the internet access client (10) and a second authentication (140) of the user of the internet access client (10). The method includes sending (132), to a token security module (21), by the internet access client (10), a client certificate (220), said client certificate (220) being associated with items of identification information of the internet access client (10); and receiving (133), by the internet access client (10), an authentication token (210) generated by the token security module when the client certificate (220) sent has been verified by the token security module.

Abstract: Providing access control to distributed resources, including storing, at a computing dock coupled to an information handling system, a local access database indicating verified credentials of one or more users; receiving, at the computing dock, a request for access to a resource coupled to the computing dock; providing, in response to the request for access, an authentication request to an authentication system; in response to the authentication request, providing, by the computing dock, an authentication challenge to the information handling system; receiving, at the computing dock and in response to the authentication challenge, user credentials at the authentication system; verifying, at the authentication system, the user credentials against the local access database; providing, based on the verified user credentials, an authorization token to the first device; and allocating, based on the authorization token, access to the resource to the information handling system.

Abstract: A user permission system manages and regulates access to secure data at one or more third-party data sites. The system may provide access to one or more databases or other data structures based on user authentication and access rules that have been established, such as by a user associated with the data being accessed at the third party data store. Access may be provided via an API to the third-party data site, along with access credentials of a user with data stored with the third-party data site, allowing the system to access data on behalf of the user.

Abstract: A method for accessing cloud resources via a local application development environment on a computing device. The method includes invoking an access management client at the computing device; obtaining an account identifier associated with a user account and communicating the account identifier to an identity platform; receiving an authentication message from the identity platform in response to the identity platform validating the account identifier, the authentication message comprising a role identifier; communicating the authentication message to the cloud platform; receiving security credentials associated with the role identifier from the cloud platform in response to the cloud platform validating the authentication message and the associated role identifier; setting a variable in the local development environment based on the received security credentials for use by the local development environment to request access to one or more resources maintained by the cloud platform.

Abstract: The present disclosure generally relates to systems and methods that intelligently generate reassignment value conditions for reassigning access rights. The systems and methods include executing a trained contextual machine-learning model to generate predictions of value components of the reassignment value condition, which once satisfied, enables an access-right requestor to have an assigned access right reassigned to the access-right requestor.

Abstract: Systems and methods for providing access to media content by connecting, to a public device, a private device that has an installed application associated with the media content. A media guidance application may receive a communication from a private device, running a private interface application, requesting to access content using the public device. In response, the media guidance application may retrieve, at the public device, a public interface application associated with the private interface application, from a content provider of the content. The private interface application may be configured to control a graphical user interface of the public interface application. Accordingly, the user may be able to access content via the public device when the private device is within a predetermined proximity to the public device.

Abstract: A system for data security includes a processor and a computer-readable storage medium having instructions stored thereon that cause the processor to perform operations including: (i) logging data access events initiated by a user; (ii) generating a user profile of the user, the user profile including a size and a type of data accessed by each data access event; (iii) receiving a new data access event initiated by the user including a size and a type of data requested by the new data access event; (iv) comparing the size and the type of the requested data of the new data access event to the user profile; (v) determining that the new data access event initiated by the user does not correspond to the data included in the user profile; (vi) restricting the requested data associated with the new data access event; and (vii) transmitting the restricted data to the user.

Abstract: A method for accessing a network resource including detecting an attempt by a user via a computing device to access a service enabled by a computing system via a network and transmitting via the network to the computing system a first request to access the service in response to detecting the attempt by the user to access the service, the first request including at least one empty personally identifiable data structure. A failure to access the service responsive to the first request is determined. A second request to access the service in response to the first failure to access the service is transmitted via the network to the computing system, the second request including artificial personally identifiable information, and access to the service from the computing system is received for the user.

Abstract: A solution for efficient and secure automated age assurance checking in association with a third party workflow involving an interaction between a user having an associated email address, and a target service. A request to estimate an age of the user is received and includes the email address. In response, the system issues a query to one or more data sources, each data source being of a different type and having an age attribute associated therewith. The data source(s) return responses to the queries. The system then associates an age attribute (typically, a minimum age) to each indication received from each data source queried. Based on a frequency of occurrence of the indications and the associated age attributes, a digital footprint that includes an estimate of the individual's minimum age is derived. A response (e.g., the estimated minimum age) to the request is then returned to the third party workflow.