Abstract: A method for an information processing apparatus in which a hybrid application having both a function of a native application and a function of a web application operates and that is communicable with a server, the method includes transmitting, upon acceptance of a predetermined user operation, an acquisition request for information about the web application to the server, reading information about the native application saved in advance in the hybrid application, and displaying information generated from the acquired information as a response to the acquisition request and the read information, as a result of the predetermined user operation.

Abstract: Aspects of the subject disclosure may include, for example, a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, including requesting a license for software from first equipment of a license holder; receiving a passed ledger associated with the license from the first equipment of the license holder, wherein the passed ledger comprises a latest block; receiving a hash value for the latest block from a software vendor of the software; calculating a hash value for the latest block; and responsive to the hash value provided by second equipment of the software vendor matching the hash value calculated for the latest block: executing the software. Other embodiments are disclosed.

Abstract: The present disclosure provides for improving security in a meter or an intelligent electronic device (IED) through the use of a security key which is unique to each meter or IED. Such a key may be used to prevent password reuse among multiple meters. Such a key may also be used to encrypt critical components of the software, such that only when running on the correct meter can the components of the software be decrypted. Such a key may also be used to uniquely identify the device in a larger data collection and management system. The security key can also be used to prevent the direct copying of meters. The present disclosure also provides for a meter or IED that stores functional software separately from core software.

Abstract: Some aspects of this disclosure are directed to implementing hardware-based obfuscation of digital data. For example, some aspects of this disclosure relate to a method, including performing a capture operation that loads a plurality of primary input (PI) bits into corresponding shift registers of a plurality of test data registers (TDRs) disposed on one or more digital semiconductor devices and configured to store a plurality of secret information bits. The method further includes performing a sequence of shift operations on the plurality of TDRs to obtain a plurality of output bits. The method further includes applying, by an authenticating processor, a derivation function on the plurality of output bits to extract the plurality of secret information bits thereby authenticating the one or more digital semiconductor devices.

Abstract: In one aspect, a device includes a processor and storage accessible to the processor. The storage includes instructions executable by the processor to present, on a display and in virtual space, at least first and second three-dimensional (3D) objects to which user input is directable in a particular sequence to provide a passcode associated with the device. The instructions are also executable to identify receipt of the passcode based on detection of first user input directed in the particular sequence to the first and second 3D objects. The instructions are then executable to authenticate a user responsive to the identification. In various examples, the virtual space may form part of an augmented reality presentation, a mixed reality presentation, and/or a virtual reality presentation.

Abstract: Systems and methods for performing biometric authentication using a smart ring are disclosed. An exemplary method includes collecting biometric data using sensors of a smart ring while a user is wearing the smart ring, wherein the biometric data includes a heartbeat pattern. The method further includes performing an authentication operation by (i) comparing the collected biometric data to a biometric signature for a known user to determine whether the biometric data matches the biometric signature, and (ii) when the biometric data matches the biometric signature, authenticating the user by updating a record to indicate that the user has been identified and authenticated as the known user. The method also includes, when the record indicates that the user has been identified and authenticated, digitally signing transaction data using a private cryptographic key stored on a memory of the smart ring.

Abstract: A monitoring system is disclosed. The monitoring system includes a monitoring server that is configured to receive a personally identifying code from a visitor to a property monitored by the monitoring system. The monitoring system includes one or more sensors that transmit sensor data to the monitoring server and that are configured to capture a biometric identifier from the visitor to the property monitored by the monitoring system. The monitoring system is configured to compare the received personally identifying code to a stored personally identifying code. The monitoring system is configured to compare the received biometric identifier to a stored biometric identifier. The monitoring system is configured to determine a likelihood that the visitor is the known person. The monitoring system is configured to determine that the likelihood that the visitor is the known person does not satisfy a threshold. The monitoring system is configured to generate an alarm condition.

Abstract: A biometric authentication system, including an image input unit configured to obtain an image by imaging a living body, a storage unit configured to store registration information relating to a plurality of biological features obtained from a biological region of an image of each person, and an authentication processing unit configured to process the biological region of the image obtained by the image input unit to execute biometric authentication based on the registration information, wherein the plurality of biological features obtained from the biological region of the each person are a plurality of biological features having a low pattern correlation with one another, and wherein the authentication processing unit is configured to combine the plurality of biological features having a low pattern correlation with one another, which are obtained by processing the image, to execute the biometric authentication.

Abstract: An information processing system acquires biological information of a target and generates output information determined in correspondence with identification information using the identification information associated with the biological information. Then, the output information is output.

Abstract: A biometric authentication system comprising headwear comprising a plurality of biosensors each configured to sample muscle activity so as to obtain a respective time-varying signal; a data store for storing a data set representing characteristic muscle activity for one or more users; and a processor configured to process the time-varying signals from the biosensors in dependence on the stored data set so as to determine a correspondence between a time-varying signal and characteristic muscle activity of one of the one or more users, and in dependence on the determined correspondence, authenticate the time-varying signals as being associated with that user.

Abstract: Provided are a personal authentication device performing accurate authentication immediately follow insertion an earphone/microphone device to wear, and preventing spoofing after authentication.

Abstract: A biological data registration support device includes: a control portion configured to acquire a plurality of registration scenarios, each including at least one verification method and associated with respective services, identify a verification method that is commonly included in the plurality of registration scenarios as a common verification method, and acquire one set of biological data for registration regarding the common verification method and one set of biological data for registration regarding the verification method other than the common verification method; and a transmitting portion configured to transmit the biological data for registration and the plurality registration scenarios acquired by the control portion.

Abstract: A dual wearable smart device system and a method of using the dual wearable smart device system for authenticating an electronic financial transaction are described. In one embodiment, a method for approving an electronic financial transaction using at least two wearable smart devices includes providing a first wearable smart device that is designated as a payment device for conducting electronic financial transactions. The method also includes providing a second wearable smart device that is designated as a confirmation device for confirming the electronic financial transactions by the first wearable smart device. The method includes initiating, by the first wearable smart device, an electronic financial transaction, and, approving, by the second wearable smart device, the electronic financial transaction initiated by the first wearable smart device. The method further includes authenticating the first wearable smart device to complete the electronic financial transaction.

Abstract: A method of unlocking a locked device includes receiving a device identifier over a wireless communication protocol, determining if the device identifier is associated with a list of trusted devices, transmitting a request to generate an acoustic signal over the wireless communication protocol based on the determination, receiving the acoustic signal as an audio sound generated external to the locked device, estimating a distance between a source of the audio sound and the locked device, and unlocking the locked device based on the estimation.

Abstract: The present disclosure provides a security verification method and a relevant device, to increase the difficulty of cracking. The method includes: receiving, from a verification requester, a request for pulling a sliding verification code; acquiring the sliding verification code which includes a slider and a second endpoint image obtained by performing filter processing on a first endpoint image; and returning the sliding verification code to the verification requester. The first endpoint image and the slider are generated from the same original image, and the slider and the second endpoint image are returned to the verification requester finally. The second endpoint image is obtained by performing image processing on the first endpoint image, and after the image processing, in an area outside the slider placement area, pixel values of pixels in the second endpoint image are different from pixel values of corresponding pixels in the original image.

Abstract: There are provided systems and methods for iframe injection in mobile web browser applications for web browser extension opt-in. A service provider may provide a mobile application web browser extension, which may operate in conjunction with a mobile application web browser. The extension may interface with the web browser in order to determine data for browsed websites and user interactions and provide offers and savings to users during electronic transaction processing. In order to use the extension with the web browser, an opt-in preference and permission may be required. To provide this opt-in, the extension may cause the web browser to navigate to and load a webpage of the service provider. The extension may then inject an iframe that calls another domain, and a script of the extension executes in the iframe. The script may then infer that a permission has been granted.

Abstract: A method is provided, the method comprising generating a data package, by control circuitry of a power tool; generating a unique signature for the data package with a private key, wherein the private key is generated by a secure element of the power tool, and wherein the secure element is a digital key storage unit; and transmitting the signed data package to an auxiliary device for verification.

Abstract: Disclosed herein is a technique for managing permissions associated with the control of a host device that are provided to a group of wireless devices. The host device is configured to pair with a first wireless device. In response to pairing with the first wireless device, the host device grants a first level of permissions for controlling the host device to the first wireless device. Subsequently, the host device can receive a second request from a second wireless device to pair with the host device. In response to pairing with the second wireless device, the host device can grant a second level of permissions for controlling the host device to second wireless device, where the second level of permissions is distinct from the first level of permissions.

Abstract: Disclosed are example methods, systems, and devices that allow for generation and maintenance of a central identity databank for a user's digital life. The identity databank may include identity elements with payload values and metadata values corresponding immutable attributes of the user. A multifactor identity authentication protocol allows service provider devices to more reliably validate transactions with user devices via an identity system. The identity databank may include passwords, which may be generated by the identity system linked to user accounts and/or service providers. The passwords may be provided to service provider devices, eliminating the need for users to conceive of a multitude of varying passwords for the user's accounts.

Abstract: A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.

Abstract: Disclosed are example methods, systems, and devices that allow for generation and maintenance of a central identity databank for a user's digital life. The identity databank may include identity elements with payload values and metadata values corresponding immutable attributes of the user. A multifactor identity authentication protocol allows service provider devices to more reliably validate transactions with user devices via an identity system. The identity databank may include passwords, which may be generated by the identity system linked to user accounts and/or service providers. The passwords may be provided to service provider devices, eliminating the need for users to conceive of a multitude of varying passwords for the user's accounts.

Abstract: Aspects of the invention are directed towards methods and systems for managing access of an application. One or more embodiments of the invention describe receiving an indication from a user to access an application. One or more embodiments of the invention further describe determining whether a user device is in an offline mode and if the user device is in the offline mode, prompting the user to input user credentials. Furthermore, the embodiments of the invention also describe receiving the user credentials from the user and validating the user credentials of the user with pre-stored user credentials. Accordingly, access of the application to the user is controlled based on said validation.

Abstract: A method and apparatus for establishing a software root of trust (RoT) ensures that the state of an untrusted computer system contains all and only content chosen by an external verifier and the system code begins execution in that state, or that the verifier discovers the existence of unaccounted for content. The method enables program booting into computer system states that are free of persistent malware such that an adversary cannot retain undetected control of an untrusted system.

Abstract: A health ticket minting process operates in a secure enclave on a computing device to ensure liveness of the enclave should a maliciously-compromised operating system deny service to starve the enclave. Cryptographically-secured health tickets provided by the minting process reset an authenticated watchdog timer (AWDT) that reboots the device from a hardware-protected recovery operating system if the timer expires. The health tickets are written to a secure channel using a symmetric key that is provisioned by repurposing an existing Intel SGX (Software Guard Extension) Versioning Support protocol that enables migration of secrets between enclaves that have the same author. In the event that the enclave fails to make forward progress and health tickets are not minted, then the AWDT expires and forces the reboot and re-imaging to a known good state to evict the malware from the computing device.

Abstract: Disclosed herein are systems, methods, and storage media for distributed system security. In an example embodiment, a computer-executable method includes receiving a first item of executable code, calculating a hash of the first item of executable code, and comparing the calculated hash to a database of hashes. Responsive to a determination that the calculated hash does not match any hash in the database of hashes, a first security policy is applied to the first item of executable code. Triggering of the first policy indicates that the first item of executable code should be blocked from execution. If the first item of executable code does not trigger the first security policy, the method includes executing the first item of executable code and intercepting a request initiated by the first item of executable code during execution. In the request matches a second security policy, the request is blocked and/or filtered or sanitized, based on attribute-based access control policies.

Abstract: Computer-implemented cyber-security processes and machines provide proactive anti-forensics activity detection and prevention to safeguard the integrity of transactions and their associated log details or other data using artificial intelligence and/or machine learning, thereby ensuring that all transactions and logs within the system are complaint for cyber forensics, and helping to make reactive forensic tasks more robust by adding proactive monitoring and compliance activity.

Abstract: Training and use of a byte n-gram embedding model is described herein. A neural network is trained to determine a probability of occurrence associated with a byte n-gram. The neural network includes one or more embedding model layers, at least one of which is configured to output an embedding array of values. The byte n-gram embedding model may be used to generate a hash of received data, to classify the received data with no knowledge of a data structure associated with the received data, to compare the received data to files having a known classification, and/or to generate a signature for the received data.

Abstract: A system and method for detecting malware using hierarchical clustering analysis. Unknown files classified by clustering and in view of known malicious and known safe files. Machine learning models and detection rules are used to enhance classification accuracy.

Abstract: An information processing apparatus according to the present disclosure includes an event index generation unit configured to generate an event index using event information output from a terminal and a search condition generation unit configured to generate a search condition for extracting the terminal exhibiting a specific behavior using a dynamic analysis result generated based on events occurred during an operation of malware and the event index. The search condition generation unit is configured to generate the search condition by reflecting an occurrence tendency of the event included in the dynamic analysis result in the terminal.

Abstract: According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that may cause the processor to determine a code fingerprint of a document containing a macro, in which the code fingerprint corresponds to a functionality of the macro. The processor may also determine whether the code fingerprint of the document matches a cluster code fingerprint associated with a cluster of documents. Based on a determination that the code fingerprint matches the cluster code fingerprint associated with the cluster of documents, the processor may determine whether the cluster of documents has been identified as being malicious or benign. In addition, based on a determination that the cluster of documents has been identified as being malicious or benign, the processor may handle the document as being malicious or benign while preventing the document from being sent to a sandbox environment for detonation of the document.

Abstract: An illustrative method includes detecting a request to perform an overwrite operation with respect to a non-header portion of a file stored by a storage system and determining, based on the detecting the request, that data stored by the storage system is possibly being targeted by a security threat.

Abstract: Techniques are described for enabling users of cloud provider services to verify, via cryptographic attestation, that trusted “enclaves” are used to process user data during limited points in time at which user data may be unencrypted or otherwise vulnerable. A cloud provider service processes requests involving user data at least in part using an enclave, where an enclave includes a virtual machine running on isolated computing resources of a host computing device managed by the cloud provider. The enclave, for example, can include an application that performs operations such as decrypting user data included in requests sent to a service (e.g., user data encrypted as part of a Transport Layer Security (TLS) connection established between the service and a client computing device), obtaining user-specific encryption keys from a key management service or other source, encrypting the user data using the encryption keys, and forwarding the encrypted data for further processing.

Abstract: A rule generator can automatically generate a machine-learning-powered detection system capable of recognizing a new malicious object or family of malicious objects and deployable as a text-based, pastable detection rule. The text may be quickly distributed and integrated into existing cybersecurity infrastructure, for example, if the cybersecurity infrastructure supports a rules engine. After initial distribution, the identity may be refined, updated, and replaced. This allows for rapid development and distribution of an initial level of protection, and for updating and improvement over time.

Abstract: A trusted boot method and apparatus, an electronic device, and a readable memory medium. In the method, an IE FUSE that supports only one data write and an IE FW that supports multiple data writes are designed, whereby a first key written in the IE FUSE is prevented from being tampered with. If a second key generated based on a first signature extracted from the current IE FW is different from the first key, it indicates that IE boot parameters stored in the current IE FW are already different from those initially stored in the IE FW, that is, the parameters have been tampered with. In most cases, the IE boot parameters stored in the IE FW should not be tampered with. Therefore, once tampering is discovered, there are reasons to believe that there is a security risk of malicious attacks.

Abstract: Detecting whether or not an open source software package has functionality which is not described by the source code used to build the open source software package. To do so, in one embodiment, this is done by accessing source code used to build the open source software package. The open source software package is built from the source code. After the open source software package has been rebuilt, then it is computed whether or not the rebuilt package accomplishes the same functions as the open source software package. Finally, if the rebuilt package does not accomplish the same functions as the open source software package, an alert is raised.

Abstract: A network connection device may include at least one sandbox to detect, isolate, and remove any discovered malware or cyber threat. The device may be configured to receive, save, and inspect data. A control layer may manage network connectivity so that only home organization network connections or external party network connections are connected at given moment in time.

Abstract: The present application describes techniques for node selection and ranking for, e.g., attack detection and localization in cyber-physical systems, without relying on digital twins, computer models of assets, or operational domain expertise. The described techniques include obtaining an input dataset of values for a plurality of nodes (e.g., sensors, actuators, controllers, software nodes) of industrial assets, computing a plurality of principal components (PCs) for the input dataset according to variance of values for each node, computing a set of common weighted PCs based on the plurality of PCs according to variance of each PC, and ranking each node based on the node's contribution to the set of common weighted PCs.

Abstract: Methods and systems described herein are directed to measuring cybersecurity vulnerability management programs and readiness. A vulnerability management program evaluation system can define vulnerability management capabilities and technologies supporting execution of those capabilities. Once defined, the system can conduct an initial assessment including scoring for the capabilities representing a depth of vulnerability management, as well as scoring for the technologies representing a breadth of vulnerability management. To update the initial assessment, the system can track the ongoing progress of projects that can affect the depth and/or breadth of vulnerability management, and then recalculate the scoring. At any time, the system can combine the depth and breadth to determine a comprehensive vulnerability management score.

Abstract: A system and method for application security profiling that includes extracting a code property graph from at least a subset of a code base; generating a code profile from the code property graph, wherein generating the code profile occurs prior to a compilation of the code base; and applying the code profile, comprising of identifying sections of interest within the code base.

Abstract: A system may include persistent storage containing representations of configuration items discovered in a managed network, where the configuration items include computing devices and software applications installed on the computing devices. One or more processors may be configured to: (i) obtain results of a vulnerability analysis performed on a software application, where the results indicate that the software application exhibits a vulnerability, (i) determine a count of computing devices on which the software application is installed, (iii) calculate a security threat score for the vulnerability, where the security threat score is based on a severity factor of the vulnerability and the count of computing devices, (iv) provide, to a first entity, a first indication of the software application and the vulnerability, and (v) provide, to a second entity, a second indication of the software application, the vulnerability, and the security threat score.

Abstract: Methods, computer-readable media, software, systems and apparatuses may retrieve, via a computing device and over a network, information related to one or more characteristics of a particular application or service deployed in a computing environment. The particular application or service may be associated with a class of applications or services based on the information. A type of personal data collected may be determined for each application or service in the associated class. For the particular application or service, a risk metric indicative of a type of personal data collected by the particular application or service in relation to the type of personal data collected by other applications or services in the associated class may be determined. An additional application or service with a lower risk than the particular application or service may be recommended.

Abstract: A method for privacy-preserving computation of aggregated private data of a group of client devices comprises: a server selecting at least t devices; being provided with key information including an encryption key e and a decryption key of a homomorphic threshold cryptosystem; obtaining a random value ri and being provided with the random values of the other devices in the group; the server transmitting client indices identifying selected devices, and signalling a device for aggregate encrypted data of each of the selected devices; the server receiving randomized encrypted data and an associated decryption share from each selected device, the decryption shares being configured such that decryption key d can be reconstructed on the basis of t decryption shares; and, the server aggregating the received randomized encrypted data of the selected devices using the homomorphic properties and using the decryption shares for decrypting the aggregated randomized encrypted data into cleartext.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, apparatuses, and processes that maintain data confidentiality in communications involving voice-enabled devices in a distributed computing environment using homomorphic encryption. By way of example, an apparatus may receive encrypted command data from a computing system, decrypt the encrypted command data using a homomorphic private key, and perform operations that associate the decrypted command data with a request for an element of data. Using a public cryptographic key associated with a device, the apparatus generate an encrypted response that includes the requested data element, and transmit the encrypted response to the device. The device may decrypt the encrypted response using a private cryptographic key and to perform operations that present first audio content representative of the requested data element through an acoustic interface.

Abstract: Transitioning leadership in a cluster of nodes, including: initiating, by two or more nodes among a cluster of nodes, a leadership transition, wherein: a first node transmits a first secret key identifier to each of the other nodes in the cluster of nodes; and a second node transmits a second secret key identifier to each of the other nodes in the cluster of nodes; updating, by each node and based at least in part on a resolution policy, the current secret key identifier to be the second secret key identifier instead of the first secret key identifier; and transitioning, based at least in part on the second secret key identifier being selected to be the current secret key identifier, the second node to be a leader node of the cluster of nodes.

Abstract: Using a computer system, an instruction is received to define or modify a permission constraint corresponding to one or more files. A permission-instruction data set representing the permission constraint is stored in a data store. Subsequent to storing the permission-instruction data, a user request to access a particular file is intercepted. The data store is queried to determine whether any pending permission-instruction data set corresponds to the particular file. In response to the query, it is determined that the permission-instruction data set corresponds to the particular file. A permission constraint of the particular file is added or modified based on the permission-instruction data set. Based on the modified or added permission constraint, it is determined whether and/or an extent to which the user request is authorized. A response to the user request based on the determination as to whether and/or an extent to which the user request is authorized.

Abstract: A system includes one or more privacy vaults. At least one of the one or more privacy vaults is associated with at least one individual user, stores contents associated with the associated at least one individual user, and stores specific identification of a plurality of third-party entities, authorized to access at least a portion of the contents stored by the one or more privacy vaults, along with access permissions, one or more of the access permissions defined for each of the plurality of third-party entities. At least one of the access permissions defines accessibility of the contents for at least one of the plurality of third-party entities for which the at least one access permission is defined.

Abstract: A processor may identify that one or more client-side applications have been initiated. The processor may identify a browser container. The processor may securely run the one or more client-side applications in the browser container. A website server may collect data that is to be transferred to a browser and sent back from the browser, and the browser container may be associated with the browser. The processor may permit a transfer and sending of the data between the website server and the browser. The transfer and sending of the data may include session specific information that is to be cached on a client-side.

Abstract: Various embodiments set forth systems and techniques for securing media content capture capabilities on a device. The techniques include receiving a frame of a media content item; determining whether the frame of the media content item is signed based on an analysis of one or more pixels of the frame; and when the media content is signed, removing one or more restrictions on one or more functions on the device based on whether the one or more pixels on the frame meet one or more conditions, wherein the one or more functions enable the device to perform one or more operations on the frame of the media content item.

Abstract: A display method, a display device, and an electronic device are provided. The method includes: determining, in response to a current account not having an access authority for accessing a target file, an associated account of the current account, where a user corresponding to the associated account matches a user corresponding to the current account; and displaying prompt information based on a relevant authority of the associated account for the target file, where the relevant authority includes at least one of an access authority and an application authority.

Abstract: Computing platforms, methods, and storage media for processing a data access request are disclosed. Exemplary implementations may: receive, at an apparatus, a data access request from a communication device and via a network; and generate, at the apparatus and based on the received data access request, a revocable 1:1:1 token that authorizes data sharing for a specific combination of third party application-aggregator-institution. Exemplary implementations may transmit the revocable 1:1:1 token for storage in a token database, and may store the 1:1:1 tokens in a token database associated with an institution related to the data access request; this allows access to be managed by the user and controlled by the institution, without relying on the aggregator. Exemplary implementations may provide a dashboard enabling a user to individually remove apps from data sharing, based on management of the 1:1:1 tokens.