Patents Issued on November 28, 2024
-
Publication number: 20240394341
Abstract: Multimedia piracy detection (e.g., using a computerized tool) is enabled. A system can comprise a memory that stores executable instructions that, when executed by a processor, facilitate performance of operations, comprising: determining, based on a time domain and/or a frequency domain associated with original digital media content (e.g., and respective digital transportation) and using a counterfeit digital media content model, whether digital media content comprises a counterfeit of an authorized release of the original digital media content, wherein the counterfeit digital media content model has been generated based on machine learning applied to time domains and/or frequency domains of past original digital media content (e.g., and respective digital transportation) and to past digital media content (e.g., counterfeit digital media content) (e.g.
Type: Application
Filed: August 5, 2024
Publication date: November 28, 2024
Inventors: Di Chou, James Ho, Chinglung Wen
-
Publication number: 20240394342
Abstract: Systems and methods are disclosed for managing usage rights with a uniform code. Contract terms for licensing a property, such as a data product, can be represented as combinations of usage rights categories with associated action attributes and provision attributes. These usage rights categories, action attributes, and provision attributes can be encoded to generate a string representing the contract term(s). This string can be leveraged to readily ascertain the usage rights available or desired for a particular property, enabling streamlined management for complex contract terms across numerous properties.
Type: Application
Filed: May 23, 2024
Publication date: November 28, 2024
Inventors: Richard Fitzhugh CLEMENTS, Michele Irene KELSEY, Anya MILSTEIN
-
Publication number: 20240394343
Abstract: A method and a system of running an application, an electronic device and a storage medium are provided. The method includes: acquiring an authorization code, where the authorization code is used to authorize the terminal device to run the application; acquiring license information; extracting a device fingerprint and an authorization code associated with the device fingerprint from the license information; generating a verification result by comparing the authorization code extracted from the license information with the acquired authorization code and comparing the device fingerprint extracted from the license information with a device fingerprint of the terminal device; and allowing the terminal device to run the application or prohibiting the terminal device from running the application, according to the verification result.
Type: Application
Filed: June 28, 2024
Publication date: November 28, 2024
Inventor: Zhenjun Shao
-
Publication number: 20240394344
Abstract: Novel tools and techniques for an IoT shell are provided. A system includes an internet of things (IoT) device, a database, and a license manager. The database may include one or more sets of authorized licenses, each set of authorized licenses associated with a respective vendor software. The license manager may be in communication with the IoT device and the database, and further include a processor and a non-transitory computer readable medium comprising instructions executable by the processor. The license manager may be configured to receive a request to reserve a license for a first vendor software, determine an availability of the license associated with the first vendor software, register a unique identifier of the IoT device in association with the license, and grant the license to the IoT device.
Type: Application
Filed: July 31, 2024
Publication date: November 28, 2024
Applicant: CenturyLink Intellectual Property LLC
Inventors: Steven M. Casey, Felipe Castro
-
Publication number: 20240394345
Abstract: Implementations of the present specification provide a digital item transfer interaction processing method and apparatus.
Type: Application
Filed: August 7, 2024
Publication date: November 28, 2024
Inventors: Jincheng DU, Weikang ZHONG, Mingxing LI, Shasha MA, Qing HE, Ying HAO
-
Publication number: 20240394346
Abstract: A distributed processing system includes one or more accelerated units (AUs) connected to a network. To control access to the AUs by one or more users over the network, the distributed processing system includes a control plane circuitry connected to the network. The control plane circuitry is configured to grant a user access to one or more AUs connected to the network based on user security data stored at the control plane circuitry. The security data stored at the control plane circuitry indicates which resources of one or more AUs connected to the network one or more users are authorized to access.
Type: Application
Filed: May 24, 2023
Publication date: November 28, 2024
Inventor: Ahmet Artu Yildirim
-
Publication number: 20240394347
Abstract: Disclosed is a method and system for user content authentication. A user content authentication method according to an example embodiment may include authenticating a user that desires to create user content, verifying that the user is directly writing the user content, and creating authentication information on the user content created by the user when it is verified that the user is directly writing the user content.
Type: Application
Filed: August 2, 2024
Publication date: November 28, 2024
Applicant: Piamond Corp.
Inventor: Doo Geon Hwang
-
Publication number: 20240394348
Abstract: Token for user-related control of a craftsman device, the token having a processor which is configured for control-related interaction with the craftsman device, an identification means which is configured to identify a user of the token, and a memory means with stored information, which are indicative of a personalized authorization profile of the user in relation to the craftsman device or allow access thereto, the processor being configured to allow, set and/or prevent use of the craftsman device by the user based on the personalized authorization profile when the token is coupled to the craftsman device.
Type: Application
Filed: July 28, 2022
Publication date: November 28, 2024
Inventors: Heiko ROSSKAMP, Adrien MARQUETTE, Louisa ASCHOFF
-
Publication number: 20240394349
Abstract: The present disclosure provides a computer-implemented system for managing screen time based on user activity. The system includes a configuration module for receiving user data and generating a record of the input, an activity tracking module with a reference algorithm and a task verification algorithm, and an execution module with a screen time accumulation bank and an execution algorithm. The configuration module includes an administrative account setup step, an individual account setup step, and a behavior rules setup step. The behavior rules setup step generates manual and automatic input rules based on user-designated tasks and physical activity targets. The execution module monitors the balance of the screen time accumulation bank and controls user engagement with the client device based on the balance and schedule rules.
Type: Application
Filed: May 23, 2024
Publication date: November 28, 2024
Inventor: Yosef Schneid
-
Publication number: 20240394350
Abstract: A system for gait-based user authentication, includes a processor and a memory. The memory includes instructions stored thereon, which when executed by the processor, cause the system to: access data relating to a gait of a user; provide the data as an input to an early escape network (EENet) having two or more early exits; dynamically determine by a deep Q-learning network (DQN) which of the two or more early exits of the EENet to take; dynamically determine by the EENet a predicted authentication at the determined exit; take the determined early exit by the EENet; and provide an authentication based on the predicted authentication at the determined early exit.
Type: Application
Filed: March 19, 2024
Publication date: November 28, 2024
Inventors: Dinakarrao Sai Manoj Pudukotai, Pavlos Zouridakis
-
Publication number: 20240394351
Abstract: An information processing apparatus includes: a memory which temporarily stores image data of an image captured by an imaging unit; a first processor which executes person detection processing to process the image data stored in the memory and to detect a face area with a face captured therein from the image in order to detect presence of a person, and face authentication processing to detect the face area from the image in response to a request from a system in order to authenticate the face; a second processor which gives instructions to make a transition of an operating state of the system and to change screen brightness of a display unit based on the detection result by the person detection processing; and a third processor which executes unlocking processing to unlock the system based on the authentication result by the face authentication processing.
Type: Application
Filed: April 5, 2024
Publication date: November 28, 2024
Applicant: Lenovo (Singapore) Pte. Ltd.
Inventor: Masashi Nishio
-
Publication number: 20240394352
Abstract: An authentication apparatus includes biometric information acquiring part which acquires first biometric information of user, certification information adding part, authentication part, and biometric information database which includes second biometric information of user stored in advance. The certification information adding part receives first biometric information from biometric information acquiring part, generates certification information concerning communication rule, notifies authentication part of certification information in advance, and transmits authentication information including certification information and first biometric information configured according to the communication rule shown by certification information to authentication part.
Type: Application
Filed: May 17, 2024
Publication date: November 28, 2024
Applicant: NEC Corporation
Inventors: Yuta SHIMIZU, Toshiyuki ISSHIKI, Kengo MORI, Kazuki INAGAKI, Koyo SHIBATA, Kohei HIJIKATA
-
Publication number: 20240394353
Abstract: The biological information acquisition means acquires biological information of the user. The determination means determines whether a predetermined condition is satisfied. In a case in which it is determined that the predetermined condition is satisfied, the key information transmission means transmits the key information to the mobile device. An authentication means authenticates the user by using the acquired biological information, encrypted biological information for collation, and the key information received by the key information reception means from the user device.
Type: Application
Filed: October 6, 2021
Publication date: November 28, 2024
Applicant: NEC Corporation
Inventor: Yuta Shimizu
-
Publication number: 20240394354
Abstract: A monitoring system is disclosed. The monitoring system includes a monitoring server that is configured to receive a personally identifying code from a visitor to a property monitored by the monitoring system. The monitoring system includes one or more sensors that transmit sensor data to the monitoring server and that are configured to capture a biometric identifier from the visitor to the property monitored by the monitoring system. The monitoring system is configured to compare the received personally identifying code to a stored personally identifying code. The monitoring system is configured to compare the received biometric identifier to a stored biometric identifier. The monitoring system is configured to determine a likelihood that the visitor is the known person. The monitoring system is configured to determine that the likelihood that the visitor is the known person does not satisfy a threshold. The monitoring system is configured to generate an alarm condition.
Type: Application
Filed: August 6, 2024
Publication date: November 28, 2024
Inventor: Stephen Scott Trundle
-
Publication number: 20240394355
Abstract: System and method that enable a userspace compartmented IP Stack and network interfaces between a user device and communications devices associated with the user device, including mobile devices. The system and method include userspace bridging of data to/from external communications devices and applications onboard the user device. The system and method include userspace control of the network interfaces, routing between disparate IP networks, and routing of external IP network interfaces into user device interfaces. The system and method include incorporating userspace device drivers required for external network hardware interface.
Type: Application
Filed: May 21, 2024
Publication date: November 28, 2024
Inventor: Aaron Paul SIKORSKI
-
Publication number: 20240394356
Abstract: An owner-tenant wireless shared omnibus access control system configured to enable owners and tenant users of an electronic access control system to seamlessly access a lock that is shared between remote site owners and one or more tenants, while maintaining access control and audit trail with minimal administrative overhead. An owner-tenant wireless shared omnibus access control system may be operably configured to enable expanded or limited access and audit trail information based on different user roles and permissions comprising an owner user and a tenant user.
Type: Application
Filed: May 31, 2024
Publication date: November 28, 2024
Inventor: Matthew Frank Trapani
-
Publication number: 20240394357
Abstract: An e-vapor apparatus may include a pod assembly including a pre-vapor formulation compartment, a first electrical connector, a vapor channel traversing the pre-vapor formulation compartment, and a vaporizer, the pre-vapor formulation compartment configured to hold a pre-vapor formulation therein and in fluidic communication with the vaporizer during an operation of the e-vapor apparatus, the first electrical connector including first and second power electrodes, the first power electrode including a first contact portion on an exterior of the first electrical connector and a first extended portion configured to contact an anode portion of the vaporizer, the second power electrode including a second contact portion on the exterior of the first electrical connector and a second extended portion configured to contact a cathode portion of the vaporizer. The e-vapor apparatus may further include a dispensing body including a second electrical connector configured to connect to the first electrical connector.
Type: Application
Filed: August 1, 2024
Publication date: November 28, 2024
Applicant: Altria Client Services LLC
Inventors: Ryan NEWCOMB, Terry BACHE, Eric HAWES, Raymond LAU, Cristian POPA, James YORKSHADES
-
Publication number: 20240394358
Abstract: Disclosed herein is a technique for managing permissions associated with the control of a host device that are provided to a group of wireless devices. The host device is configured to pair with a first wireless device. In response to pairing with the first wireless device, the host device grants a first level of permissions for controlling the host device to the first wireless device. Subsequently, the host device can receive a second request from a second wireless device to pair with the host device. In response to pairing with the second wireless device, the host device can grant a second level of permissions for controlling the host device to the second wireless device, where the second level of permissions is distinct from the first level of permissions.
Type: Application
Filed: August 2, 2024
Publication date: November 28, 2024
Inventors: Bob BRADLEY, William M. BUMGARNER, Vijay SUNDARAM, Marc J. KROCHMAL
-
Publication number: 20240394359
Abstract: A system and process capable of providing a trusted execution environment (“TEE”) for one or more graphic processing units (“GPUs”) include a secure hypervisor, application sandbox virtual machine (VM), secure VM service module (SVSM), and security monitor (SM). In one embodiment, the secure hypervisor is running on a central processing unit (CPU) to regulate all interactions between software stacks and hardware. The application sandbox VM is running on top of the hypervisor that hosts applications. The SVSM is running at virtual machine privilege level 0 (VMPL0) in a VM to regulate interactions between the applications and a GPU, wherein the SVSM includes a validator for verifying security and integrity of one or more GPU executions running on the GPU. The SM is configured to regulate interactions between VMs and the GPU in accordance with security properties.
Type: Application
Filed: May 24, 2024
Publication date: November 28, 2024
Applicant: Visionary Technologies LLC
Inventors: Haohui Mai, Christoforos Kozyrakis
-
Publication number: 20240394360
Abstract: Disclosed in the present application are a model protection method and apparatus, a data processing method and apparatus, and a device and a medium, which are used for improving the security protection of a model. In the present application, a cloud device can determine, from a target model, a first sub-model which is stored in a trusted execution environment (TEE) of a terminal device, and send the first sub-model to the terminal device; the terminal device can store the first sub-model in the TEE of the terminal device; and the TEE can ensure that data processing, etc., are performed in a trusted environment.
Type: Application
Filed: August 15, 2022
Publication date: November 28, 2024
Applicant: CHINA UNIONPAY CO., LTD.
Inventors: Wenhai YU, Chengqian CHEN
-
Publication number: 20240394361
Abstract: A method is provided that includes receiving a source code block of a source code and a sensor configuration associated with the source code block, performing instrumentation on the source code block at least two times to generate corresponding at least two differently instrumented code blocks from the source code block, creating a corresponding model of the sensor configuration for each differently instrumented code block, and receiving a request for an instrumented variant of the source code block for execution by a processing element and deploying the instrumented variant of the source code block to the processing element. The instrumented variant of the source code block comprises one of the at least two differently instrumented code blocks from the source code block.
Type: Application
Filed: May 23, 2023
Publication date: November 28, 2024
Inventors: Brendan James Moran, Michael Bartling
-
Publication number: 20240394362
Abstract: According to at least one aspect, a hardware system including a host processor, a policy engine, and an interlock is provided. These components can interoperate to enforce security policies. The host processor can execute an instruction and provide instruction information to the policy engine and the result of the executed instruction to the interlock. The policy engine can determine whether the executed instruction is allowable according to one or more security policies using the instruction information. The interlock can buffer the result of the executed instruction until an indication is received from the policy engine that the instruction was allowable. The interlock can then release the result of the executed instruction. The policy engine can be configured to transform instructions received from the host processor or add inserted instructions to the policy evaluation pipeline to increase the flexibility of the policy engine and enable enforcement of the security policies.
Type: Application
Filed: April 2, 2024
Publication date: November 28, 2024
Applicant: Dover Microsystems, Inc.
Inventors: Steven Milburn, Eli Boling
-
Publication number: 20240394363
Abstract: A method for controlling access to at least one computer program which is accessible and executable on an embedded system is disclosed. The embedded system is provided and comprises two different runtime modes, a first runtime mode and a second runtime mode. In the first runtime mode, a predefined set of IT-security constraints is associated with the at least one computer program. In the second runtime mode at least a part of the predefined set of the IT-security constraints associated with the at least one computer program is void and the at least one computer program is accessible and executable with elevated rights for performing software development operations on the at least one computer program. The embedded system is set into the second runtime mode for a predefined time period. After the predefined time period is expired, the embedded system is set into the first runtime mode.
Type: Application
Filed: August 5, 2024
Publication date: November 28, 2024
Applicant: Siemens Aktiengesellschaft
Inventor: Jan-Gregor Fischer
-
Publication number: 20240394364
Abstract: A method is provided for mitigating a malware attack to a data processing system. The method may include initializing a malware stagnation file in the data processing system. The malware stagnation file can generate a range of addresses that do not exist in the memory and are not mapped to any applications of the data processing system. During operation of the data processing system, an address may be received by the data processing system for a read or write operation to the memory. If it is determined that the address defines an entry point of the malware stagnation file, it may be assumed that the requestor is malware and the malware stagnation file translates the address to an address that does not exist in the memory and allow access. The malware stagnation file may provide the non-existent addresses to the malware for as long as the malware makes requests.
Type: Application
Filed: May 24, 2023
Publication date: November 28, 2024
Inventors: Nikita Veshchikov, Christine van Vredendaal
-
Publication number: 20240394365
Abstract: A method (200) for use in securing a computing system (416) against a recovery scenario from which the computing system would require recovery. The method comprises: i) obtaining (202) system recovery indicators for the computing system; and ii) predicting (204) a likelihood that the computing system will undergo the recovery scenario from the system recovery indicators using a model trained using a machine learning process that takes as input the system recovery indicators.
Type: Application
Filed: September 22, 2021
Publication date: November 28, 2024
Inventors: Anu Puhakainen, Harri Hakala, Joel Patrik Reijonen
-
Publication number: 20240394366
Abstract: A system for detecting and mitigating application security threats comprises a processor associated with a server. The processor executes a static security model to analyze a group of development code sets for an application to detect threat objects. The processor determines that a number of threat objects in each development code set is lower than a threshold. The processor further executes a run-time security model to analyze the combined code sets to determine a set of threat object measurements of application product releases for the application. The processor generates a set of threat change ratios per application based on a first threat object measurement and the threat object measurements after the first threat object measurement. The processor determines threat change patterns of the threat change ratios associated with the application product releases for the application. The processor determines whether to trigger a development security model for the application.
Type: Application
Filed: August 5, 2024
Publication date: November 28, 2024
Inventors: Timucin Ozugur, Mark Trenton Cimijotti
-
Publication number: 20240394367
Abstract: Certain aspects are directed to apparatus and methods for performing a blinded operation. The method generally includes: obtaining a first operand and a second operand for a multiplication operation; performing, via one or more processors, one or more shift operations or a bit-flip operation on the first operand to generate a first blinded operand; and performing the multiplication operation based on the first blinded operand and the second operand to generate a blinded multiplication result.
Type: Application
Filed: May 25, 2023
Publication date: November 28, 2024
Inventor: Nimisha LIMAYE
-
Publication number: 20240394368
Abstract: A plurality of fake vulnerabilities are exposed to network traffic alongside an active resource. Each fake vulnerability cannot harm the active resource and wherein the deceptive proxy device and the legitimate device are reachable by a common IP address. Network traffic is monitored in real-time, to detect an attack by a malicious device concerning at least one of the fake vulnerabilities of the plurality of fake vulnerabilities exposed by the deceptive proxy resource. The malicious device is trusted by the enterprise network. Responsive to the attack detection, a security action is taken with respect to the malicious device.
Type: Application
Filed: March 19, 2024
Publication date: November 28, 2024
Applicant: Fortinet, Inc.
Inventor: Kun Yu
-
Publication number: 20240394369
Abstract: Some embodiments of an interception-based unpacker leverage an auto-unpacker of a packed file, using certain hooks, to obtain unpacked content even when the specific compression and encryption algorithms that were used to pack the packed file are unknown. The unpacked content is studied directly, or injected into a copy of the packed file to create an unpacked executable version of the packed file. A hook on a process loader is utilized to obtain a pre-execution map of memory allocated to a target packed process. One or more interrupt hooks or system call hooks, which are triggered by permission changes or by write permission or execution permission exceptions, are utilized to obtain copies of unpacked content. In some embodiments, the interception-based unpacker executes primarily or entirely in kernel space. Embodiments of the interception-based unpacker are operable in open source kernel or closed source kernel operating systems.
Type: Application
Filed: May 24, 2023
Publication date: November 28, 2024
Inventors: Vladimir TOKAREV, Yuval GORDON, Gil REGEV
-
Publication number: 20240394370
Abstract: One embodiment provides a method, the method including: receiving, from a device and utilizing a variable modification system, a request to make a modification to content of a protected unified extensible firmware interface (UEFI) variable; verifying, using the variable modification system, an entity utilizing the device and requesting the modification is authorized to make modifications to the content of the protected UEFI variable; and authorizing, responsive to verifying the entity is an authorized entity and using an encryption scheme associated with the protected UEFI variable, the modification, wherein the authorization results in the modification to the content of the protected UEFI. Other aspects are claimed and described.
Type: Application
Filed: May 26, 2023
Publication date: November 28, 2024
Inventors: Rafael Rodrigues Machado, Igor Stolbikov, Scott Wentao Li, Denis Leite Gomes
-
Publication number: 20240394371
Abstract: Methods, systems, and apparatuses include reading a firmware image from a memory device. Parity data for the firmware image is computed. A first authentication code associated with the firmware image is received. A second authentication code is computed by performing a cryptographic operation on the parity data. It is determined that the first authentication code and the second authentication code match. The firmware image is loaded onto the memory device in response to determining that the first authentication code and the second authentication code match.
Type: Application
Filed: May 20, 2024
Publication date: November 28, 2024
Inventors: Flavio Pace, Antonino Pollio, Laura Ferrante
-
Publication number: 20240394372
Abstract: A method for implementing replacing a startup screen of a smart POS device includes: checking, by the smart POS device, whether an updating screen completing flag exists when detecting a startup, if yes, displaying a corresponding startup screen according to a mirror file in a backup partition, otherwise, displaying a default startup screen according to a screen mirror file in a default startup screen partition; decrypting a received image data ciphertext by using a protection key, verifying data obtained by decrypting, if successful, generating a mirror file of the startup screen according to the data and storing the mirror file; applying for writing access to the backup partition; if the backup partition has a writing permission, clearing the updating screen completing flag and starting to write the stored mirror file in the backup partition; setting the updating screen completing flag after the mirror file is written in the backup partition.
Type: Application
Filed: September 2, 2022
Publication date: November 28, 2024
Applicant: Feitian Technologies Co., Ltd.
Inventor: Zhou LU
-
Publication number: 20240394373
Abstract: To improve computer security, on every boot or reboot a firmware agent provides a challenge for an OS agent to be used for the subsequent boot. During boot, the response to the previous challenge is checked, as it was provided in advance by the OS agent to a designated mailbox when the device was last switched on. The OS agent may generate a response in either an offline mode or when connected to a server. If the response is correct, the device boots normally. If the response is incorrect, then a firmware lock is engaged. A certain number of grace boots may be allowed without a response being required.
Type: Application
Filed: August 2, 2024
Publication date: November 28, 2024
Inventor: Eugene KHORUZHENKO
-
Publication number: 20240394374
Abstract: To improve computer security, on every boot or reboot a firmware agent provides a challenge for an OS agent to be used for the subsequent boot. During boot, the response to the previous challenge is checked, as it was provided in advance by the OS agent to a designated mailbox when the device was last switched on. The OS agent may generate a response in either an offline mode or when connected to a server. If the response is correct, the device boots normally. If the response is incorrect, then a firmware lock is engaged. A certain number of grace boots may be allowed without a response being required.
Type: Application
Filed: August 2, 2024
Publication date: November 28, 2024
Inventor: Eugene Khoruzhenko
-
Publication number: 20240394375
Abstract: Techniques for collaborative detection of software application static vulnerabilities are disclosed. Print statements are injected into the source code for a software application for each of its inputs and outputs. Vulnerability findings are obtained from two or more static analysis tools run against the modified source code. A determination is made that a first static analysis tool reports that tainted data can flow from an input of a function to a return value of the function and it is determined that the second static analysis tool reports that tainted data can flow into the input of the function and that tainted data cannot flow to the return value based on the vulnerability findings. The injection-modified source code is modified to include an assignment of the input to the output to obtain stitch-modified source code. Then vulnerability findings are obtained for the stitch-modified source code and they include new findings.
Type: Application
Filed: May 22, 2023
Publication date: November 28, 2024
Inventors: Feras Al-Kassar, Luca Compagna, Davide Balzarotti
-
Publication number: 20240394376
Abstract: A method for managing virtual desktop infrastructure (VDI) environments includes: obtaining, by an orchestrator, a resource related parameter and a security related parameter; assembling, by the orchestrator, an application programming interface (API) combination to generate a VDI environment based on a plurality of vendor-provided APIs; testing, by the orchestrator and for a vulnerability result, the VDI environment across a range of users based on the resource related parameter and security related parameter; providing, by the orchestrator, the range of users and VDI environment to an analyzer, in which the analyzer is instructed by the orchestrator to generate a model that minimizes the vulnerability result of the VDI environment; generating, by the analyzer, a trained model by training the model using at least the range of users, VDI environment, security related parameter, resource related parameter, and vulnerability result; and initiating, by the analyzer, notification of an administrator about the tra
Type: Application
Filed: May 23, 2023
Publication date: November 28, 2024
Inventors: John Kelly, Dharmesh M. Patel
-
Publication number: 20240394377
Abstract: A DLP system with ongoing risk assessment establishes a baseline quantification of data loss risk (“risk score”) of assets identified as sensitive assets and quantifies other dynamic factors as components to be combined or viewed with the baseline risk score. The baseline risk score provides an initial or static view of data loss risk for a sensitive asset at-rest and can be combined with other scoring components to provide different views of risk for a sensitive asset that represent more dynamic aspects. These scoring components relate to access activity over time or historical activity and in-transit activity. The baseline risk score with the dynamic risk scoring components provides a current view of risk and a trending or historical view of risk for the sensitive asset. The in-transit risk scoring component tailors risk assessment to a requestor to provide another perspective or contextualize risk with respect to the requestor.
Type: Application
Filed: May 26, 2023
Publication date: November 28, 2024
Inventors: Manish Mradul, Devendra Mohan Badhani
-
Publication number: 20240394378
Abstract: Systems and methods for software product deployment and/or compliance management are provided. In some embodiments, a method includes: receiving an indication of a first payload of a software deployment package; performing a first software scan of the first payload; generating a first integrity file including an indication of integrity based upon the first software scan; and triggering a transfer of the first payload and the first integrity file from a first network domain to a second network domain different from the first network domain.
Type: Application
Filed: May 20, 2024
Publication date: November 28, 2024
Inventors: Benjamin Jackson, David Schlosnagle, Daniel Grim, Ian Reardon, Johnny Huang, Robert Blount, Sean Hacker, Steven McDonald
-
Publication number: 20240394379
Abstract: The embodiments disclosed herein are directed to a continuous vulnerability assessment system for detecting exploitable vulnerabilities. For example, an agent executes on a plurality of computing devices. Each agent profiles various pieces of software executing on its respective device and obtains various characteristics thereof. For instance, each agent determines, among other things, the length of time certain software executes on the device. Each agent provides descriptors of the determined characteristics to a vulnerability assessment engine. The engine determines a cumulative length of time that each particular piece of software executed across the plurality of computing devices.
Type: Application
Filed: August 15, 2022
Publication date: November 28, 2024
Applicant: MORPHISEC INFORMATION SECURITY 2014 LTD.
Inventors: Michael GORELIK, Dorel YAFFE
-
Publication number: 20240394380
Abstract: A data processing method, applied to a target device in which a Linux operating system is running. A first program is deployed in the Linux operating system. The method includes: loading a target loading and invasion machine into a first memory space of the first program, and acquiring a vulnerability repair library for the first program through the target loading and invasion machine; creating, in the first memory space, a second memory space for the target loading and invasion machine, and configuring a second runtime environment isolated from a first runtime environment of the first program; and loading the vulnerability repair library in the second memory space based on the second runtime environment, and performing a vulnerability repair on the first program by using the vulnerability repair library.
Type: Application
Filed: February 3, 2023
Publication date: November 28, 2024
Inventors: Hao ZHOU, Ruichao LIU, Fei SHI, Kan DONG
-
Publication number: 20240394381
Abstract: A backdoor detection device according to the present disclosure is equipped with: a pattern extraction means that extracts a function flow pattern from the program code of firmware; a frequency information acquisition means that acquires appearance frequency information indicating the appearance frequency of the extracted function flow pattern; a determination means that determines whether a backdoor is included on the basis of the acquired appearance frequency information; and an output means that outputs information indicating the result of the determination by the determination means.
Type: Application
Filed: October 27, 2021
Publication date: November 28, 2024
Applicant: NEC Corporation
Inventor: Kohei TATARA
-
Publication number: 20240394382
Abstract: The present disclosure is for systems and methods for data and model security in AI-based modeling approaches. Security techniques are applied at the user device level on edge devices to evaluate data and/or locally trained models for malicious content. Malicious content is detected and can be prevented from influencing central model updates or retraining.
Type: Application
Filed: August 2, 2024
Publication date: November 28, 2024
Applicant: BOBI, INC.
Inventors: David ESRA, Susanna COX
-
Publication number: 20240394383
Abstract: A system may include persistent storage containing representations of configuration items discovered in a managed network, where the configuration items include computing devices and software applications installed on the computing devices. One or more processors may be configured to: (i) obtain results of a vulnerability analysis performed on a software application, where the results indicate that the software application exhibits a vulnerability, (ii) determine a count of computing devices on which the software application is installed, (iii) calculate a security threat score for the vulnerability, where the security threat score is based on a severity factor of the vulnerability and the count of computing devices, (iv) provide, to a first entity, a first indication of the software application and the vulnerability, and (v) provide, to a second entity, a second indication of the software application, the vulnerability, and the security threat score.
Type: Application
Filed: August 5, 2024
Publication date: November 28, 2024
Inventors: Kurt Joseph Zettel, II, David Victor Barkovic, Richard Kenneth Reybok
-
Publication number: 20240394384
Abstract: A constrained decoding technique incorporates token constraints into a beam search at each time step of a decoding process in order to generate viable candidate sequences that are syntactically and semantically correct. The token constraints identify source code tokens or sequences of tokens that should appear in a candidate sequence. The token constraints are generated from checking whether a token predicted at each decoding step is feasible for a partial solution based on the production rules of the grammar of the programming language, the syntactic correctness of a partial sequence, and/or static type correctness.
Type: Application
Filed: August 7, 2024
Publication date: November 28, 2024
Inventors: COLIN BRUCE CLEMENT, SHAO KUN DENG, XIAOYU LIU, NEELAKANTAN SUNDARESAN, ALEXEY SVYATKOVSKIY
-
Publication number: 20240394385
Abstract: Various systems, methods, and computer program products are provided for complex data encryption. The method includes receiving a user input code from a computing device associated with a user. The user input code is one or more plaintext characters. The method also includes generating a first encrypted value using a first encryption algorithm based on the user input code. The method further includes decrypting the first encrypted value using one or more additional encryption algorithms. The one or more synthetic user input codes are generated by the decryption of the first encrypted value using each of the one or more additional encryption algorithms. The method still further includes determining a first encryption vulnerability score based on the value of the one or more synthetic user input codes. The method also includes causing a transmission of a user input code notification based on the first encryption vulnerability score.
Type: Application
Filed: August 6, 2024
Publication date: November 28, 2024
Applicant: BANK OF AMERICA CORPORATION
Inventors: Brandon Sloane, Sophie Morgan Danielpour, Serge Alejandro Neri, Lauren Jenae Alibey, James Thomas MacAulay, Jinyoung Nathan Kim
-
Publication number: 20240394386
Abstract: A computing device, such as a server, has a sealed housing and runs one or more data extraction agents. In some embodiments, the computing device includes one or more processors and memory located inside the sealed housing, the memory stores instructions that when executed by the one or more processors causes the one or more processors to: authenticate with a data recipient system using a prestored security engine and using a shared registration secret uniquely associating the computing device with the data recipient system; retrieve an extraction job specification from an extraction job specification repository associated with the data recipient system; and using the extraction job specification, communicate to one or more client computing devices associated with a client system to extract data records from one or more data stores of the client system. Related methods are also disclosed.
Type: Application
Filed: July 5, 2024
Publication date: November 28, 2024
Inventors: Jason Free, Charles Walters, Claude Johnson, Stephen Denney, Drew Tuck, Jerry Sung, Daniel Berkowitz, Quinn Beightol, Melvin Shaw, Charles Smith
-
Publication number: 20240394387
Abstract: An electronic device may include: a sensor configured to measure a plurality of bio-signals that includes a first bio-signal and one or more second bio-signals; an encryption chip configured to encrypt the first bio-signal based on a first encryption method that uses the one or more second bio-signals as an encryption code, and output the encrypted first bio-signal; and a communication device configured to transmit the encrypted first bio-signal to an external device.
Type: Application
Filed: September 19, 2023
Publication date: November 28, 2024
Applicants: SAMSUNG ELECTRONICS CO., LTD., SEOUL NATIONAL UNIVERSITY R&DB FOUNDATION
Inventors: Youngsoo Kim, Jong Ae Park
-
Publication number: 20240394388
Abstract: A memory where video content is stored for access by processing components in a display pipeline is divided into different categories or groupings, each different category or grouping corresponding to a different security level. Access, by the processing components in the display pipeline, to the video content stored in the different categories or groupings is restricted in different ways so that access to video content stored in the highest security categories or groupings is more restricted and more secure than access to the video content stored in less secure categories or groupings. Video content is received and a security level corresponding to video content is identified. The video content is written into a memory category or grouping, of the plurality of different categories or groupings corresponding to a plurality of different security levels, based upon the security level corresponding to the video content.
Type: Application
Filed: May 25, 2023
Publication date: November 28, 2024
Inventors: Ori LASLO, Orr SROUR, Matthew MORRIS, Steve M. PRONOVOST, Glenn F. EVANS, Vadim MAKHERVAKS
-
Publication number: 20240394389
Abstract: A driver monitoring system includes internal and external cameras attached to a vehicle. The cameras capture video of the vehicle's driver and the area surrounding the vehicle for later review by a coach or supervisor. To ensure privacy of people who appear in video, portions of the video may be processed to blur faces, license plates, and/or other features. Furthermore, access control mechanisms exist so that only users in specific roles have access to review certain types of video.
Type: Application
Filed: July 6, 2022
Publication date: November 28, 2024
Inventors: Rudy Wen, Brian Westphal, Jevon Yeoh, Miranda Huey, Gerrit Steinbach, Young Guo, Ewelina Sieradzka, Robert Bales, Alexander Stevenson
-
Publication number: 20240394390
Abstract: A system is provided for authentication using tokenization of a resource prior to resource allocation. In particular, the system may generate a resource token associated with a target resource to be transferred through a virtual environment. The resource token may be stored on a distributed ledger and may comprise an ownership identifier such as a cryptographic address associated with an entity that has ownership over the resource. The resource token may further comprise a resource identifier associated with the resource. Accordingly, the system may validate the resource identifier against an authorized resource database. If a match is detected, the system may publish an authentication data record to the distributed ledger indicating that the resource is authentic. In this way, the system provides a secure, efficient way to validate resources within a virtual environment.
Type: Application
Filed: May 24, 2023
Publication date: November 28, 2024
Applicant: BANK OF AMERICA CORPORATION
Inventors: Sanjay Arjun Lohar, James J. Siekman, Marabella Youkhaneh White, Pamela Elizabeth Barnes, Nicholas Stephen Rose