Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 11799838
    Abstract: A device may monitor traffic associated with a user equipment (UE) on multiple interfaces of a network. The device may determine an identity associated with the UE or the traffic on the multiple interfaces by correlating identifiers associated with the UE or the traffic across the multiple interfaces. The identity may uniquely identify a subscriber associated with the UE or the traffic. The device may determine a set of elements to be used to decipher the traffic after determining the identity associated with the UE or the traffic. The device may decipher the traffic utilizing the set of elements after determining the set of elements.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: October 24, 2023
    Assignee: VIAVI Solutions Inc.
    Inventors: Andrew Munro, Gordon Fortune, Jun Liu, Xiang Zhou, Eng Wei Koo
  • Patent number: 11799642
    Abstract: A device generates a biometric public key for an individual based on both the individual's biometric data and a secret S, in a manner that verifiably characterizes both while tending to prevent recovery of either. The biometric data has a Sparse Representation and is encoded in a manner to include a component of noise, such that it is challenging to identify which locations are actually encoded features. Accordingly, the biometric data are encoded as a vector by choosing marker at locations where features are present and, where features are not present, choosing noisy data. The noisy data may be chaff bit values selected collectively from a group of (a) random values and (b) independent and identically distributed values. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust.
    Type: Grant
    Filed: September 7, 2022
    Date of Patent: October 24, 2023
    Assignee: Badge Inc.
    Inventors: Charles H. Herder, III, Tina P. Srivastava
  • Patent number: 11799663
    Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: October 24, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventors: James W. Fahrny, Kyong Park
  • Patent number: 11799896
    Abstract: Various methods, apparatuses/systems, and media for implementing a vulnerability management module are provided. A receiver receives a request for dynamically scanning vulnerability of a target computing device based on testable vulnerability criteria extracted from a database. A processor dynamically executes the testable vulnerability criteria from the SCCM based on the received request; creates a static SCCM advertisement with a dynamic pre/post validation check capability based on a result of the dynamically executing the testable vulnerability criteria; reports a success or a failure of the static SCCM advertisement related to the testable vulnerability criteria to indicate whether a vulnerability exists within the target computing device; and automatically remediates the vulnerability when it is determined that the vulnerability exists within the target computing device.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: October 24, 2023
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Andrew J. Mullin, Hai Van Nguyen, Binh Nguyen, Jason S. Thacker, Nicholas R. Adam
  • Patent number: 11799660
    Abstract: The method comprises a client device receiving a verification request comprising an interaction identifier. The client device can compare samplings of block headers received from two or more full nodes. The client device can then, based on the comparing, verify at least one block header of the samplings of block headers. The client device can determine that a blockchain maintained by at least one of the two or more full nodes is valid in response to verifying the at least one block header of the samplings of block headers.
    Type: Grant
    Filed: September 29, 2021
    Date of Patent: October 24, 2023
    Assignee: Visa International Service Association
    Inventors: Mahdi Zamani, Lucianna Kiffer, Karl Benedikt Bunz, Loi Luu
  • Patent number: 11792611
    Abstract: Systems and methods are provided for secure messaging with constrained user actions. An example method includes causing presentation of an interactive user interface, the interactive user interface enabling messaging with end users, each end user being associated with a respective phone number. Selection of a particular end user is received via the interaction user interface and the interactive user interface is updated to include a selectable option which triggers transmission of a standardized consent message to a particular phone number associated with the particular end user. User input is received which indicates receipt of externally provided affirmative consent. The interactive user interface is updated, with the updated interactive user interface including an input portion configured to receive arbitrary information for transmission to the particular phone number.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: October 17, 2023
    Assignee: Textline, Inc.
    Inventors: Marshall Jaquish, Jordan Gadapee, Randall Berg, Mark Lilien
  • Patent number: 11792160
    Abstract: Disclosed is a high assurance unified switching device corresponding to a modular, standards-compliant extensible network switch supporting multiple security domains with data isolation of multiple data packets obtained from the multiple security domains. The device may comprise an inner layer router and an outer layer security wrapper (outer layer router). The ports on the outer layer router are configured for different security domains and assigned corresponding key pairs. The ports use the assigned key pairs for encrypting data packets prior to routing and decrypt the data after routing such that there is an isolation of data packets of different security domains. A routed packet arriving at the wrong port cannot be decrypted and therefore is dropped.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: October 17, 2023
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Clint Sanders, Ranga S. Ramanujan, Timothy Hartley
  • Patent number: 11792045
    Abstract: A network device employs a transmitter configured to transmit a registration request to a software defined network (SDN) controller. The network device employs a receiver to receive a reply from the SDN controller. The reply indicates a plurality of provider edge (PE) devices coupled to a carrier network. The network device employs a processor to cause the transmitter and receiver to establish a plurality of asymmetric connections to a virtual private network (VPN) operating over a wide area network (WAN) via the PE devices.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: October 17, 2023
    Assignee: Futurewei Technologies, Inc.
    Inventors: Linda Dunbar, Andrew G. Malis
  • Patent number: 11792169
    Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: October 17, 2023
    Assignee: SECTURION SYSTEMS, INC.
    Inventors: Jordan Anderson, Richard J. Takahashi, Sean Little, Lee Noehring
  • Patent number: 11792173
    Abstract: An implementation of the present application provides a computer-implemented method to increase the security of a blockchain-implemented transaction, the transaction including participation from a plurality of participating nodes, each participating node participating as a message originator, selector, and propagator. The method, implemented at a participating node, includes: receiving ciphertext from a prior node and determining whether the participating node is a selector node for said ciphertext received from the prior node. When the participating node is the selector node for said ciphertext, the method includes selecting a subset of said ciphertext, decrypting the selected subset of said ciphertext to provide opted ciphertext and transmitting said opted ciphertext to the next node. When the participating node is other than the selector node for said ciphertext, the method includes decrypting said ciphertext received from the prior node and transmitting the decrypted ciphertext to the next node.
    Type: Grant
    Filed: January 6, 2022
    Date of Patent: October 17, 2023
    Assignee: nChain Licensing AG
    Inventors: Silvia Bartolucci, Pauline Bernat, Daniel Joseph, Craig Steven Wright
  • Patent number: 11782744
    Abstract: A data processing system has a processor, a system memory, and a hypervisor. The system memory stores program code and data in a plurality of memory pages. The hypervisor controls SLAT (second level address translation) read, write, and execute access rights of the plurality of memory pages. A portion of the plurality of memory pages are classified as being in a secure enclave portion of the system memory and a portion is classified as being in an unsecure memory area. The portion of the memory pages classified in the secure enclave is encrypted and a hash is generated for each of the memory pages. During an access of a memory page, the hypervisor determines if the accessed memory page is in the secure enclave or in the unsecure memory area based on the hash. In another embodiment, a method for accessing a memory page in the secure enclave is provided.
    Type: Grant
    Filed: October 8, 2020
    Date of Patent: October 10, 2023
    Assignee: NXP B.V.
    Inventors: Jan Hoogerbrugge, Wilhelmus Petrus Adrianus Johannus Michiels
  • Patent number: 11784980
    Abstract: A proxy system is installed on a computing device that is in the network path between the device and the Internet. The proxy system, residing on the computing device, decrypts and inspects all traffic going in and out of the computing device.
    Type: Grant
    Filed: July 12, 2022
    Date of Patent: October 10, 2023
    Assignee: Bitglass, LLC
    Inventors: Anurag Kahol, Anoop Kumar Bhattacharjya, Balas Natarajan Kausik, Siva Saran Kumar Kollipara
  • Patent number: 11775692
    Abstract: In one embodiment, a computer-implemented method of a data processing (DP) accelerator encrypting or decrypting input data can include receiving, from a host device, a command, the input data, and a kernel. The kernel can be an encryption kernel, or a decryption kernel, and the DP accelerator need not know which kernel it has received. The DP accelerator runs the received kernel. In response to the DP accelerator receiving the command, the DP accelerator performs encrypting of the input data using the kernel, if the received kernel is an encryption kernel, otherwise, decrypting the input data using the kernel. The encrypted, or decrypted, input data is then provided to the host device.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: October 3, 2023
    Assignees: BAIDU USA LLC, KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
    Inventors: Yong Liu, Yueqiang Cheng
  • Patent number: 11777807
    Abstract: A set of identifying elements of a first network is determined from a set of data. For each identifying element of the set of identifying elements, a first frequency at which the identifying element is associated with a first set of systems connected to the first network is determined, and a second frequency at which the identifying element is associated with a second set of systems of other networks accessible via the Internet is determined. It is determined if each identifying element is associated with the first set of systems at a greater frequency than with the second set of systems based, at least in part, on the first frequency and the second frequency. If an identifying element is associated with the first set of systems at a greater frequency than with the second set of systems, the identifying element is indicated as a fingerprint of the first network.
    Type: Grant
    Filed: June 3, 2021
    Date of Patent: October 3, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Timothy Junio, Matthew Kraning
  • Patent number: 11778016
    Abstract: A terminal device transmits, upon a launch of an application frontend of a distributed application, a lookup request based on a predetermined fully qualified domain name associated with an application backend of the distributed application to a domain name server via a communication network. Upon receipt of the fully qualified domain name, the domain name server transmits an IP address associated with the fully qualified domain name to the application frontend. Upon receipt of the IP address, the terminal device transmits application data to the transmitted IP address via a connection provided by the communication network. Upon transmission of the application data, the core server selects a quality service for the distributed application, which is then applied by the communication network for operation of the distributed application.
    Type: Grant
    Filed: June 14, 2022
    Date of Patent: October 3, 2023
    Assignee: DEUTSCHE TELEKOM AG
    Inventor: Dominik Schnieders
  • Patent number: 11777737
    Abstract: Trusted client security factor-based authorizations at a server. The techniques allow the server to authorize client requested operations to access a protected resource or service based on trusted client security factors that are obtained at client machines and provided to the server.
    Type: Grant
    Filed: April 9, 2021
    Date of Patent: October 3, 2023
    Assignee: Oracle International Corporation
    Inventors: Scott Gaetjen, Patrick F. Sack, William Maroulis, Matthew S. Piermarini
  • Patent number: 11770704
    Abstract: Typically, when a user switches sessions between devices, the user authenticates the sessions by providing user account information, password, and/or pin code input or other credentials. However, when the user is frequently switching sessions between devices, authenticating sessions may result in the user reducing or even stopping switching across mobile devices. Systems and methods according to this disclosure provide automatic session roaming across mobile devices using proximity authentication. Upon detecting an indication to initiate session roaming, the source device automatically roams the session on the source device to a target device based on a proximity of the source device to the target device. The session is handed off from the source device to the target device as an authenticated user session.
    Type: Grant
    Filed: June 3, 2021
    Date of Patent: September 26, 2023
    Assignee: Citrix Systems, Inc.
    Inventors: Daowen Wei, Jian Ding, Hengbo Wang
  • Patent number: 11770367
    Abstract: According to an embodiment, there is provided a security method of XML web document, and in particular, a method of encrypting a tag set by a user when generating an XML document to display data contents of the encrypted tag as a web document. The security method of XML web document includes setting, by the processor, an encryption tag to be encrypted according to setting of a user; generating, by the processor, an XML document including the encryption tag based on data input by the user; retrieving, by the processor, the set encryption tag of the XML document; and generating, by the processor, an encrypted text for data corresponding to the encryption tag and outputting the encrypted text on a View window, and a plain tag format and the encryption tag format are maintained as they are and displayed on the View window, and only the data corresponding to the encryption tag is displayed on the View window as the generated encrypted text.
    Type: Grant
    Filed: April 27, 2021
    Date of Patent: September 26, 2023
    Assignee: 3KSOFT
    Inventor: Young Kun Kim
  • Patent number: 11770368
    Abstract: Techniques for sharing private data objects in a trusted execution environment using a distributed ledger are described. The techniques described herein may enable sharing of data objects, referred to herein as private data objects (PDOs), between individuals and organizations with access and update policies mediated by execution of code (referred to herein as a “smart contract”) carried with the PDO in a secure enclave. A distributed ledger may serve as a “public commit log” to ensure that there is a single, authoritative instance of the object and provide a means of guaranteeing atomicity of updates across interacting objects.
    Type: Grant
    Filed: February 22, 2022
    Date of Patent: September 26, 2023
    Assignee: Intel Corporation
    Inventors: Mic Bowman, Andrea Miele, James P. Held, Anand Rajan
  • Patent number: 11765593
    Abstract: A Multi-Access Edge Compute (MEC) system includes a plurality of compute resources including one or more processors configured to implement services; wherein the services include any of edge services, routing functions, and hosted services; and wherein the services further include cloud-based security services implemented in the MEC in conjunction with a cloud-based security system that includes a plurality of nodes and offers multi-tenant cloud-based security services, and wherein the cloud-based security services implemented in the MEC are for subscribers of a service provider associated with the MEC.
    Type: Grant
    Filed: July 9, 2021
    Date of Patent: September 19, 2023
    Assignee: Zscaler, Inc.
    Inventors: Nathan Howe, Kenneth B. Urquhart
  • Patent number: 11757644
    Abstract: A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (g^a), the second value (g^a) generated based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (m_i) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (m_i); generate, with the payment network, a public key (pk_i) based on the second value (g^a), the merchant product (M), and the random merchant number (m_i) and a random key (rk_i) based on the merchant product (M) and the random merchant number (m_i) for each respective merchant bank; and communicate, with the payment network, the public key (pk_i) and the random key (rk_i) to at least one respective merchant bank.
    Type: Grant
    Filed: April 29, 2022
    Date of Patent: September 12, 2023
    Assignee: Visa International Service Association
    Inventors: Sivanarayana Gaddam, Gaven James Watson, Rohit Sinha, Atul Luykx
  • Patent number: 11755707
    Abstract: Systems and methods relating to alerting users as to user information to be exchanged during transactions. A user information system (UIS) information circuit and an associated user information database populates an account with user information received from at least one of the user and a plurality of entities. A user information request relating to a transaction is received from an entity computing system associated with an entity over a network via a network interface circuit. A security circuit sends an alert comprising an approval request containing an identification of user information requested in the user information request to a user computing device associated with the user over the network. The security circuit receives an approval of the approval request from the user computing device, and the UIS information circuit provides the approved information to the entity to complete the transaction.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: September 12, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Venu Andra, Balinder Mangat, Tabari D. Williams
  • Patent number: 11748791
    Abstract: An apparatus for segmented processing of order management system data is described herein. The apparatus generally includes: a front end interface that is operative to receive unencrypted payment information and unencrypted personal information relating to at least one customer order and return encrypted payment information and encrypted personal information relating to the at least one customer order; a middle tier interface that is operative to receive encrypted payment information and encrypted personal information relating to at least one customer order and return decrypted personal information only; and/or a back end interface that is operative to receive encrypted payment information and encrypted personal information relating to at least one customer order and return decrypted payment information and decrypted personal information relating to the at least one customer order.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: September 5, 2023
    Assignee: CardinalCommerce Corporation
    Inventor: Adam Ratica
  • Patent number: 11750561
    Abstract: A system and method for providing secure access to an organization's internal directory service from external hosted services. The system includes a remote directory service configured to accept directory service queries from an application running on hosted services. The remote directory service passes the queries to a directory service proxy server inside a firewall of the organization via a secure connection service. The directory service proxy server passes the queries to the internal directory service inside said firewall. Request responses from the internal directory service pass through the directory service proxy server to the remote directory service through said firewall via the secure connection service. The remote directory service returns the response to the requesting application.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: September 5, 2023
    Assignee: DELINEA INC.
    Inventors: Paul Moore, Nathaniel Wayne Yocom
  • Patent number: 11748470
    Abstract: A method of enhancing travel security features associated with a mobile device is provided. The method may include operating a time clock to store a start device confiscation time in a memory and to store an end device confiscation time in the memory, monitoring the mobile device to detect tampering occurring between the start device confiscation time and the end device confiscation time, and in response to the detecting of tampering, prompting the user for a secure identifier. Upon receipt of the secure identifier, the method may include opening a secure i/o pathway to a re-image file. The secure i/o pathway preferably enables execution of an executable re-image file. The re-image file may be used to re-image a software image of the mobile device. The re-image file may contain a pre-tampered image of the mobile device.
    Type: Grant
    Filed: April 7, 2022
    Date of Patent: September 5, 2023
    Assignee: Bank of America Corporation
    Inventors: Vijaya L. Vemireddy, Brandon Sloane, Harvey Summers, Eileen D. Bridges
  • Patent number: 11750389
    Abstract: A system, method, and computer program product are provided for implementing hardware backed symmetric operations for password based authentication. In operation, a system receives a request to access software utilizing password-based authentication. Further, the system receives a password for the password-based authentication. The system computes a hash utilizing the password and a hardware-based authenticator associated with hardware of the system utilizing hardware backed symmetric encryption. Moreover, the system verifies that the hash computed utilizing the password and the hardware-based authenticator is correct for accessing the software.
    Type: Grant
    Filed: September 24, 2021
    Date of Patent: September 5, 2023
    Assignee: DIGITAL 14 LLC
    Inventors: Michael Matovsky, Ravi Singh, Alexander Sherkin
  • Patent number: 11750571
    Abstract: In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: September 5, 2023
    Assignee: SECTURION SYSTEMS, INC.
    Inventor: Richard J. Takahashi
  • Patent number: 11743256
    Abstract: A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determination is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised, an extension of the session between the authenticated user on the client and the web server system is caused.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: August 29, 2023
    Assignee: SHAPE SECURITY, INC.
    Inventors: Mengmeng Chen, Sumit Agarwal, Yao Zhao
  • Patent number: 11743265
    Abstract: A method and a system for modifying network connection access rules using multi factor authentication (MFA) are provided herein. The method may include the following steps: receiving, at a computer network, an access request from a client device; retrieving a user identification data associated with said client device; presenting a message over said client device, wherein the message contains details associated with said access request; responsive to the user confirmation of said details, initiating an MFA process, wherein the MFA process comprises presenting an authentication message over the client device; and only in a case that the user has been authenticated by the MFA process, establishing the requested connection access.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: August 29, 2023
    Assignee: ZERO NETWORKS LTD.
    Inventors: Benny Lakunishok, Gil David, Yossef Jossef Harush
  • Patent number: 11736295
    Abstract: A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (g^a), the second value (g^a) based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (m_i) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (m_i); generate, with the payment network, a public key (pk_i) based on the second value (g^a), the merchant product (M), and the random merchant number (m_i) and a random key (rk_i) based on the merchant product (M) and the random merchant number (m_i) for each respective merchant bank; and communicate, with the payment network, the public key (pk_i) and the random key (rk_i) to at least one respective merchant bank.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: August 22, 2023
    Assignee: Visa International Service Association
    Inventors: Sivanarayana Gaddam, Gaven James Watson, Rohit Sinha, Pratyay Mukherjee
  • Patent number: 11736274
    Abstract: A terminal device may, in a case where a first type of related information including a public key is obtained due to a first type of communication device outputting the first type of related information, send first connection information to the first type of communication device. The first type of communication device may be capable of executing a wireless communication complying with a predetermined rule of Wi-Fi scheme. The terminal device may, in a case where a second type of related information different from the first type of related information is obtained due to a second type of communication device outputting the second type of related information, send second connection information to the second type of communication device. The second type of communication device may be incapable of executing a wireless communication complying with the predetermined rule.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: August 22, 2023
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Ryoya Tsuji
  • Patent number: 11736370
    Abstract: A field data transmission method comprises: a cloud platform determining at least one first device operation index to be obtained via data analysis. For each first device operation index, the cloud platform generates control information for the first device operation index. The control information is used to determine a primary edge controller from among at least one edge controller, wherein the primary edge controller is used to send first field data to the cloud platform, the first field data is used for data analysis by the cloud platform to obtain the first device operation index, and the first field data is obtained by the primary edge controller preprocessing second field data. The cloud platform sends each piece of control information to each edge controller, respectively. The cloud platform receives first field data from each primary edge controller, respectively.
    Type: Grant
    Filed: August 1, 2019
    Date of Patent: August 22, 2023
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Li Wang, Hai Tao Zhang, Wen Jing Zhou, He Yu, Wei Sun
  • Patent number: 11736451
    Abstract: A computer-implemented method of transmitting messages within a mesh network comprises: receiving at a first node included within the mesh network a network message that is to be broadcast within the mesh network; determining a security key type based on at least one of a resource parameter associated with at least one neighbor node included in the mesh network or an attribute of the network message; securing the network message with a security key of the security key type to generate a secured network message; and broadcasting the secured network message to one or more other nodes included in the mesh network that are directly connected to the first node.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: August 22, 2023
    Assignee: ITRON, INC.
    Inventors: Kalvinder Pal Singh, Darin Byron Johnson, Zoltan Peter Kiss
  • Patent number: 11729042
    Abstract: An Internet Protocol Security (IPsec) acceleration method includes generating, by an Internet Key Exchange (IKE) device, an IKE link establishment session packet according to an IPSec configuration parameter and a security policy in a security policy database (SPD), sending, by the IKE device, the IKE link establishment session packet to a peer device, establishing a security association (SA) with the peer device, and sending, by the IKE module, the SA to a data forwarding device, where the IKE device and the data forwarding device are discrete devices.
    Type: Grant
    Filed: June 18, 2021
    Date of Patent: August 15, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yuming Xie, Xinyu Hu, Yuping Zhao, Fan Yang
  • Patent number: 11729153
    Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.
    Type: Grant
    Filed: August 15, 2021
    Date of Patent: August 15, 2023
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Ly Loi, Anirban Sengupta, Yong Wang, Mike Parsa
  • Patent number: 11726890
    Abstract: Systems and methods detect and prevent changes in business applications that modify their state to non-secure and/or non-compliant. A system may include a processor set up to perform: defining a compliant state of a computer software configuration, monitoring a state of the computer software configuration, detecting a change in the state of the computer software configuration, wherein the change causes a changed state, and comparing the compliant state and the changed state, wherein if the changed state conflicts with the compliant state, stopping the change.
    Type: Grant
    Filed: August 9, 2022
    Date of Patent: August 15, 2023
    Assignee: Onapsis, Inc.
    Inventors: Sergio Javier Abraham, Juan Pablo Perez Etchegoyen, Alejandro Exequiel Becerra, Laura Soledad Cabrera, Erika Maria Sanchez Solis
  • Patent number: 11727126
    Abstract: A method and service to encrypt data at rest on disks that are managed by a container orchestrator (CO) using a container storage interface (CSI). The method and service including intercepting a request transferred from a CO to a CSI plugin and sending the intercepted request to an encryption proxy plugin. The method and service also including examining the request to determine if encryption is needed. In response to encryption being needed, performing encryption on the volume. The method and service also transferring the intercepted request to the container storage interface plugin.
    Type: Grant
    Filed: April 8, 2020
    Date of Patent: August 15, 2023
    Assignee: Avaya Management L.P.
    Inventors: Prasanna Kulkarni, Nayana Teja Avatapalli
  • Patent number: 11727013
    Abstract: Hybrid tables can be used in different use-case scenarios. Hybrid tables provide a flexible mechanism to support files and data in different formats while providing access to the different types of data as part of one table. This flexibility can allow the use of hybrid tables in data lake or other similar environments.
    Type: Grant
    Filed: September 7, 2022
    Date of Patent: August 15, 2023
    Assignee: Snowflake Inc.
    Inventors: Tyler Arthur Akidau, Thierry Cruanes, Istvan Cseri, Benoit Dageville, Tyler Jones, Dinesh Chandrakant Kulkarni
  • Patent number: 11720890
    Abstract: Examples herein involve authorization of use of cryptographic keys based on cryptocurrency payments. An example method includes analyzing a request for a cryptographic key of a key server where the request may be received from a requesting device and the cryptographic key is used to decrypt or encrypt a message of the request, and authorizing use of the cryptographic key to decrypt or encrypt the message based on a balance in a cryptocurrency wallet associated with the request.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: August 8, 2023
    Assignee: Micro Focus LLC
    Inventors: Jesse Mundis, Joshua Lubliner
  • Patent number: 11720682
    Abstract: Systems and methods for bare-metal or pre-boot user-machine authentication, binding, and entitlement provisioning are described. In some embodiments, a method may include: receiving, at a first portal managed by a manufacturer of an Information Handling System (IHS): (i) user credentials associated with a user of the IHS, and (ii) device identification associated with the IHS before the IHS is shipped to the user; selecting a customer of the manufacturer associated with the device identification; forwarding an indication of the user credentials to a second portal managed by the customer; and, in response to the second portal having successfully authenticated the user, establishing an identity session with the second portal; receiving, from the IHS, a request to initiate an entitlement sequence.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: August 8, 2023
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Joseph Kozlowski, Charles D. Robison, David Konetski, Nicholas D. Grobelny
  • Patent number: 11711381
    Abstract: A computer-implemented method to automatically identify hotspots in a network graph. The method includes receiving, by a processor, input data, wherein the input data includes a plurality of messages, each message containing a set of message data. The method further includes generating, by a pattern detector, and based on the input data, a network graph, wherein the network graph includes a plurality of nodes. The method also includes determining a first risk indicator for each of the plurality of nodes. The method includes assigning a first weight to the first risk indicator for each of the plurality of nodes. The method further includes identifying a first hotspot in the plurality of nodes, wherein the first hotspot is based on the first weight of the first risk indicator of a first node. The method also includes outputting, by a network interface, the first hotspot and the network graph.
    Type: Grant
    Filed: October 29, 2020
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Srinivasan S. Muthuswamy, Subhendu Das, Mukesh Kumar, Yi-Hui Ma
  • Patent number: 11704764
    Abstract: The invention provides a method and system for generating a watermark on the basis of graphic, a terminal, and a medium. The method includes acquiring a watermark image and at least one watermark unit image; acquiring watermark encryption information; determining the distribution information of the watermark unit images in the watermark image according to the watermark encryption information and a preset encryption model, the distribution information comprising imaging regions of the watermark unit images in the watermark image; and overlaying each watermark unit image into a corresponding imaging region in the watermark image to generate the watermark. The watermark encryption information has a one-to-one corresponding relationship with the distribution information of the watermark unit images in the watermark image, and the corresponding relationship can be defined by a user so that others cannot crack the watermark without knowing the encryption model, thereby improving the watermark cracking difficulty.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: July 18, 2023
    Assignee: SHENZHEN LEAGSOFT TECHNOLOGY CO, LTD.
    Inventors: Huarong He, Shuangjun Zhang, Zhi Wang
  • Patent number: 11699168
    Abstract: A system and method for providing and synthesizing data for publishers operating in the connected television ecosystem. Data from third party reporting platforms may be combined to present a unified view. Audience engagement may be measured, observed, and combined in a novel manner, providing unique insights to users.
    Type: Grant
    Filed: April 20, 2022
    Date of Patent: July 11, 2023
    Assignee: WAVEFRONT SOFTWARE, LLC
    Inventors: Andrew Castin, Lou Giocondo, Scott Portugal
  • Patent number: 11695682
    Abstract: Systems, methods, and computer-readable media including software logic are provided for optimizing Border Gateway Protocol (BGP) traffic in a telecommunications network. In one embodiment, systems and methods include, with a current state of one or more inter-Autonomous Systems (AS) links, causing performance of an action in the telecommunication network, determining a metric based on the action to determine an updated current state of the one or more inter-AS links, and utilizing the metric to perform a further action to achieve one or more rewards associated with the one or more inter-AS links.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: July 4, 2023
    Assignee: Ciena Corporation
    Inventors: Cengiz Alaettinoglu, Shelley A. Bhalla, Emil Janulewicz, Thomas Triplet, David Côté
  • Patent number: 11693578
    Abstract: A storage device for providing data storage services to a source host and a destination host includes persistent storage and a controller. The controller obtains a handoff initiation request for a handoff of storage resources of the persistent storage allocated to the source host, the handoff initiation request specifies that the storage resource is to be handed off to the destination host; in response to obtaining the handoff initiation request: quiesces the storage resource; terminates use of the storage resource by the source host after quiescing the storage resource; after terminating the use of the storage resource by the source host, connects the destination host to the storage resource; and after connecting the destination host to the storage resource, enables use of the storage resource by the destination host.
    Type: Grant
    Filed: February 11, 2022
    Date of Patent: July 4, 2023
    Assignee: iodyne, LLC
    Inventors: Michael W. Shapiro, Jeffrey Paul Ferreira
  • Patent number: 11695768
    Abstract: Disclosed herein are embodiments of systems and methods for locally conducting delegated authentication at edge nodes. In an embodiment, an edge node of a managed network receives, from an authentication system, authentication information for a user. The edge node stores the authentication information. The edge node receives, from a user device associated with the user, an authentication request that includes presented authentication information. The edge node determines whether one or more authentication criteria are met for the authentication request, and if so performs a set of authenticating operations. The one or more authentication criteria includes the presented authentication information matching the stored authentication information. The set of authenticating operations includes authenticating the user with respect to the managed network, as well as establishing an authenticated session for the user at the edge node.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: July 4, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ramanathan Ramanathan, Chris Theodore Kalaboukis, Rameshchandra Bhaskar Ketharaju, Andres J. Saenz, Andrew J. Garner, IV, Abhijit Rao, Joon Maeng
  • Patent number: 11689517
    Abstract: Methods and supporting systems for managing secure communications and establishing authenticated communications between processes of a computer application operating across network domains are provided. Authentication agents operate on servers hosting application processes, wherein each authentication agent has access to policies related to each of the application processes. An authentication agent operating on an originating server intercepts transmissions from an originating application processes and appends a trust profile associated with the originating application process. The transmission is released to a receiving server, where it is intercepted and validated at the receiving server by a second authentication agent on the receiving server.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: June 27, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Dimitri Styliadis, Satyam Sinha
  • Patent number: 11689421
    Abstract: Examples described herein relate to the selection of virtual private network profiles. A device obtains VPN metrics associated with a plurality of VPN server nodes and monitors device usage metrics. The device is configured with a first VPN profile, which indicates that a first VPN tunnel connection is associated with a first VPN server node from the plurality of VPN server nodes. The device determines a latency associated with each of the plurality of VPN server nodes based on the VPN metrics and the device usage metrics. A second VPN server node associated with a least latency among the plurality of VPN server nodes is selected. A second VPN tunnel connection associated with the second VPN server node is determined based on the device usage metrics. A second VPN profile indicating that the second VPN tunnel connection is associated with the second VPN server node is displayed as a recommendation to a user.
    Type: Grant
    Filed: August 19, 2021
    Date of Patent: June 27, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Brundha Srinivasa Vanajakshi, Avanika Agarwal
  • Patent number: 11687633
    Abstract: Access authentication in an artificial intelligence system includes perceiving electronically with a first user's artificial intelligence voice response system (AIVRS) a physical presence of a second user. A voice request is generated by the first user's AIVRS and conveyed to a second user requesting access to a knowledge corpus stored by an AIVRS of the second user. Based on a voice response of the second user, the first user's AIVRS instantiates an electronic communications session with the second user's AIVRS. The session is initiated via an electronic communications connection with a portable device of the second user. Selected portions of the knowledge corpus are retrieved by the first user's AIVRS from the second user's AIVRS, the portions selected based on the voice response. An action by one or more IoT devices is initiated in response to a voice prompt interpreted by the first user's AIVRS based on the selected portions.
    Type: Grant
    Filed: November 5, 2020
    Date of Patent: June 27, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Shikhar Kwatra, Christopher J. Hardee, Sarbajit K. Rakshit, Gurneet Kaur
  • Patent number: 11681568
    Abstract: Some embodiments provide a method for authorizing application programming interface (API) calls on a host computer in a local cluster of computers. The method is performed in some embodiments by an API-authorizing agent executing on the host computer in the local computer cluster. From a remote cluster of computers, the method receives (1) a set of API-authorizing policies to evaluate in order to determine whether API calls to an application executing on the host computer are authorized, and (2) a set of parameters needed for evaluating the policies. With the remote cluster of computers, the method registers for notifications regarding updates to the set of parameters. The method then receives notifications, from the remote cluster, regarding an update to the set of parameters, and modifies the set of parameters based on the update.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: June 20, 2023
    Assignee: STYRA, INC.
    Inventors: Timothy L. Hinrichs, Teemu Koponen, Torin Sandall