Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: A computer system controls access to data. A secure container that is based on an image file is instantiated at an endpoint device of a user, wherein the secure container includes encrypted data corresponding to the user. An access request to the secure container is authenticated by verifying credentials of the user. In response to verifying the credentials of the user, access to the data is granted. Access to the data is controlled by decrypting and enabling access to a portion of the data, wherein additional portions of the data are decrypted and made accessible based on user behavior.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which memory devices are configured to provide row clear features. In some embodiments, the memory device may receive a command from a host device directed to a row of a memory array included in the memory device. The memory device may determine that the command is directed to two or more columns associated with the row, where each column is coupled with a group of memory cells. The memory device may activate the row to write the two or more columns using a set of predetermined data stored in a register of the memory device. Subsequently, the memory device may deactivate the word line based on writing the set of predetermined data to the two or more columns.

Abstract: In response to determining that the authentication function operating on the authentication node on a network is not responsive, a re-direct message may be communicated to at least one edge device on the network that requests of the authentication function on the authentication node be re-directed to a different authentication node.

Abstract: Improved tools and techniques for generating stateful rules for behavior-based threat detection enable threat analysts, who do not have advanced computer programming skills, to quickly and easily generate high-level representations of stateful behavioral rules, which are then compiled into a format suitable for execution by a stateful rule processing engine. In some examples, the high-level representations of stateful rules are coded in a high-level, domain specific language (DSL). The DSL may provide high-level primitives suitable for (1) expressing sequences of attack behaviors, (2) tagging computational entities (e.g., threads, processes, applications, systems, users, etc.) with states (e.g., user-defined states), and/or (3) performing operations on endpoint nodes (e.g., reporting activity, blocking activity, terminating processes, etc.).

Abstract: A method, system, and computer-readable memory containing instructions include receiving a DNS request containing authentication information, validating the authentication information, determining an appropriate action to take based on the validating status, and taking the appropriate action. Actions may include responding with an individualized network layer address or service location address, delaying sending a response message, sending a network layer address or service location address corresponding to a site containing authentication information, and sending a response with a network layer address or service location address with a web address configured to mimic the website related to the requested resource.

Abstract: A computer-implemented method is disclosed.

Abstract: Various embodiments of the present technology generally relate to authentication. More specifically, some embodiments relate to systems and methods for mobile application infrastructure and framework for application authentication. Currently, methods and systems for authentication are not flexible or dynamic and over-authentication has become a solution because it is cheap and easy. In contrast, in accordance with some embodiments of this application, the methods and systems can analyze authentication challenges and non-authentication challenges received from a server over a network in a client side infrastructure. The client side infrastructure can determine a customized, flexible, and dynamic plan for responding to authentication challenges in manner that avoids over-authentication on the client side.

Abstract: Various embodiments enable broadcast communications security. Various embodiments enable the authentication of broadcast communications. Various embodiments may enable asymmetric authentication and integrity protection of small size messages, such as one or more signed messages totaling a length of 250 bytes or less. Various embodiments may support cryptographic signing of beacon type messages using certificates. Various embodiments may include generating a beacon type message, cryptographically signing the beacon type message at least in part using a certificate to generate a signed beacon message, and sending the signed beacon type message in one or more broadcast transmissions in conjunction with, or independently of, certificate information used to verify the signed beacon message.

Abstract: A system may receive first level authentication data from a first user, authorize first level access to a secure device, and transmit a push notification including a second factor authentication key to a first user device responsive to first factor authentication data matching stored authentication data for the first user. The system may receive a wireless communication from the first user device attenuated by one or more beam attenuating materials to form a first attenuated beam profile. In response to a match of the first attenuated beam profile to a stored beam profile beyond a predetermined threshold, the system may associate the second factor authentication key as an authorized login credential for the first user. The system may receive the second factor authentication key from the first user and authorize the second factor authentication data to grant the first user second level access to the secure device.

Abstract: In an embodiment, a communication method, using OFDM (Orthogonal Frequency Division Multiplexing), comprises transmitting and receiving packets between a first node and at least one second node, where each packet comprises a preamble and payload data. The method, performed by the first node, may comprise receiving packets from the at least one second node, and authenticating the at least one second node based on physical layer characteristics, i.e., on CSI (Channel State Information). The authenticating may be based on a plurality of preambles, which are extracted from a group of consecutively received packets.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Machine learning in an artificial pancreas is described. An artificial pancreas system may include a wearable glucose monitoring device, an insulin delivery system, and a computing device. Broadly speaking, the wearable glucose monitoring device provides glucose measurements of a person continuously. The artificial pancreas algorithm, which may be implemented at the computing device, determines doses of insulin to deliver to the person based on a variety of aspects for the purpose of maintaining the person's glucose within a target range, as indicated by those glucose measurements. The insulin delivery system then delivers those determined doses to the person. As the artificial pancreas algorithm determines insulin doses for the person over time and effectiveness of the insulin doses to maintain the person's glucose level in the target range is observed, an underlying model of the artificial pancreas algorithm may be updated to better determine insulin doses.

Abstract: Systems arid methods for implementing client-side load balancing for remote application servers. An example method comprises receiving, by a publishing server, an application server status information reflecting computing resource utilization by each application server of a plurality of application servers; receiving a request initiated by a client computing device to access a published application executable by at least a subset of the plurality of application servers; and responsive to determining that a load metric reflecting performance of the publishing server exceeds a threshold value, transmitting an instruction to the client computing device to perform client-side load balancing using a snapshot of the application server status information to select an application server of the subset of the plurality of application servers.

Abstract: The present disclosure includes methods, devises and systems for preparing and installing one or more application keys owned by application owners in a remote device. The present disclosure further proposes methods, devices and systems for secure installation of subsequent application keys on a device utilising corresponding key derivation functions to associate an application with a respective policy and identifier using significantly Imv bandwidth for transfer of keys for execution of the respective application on the device.

Abstract: An information obtaining method and an apparatus are disclosed. The method includes: sending a first initial NAS message including a non-cleartext information element protected using a first root key from a terminal to a source mobility management network element; receiving a second root key and first indication information from the source mobility management network element, where the first indication information indicates that the second root key is an updated key; sending second indication information and third indication information to the terminal based on the first indication information, where the second indication information indicates the terminal to update the first root key stored by the terminal to obtain the second root key, and the third indication information indicates the terminal to resend the initial NAS message; and receiving a second initial NAS message including the non-cleartext information element protected using the second root key from the terminal.

Abstract: A method for providing a user identity based on zero-knowledge proof over a blockchain network by using a user certificate is provided. The method includes steps of: an address abstraction smart contract (a) instructing the user terminal which made a user identity generating request to generate the user identity corresponding to the user certificate issued from a certification authority and generate a user identity proof by using user identity verifying parameters, the user identity, the user certificate and a certification authority public key, to thereby prove that the user identity is generated from the user certificate issued by the certification authority; and (b) upon receiving a user identity registering request from the user terminal, (i) verifying the user identity proof by using the user identity verifying parameters, the user identity, the certification authority public key and the user identity proof and (ii) registering the user identity upon successful verification.

Abstract: A computer-implemented method of generating a share of a digital signature of a message, wherein a threshold number of different signature shares from respective participants of a group of participants are required to generate the digital signature, wherein each participant has a respective private key share, the method being performed by a first one of the participants and comprising: generating a first message-independent component and a first message-dependent component, wherein the message-independent component is generated based on a first private key share and wherein the message-dependent component is generated based on the message; causing the first message-independent component to be made available to a coordinator; and causing a first signature share to be made available to the coordinator for generating the signature based on at least the threshold number of signature shares, wherein the first signature share comprises at least the message-dependent component.

Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requesting by a monitored activity of the one or more activities.

Abstract: In one embodiment, distributed data storage systems and methods integrate a change tracking manager with scalable databases. According to one embodiment, a computer implemented method comprises integrating change tracking of storage objects into the distributed object storage database that includes a first database of a first type and one or more chapter databases of a second type with the distributed object storage database supporting a primary lookup index and a secondary lookup index in order to locate a storage object. The method includes recording in a header of a chapter database a network topology for connecting a bucket having the chapter database to a first peer bucket when a new mirror to the first peer bucket is being established, and recording a first directive into the header of the chapter database to express a type of content to be mirrored from the bucket to the first peer bucket.

Abstract: Systems and methods for application identification in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor and memory configured to store an application, a session manager, an application identifier, and at least one shared library, and the processor is configured by the session manager to communicate the application identifier and the application identifier data to an authentication server and permit the execution of the application in response to authentication of the application by the authentication server.

Abstract: Row-level security (RLS) may provide fine-grained access control based on flexible, user-defined access policies to databases, tables, objects, and other data structures. A RLS policy may be an entity or object that defines rules for row access. A RLS policy may be decoupled or independent from any specific table. This allows more robust and flexible control. A RLS policy may then be attached to one or more tables. The RLS policy may include a Boolean-valued expression.

Abstract: An input unit receives an input of data, as learning purpose data and determination target data, in which requests made to a server by a user are represented in a time series. Then, a shaping unit shapes the received data. A classifying unit classifies the shaped data for each user who made the requests. Then, a learning unit extracts, from the classified learning purpose data, consecutive n requests as feature values of the learning purpose data, performs learning by using the feature values of the learning purpose data, and creates a profile for each user. A determination unit extracts, from the classified determination target data, consecutive n requests as feature values of the determination target data and performs determination of the determination target data based on the feature values of the determination target data and based on the profiles created by the learning unit.

Abstract: Provided is a method for automatically registering a user on a field device for the purpose of administering the field device, including a) providing user information on the basis of an identity of the user and an identity of the field device by a security device; b) transmitting the provided user information to a mobile device of the user; c) generating field-device-specific registration information on the basis of the transmitted user information by the mobile device; and d) registering the user on the field device by the generated registration information. This method has the particular advantage that a highly secure infrastructure can be used for administering access information for administering the field devices without problems arising during the registration process.

Abstract: Embodiments of the present systems and methods may provide techniques that provide dynamic groups and attribute-based access control (ABAC) model (referred as CV-ABACG) to secure communication, data exchange and resource access in smart vehicles ecosystems. In embodiments, the model not only considers system wide attributes-based security policies, but also takes into account individual user privacy preferences for allowing or denying service notifications, alerts, and operations to on-board resources. Embodiments of the present systems and methods may provide groups in vehicular IoT, which may be dynamically assigned to moving entities like connected cars, based on their current GPS coordinates, speed or other attributes, to ensure relevance of location and time sensitive notification services, to provide administrative benefits to manage large numbers of entities, and to enable attributes inheritance for fine-grained authorization policies.

Abstract: A cryptographic accelerator (processor) retrieves data blocks for processing from a memory. These data blocks arrive and are stored in an input buffer in the order they were stored in memory (or other known order)—typically sequentially according to memory address (i.e., in-order.) The processor waits until a certain number of data blocks are available in the input buffer and then randomly selects blocks from the input buffer for processing. This randomizes the processing order of the data blocks. The processing order of data blocks may be randomized within sets of data blocks associated with a single read transaction, or across sets of data blocks associated with multiple read transactions.

Abstract: A method includes determining a first node set and a second node set that are in a distributed database and that are separately associated with a first data table, where data in the first data table is stored in the first node set, migrating the data from the first node set to the second node set, receiving, in a process of migrating the data, a target service request for the first data table, determining, in response to the target service request, a third node set in the first node set and the second node set that is configured to respond to the target service request, and sending the target service request to a first data node in the third node set.

Abstract: An apparatus and method for generating NFTs from user-specific products and data, the apparatus including at least a processor, a memory communicatively connected to the at least processor, wherein the memory containing instructions configuring the at least processor to receive a data collection from a user, wherein the data collection comprising a plurality of user-specific data objects, assess a plurality of user categories as a function of the data collection, identify a value function as a function of the plurality of user-specific data objects and the plurality of user categories, optimize the value function to generate a ranked plurality of user-specific data objects, generate a recommendation for the NFT as a function of the ranked plurality of user-specific data objects, and generate the NFT as a function of the recommendation.

Abstract: A system and a method for secure communications over a network, the method comprising: receiving a data packet from a first device, the data packet comprising an encrypted data part and a metadata part, the metadata part comprising a cleartext part and removable metadata, the removable metadata comprising a network access code that is authenticatable by means of a network access key; validating the data packet, wherein validating the data packet comprises authenticating the network access code using the network access key; removing the removable metadata from the data packet after validating the data packet, thereby altering the data packet; and transmitting the altered data packet to a second device. The system comprises a first, a second, and a third device. The third device may comprise a receiver and a transmitter, and a validator that comprises a processor and a memory.

Abstract: Methods and systems are described. A method includes accessing a first identifier of a payment requester and a first identifier of an electronic communication from an electronic communication client that identifies a payment requester and an electronic communication, authenticating the payment requester as being registered to receive payments, if the payment requester is authenticated, automatically identifying a payment service that is registered as an approved payer, and authenticating the payment service as being approved to make payments to the payment requester. In response to a selection of a funds transfer triggering component in the electronic communication, causing a transfer of funds from the approved payment service to the payment requester.

Abstract: The present disclosure relates to a system and method for providing a service on a wearable device where the wearable device is limited in its functionality in some way when compared with a companion device. In particular, the disclosure describes use cases for configuring the wearable device, and use cases for configuring a wearable device and performing service application functions on the wearable device while leveraging a companion device.

Abstract: A system and method are provided for enhanced multi-way time transfer for time synchronization between at least one slave node and one master node. A slave node sends a first message to the master node to launch a time synchronization between the slave node and the master node. Upon receiving the first message, the master node adds a receiving time on a master clock to the first message to form a second message. The master node sends the second message back to the slave node and the slave node adds a receiving time on the slave clock to the second message to form an updated message. The slave node performs a time adjustment to the slave clock based on the updated message, thereby synchronizing time between the slave node and the master node.

Abstract: Automated techniques for converting network devices from a Layer 2 (L2) network into a Layer 3 (L3) network in a hierarchical manner are described herein. The network devices may be configured to boot such that their ports are in an initialization mode in which the ports are unable to transmit locally generated DHCP packets. When a network device detects that a neighbor (or “peer”) device has acquired an IP address or has been configured by a network controller, then the port on which the neighbor device is detected can then be transitioned from the initialization mode into a forwarding mode. In the forwarding mode, the port can be used to transmit packets to obtain an IP address. Thus, the network devices are converted from an L2 device to an L3 device in a hierarchical order such that upstream devices are discovered and converted into L3 devices before downstream devices.

Abstract: A digital certificate processing method includes: receiving a distribution request for a digital certificate, wherein the digital certificate does not contain validity period information; acquiring a verification result for the digital certificate; and according to the verification result, recording the digital certificate which has passed verification to a blockchain.

Abstract: Technologies for providing policy-based secure containers for multiple enterprise applications include a client computing device and an enterprise policy server. The client computing device sends device attribute information and a request for access to an enterprise application to the enterprise policy server. The enterprise policy server determines a device trust level based on the device attribute information and a data sensitivity level based on the enterprise application, and sends a security policy to the client computing device based on the device trust level and the data sensitivity level. The client computing device references or creates a secure container for the security policy, adds the enterprise application to the secure container, and enforces the security policy while executing the enterprise application in the secure container. Multiple enterprise applications may be added to each secure container. Other embodiments are described and claimed.

Abstract: Tracking, identifying and article management systems and methods for reliably and repeatedly determining one or more physically uncopiable attribute instances (of the same or varying types) from or inherent in an article of manufacture, using the selected physical uncopiable attribute(s) to produce an unforgeable identity for the article, and then integrating that unforgeable identity into computer-based tracking systems in a way that permits the tracking system to track and monitor articles for which identity information is known. Applications include documents, fashion accessories, artwork, and other objects.

Abstract: Methods and systems for remote, asynchronous key entry and extraction are provided. A credential device can store a first key thereon, and can store an encrypted key component. A hardware security module manages a key template including a plurality of key components. The hardware security module manages a complementary key to the first key. The key component on the credential device can be encrypted with the first key for storage on the credential device and decrypted by the complementary key at the hardware security module. Alternately, the key component can be encrypted with the complementary key and provided to the credential device for decryption at a secure system via the first key. Accordingly, a key custodian may supply or extract a key component at a hardware security module remotely and at a time convenient to that key custodian.

Abstract: The present invention may include a computing device receives a location data from a client device, wherein the client device comprises one or more location sensors to generate the location data. The computing device determines an altitude of the client device above a floor from the location data. The computing device determines an age and a height of a user using a trained neural network from the client device and the location data and assigns a wireless network channel to the client device based on the age and the height of the user.

Abstract: An intelligent subsystem coupled with a Super System on Chip (SSoC)/microprocessor, a radio transceiver, a voice processing module/voice processing algorithm, a display component, one or more camera sensors/computational cameras for three-dimensional (3-D) sensing of the surroundings, a near-field communication device, a biometric sensor, an artificial eye, a biological lab-on-chip (LOC)/DNA sequencing biomodule, an intelligent learning algorithm and an algorithm for three-dimensional (3-D) perception is disclosed. The Super System on Chip (SSoC) includes memristors. The intelligent subsystem can respond to a user's interests and/or preferences, provide telepresence and perceive the surroundings. Furthermore, the intelligent subsystem is sensor-aware or context-aware.

Abstract: This disclosure relates to, among other things, key generation systems and methods. Certain embodiments disclosed herein provide for generation of cryptographic keys based on one or more defined key generation rules. Key generation consistent with various aspects of the disclosed embodiments may increase the difficultly and/or cost of producing public keys and, by extension, discourage the generation of fake keys used in connection with a key flooding attack. In certain embodiments, generated keys and/or associated key generation rules may depend, at least in part, on associated binding data.

Abstract: Techniques and mechanisms described herein facilitate the management of digital rights for media content item presentation. According to various embodiments, a request for a content decryption key may be received at a media application implemented at a computing device. The request may be transmitted by a media content player implemented at the computing device. The request may be transmitted in accordance with a designated key exchange protocol. A license for an encrypted media content item corresponding with the requested content decryption key may be identified at the media application. Based on information included in the license, encrypted key material may be decrypted to create the requested content decryption key via a processor at the computing device. The requested content decryption key may be provided to the media content player.

Abstract: A device can (i) store public keys Ss and Sn for a network and (ii) record private key sd. A network can record a corresponding private keys ss and sn. The device can (i) generate a device ephemeral PKI key pair (Ed, ed) and (ii) send public key Ed to the network. The device can receive an ephemeral public key Es from the network. The device can calculate values for A: an elliptic curve point addition over Ss, Sn, and Es, and B: (sd+ed) mod n. The device can input values for X and Y into an elliptic curve Diffie Hellman key exchange (ECDH) in order to determine a mutually derived shared secret X5, where the network can also derive shared secret X5. The device can (i) use X5 to derive a key K2 and (ii) decrypt a ciphertext from the network using key K2.

Abstract: Computer-implemented methods of placing and processing calls in a communications network are provided. The computer-implemented method of processing calls in a telephone network comprises: identifying a plurality of calls that have been made by a particular telephone number to telephone numbers in the telephone network; determining whether a sequence in which the calls were placed corresponds to a correct order for calling those telephone numbers, the correct order being determined based on a predetermined order for calling telephone numbers in the telephone network; and determining that one or more of the calls were made by spoofing the particular telephone number if the sequence in which the calls were placed does not correspond to a correct order.

Abstract: A communications device for implementing an electronic payment process, the communications device including a receiver unit operable to receive a secure limited use key (SLUK) from a financial institution that is generated by the financial institution using a first limited use key (LUK) generated using a first key associated with the financial institution, an identifier which identifies a user of the communications device, and a variable code, and a subset of the characters of a passcode associated with the user of the communications device, each character in the subset being identified by its character position in the passcode, and the character position in the passcode of each of the characters in the subset being determined by a predetermined algorithm on the basis of a second key associated with the user of the communications device, the identifier which identifies the user of the communications device and the variable code.

Abstract: A system for secure data protection and encryption for computing devices. The present invention includes a fast encryption technique for quickly ensuring that the correct binding parameters are used for an encrypted data file. The encrypted file is used in two ways. Because unsecure data could pass through a peripheral device to gain access to a secure computing environment, a dongle housing encryption and decryption subsystems is placed in between the unsecure sources and the peripheral that can encrypt and decrypt data intended for the secure computing environment. The firmware of the computing device can be updated by dividing the update file into encrypted segments that are verified on the device and placed into non-volatile memory. When all parts have been received, decrypted, and written into memory, the device reboots using the updated firmware.

Abstract: A semiconductor device includes an operation resource which performs a plurality of ECU functions, a peripheral resource which is shared by the plurality of ECU functions and a control mechanism which controls a period in which one of the ECU functions uses the peripheral resource. The control mechanism calculates, based on a budget value which is given in advance and is a performance allocation, a use prohibition period in which the one of the ECU functions is prohibited from using the peripheral resource within the predetermined unit time.

Abstract: An apparatus for automatic credential classification includes at least a processor and a memory that is communicatively connected to the processor, the processor configured to receive an attribute datum including a credential datum, and classify the credential datum to at least a required credential datum by training an attribute classifier using a credential training data wherein credential training data contains a plurality of data entries correlating required credential datum as an input to the required credential data as outputs and generating a credential classification datum, wherein credential classification datum is generated by classifying the credential datum to the required credential datum using the attribute classifier. Processor generates and stores an attribute match datum as a function of the credential classification datum.

Abstract: The present invention relates, in general, to computing engineering and, more particularly, to a method and system for anonymously identifying a user as a member of a group of users. The authors provide the improved anonymous identification witness hiding protocol intended to verify membership in a local community of registered participants based on one-way accumulators developed using quasi-commutative one-way elliptic curve functions. The identification protocol according to the present invention provides the required level of cryptographic security with low operational efforts and resource consumption.

Abstract: An encryption system comprises a key generation apparatus that generates an encryption key relating to the authority to generate a ciphertext from a plaintext, a homomorphic operation key relating to the authority to execute a homomorphic operation on a ciphertext that remains encrypted and whose authority is weaker than that of the encryption key, and a decryption key relating to the authority to decrypt ciphertext; an encryption apparatus that generates a ciphertext from a plaintext using the encryption key; a homomorphic operation apparatus that executes a homomorphic operation on the ciphertext using the homomorphic operation key; and a decryption apparatus that decrypts ciphertext using the decryption key.

Abstract: A clock synchronization method includes receiving, by a receiving apparatus, a plurality of data blocks using a plurality of physical layer modules (PHYs), where the plurality of data blocks include a plurality of head data blocks, performing, by the receiving apparatus, timestamp sampling on the plurality of data blocks to generate a plurality of receipt timestamps, aligning, by the receiving apparatus, the plurality of receipt timestamps using a first receipt timestamp as a reference, generating, by the receiving apparatus, a clock synchronization packet based on the plurality of data blocks, and writing, by the receiving apparatus, a value of a second receipt timestamp into the clock synchronization packet, where the second receipt timestamp is a receipt timestamp that is of a second data block and that is determined based on the plurality of aligned receipt timestamps.