Tickets (e.g., Kerberos Or Certificates, Etc.) Patents (Class 726/10)
-
Patent number: 11663317
Abstract: Systems and methods for controlling and tracking computer devices using a secure communication path between a central server and a machine control-file watchdog program. One or more machine control-files can be generated to control, limit and track a computer device using a machine control-file watchdog program. The system sets limits on the computer device to ensure the user operating the computer device stays within a restricted set of usage limitations. The machine control-file watchdog program protects the one or more machine control-files and additionally can report on all activities performed by the computer device to the central server.
Type: Grant
Filed: March 9, 2021
Date of Patent: May 30, 2023
Assignee: 3D Bridge Solutions Inc.
Inventors: Gary Mousseau, Karima Bawa
-
Patent number: 11665162
Abstract: A method performs a strong authentication using a mobile terminal and the capability of the user, as proof of an identity. The mobile terminal allows an authentication to be established by communicating with a proxy authentication server and a notification server. These communications are initiated by an authentication server, used for the authentication. Throughout the authentication, the authentication server remains masked by the proxy authentication server. The only interface between the authentication server and the rest of the world is the proxy authentication server.
Type: Grant
Filed: August 22, 2018
Date of Patent: May 30, 2023
Assignee: BULL SAS
Inventor: Christophe Guionneau
-
Patent number: 11652812
Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.
Type: Grant
Filed: June 17, 2021
Date of Patent: May 16, 2023
Assignee: ARECABAY, INC.
Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
-
Patent number: 11647014
Abstract: A computer-implemented method for identity authentication in a data processing system, including: receiving, by the processor, an authentication request from a user; receiving, by the processor, real-time data from one or more Internet of Things (IoT) devices associated with the user; generating, by the processor, one or more questions based on the real-time data; receiving, by the processor, one or more responses to the one or more questions from the user; comparing, by the processor, the one or more responses from the user with one or more correct answers identified by the processor. If the one or more responses match the one or more correct answers, providing, by the processor, the user with a successful identity authentication.
Type: Grant
Filed: February 18, 2020
Date of Patent: May 9, 2023
Assignee: International Business Machines Corporation
Inventors: Stephen J. McKenzie, Narayana A. Madineni, Simon D. McMahon, Pranab Agarwal
-
Patent number: 11637709
Abstract: An approach is disclosed for running a first smart contract on a first blockchain platform restricting access to a client's funds appropriated to a second smart contract running on a second blockchain platform. A transaction is received by invoking the first smart contract authorizing the second smart contract. In response to receiving an indication of a successful completion of the first smart contract, a plurality of client's authorization tickets are sent to the second smart contract. The invoked smart contract receives the set of authorization information and records the set of authorization information. After receiving a set of authenticated authorization tickets exceeding a predetermined threshold, the funds are released.
Type: Grant
Filed: May 4, 2021
Date of Patent: April 25, 2023
Assignee: 0CHAIN CORP.
Inventors: Saswata Basu, Thomas Howard Austin
-
Patent number: 11637910
Abstract: Systems and methods include receiving a record associated with an incident that was detected by the CASB system in a Software-as-a-Service (SaaS) application; determining a hash based on a plurality of levels for the record; determining if the record exists in a data store based on the hash, and if the record exists, deleting an old record; and inserting the record in the data store based on the hash, wherein the data store is maintained in-memory and includes records at leaf nodes in a multi-level hash based on the plurality of levels.
Type: Grant
Filed: October 2, 2020
Date of Patent: April 25, 2023
Assignee: Zscaler, Inc.
Inventors: Abhishek Bathla, Kumar Gaurav, Raman Madaan, Chakkaravarthy Periyasamy Balaiah, Shweta Gupta
-
Patent number: 11615189
Abstract: In some embodiments, there is provided a method for updating a gateway in a substation. The method includes receiving, at a gateway from a server, an update package assigned with a first identifier, the update package including at least one of: a configuration associated with at least one monitoring device connected to the gateway; and an application configurable to collect data from the at least one monitoring device; in response to receiving the update package, determining whether the first identifier matches a second identifier of the gateway; and in response to determining that the first identifier matches the second identifier of the gateway, updating the gateway with the received update package.
Type: Grant
Filed: May 28, 2020
Date of Patent: March 28, 2023
Assignee: ABB SCHWEIZ AG
Inventors: Huixiang Chen, Zhui Wang, Hongzheng Chen
-
Patent number: 11606208
Abstract: Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.
Type: Grant
Filed: April 17, 2020
Date of Patent: March 14, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Paranthaman Saravanan, Marc Andrew Power, Yang Zhang, Matthias Adam Leibmann, Grigory V. Kaplin, Yi Zeng
-
Patent number: 11588639
Abstract: Embodiments include a method for providing tokens which includes: receiving from a user system an encrypted data packet including user credentials and a request for an authentication token to access protected resources; extracting the user's security information; transmitting a data packet to a security and access management system, where the data packet includes the user's security information and a request for user validation; receiving, from the security and access management system, user validation and additional data; generating a thin token and a fat token; storing the thin token in association with the fat token; transmitting the thin token to the user system; receiving, from the user system, a request to access protected resources from a protected resource system, the request including the thin token; validating the received thin token; accessing the fat token associated with the thin token; and transmitting the fat token to the protected resource system.
Type: Grant
Filed: December 16, 2020
Date of Patent: February 21, 2023
Assignee: Experian Information Solutions, Inc.
Inventors: Alpa Modi Jain, Praveen Kumar Soni, Frederic Vander Elst
-
Patent number: 11576044
Abstract: A method of managing and verifying a certificate of a terminal is provided. The method includes obtaining certificate information that is usable when downloading and installing a specific bundle corresponding to at least one of a secondary platform bundle family identifier or a secondary platform bundle family custodian identifier, transmitting, to a secondary platform bundle manager, the certificate information corresponding to the at least one of the secondary platform bundle family identifier or the secondary platform bundle family custodian identifier of the specific bundle, and receiving, from the secondary platform bundle manager, at least one of a certificate of the secondary platform bundle manager, certificate information to be used by a smart secure platform (SSP), the secondary platform bundle family identifier, or the secondary platform bundle family custodian identifier.
Type: Grant
Filed: November 8, 2021
Date of Patent: February 7, 2023
Assignee: Samsung Electronics Co., Ltd.
Inventors: Kangjin Yoon, Jonghoe Koo, Duckey Lee, Taehyung Lim
-
Patent number: 11575571
Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate device settings on one or more of the industrial assets to implement the security event management policies, and deploys these instructions to the appropriate assets in order to implement the defined policies.
Type: Grant
Filed: May 8, 2020
Date of Patent: February 7, 2023
Assignee: Rockwell Automation Technologies, Inc.
Inventors: David E Huffman, Taryl Jasper, Jack Visoky
-
Patent number: 11575663
Abstract: A system and method is disclosed for transporting application data through a communications tunnel between a host device and a guest device that each includes networked processors. The application data may be transported between the host device and the guest device through an allowed port of the host device, the communications tunnel, and a port of the guest device. Based on logon credentials, the guest device can be authenticated by a security server and a role may be determined. The role can include allowed ports and associated applications on the host that the guest is allowed to access. Remote access from the guest device to host devices or remote devices may be enabled without needing prior knowledge of their configurations. Secure access may be facilitated to remote host devices or remote devices, according to security policies that can vary on a per-session basis and take into account various factors.
Type: Grant
Filed: May 17, 2021
Date of Patent: February 7, 2023
Assignee: NETOP SOLUTIONS A/S
Inventors: Peter Holmelin, Valentin Palade, Dragos Ivan
-
Patent number: 11570619
Abstract: A communication apparatus includes an authentication unit that sets a communication parameter for connecting to a wireless network, and executes authentication processing, with a base station, for registering the communication apparatus to the base station that forms the wireless network, as a management apparatus that is allowed to connect another apparatus to the wireless network, a setting unit that, based on information acquired from code information captured through imaging, sets the communication parameter to another communication apparatus corresponding to the code information, and a registration unit that executes registration processing for registering the other communication apparatus to the base station as the management apparatus, based on at least a condition that the communication parameter is set to the other communication apparatus by the setting unit.
Type: Grant
Filed: September 19, 2019
Date of Patent: January 31, 2023
Assignee: Canon Kabushiki Kaisha
Inventor: Tatsuhiko Sakai
-
Patent number: 11552995
Abstract: One or more medical devices are configured to connect to a predetermined temporary provisioning network of a healthcare organization, the temporary provisioning network being different than a healthcare network of the healthcare organization. After the devices are received by the healthcare organization, and powered up for the first time, device identifiers corresponding to the medical devices are received at a server remote from the healthcare organization, from the temporary provisioning network, together with an indication that the medical devices are requesting access to a management server within a healthcare network of the healthcare organization.
Type: Grant
Filed: February 28, 2020
Date of Patent: January 10, 2023
Assignee: CareFusion 303, Inc.
Inventors: Aron Weiler, Jeff Gaetano, Brian Sullivan
-
Patent number: 11551253
Abstract: Embedding of digital incentive tokens within a digital image can occur cryptographically using a public key in some embodiments. An encrypted digital incentive token may be embedded within a digital image, including a variety of encrypted information. The digital image with the embedded digital incentive token may be sent to users via delivery mechanisms such as direct webpage embedding, email, text message, and social media sharing. An image recipient may be able to view the image and also take additional action including gaining access to the embedded digital incentive token. Digital incentive tokens can be embedded by altering image metadata so that the image itself is not changed in some embodiments, but data associated with the image is changed to identify the token. Pixel data can be altered to reflect a token for an image. Digital incentive tokens can also be tracked through different platforms to determine usage.
Type: Grant
Filed: August 31, 2020
Date of Patent: January 10, 2023
Assignee: PayPal, Inc.
Inventor: Braden Christopher Ericson
-
Patent number: 11546310
Abstract: Methods include establishing a transport layer security connection between the client and a server that provides the web service, identifying at least one cryptographic key for communication with the web service in the connection, closing the connection and communicating between the client and the web service using a web service token that is signed and encrypted according to the identified at least one cryptographic key. Communicating between the client and the web service using a web service token may not require creation of a new transport layer security connection. Further embodiments provide a computer configured to perform operations as described above and computer-readable medium storing instructions that, when executed by a computer, perform operations as described above.
Type: Grant
Filed: January 26, 2018
Date of Patent: January 3, 2023
Assignee: Sensus Spectrum, LLC
Inventors: Yifan Wu, Ricky West
-
Patent number: 11533309
Abstract: A process running on client devices intercepts requests destined for an identity provider (“IdP”) system and injects a digital signature corresponding to a user associated with the request. In order to reduce or eliminate the burden on providers of the applications or other resources used by the users, the organization providing the IdP system may also provide components that run locally on the client devices of users and integrate with the users' applications. For example, in one embodiment code of the IdP system is run within a container of an application to handle communication with the IdP system. Additionally, code of the IdP system is run as a local process that handles request interception and digital signature injection. For client devices not supporting the use of the local process, a separate verifier application of the IdP can be run locally and allow interactively performing authentication via a user interface.
Type: Grant
Filed: December 28, 2020
Date of Patent: December 20, 2022
Assignee: Okta, Inc.
Inventors: Umang Shah, Johannes Stockmann, Santosh Reddy Male, Ildar Abdullin
-
Patent number: 11533183
Abstract: A system includes a device and a payload warehouse. The device receives a user request to initiate a feature of the device. In response to receiving the request, device information is provided to a payload warehouse. The payload warehouse stores an inventory which includes a digital payload. The digital payload includes data, such as a digital certificate, which may be used by the device to implement the user-requested feature. The payload warehouse receives the device information provided by the device and determines an encryption vector based at least in part on the received device information. Using the encryption vector, the digital payload is encrypted. The encrypted digital payload is provided to the device.
Type: Grant
Filed: January 10, 2020
Date of Patent: December 20, 2022
Assignee: Lennox Industries Inc.
Inventors: Nguyen Trong Ho, Sunil Khiani
-
Patent number: 11522670
Abstract: Disclosed herein are systems and methods for decentralized data distribution by a database network system comprising a hierarchical blockchain model. The hierarchical blockchain model may comprise a quantum pyramid consensus to distribute data throughout the database network system in a decentralized and secure manner. The hierarchical construct may be built according to trusted scores calculated for the nodes of the network over their lifetime at the network.
Type: Grant
Filed: December 1, 2020
Date of Patent: December 6, 2022
Assignee: MAATADATA, INC.
Inventors: Anjali Gulati, Phillipus Van Eeden
-
Patent number: 11516027
Abstract: Disclosed is a device and method to secure software update information for authorized entities. In one embodiment, a device for receiving secured software update information from a server, the device includes: a physical unclonable function (PUF) information generator, comprising a PUF cell array, configured to generate PUF information, wherein the PUF information comprises at least one PUF response output, wherein the at least one PUF response output is used to encrypt the software update information on the server so as to generate encrypted software update information; a first encrypter, configured to encrypt the PUF information from the PUF information generator using one of at least one public key from the server so as to generate encrypted PUF information; and a second encrypter, configured to decrypt the encrypted software update information using one of the at least one PUF response output so as to obtain the software update information.
Type: Grant
Filed: November 30, 2020
Date of Patent: November 29, 2022
Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
Inventor: Shih-Lien Linus Lu
-
Patent number: 11514151
Abstract: Method, apparatus and computer program product for multi-device user authentication are described herein. For example, the apparatus includes at least one processor and at least one non-transitory memory including program code.
Type: Grant
Filed: September 25, 2020
Date of Patent: November 29, 2022
Assignee: Salesforce, inc.
Inventors: Faisal Yaqub, Chase Rutherford-Jenkins, Graham Hicks
-
Patent number: 11507431
Abstract: A system and method include reception of a request to create a virtual machine associated with a requested number of resource units of each of a plurality of resource types, determination, for each of the plurality of resource types, of a pool of available resource units, random selection, for each of the plurality of resource types, of the requested number of resource units from the pool of available resource units of the resource type, and allocation of the selected resource units of each of the plurality of resource types to the virtual machine.
Type: Grant
Filed: April 1, 2020
Date of Patent: November 22, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventor: Raymond Noel Nkoulou Kono
-
Patent number: 11475138
Abstract: A computer-implemented method for creating a secure software container. The method comprises providing a first layered software container image, transforming all files, except corresponding metadata, of each layer of the first layered software container image into a volume, the volume comprises a set of blocks, wherein each layer comprises an incremental difference to a next lower layer, encrypting each block of the set of blocks of a portion of the layers, and storing each encrypted set of the blocks as a layer of an encrypted container image along with unencrypted metadata for rebuilding an order of the set of blocks equal to an order of the first layered software container image, so that a secure encrypted software container is created.
Type: Grant
Filed: January 9, 2020
Date of Patent: October 18, 2022
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Utz Bacher, Reinhard Theodor Buendgen, Peter Morjan, Janosch Andreas Frank
-
Patent number: 11468158
Abstract: A machine-learning algorithm receives code indicative of a software unit and parses the code to extract an authenticating parameter. The machine-learning algorithm constructs an authentication template based on the authenticating parameter and provides the authentication template to a user. The algorithm receives user input from the user responsive to the authentication template and creates an authentication microservice based on the authentication template (and optionally the input). The algorithm links the authentication microservice to the software unit to deploy the authentication microservice within the software unit. The machine-learning algorithm is then modified based on the input.
Type: Grant
Filed: April 10, 2019
Date of Patent: October 11, 2022
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Joseph Soryal, Naila Jaoude
-
Patent number: 11457007
Abstract: Methods, systems, computer-readable media, and apparatuses for performing single sign on for a user device to the Internet. User sign-in credentials including an identity token of the user are received by a hosted desktop from the user device, including an indication that the user is attempting to access a website. The website is authorized as a trusted website by a network authorization node, and the website is issued a one-time-use token. A web browser of the hosted desktop receives an application provided by the website to cause the web browser to call the hosted desktop to initiate single sign on. Authenticity of the one-time-use token is requested by a daemon process, and the website's public key is obtained. Upon verifying authenticity of the website, the identity token of the user is passed to the website, to enable the website to establish single sign on with the user.
Type: Grant
Filed: September 9, 2020
Date of Patent: September 27, 2022
Assignee: Citrix Systems, Inc.
Inventor: Tom Kludy
-
Patent number: 11451456
Abstract: In one embodiment, a device classification service obtains telemetry data for a plurality of devices in a network. The device classification service repeatedly assigns the devices to device clusters by applying clustering to the obtained telemetry data. The device classification service determines a measure of stability loss associated with the cluster assignments. The measure of stability loss is based in part on whether a device is repeatedly assigned to the same device cluster. The device classification service determines, based on the measure of stability loss, that the cluster assignments have stabilized. The device classification service obtains device type labels for the device clusters, after determining that the cluster assignments have stabilized.
Type: Grant
Filed: April 19, 2019
Date of Patent: September 20, 2022
Assignee: Cisco Technology, Inc.
Inventors: David Tedaldi, Grégory Mermoud, Pierre-Andre Savalle, Jean-Philippe Vasseur
-
Patent number: 11451611
Abstract: A system for providing remote monitoring of assets is disclosed. The system provides secure communication with one or more assets and receives operational data from the one or more assets. The system generates a graphical user interface that can be used for selection of inputs from the one or more assets and specification of conditions to be applied to inputs for generation of alerts. The system can receive a selection of one or more asset outputs and two or more conditions. The conditions are applied to the selection of one or more assets to generate alerts when at least one of the conditions is satisfied.
Type: Grant
Filed: June 18, 2020
Date of Patent: September 20, 2022
Assignee: Samsara Inc.
Inventors: James Robert Saunders, Erick Anthony Dean, Youny Jing Kuang, Famien Aaron Koko, Audrey Yun Li, Amanda Wang, Jennifer T. Nguyen, Noah Paul Gonzales, Steven Vellon
-
Patent number: 11438159
Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
Type: Grant
Filed: June 17, 2020
Date of Patent: September 6, 2022
Assignee: Webroot Inc.
Inventors: Andrew Sandoval, Eric Klonowski
-
Patent number: 11435907
Abstract: One example method includes accessing stored data, associating a unique identifier with the data, creating a hash by hashing a combination that comprises the unique identifier and the data, transmitting the hash to a notary service, receiving, from the notary service, a digital signature that corresponds to the hash, appending the digital signature to the data, and storing, as an object, a combination that comprises the digital signature, the data, and the unique identifier.
Type: Grant
Filed: June 27, 2019
Date of Patent: September 6, 2022
Assignee: EMC IP Holding Company LLC
Inventors: Yossef Saad, Radia J. Perlman, Charles William Kaufman
-
Patent number: 11431620
Abstract: A control packet transmission system includes a first switch device that, during a first time period, generates and transmits first control packets to a second switch device. Furthermore, a third switch device is provided that, during the first time period, generates and transmits third control packets to the second switch device, and transmits a copy of those third control packets to the first switch device. The first switch then generates respective first hash values using each of the first and third control packets, and generates a first consolidated hash value using each of the respective first hash values. During a subsequent second time period, the first switch device may determine that control data exchanged during the first and second time periods is the same and, in response, transmit the first consolidated hash value to the second switch device in place of any control packets transmitted to the second switch device.
Type: Grant
Filed: October 28, 2019
Date of Patent: August 30, 2022
Assignee: Dell Products L.P.
Inventor: Karthi Kaliyamoorthy
-
Patent number: 11398901
Abstract: Examples provide a system for managing access-restricted partial cryptographic keys for encrypting and decrypting data. In some examples, a slot server generates and stores a first partial key. The first partial key is access-restricted based on access control data. A slot value mapped to the storage location is returned to the client by the slot server. The client generates a second partial key which is stored at the client device with the slot value. To obtain the first partial key, the client sends a request to the slot server, including the slot value. The requesting client is validated using access control data. If the request comes from a validated client, the slot server provides the first partial key to the client. The first partial key and the second partial key are combinable to generate a composite key for encrypting and decrypting data.
Type: Grant
Filed: March 26, 2021
Date of Patent: July 26, 2022
Assignee: Walmart Apollo, LLC
Inventors: Derrick Gene Wright, Oscar Blass
-
Patent number: 11381973
Abstract: A data transmission method, a related device, and a related system. The method includes: receiving, by a first access network device, a data packet (for example, small data) sent by user equipment (for example, an IoT device), where the data packet includes a first cookie and raw data; verifying, by the first access network device, the first cookie, to obtain a verification result; and processing, by the first access network device, the raw data based on the verification result. Implementation of embodiments can reduce load on a network side when a large quantity of user equipments need to perform communication, thereby increasing data transmission efficiency.
Type: Grant
Filed: January 21, 2020
Date of Patent: July 5, 2022
Assignee: Huawei International Pte. Ltd.
Inventors: Xin Kang, Haiguang Wang, Zhongding Lei, Fei Liu
-
Patent number: 11379586
Abstract: Measurement methods, devices and systems based on a trusted high-speed encryption card are disclosed. One of the methods includes: a BIOS actively measuring at least one firmware in a device if an integrity measurement result made by a trusted security chip for the BIOS indicates that the integrity thereof is not corrupted; loading one or more firmware if the integrity of the one or more firmware in the device actively measured by the BIOS is not corrupted; and forbidding a system of the device from being started or controlling the system to enter into a non-secure mode if the integrity of one or more firmware in the device actively measured by the BIOS is corrupted.
Type: Grant
Filed: August 1, 2019
Date of Patent: July 5, 2022
Assignee: Alibaba Group Holding Limited
Inventors: Yingfang Fu, Peng Xiao
-
Patent number: 11356249
Abstract: A method for regulating modification of a distributed digital ledger at a node comprises controlling access to a cryptographic key used to enable modification of the distributed digital ledger according to a policy maintained by at least one owner of the distributed digital ledger.
Type: Grant
Filed: January 2, 2018
Date of Patent: June 7, 2022
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Helen Balinsky, Chris Dalton, Joshua Serratelli Schiffman
-
Patent number: 11356643
Abstract: A method of presenting appropriate actions for responding to a visitor to a smart home environment via an electronic greeting system of the smart home environment, including detecting a visitor of the smart home environment; obtaining context information from the smart home environment regarding the visitor; based on the context information, identifying a plurality of appropriate actions available to a user of a client device for interacting with the visitor via the electronic greeting system; and causing the identified actions to be presented to the user of the client device.
Type: Grant
Filed: August 12, 2021
Date of Patent: June 7, 2022
Assignee: Google LLC
Inventors: Jason Evans Goulden, Rengarajan Aravamudhan, Hae Rim Jeong, Michael Dixon, James Edward Stewart, Sayed Yusef Shafi, Sahana Mysore, Seungho Yang, Yu-An Lien, Christopher Charles Burns, Rajeev Conrad Nongpiur, Jeffrey Boyd
-
Patent number: 11332170
Abstract: The current invention relates to a triggering monitoring device for a deformation tube having two tube parts which can slide into each other against resistance in a coupling, in particular a train coupling, having a housing that includes a connection for connecting to the deformation tube and at least one working surface for action of one tube part during its movement relative to the other tube part of the deformation tube part, wherein the housing can be deformed through the action of the tube part on the working surface. The triggering monitoring device according to the invention is characterized in that a sensor is provided in or on the housing which detects deformation of the housing and which is moreover equipped to transmit detection of a deformation to an evaluation device.
Type: Grant
Filed: September 10, 2018
Date of Patent: May 17, 2022
Assignee: Voith Patent GmbH
Inventors: Thomas Prill, Michael Ahrens, Matthias Homann, Bernd Lauter, Tobias Seeberger
-
Patent number: 11336463
Abstract: A system for providing secure access to digital resources is provided that utilizes a blockchain platform. Using this blockchain platform, digital resource vendors create new digital tracking ledgers for their digital resource products such that updates to the digital resource products are accessible directly from a blockchain. Accordingly, these updates are deliverable in a protected and secure manner to consumers of the digital resources.
Type: Grant
Filed: August 20, 2019
Date of Patent: May 17, 2022
Assignee: Accenture Global Solutions Limited
Inventors: Alireza Salimi, Benjamin Glen McCarty
-
Patent number: 11329830
Abstract: A method includes receiving, at a distributed storage (DS) unit, an access request from a requesting device. The access request includes a username and a user certificate, and the user certificate includes a user certificate signature. The user certificate is authenticated, and a domain name of a certificate authority (CA) associated with the user certificate is determined from information included in the access request. A CA certificate is obtained using the domain name of the CA, and the signature on the user certificate is validated using the CA certificate. The access request is approved in response to both 1) authenticating the user certificate, and 2) validating the user certificate signature using the CA certificate.
Type: Grant
Filed: November 18, 2019
Date of Patent: May 10, 2022
Assignee: PURE STORAGE, INC.
Inventors: Jason K. Resch, Wesley B. Leggette
-
Patent number: 11315081
Abstract: A resource reservation system includes an information processing apparatus configured to manage reservation information of one or more resources, and an information processing terminal configured to acquire the reservation information from the information processing apparatus. The information processing apparatus includes first circuitry configured to provide information necessary for transmitting the reservation information to the information processing terminal. The information processing terminal includes second circuitry configured to receive the information provided by the first circuitry. The information processing terminal can acquire the reservation information from the information processing apparatus by using the information received by the second circuitry.
Type: Grant
Filed: September 17, 2019
Date of Patent: April 26, 2022
Assignee: RICOH COMPANY, LTD.
Inventors: Natsumi Fujimura, Tsuyoshi Yamada
-
Patent number: 11316693
Abstract: A provisioning service operating on a remote server is configured to handle provisioning of Internet of Things (IoT) devices, in which IoT devices are configured to execute policies provided by the provisioning service to self-regulate access to an IoT portal. The provisioning service generates an access token and policy which are unique to a trusted platform module (TPM) for a respective IoT device. The TPM executes the policy upon each instance in which the IoT device requires authorization to perform an operation or access the IoT portal. The policy may be configured according to a prepaid or postpaid model. In both models a local counter within the TPM of the IoT device may increment upon each instance of authorization. Under the prepaid model the IoT device may acquire a set number of uses, and under the postpaid model a statement may be generated based on prior usage.
Type: Grant
Filed: May 14, 2018
Date of Patent: April 26, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Brian Clifford Telfer, Stefan Thom, Torsten Stein
-
Patent number: 11308424
Abstract: Disclosed are methods, apparatus, systems, and computer readable storage media for providing access to a private resource in an enterprise social networking system. One or more servers may receive a request for access to a private resource to be granted to a user from a publisher. The publisher may be configured to publish a message as a feed item to one or more feeds, where the message includes a user identification identifying the user. The user does not have access to the private resource. The feed item may be provided to display in the one or more feeds. Access may be granted to the user via the one or more feeds. In some implementations, access may be granted in response to a user input from the feed item associated with a moderator or owner, the moderator or owner having a privilege to control user access to the private resource.
Type: Grant
Filed: January 10, 2019
Date of Patent: April 19, 2022
Assignee: salesforce.com, inc.
Inventor: Yanik Grignon
-
Patent number: 11310059
Abstract: Techniques of data authentication in a distributed computing system are disclosed herein. One example technique includes receiving a request for performing an operation along with a data package that includes a security token, a first digital signature of the security token generated using an ephemeral private key, and an ephemeral public key with a second digital signature generated using a master private key stored at a secure location. The example technique can also include initially validating the second digital signature using a public key corresponding to the master private key, and upon validating the second digital signature, validating the first digital signature of the security token using the ephemeral public key included in the data package. Upon validating that the first digital signature of the security token, the request can be authenticated, and the requested operation can be performed.
Type: Grant
Filed: June 2, 2020
Date of Patent: April 19, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Matthias Adam Leibmann, Victor Boctor, Grigory V. Kaplin, Liang Zou, Paranthaman Saravanan
-
Patent number: 11301555
Abstract: A system for creating authenticating a user from user information, hardware profile, and combinations thereof, where the hardware profile includes user generated data stored on an electronic device.
Type: Grant
Filed: July 12, 2019
Date of Patent: April 12, 2022
Assignee: Traitware, Inc.
Inventors: Herbert W. Spencer, III, Christopher M. Canfield, Harlan Hutson, Vince Conroy, Steven A. Hickerson
-
Patent number: 11304058
Abstract: Provided is a method for setting up access authorization for a subscriber apparatus to access a subnetwork of a mobile radio network, wherein the subnetwork is administrated by a mobile radio administration apparatus and the access authorization for the subscriber apparatus to access the subnetwork is checked by an access apparatus of the mobile radio network, wherein—access authorization to access the subnetwork is requested for the subscriber apparatus from the mobile radio administration apparatus by a local administration apparatus,—a subnetwork authorization token is assigned to the subscriber apparatus by the mobile radio administration apparatus and transmitted to the subscriber apparatus, wherein the subscriber apparatus is authorized to access the subnetwork only if the subnetwork authorization token is transmitted from the subscriber apparatus to the subnetwork during an access request and is confirmed as valid.
Type: Grant
Filed: June 5, 2019
Date of Patent: April 12, 2022
Inventors: Rainer Falk, Steffen Fries, Joachim Walewski
-
Patent number: 11297059
Abstract: Embodiments of the present invention provide systems, methods, and computer storage media for facilitating user-centric identity management. In this regard, various aspects of identity management are designed to be more transparent to users to bolster user assurance with respect to “behind-the-scenes” procedures of identity management. Generally, indications of data flow between service providers, identity providers, and/or user devices can be provided to the user device for presentation to the user. As a result, visual representations of data flow, notifications of data flow, or the like, can be presented to the user to expose various aspects of identity management. In some embodiments, users may be able to control aspects of identity management, for example, by confirming or preventing data flow between providers.
Type: Grant
Filed: April 25, 2014
Date of Patent: April 5, 2022
Assignee: ADOBE INC.
Inventors: Damien Antipa, Antonio Sanso
-
Patent number: 11269787
Abstract: Disclosed embodiments relate to systems and methods for providing an end-to-end secure lifecycle of data. Techniques include receiving a request from a client to access data; reserving a designated memory region; protecting the designated memory region using access restriction to certain processes of an operating system; receiving data from a trusted source; injecting the data into the designated memory region in a zero-copy manner; sending the data to the client in a zero-copy manner; receiving an indication that the client performed an interaction; and in response to the indication, disposing of the data and the designated memory region.
Type: Grant
Filed: July 14, 2021
Date of Patent: March 8, 2022
Assignee: CYBERARK SOFTWARE LTD
Inventors: Mark Cherp, Nir Chako, Asaf Hecht
-
Patent number: 11271925
Abstract: A system for a secure connection includes an interface and a processor. The interface is configured to receive a request from a user of a tenant to enable a connection for a specific internal network application or service to an external network destination. The processor is configured to determine whether the connection is enabled for the specific internal network application or service for the tenant; and in response to determining that the connection is enabled, providing a token required for the connection to the external network destination.
Type: Grant
Filed: July 31, 2019
Date of Patent: March 8, 2022
Assignee: Workday, Inc.
Inventors: Kala Krishna Ramineni, Justin Pratt
-
Patent number: 11257316
Abstract: A method for evaluating sensor data for a value document includes a memory and a multi-core processor arranged to access the memory. A management sub-group of the cores comprises at least one of the cores, and at least one evaluation subgroup of the cores comprises at least one other of the cores. The management subgroup manages the memory regarding the storing of at least the sensor data and generates evaluation information for carrying out the evaluation. At least one evaluation subgroup carries out at least one part of the evaluation in dependence on the evaluation information and stores the result in the memory.
Type: Grant
Filed: March 16, 2017
Date of Patent: February 22, 2022
Assignee: GIESECKE+DEVRIENT CURRENCY TECHNOLOGY GMBH
Inventors: Wolfgang Rohrl, Karl-Dieter Forster
-
Patent number: 11258780
Abstract: Methods and systems for securing a data connection for communicating between two end-points are described herein. One of the end-points may be a server and the other of the end-points may be a client that wants to communicate with the server. The data connection may be secured based on a previously-established secure connection and/or a self-signed or self-issued certificate. In some variations, by using the previously-established secure connection and/or a self-signed or self-issued certificate, the secure communication between the server and the client may be conducted without using a third-party authentication service and without requiring a third-party CA to issue a certificate for the server.
Type: Grant
Filed: November 26, 2019
Date of Patent: February 22, 2022
Assignee: Citrix Systems, Inc.
Inventors: Julien Brouchier, Andrew David Cooper, Richard James Cooper, Jean-Luc Claude Robert Giraud, Ian Wright, Christopher Morgan Mayers
-
Patent number: 11258781
Abstract: In some examples, a target device determines that each device of a plurality of devices (i) includes a certificate that is provided to each device during provisioning, (ii) is within a predetermined distance from the target device, (iii) includes a beacon secret that is broadcast to each device at a predetermined time interval, and (iv) that either: (a) a privilege level associated with at least one device of the plurality of devices satisfies a particular privilege level specified by an access policy or (b) a number of the plurality devices with the determined distance from the target device satisfies a predetermined number specified by the access policy. The target device grants at least one device of the plurality of devices access to the target device, and receives a message from the at least one device. The target device initiates an action based at least in part on the message.
Type: Grant
Filed: February 28, 2020
Date of Patent: February 22, 2022
Assignee: Dell Products L.P.
Inventors: Charles D. Robison, Daniel L. Hamlin