Tickets (e.g., Kerberos Or Certificates, Etc.) Patents (Class 726/10)
-
Linked network presence documents associated with a unique member of a membership-based organization
Patent number: 11250079
Abstract: A system for providing a directory service for generating network presence documents may include a computer processor and memory having instructions stored thereon. These may instruct the processor to parse registration information of a member to obtain a set of keywords. Using the set of keywords, the network may be searched for information about the member, and registration information may be created based on the information. A trusted network presence document may be generated to include at least a first portion of the registration information as read only content. A link may be created between a profile document and the trusted network presence document. The profile document may include at least a second portion of the registration information as customizable content customizable by the member. The document may then be published on the network.
Type: Grant
Filed: December 23, 2019
Date of Patent: February 15, 2022
Assignee: AFILIAS LIMITED
Inventors: Cedarampattu Mohan, James Galvin
-
Patent number: 11244320
Abstract: A method and system authenticates a user of a data management system. The method and system store an identification tag in the transaction description for a transaction between the user and the data management system. When the user attempts to access the data management system at a later date, the method and system requests that the user provide access to the transaction description. If the user is able to provide access to a transaction description that includes the identification tag, then the method and system can authenticate the user.
Type: Grant
Filed: June 26, 2019
Date of Patent: February 8, 2022
Assignee: Intuit Inc.
Inventors: Christopher Lesner, Alexander S. Ran
-
Patent number: 11238178
Abstract: Applying data owner-defined data protection policies for identity data security within a blockchain environment is provided. A data sharing request for an identity data attribute corresponding to a data owner is received from a data consumer. A data protection policy defined by the data owner that corresponds to the identity data attribute requested by the data consumer is retrieved from a blockchain. The data protection policy is applied to the identity data attribute requested by the data consumer to determine amount of data sharing with the data consumer.
Type: Grant
Filed: January 8, 2020
Date of Patent: February 1, 2022
Assignee: International Business Machines Corporation
Inventors: Vinod A. Valecha, Krzysztof Rudek, Grzegorz Piotr Szczepanik
-
Patent number: 11200203
Abstract: Standard I/O library functions for accessing files stored on mass storage devices are modified to enable access to files stored in firmware volumes. An application can be compiled against the modified standard I/O library functions to generate a pre-boot application. When the pre-boot application is executed within a pre-boot execution environment, it can utilize standard I/O library functions to access files stored in a firmware volume. In response to receiving a request to open a file from a pre-boot application, the called I/O function searches a file cross-reference table to locate the filename for the file. If the filename is in the file cross-reference table, the GUID associated with the filename is retrieved from the file cross-reference table and used to obtain a file handle to the file. The file handle can then be returned to the pre-boot application and used to perform other types of operations on the file.
Type: Grant
Filed: December 23, 2019
Date of Patent: December 14, 2021
Assignee: American Megatrends International, LLC
Inventors: Stefano Righi, Madhan B. Santharam, Arun Subramanian
-
Patent number: 11196728
Abstract: Methods and apparatuses are described for caching login sessions to access a software testing environment. A server identifies a test case for execution against an application in the software testing environment, the test case comprising one or more test steps. The server retrieves test data based upon the identified test case and generates a session key using the test data. The server requests an active session from a login session cache using the session key. When an active session exists in the login session cache, the server receives, from the login session cache, session data corresponding to the active session, establishes a connection to the application in the software testing environment using the session data and without first authenticating to the software testing environment, and executes one or more test steps of the test case against the application in the software testing environment using the test data.
Type: Grant
Filed: March 29, 2021
Date of Patent: December 7, 2021
Assignee: FMR LLC
Inventors: Li Fu, Kevin Handy, Nayan Patel
-
Patent number: 11171791
Abstract: The systems and methods of aggregate signing of digital signatures on multiple messages simultaneously, comprising: receiving two or more digital messages wherein each message is signed using two or more digitally split keys from a private key and the two or more digital signatures of the message using the split key are combined to get a compressed short signature; receiving the compressed short signature for each message; receiving a public key associated with the private key for each message; aggregate signing the messages to output an aggregate signature. The aggregate signature can be further verified against any or all of the messages.
Type: Grant
Filed: January 15, 2019
Date of Patent: November 9, 2021
Assignee: 0Chain, LLC
Inventors: Saswata Basu, Siva Dirisala
-
Patent number: 11172362
Abstract: A method of managing and verifying a certificate of a terminal is provided. The method includes obtaining certificate information that is usable when downloading and installing a specific bundle corresponding to at least one of a secondary platform bundle family identifier or a secondary platform bundle family custodian identifier, transmitting, to a secondary platform bundle manager, the certificate information corresponding to the at least one of the secondary platform bundle family identifier or the secondary platform bundle family custodian identifier of the specific bundle, and receiving, from the secondary platform bundle manager, at least one of a certificate of the secondary platform bundle manager, certificate information to be used by a smart secure platform (SSP), the secondary platform bundle family identifier, or the secondary platform bundle family custodian identifier.
Type: Grant
Filed: May 11, 2020
Date of Patent: November 9, 2021
Assignee: Samsung Electronics Co., Ltd.
Inventors: Kangjin Yoon, Jonghoe Koo, Duckey Lee, Taehyung Lim
-
Patent number: 11171967
Abstract: Apparatus and methods for generating a unique token that can be imprinted on a document to attest to the verification of an executor's signature. The apparatus and methods may include a platform that may present a token electronically to the executor via a first electronic channel. The executor may use a registered device to capture a portion of the token, and transmit the portion from the registered device to the platform via a second channel to the platform. The platform may verify that the portion is registered to the executor. The platform may combine the portion with another portion of the token, and imprint the pair of combined portions on the document with another token.
Type: Grant
Filed: July 28, 2019
Date of Patent: November 9, 2021
Assignee: Bank of America Corporation
Inventors: Manu Kurian, Thomas J. Durkin, Linda Haddad
-
Patent number: 11157918
Abstract: In an example, a subject using a user mobile-identification-credential device (UMD) requests vetting by a vetting system, which receives verified part or all of subject information associated with a level-n mobile identification credential (MIC-n) that UMD received from a level-n authorizing party system (APS-n). The MIC-n is linked to lower level MIC-0 to MIC-(n-1). The vetting system, as level-n relying party system (RPS-n), uses the verified subject information associated with the linked MIC-0 to MIC-n to verify or not verify the identity of the subject, develops an identity profile of the subject, and determines a vetting result of the subject. MIC-i (i=1 to n) is linked to MIC-(i-1) which UMD received from APS-(i-1), and the APS-i is RPS-(i-1) which verified the identity of the subject using verified part or all of subject information associated with the MIC-(i-1), such that MIC-0 to MIC-n from level-0 to level-n are linked.
Type: Grant
Filed: February 5, 2021
Date of Patent: October 26, 2021
Assignee: The Government of the United States of America, as represented by the Secretary of Homeland Security
Inventors: Chang Ellison, Kelli L. Biegger, Daniel A. Boyd, Brandon P. Gutierrez, Jason Lim
-
Patent number: 11153098
Abstract: A system for recording a digitally signed assertion using an authorization token, includes a cryptographic evaluator designed and configured to receive a dataset and an authorization token. The authorization token includes a verification datum of a device-specific secret possessed by the cryptographic evaluator, a digital signature of a certificate authority generating the authorization token, and a secure temporal attribute. The cryptographic evaluator is configured to produce a secure proof using the device-specific secret. The cryptographic evaluator is configured to generate a first digitally signed assertion as a function of the dataset, the secure proof, and the authorization token. The cryptographic evaluator is configured to enter the first digitally signed assertion in at least an instance of a first temporally sequential listing.
Type: Grant
Filed: October 9, 2019
Date of Patent: October 19, 2021
Assignee: Ares Technologies, Inc.
Inventor: Christian T Wentz
-
Patent number: 11138003
Abstract: A method and system for automatically determining a device-specific configuration for a software application operating on a user device. A configuration monitoring program monitors local user data stored on a user device and generates a device-specific prediction model using a machine learning algorithm applied to the monitored local data. The configuration monitoring program also receives a global prediction model generated remotely using global user data collected from a plurality of user devices. The configuration monitoring program generates a predicted device-specific configuration of the application operating on the user device using prediction data from both the device-specific prediction model and the global prediction model and updates the configuration of the given application using the predicted device-specific configuration.
Type: Grant
Filed: April 1, 2020
Date of Patent: October 5, 2021
Assignee: Taplytics Inc.
Inventors: Aaron Mosha Glazer, Jonathan Taylor Norris, Adam James Wootton, Imaad Ahmad Umar, Victor Nikola Vucicevich
-
Patent number: 11132372
Abstract: The present disclosure provides a method and an apparatus for precise positioning of a scholar based on mining of the scholar's scientific research achievement. The method includes: extracting text information in the scholar's scientific research achievement P to obtain key information, and constructing structural information; mining and constructing implicit information O with a geographic directivity in the scholar's scientific research achievement P according to the key information and the structural information; performing a structural arrangement on the structural information, and acquiring a final result R; and acquiring a mapping of A→R according to the final result R and the matrix U, acquiring and outputting the positioning information of the authors in the set A.
Type: Grant
Filed: June 5, 2019
Date of Patent: September 28, 2021
Assignee: TSINGHUA UNIVERSITY
Inventors: Jie Tang, Zhou Shao, Bo Gao, Debing Liu
-
Patent number: 11128534
Abstract: In one embodiment, a device classification service receives data indicative of network traffic policies assigned to a plurality of device types. The device classification service associates measures of policy restrictiveness with the device types, based on the received data indicative of the network traffic policies assigned to the plurality of device types. The device classification service determines misclassification costs associated with a machine learning-based device type classifier of the service misclassifying an endpoint device of one of the plurality of device types with another of the plurality of device types, based on their associated measures of policy restrictiveness. The device classification service adjusts the machine learning-based device type classifier to account for the determined misclassification costs.
Type: Grant
Filed: November 19, 2018
Date of Patent: September 21, 2021
Assignee: Cisco Technology, Inc.
Inventors: Grégory Mermoud, Pierre-André Savalle, Jean-Philippe Vasseur
-
Patent number: 11109229
Abstract: Systems, methods, and articles of manufacture comprising processor-readable storage media are provided for implementing security for a network environment using a centralized smart security system. For example, a method includes implementing a network comprising a plurality of network devices which collectively generate data that is utilized by a computing system to execute an application, and implementing a centralized security system as a computing node within the network to manage security operations within the network and to establish secured and trusted communications between the network devices and the computing system. The network devices may comprise wireless sensor devices operating in a wireless sensor network, wherein the computing system executes an IoT (Internet of Things) application which processes the data that is generated by the wireless sensor devices.
Type: Grant
Filed: July 9, 2019
Date of Patent: August 31, 2021
Assignee: EMC IP Holding Company LLC
Inventors: Mohamed Sohail, Stephen Todd, Said Tabet, Khaled Ahmed
-
Patent number: 11100209
Abstract: Systems, methods, and apparatus for authenticating and authorizing clients. A client certificate is used to authenticate and authorize a client (or user). When the client certificate is received, the certificate is authenticated. If the certificate is valid, a username included in the certificate is used to authorize the client. This may be done based on privileges or permissions associated with the user name. Once the client or user is authenticated and authorized, operations requested by the client can be performed as long as permitted by the privileges or permissions.
Type: Grant
Filed: December 9, 2019
Date of Patent: August 24, 2021
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Anjali Anjali, Duc The Dang, Naveen Rastogi, Srinivas Paranthanate, Zhiying Lin, Alan Davie, Mojgan Ghanbaran, Yingjie Ma, Jingwen Zhang
-
Patent number: 11070539
Abstract: A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using application programming interface (API) to effectively block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end-user or with the system administrator in the event of detected security incidents.
Type: Grant
Filed: April 4, 2019
Date of Patent: July 20, 2021
Assignee: ArecaBay, Inc.
Inventors: Robert Dykes, Lebin Cheng, Ravindra K. Balupari
-
Patent number: 11068575
Abstract: A system for creating authenticating a user from user information, hardware profile, and combinations thereof, where the hardware profile includes user generated data stored on an electronic device.
Type: Grant
Filed: July 12, 2019
Date of Patent: July 20, 2021
Assignee: TRAITWARE, INC.
Inventors: Herbert W. Spencer, III, Christopher M. Canfield, Harlan Hutson, Vince Conroy, Steven A. Hickerson
-
Patent number: 11070376
Abstract: A device that includes a secure element or a secure environment receives a token for authenticating a user that has an account with a service provider. The device generates, based on the token, a set of keys that include at least a private key and a public key. The device performs a key authentication procedure to compare the set of keys and a configured set of keys and selects a public key, of the set of keys or the configured set of keys, based on a result of the key authentication procedure. The device causes a device identifier of the device and the public key to be provided to another device that uses the device identifier and the public key to perform an authentication procedure to authenticate the user. The device receives, from the other device, an indication of whether the device is connected to a network.
Type: Grant
Filed: June 26, 2019
Date of Patent: July 20, 2021
Assignee: Verizon Patent and Licensing Inc.
Inventors: Warren Hojilla Uy, Manuel Enrique Caceres, Bruno Mendez
-
Patent number: 11068896
Abstract: Devices and methods for granting requests for authorization using data of devices associated with requestors are disclosed. A method includes: receiving, by a computing device, a request for authorization; receiving, by the computing device, identification information for at least one device of a requestor; determining, by the computing device, a risk score using the received identification information for the at least one device of the requestor; and in response to the risk score exceeding a predetermined threshold, the computing device granting the request for authorization.
Type: Grant
Filed: November 30, 2017
Date of Patent: July 20, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Spyridon Skordas, Lawrence A. Clevenger, Richard C. Johnson
-
Patent number: 11063930
Abstract: A managed directory service receives, from a computer system operated in a first network, a request to obtain a set of credentials usable to access resources in a second network. In response to the request, the managed directory service determines, based at least in part on a first set of permissions in a directory maintained in the second network, that the computer system is authorized to receive the set of credentials. The managed directory service provides the set of credentials to the computer system, which enables use of the set of credentials to identify a second set of permissions for accessing resources in the second network.
Type: Grant
Filed: January 12, 2018
Date of Patent: July 13, 2021
Assignee: Amazon Technologies, Inc.
Inventor: Avik Bose
-
Patent number: 11063927
Abstract: Techniques for an identity-aware load balancer (ALB) are described. An identity-aware ALB can securely authenticate users when accessing web-based applications accessed through the ALB, or a node of the ALB. An application owner can configure an authentication action in the ALB. When a request for the application is received, the ALB inspects the request for a session cookie to determine whether the requesting user is logged-in. If the request includes a session cookie, the ALB can decrypt the session cookie and provide identity information with the request to the application. If no session cookie is included, or if the session cookie is expired, the ALB can authenticate the user with an identity provider specified in the authentication action. Integrating authentication into an ALB simplifies application development and maintenance, and improves security, since fewer changes to the application stack reduce the chances of errors being introduced.
Type: Grant
Filed: May 2, 2018
Date of Patent: July 13, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Lodaya Varun Mukesh, Hamza Muhammad Arain, Anurag Sanjay Katey, Jing Gao, Alexander Ray Curtis, Oleg Mitrofanov, Prerna Rustagi
-
Patent number: 11050899
Abstract: In a case where a driver for a system authentication application preinstalled in an image formation apparatus is active, a display unit displays a screen such that issuance of an instruction to perform authentication based on an authentication method using an IC card is performable. In a case where a driver for a general authentication application installed in the image formation apparatus in accordance with an instruction from a user is active, the display unit displays the screen such that issuance of an instruction to perform authentication based on the authentication method using the IC card is not performable.
Type: Grant
Filed: January 13, 2020
Date of Patent: June 29, 2021
Assignee: Canon Kabushiki Kaisha
Inventor: Tetsuya Yamada
-
Patent number: 11025594
Abstract: Embodiments of the present disclosure disclose a secret information distribution method. The method includes: receiving, by a network functions virtualization infrastructure NFVI, secret information sent by management and orchestration (MANO); creating a virtual trusted platform module (vTPM) in the NFVI, and writing the secret information into the vTPM; receiving, by the network functions virtualization infrastructure NFVI, a virtualized network function VNF initialization command from the MANO, and creating a VNF; and obtaining, by the VNF, the secret information from the vTPM.
Type: Grant
Filed: June 28, 2019
Date of Patent: June 1, 2021
Assignee: Huawei Technologies Co., Ltd.
Inventors: Fanglong Men, Mihai Serb, Fangzhan Li
-
Patent number: 11023842
Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two, conflicting policies based on the criteria.
Type: Grant
Filed: November 2, 2020
Date of Patent: June 1, 2021
Assignee: OneTrust, LLC
Inventors: Richard A. Beaumont, Jonathan Blake Brannon
-
Patent number: 11025610
Abstract: The described embodiments employ aspects of distributed ledger technologies to facilitate electronic verification and sharing of profile information. Nodes maintaining a distributed ledger include a first node that generates profile data, and second nodes that generate certificates verifying the generated profile data. The first node can be employed by a client device to generate profile data associated with a first identifier and referencing a second identifier for inclusion on a personal profile, such as a social media webpage. The client device can send the first node a request to have the profile data verified by the referenced second identifier. The profile data can be stored on a distributed ledger so that a second node associated with the second identifier can generate, on behalf of the second identifier, a certificate that verifies the stored profile data.
Type: Grant
Filed: November 20, 2018
Date of Patent: June 1, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Phanindra Krishna Rao Dasika Venkata Devi, Mukunda Dwarkanath Singaiyengar Heragu, Ramprasath Lekshmana Sarma, Bhaveshkumar Rameshchandra Rana, Palli Madhusudhana Reddy, Honey Krishnan Poomalaveetil, Uday Sai Jagannadh Nandipati, Ganesh Prasad Raokutam
-
Patent number: 11016931
Abstract: Various embodiments relate generally to data science and data analysis, and computer software and systems to provide an interface between repositories of disparate datasets and computing machine-based entities that seek access to the datasets, and, more specifically, to a computing and data storage platform that facilitates consolidation of one or more datasets, whereby data ingestion is performed to form data representing layered data files and data arrangements to facilitate, for example, interrelations among a system of networked collaborative datasets. In some examples, a method may include forming a first layer data file and a second layer data file, assigning addressable identifiers to uniquely identify units of data and data units to facilitate the linking of data, and implementing selectively one or more of a unit of data and a data unit as a function of a context of a data access request for a collaborative dataset.
Type: Grant
Filed: March 20, 2018
Date of Patent: May 25, 2021
Assignee: data.world, Inc.
Inventors: David Lee Griffith, Bryon Kristen Jacob, Shad William Reynolds
-
Patent number: 11012495
Abstract: A method includes receiving an authentication request for a remote session between a managed device and a client device, the authentication request comprising an identifier of a user of the client device and a one-time remote service credential (RSC) passcode. The method also includes providing the user identifier and the one-time RSC passcode to an identity provider and receiving, from the identity provider, a user token for the user of the client device. The method further includes authenticating the user token using a service provider, receiving a set of attributes of the user of the client device responsive to successful authentication of the user token and providing an authentication response to the managed device, the authentication response comprising the set of attributes of the user of the client device which are used to establish the remote session between the managed device and the client device.
Type: Grant
Filed: January 9, 2018
Date of Patent: May 18, 2021
Assignee: EMC IP Holding Company LLC
Inventors: Ramakrishna Vakalapudi, Adel Hanna
-
Patent number: 10992667
Abstract: A first controller generates a first group key, executes first mutual authentication with devices within a group, and shares the first group key with the devices that have succeeded in first mutual authentication. When a second controller joins the group, the first controller decides a coordinator that manages a group key used in common in the group. The first controller executes second mutual authentication with the coordinator, and shares the first group key with the coordinator when the second mutual authentication is successful. The coordinator performs encrypted communication within the group using the first group key, generates a second group key when valid time of the first group key is equal to or smaller than a predetermined value, executes third mutual authentication with the devices and a third controller, and updates the first group key of the devices and the third controller that have succeeded in the third authentication.
Type: Grant
Filed: August 27, 2019
Date of Patent: April 27, 2021
Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
Inventors: Yuji Unagami, Manabu Maeda, Tomoki Takazoe, Yoichi Masuda, Hideki Matsushima
-
Patent number: 10970193
Abstract: The disclosed technology relates to a system configured to generate an initial tree state, wherein the initial tree state includes three tree data structures configured to aid in the synchronization of content items managed by a content management system. The system is configured to provide the initial tree state to a client synchronization service, retrieve a final tree state from the client synchronization service, and determine whether the final tree state is correctly synchronized.
Type: Grant
Filed: May 23, 2018
Date of Patent: April 6, 2021
Assignee: Dropbox, Inc.
Inventor: Isaac Goldberg
-
Patent number: 10965455
Abstract: An electronic device is provided. The electronic device includes a first short-range communication module configured to execute short-range communication with a second electronic device, a security module configured to store security information, and a processor configured to receive, from the second electronic device, a pairing key that registers the electronic device as being linked to the second electronic device, transmit session key generation information to the second electronic device when authentication with the second electronic device is completed based on the pairing key, generate a session key based on the session key generation information, encrypt the security information based on the session key, and transmit the encrypted information to the second electronic device.
Type: Grant
Filed: October 5, 2018
Date of Patent: March 30, 2021
Assignee: Samsung Electronics Co., Ltd.
Inventors: Chol-Seo Park, Eun-Jik Kim
-
Patent number: 10956569
Abstract: A method for defending a computing system against ransomware attacks is disclosed. In one embodiment, such a method includes identifying, on a computing system, files to be protected against ransomware attacks. The method appends a public key to each of the files. Upon receiving a request to modify a specific file, the method reads the public key appended to the file, requests an authentication token from a user, and computes a private key associated with the files. The method combines the public key, authentication token, and private key to generate an unlock key. This unlock key is compared to a validation key. The method authorizes modification of the file in the event the unlock key matches the validation key. A corresponding system and computer program product are also disclosed.
Type: Grant
Filed: September 6, 2018
Date of Patent: March 23, 2021
Assignee: International Business Machines Corporation
Inventors: Harry R. McGregor, Christopher B. Moore, Oded Margalit, Itzhack Goldberg
-
Patent number: 10958653
Abstract: A computing resource service provider grants a first set of security permissions to a principal (e.g., a user) which may be used to access a plurality of computing resources. The permissions may be associated with a first security token. The principal may access resources using the first set of security permissions, and a system (e.g., a service provider) may identify a subset of security permissions that are sufficient to provide access to the computing resources accessed by the principal using the first set of permissions. The subset may be associated with the principal. In some cases, the principal operating under the subset of permissions may be denied access to a computing resource and may be granted access to the computing resource by operating under the first set of permissions.
Type: Grant
Filed: June 27, 2017
Date of Patent: March 23, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Kevin Christopher Miller, Rebecca Claire Weiss
-
Patent number: 10939279
Abstract: The present disclosure relates to a communication technique for combining a 5G communication system for supporting a higher data transmission rate than a 4G system with an IoT technology, and a system therefor. The present disclosure can be applied to 5G communication and IoT related technology-based intelligent services (for example, smart homes, smart buildings, smart cities, smart cars or connected cars, health care, digital education, retail business, security and safety related services, etc.).
Type: Grant
Filed: March 24, 2016
Date of Patent: March 2, 2021
Assignee: Samsung Electronics Co., Ltd.
Inventors: Jong-Han Park, Duc-Key Lee, Sang-Soo Lee, Tae-Sun Yeoum, Song-Yean Cho
-
Patent number: 10924926
Abstract: Techniques for sending communication data using a first communication system and a second communication system are described. When a request is received to send communication data, it is determined that sending the communication data includes the second communication system. A request for updated identification information, such as a security token, is therefore sent to the second communication system prior to, for example, determining further account information related to the initiator of the communication and/or an identity of a recipient of the communication. While the request is pending, additional requests for the identification information are delayed. When the new identification information is received, the communication data is sent.
Type: Grant
Filed: February 28, 2019
Date of Patent: February 16, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Vinaya Nadig, Tu Dien Do
-
Patent number: 10903996
Abstract: Selecting a persona for a Decentralized Identifier (DID) and associated DID document based on a trust score. A request for data or services associated with an owner of various decentralized identifiers (DID) is received. Each of the plurality of DIDs may have an associated DID document. The associated DID document for each of the DIDs defines a persona based on an amount of identifying information included in the DID document. Based on the received request, a trust score is assigned to an entity that generated the received request. The trust score is at least partially based on the verifiability of an identity of the entity that generated the received request. Based on the trust score, the persona and the associated DID and DID document that should be used by the owner for interacting with the entity that generated the request is selected.
Type: Grant
Filed: May 31, 2018
Date of Patent: January 26, 2021
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Ankur Patel, Daniel James Buchner
-
Patent number: 10904074
Abstract: One embodiment provides event handling in a cloud based multi-tenant identity management system. Embodiments receive a plurality of individual events and a request to create a group from the individual events. Embodiments publish the group as a composite event and persist the composite event in a composite queue. Embodiments then dispatch the composite event to a composite handler, parse the composite event and persist the individual events in respective event queues.
Type: Grant
Filed: September 18, 2017
Date of Patent: January 26, 2021
Assignee: Oracle International Corporation
Inventors: Gregg Wilson, Arun Theebaprakasam, Manoj Kumar, Rohit Jalan, Yang Li
-
Patent number: 10880087
Abstract: The invention relates to a computer-implemented system and method for service-to-service authentication. The method may comprise deploying the SSA service, deploying a micro service, and providing an SSA client that serves as an interface between the micro service and the SSA service. The micro service can send a request to the SSA service for an authentication token. The SSA service then generates the authentication token for the micro service, which is signed by the SSA service using an SSA service private key. The authentication token can be encrypted so that it is secure when sent by the SSA service to the micro service. The authentication token carries information necessary for the micro service to access a second micro service directly through validation of the authentication token by the second micro service based in part on a private key of the micro service previously generated by the SSA service.
Type: Grant
Filed: August 20, 2018
Date of Patent: December 29, 2020
Assignee: JPMorgan Chase Bank, N.A.
Inventors: Dennis Martynov, Atit Shah
-
Patent number: 10880099
Abstract: This disclosure relates to a method and system for protecting a computing device from malware. In one embodiment, the method may include determining a digital trust certificate of a set of computing instructions to be executed by the computing device. The set of computing instructions may form a part of a boot process of the computing device, and may be a firmware, a boot loader, a kernel, a system driver, a start-up file, or an antimalware. The method may further include establishing a chain of trust by validating the digital trust certificate with the computing device. The digital trust certificate may be pre-registered with a local database, accessible by the computing device, by communicating with a centralized certificate authority and policy server. Upon a positive establishment of the chain of trust, the method may further include allowing an execution of the set of computing instructions by the computing device.
Type: Grant
Filed: July 24, 2018
Date of Patent: December 29, 2020
Assignee: Wipro Limited
Inventor: Rajeev Kumar Ujjwal
-
Patent number: 10868831
Abstract: A communication system for authenticating a second communication device to a first communication device, wherein the communication system comprises a physical connection between a first communication device and a second communication device, where a first message may be transmitted from the first communication device, via the physical connection, to the second communication device.
Type: Grant
Filed: December 21, 2016
Date of Patent: December 15, 2020
Assignee: SENNHEISER COMMUNICATIONS A/S
Inventors: Arne Lindbjerg Pedersen, Johnny Kristensen, Ole Dahl Spanter
-
Patent number: 10855478
Abstract: Disclosed is a device and method to secure software update information for authorized entities. In one embodiment, a device for receiving secured software update information from a server, the device includes: a physical unclonable function (PUF) information generator, comprising a PUF cell array, configured to generate PUF information, wherein the PUF information comprises at least one PUF response output, wherein the at least one PUF response output is used to encrypt the software update information on the server so as to generate encrypted software update information; a first encrypter, configured to encrypt the PUF information from the PUF information generator using one of at least one public key from the server so as to generate encrypted PUF information; and a second encrypter, configured to decrypt the encrypted software update information using one of the at least one PUF response output so as to obtain the software update information.
Type: Grant
Filed: August 13, 2018
Date of Patent: December 1, 2020
Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
Inventor: Shih-Lien Linus Lu
-
Patent number: 10831931
Abstract: A method for preserving privacy in an HTTP communication between a client and a server includes: intercepting an HTTP request that is sent from the client to the server; extracting a cookie from the HTTP request, the cookie including a cookie name and a cookie value; splitting the cookie value into information segments; and modifying one or more of the information segments based on predefined modification rules.
Type: Grant
Filed: March 31, 2016
Date of Patent: November 10, 2020
Assignee: NEC LABORATORIES EUROPE GMBH
Inventors: Roberto Gonzalez Sanchez, Miriam Marciel, Lili Jiang
-
Patent number: 10789352
Abstract: Method, apparatus and computer program product for multi-device user authentication are described herein. For example, the apparatus includes at least one processor and at least one non-transitory memory including program code.
Type: Grant
Filed: October 19, 2018
Date of Patent: September 29, 2020
Assignee: Slack Technologies, Inc.
Inventors: Faisal Yaqub, Chase Rutherford-Jenkins, Graham Hicks
-
Patent number: 10791097
Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.
Type: Grant
Filed: April 14, 2016
Date of Patent: September 29, 2020
Assignee: Sophos Limited
Inventors: Stefan Ortner, Andreas Berger, Vincent Vanbiervliet, Kenneth D. Ray
-
Patent number: 10785816
Abstract: A display unit displays an image including information which is necessary to share communication parameters for establishing a wireless connection and information about a scheme for establishing a wireless connection, whereby the connection scheme to be performed is shared with a target apparatus, and a wireless connection is established by using the desired connection scheme.
Type: Grant
Filed: March 30, 2016
Date of Patent: September 22, 2020
Assignee: Canon Kabushiki Kaisha
Inventor: Kazuo Moritomo
-
Patent number: 10778663
Abstract: Aspects of the disclosure relate to managed access to content and/or services. In certain aspects, tokens or other artifacts can be utilized for authentication and authorization.
Type: Grant
Filed: March 18, 2014
Date of Patent: September 15, 2020
Assignee: Cox Communications, Inc.
Inventors: Keith Alan Rothschild, Edgar V. Shrum, Muhammad Asif Raza, Richard M. Thomas
-
Patent number: 10756885
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for blockchain-based cross-entity authentication are provided. One of the methods includes: obtaining an authentication request by a first entity for authenticating a user, wherein the authentication request comprises a decentralized identifier (DID) of the user; in response to determining that the first entity is permitted to access authentication information of the user endorsed by a second entity, generating a blockchain transaction for obtaining an authentication result of the user by the second entity, wherein the authentication result is associated with the DID; and transmitting the blockchain transaction to a blockchain node for adding to a blockchain.
Type: Grant
Filed: January 8, 2020
Date of Patent: August 25, 2020
Assignee: Alibaba Group Holding Limited
Inventors: Shubo Li, Jiawei Liu, Renhui Yang
-
Patent number: 10750050
Abstract: An image processing apparatus provided with a biological information sensor receives an authentication request including a verification parameter from a service providing system, transmits the verification parameter to an information processing apparatus provided with an authentication module for biometric authentication, and a tamper-resistant storage device configured to store a user's biological information required when an authentication process is performed by the authentication module and a private key generated with respect to the biological information, transmits the biological information acquired by the biological information sensor using an encryption technique to the information processing apparatus, receives signature data, created using the private key extracted when biometric authentication based on the transmitted biological information has succeeded and the verification parameter, from the information processing apparatus, and transmits the signature data to the service providing system.
Type: Grant
Filed: October 25, 2018
Date of Patent: August 18, 2020
Assignee: CANON KABUSHIKI KAISHA
Inventor: Tetsuya Matsumoto
-
Patent number: 10728034
Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
Type: Grant
Filed: February 23, 2018
Date of Patent: July 28, 2020
Assignee: WEBROOT INC.
Inventors: Andrew Sandoval, Eric Klonowski
-
Patent number: 10728226
Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.
Type: Grant
Filed: April 14, 2016
Date of Patent: July 28, 2020
Assignee: Sophos Limited
Inventors: Stefan Ortner, Andreas Berger, Vincent Vanbiervliet, Kenneth D. Ray
-
Patent number: 10719423
Abstract: An apparatus and associated method are provided for application deployment assessment. In use, a plurality of deployment parameters associated with one or more applications, and a workload profile are received. Further, an application deployment specification is generated, based on the workload profile and the deployment parameters. Still yet, a type of one or more orchestrators on one or more systems is identified. The application deployment specification is processed, based on the identified type of the one or more orchestrators on the one or more systems. Further, the one or more processors execute the instructions to deploy, via an application program interface (API), the one or more applications to the one or more orchestrators on at least one of the one or more systems, and at least one workload generator to at least one of the one or more systems, utilizing the processed application deployment specification. Operational data is collected from one or more monitoring agents on the one or more systems.
Type: Grant
Filed: July 12, 2017
Date of Patent: July 21, 2020
Assignee: Futurewei Technologies, Inc.
Inventors: Xiaoyun Zhu, Jinzhong Zhang, Huichao Zhao, Sid Askary, Daniel Chen, CJ Hersh, Yue Chen, Shu Zhang, Jing Ye