Abstract: There is provided an apparatus comprising input circuitry that receives requests comprising input addresses in an input domain. Output circuitry provides output addresses. The output addresses comprise secure physical addresses to secure storage circuitry and non-secure physical addresses to non-secure storage circuitry. Lookup circuitry stores a plurality of mappings comprising at least one mapping between the input addresses and the secure physical addresses, and at least one mapping between the input addresses and the non-secure physical addresses.

Abstract: A commercial shipping asset including a plurality of sensors disposed on the commercial shipping asset. A controller is communicatively connected to each sensor in the plurality of sensors. The controller further includes a master asset identifier and a receiver. The controller is configured to implement a dynamic information discovery protocol.

Abstract: This document describes a secure element that leverages the resources of a computer system to perform specialized functions using sensitive information. The secure element securely stores sensitive information on flash memory of the computer system. In response to a request requiring use of sensitive information, the secure element loads a security application and sensitive information from the computer system. By leveraging external resources, the secure element may flexibly accommodate increasing resource requirements of the computer system and be used in a wide range of computer systems.

Abstract: A protection device includes a memory, and processing circuitry coupled to the memory and configured to acquire a list of file paths of predetermined protection target files, and perform an operation of protecting data of a file corresponding to a file path included in the list.

Abstract: Systems as described herein may implement a data management ecosystem for databases. A computing device may receive, from a first user device, a request to migrate one or more data objects from a sandbox to a production environment. The production environment may include a plurality of data warehouses that may be provided as a service in a cloud computing environment, and computing resources are dynamically allocated to the plurality of data warehouses. The computing device may determine lineage information and update a database catalog of the data warehouses with the lineage information. The computing device may identify sensitive data contained within the one or more data objects and generate tokenization for the sensitive data. Based on the lineage information in the database catalog and the tokenization, the computing device may generate a migration plan and cause the at least one of the plurality of data warehouses to execute the migration plan.

Abstract: A system and method for controlling access to an on-device machine learning model without the use of encryption is described herein. For example, a request is received from an application executing on a device of a user. The request is to download a machine learning model to the device that enables a feature of the application, and the request includes information associated with the user and/or the device. The information is used to create an obfuscation key, and a derivative model can be generated using a reference copy of the machine learning model and the obfuscation key. The derivative model and the obfuscation key are then sent to the application. When the obfuscation key is provided to the derivative model at runtime, values derived from the obfuscation key are provided as additional inputs that enable the derivative model to function properly.

Abstract: Systems and methods of the present disclosure enable the generation and use of secure offline tokens for account activity authentication. A processor receives an activity record including activity details including an entity identifier. The processor determines a flight booking associated with the activity record when the entity identifier includes an airline, and determines flight data associated with the flight booking. The processor automatically generates an offline token associated with the user account, including account access restrictions. The account access restrictions include a token activation period that binds the offline token to a duration of the flight, and a token entity binding that binds the offline token to use with the airline for performing in-flight account activity requests. The processor automatically causes a computing device to download the offline token to enabling performing the in-flight account activity requests with the entity during the offline token activation period.

Abstract: A robust and reliable multimodal authentication is provided by a multimodal authentication device. The multimodal authentication device utilizes an audio authentication, a video authentication, an audio liveliness authentication, and a video liveliness authentication to determine the authentication of a user. By including a liveliness component in the authentication determination reduces the risk of fraud by factoring in live movement and orientation into the authentication determines. For example, various image/location combinations are displayed to the user and the user is instructed to track and verbally identify the various images. In this way, the user is authenticated based not only on, for example, facial and audio recognition but also a liveliness associated with each.

Abstract: Execution of an application in an application-level sandbox is disclosed. A request to launch an application is received by an operating system executing on a device. A determination is made that a stored copy of the application should be executed within an application-level sandbox. The stored copy of the application is executed in the application-level sandbox.

Abstract: An image processing apparatus providing a plurality of functions includes a display control unit that, upon receiving an instruction for displaying a screen of a function where use of the function requires authentication, displays the screen of the function requiring authentication in a state where a user operation on the screen of the function is not received, wherein the display control unit enables receipt of a user operation on the screen of the function in a case where a user is successfully authenticated and authorized to use the function.

Abstract: Provided is a method of allowing a user to participate in a video conference using a quick response (QR) code, which is a method performed by a server connected to a plurality of participant terminals and a user terminal via a wired/wireless network, the method including: generating a conference session with the plurality of participant terminals to initiate the video conference; generating identification information for identifying the video conference so that the user terminal is allowed to access the video conference; transmitting the identification information to a participant intermediary terminal that is one of the plurality of participant terminals; and upon recognizing, by the user terminal, a QR code output on the participant intermediary terminal, allowing the user terminal to participate in the video conference.

Abstract: Disclosed is a liveness test method and liveness test apparatus. The liveness test method includes determining a presence of a subject using a radar sensor, performing a first liveness test on the subject based on radar data obtained by the radar sensor, in response to the subject being present, acquiring image data of the subject using an image sensor, in response to a result of the first liveness test satisfying a first condition, and performing a second liveness test on the subject based on the image data.

Abstract: Techniques described herein are directed to implementing three-domain secure (3DS) solutions in a software development kit (SDK), and more generally, improving the process of authenticating user transactions in third-party merchant applications. In an example, a user may enroll in the delegated authentication service offered by the authentication service provider as a result of conducting a payment transaction in a first application having the SDK. During a subsequent transaction, initiated in an unassociated second application having the compiled SDK, the user may authenticate the payment method without registering the payment method with the second application and/or by delegating a 3DS authentication to the authentication service provider rather than performing the 3DS authentication with an issuer of the payment method. Additionally, techniques described herein may configure a user device, without access to an internet connection, as a standalone payment instrument.

Abstract: Methods, systems, and apparatuses are provided to automatically determine whether an image is spoofed. For example, a computing device may obtain an image, and may execute a trained convolutional neural network to ingest elements of the image. Further, and based on the ingested elements of the image, the executed trained convolutional neural network generates an output map that includes a plurality of intensity values. In some examples, the trained convolutional neural network includes a plurality of down sampling layers, a plurality of up sampling layers, and a plurality of joint spatial and channel attention layers. Further, the computing device may determine whether the image is spoofed based on the plurality of intensity values. The computing device may also generate output data based on the determination of whether the image is spoofed, and may store the output data within a data repository.

Abstract: A trusted application running method applied to a computer system on which a trusted execution environment (TEE) and a rich execution environment (REE) are deployed, where one or more trusted applications (TAs) run on the TEE operating system. The TEE operating system may start a target TA. Then, the target TA may send, to the TEE operating system, a loading request for a target dynamic library supporting the target service. The TEE operating system may load the target dynamic library to memory space of the target TA in response to the loading request. In this way, before the target TA runs the target service, a program module used to support the target service does not need to be loaded to the memory space of the TA, thereby reducing a waste of the memory space of the TA.

Abstract: A non-standard user interface object identification system includes an object candidate extractior that extracts one or more objects from an image, a first similarity analyzer that determines object type candidates of the one or more objects in accordance with similarities between the one or more objects and a standard user interface (UI) element, a second similarity analyzer that selects object type-specific weight values in accordance with layout characteristics of the one or more objects and determines object types of the one or more objects using the object type candidates and the object type-specific weight values, and an object identifier that receives type and characteristic information of a search target object and identifies the search target object in accordance with characteristic information and the object types of the one or more objects.

Abstract: A method for evaluating security of third-party application is disclosed. The method includes: in an automated test environment: launching a test instance of a first application; and obtaining a data access signature of the first application based on identifying at least one application state of the first application and account data retrieved by the first application from a user account at a protected data resource in the at least one application state; receiving, from a client device associated with the user account, an indication of access permissions for the first application to access the user account for retrieving account data; detecting a change in the data access signature of the first application; and in response to detecting the change in the data access signature of the first application, notifying the user of the detected change.

Abstract: Responsive to a start-up of an instance of a cloud-based computing environment, metadata that is stored in a virtual trusted platform module (vTPM) is accessed. The metadata represents configuration parameters for the instance, and the configuration parameters include a security credential. The instance is configured based on the metadata. The configuration includes configuring an access control of the instance with the security credential.

Abstract: A method for cryptocurrency conversion includes: determining conversion information; sending the cryptocurrency to a settlement address; determining conversion orders; determining transaction completion; and executing the conversion orders.

Abstract: A processor is configured to determine whether or not target data, this being data that a first application is attempting to access, is permitted data based on a correspondence relationship list, and to permit the first application to access the target data in cases in which the processor has determined the target data to be the permitted data, and not to permit the first application to access the target data in cases in which the processor has determined the target data not to be the permitted data.

Abstract: Disclosed are blockchain type contract terminal and method using position information. There are provided: an input module that is inputted with a contract term regarding an object of contract; a position information collection module that collects, in real time, position information of the object at the time of contract; a contract creation module that creates a contract by using the contract term inputted by the input module and the position information at the time of contract collected in real time by the position information collection module; a blockchain creation module that encrypts the contract created by the contract creation module to create a blockchain; and a blockchain distributed storage control module that transmits the blockchain created at the blockchain creation module to another terminal in a P2P manner for storing on a network in a distributed manner.

Abstract: To provide a technology of more accurately detecting spoofing in face authentication, without increasing a scale of a device configuration and a burden on a user. A spoofing detection device includes a facial image sequence acquisition unit, a line-of-sight change detection unit, a presentation information display unit, and a spoofing determination unit. The facial image sequence acquisition unit acquires a facial image sequence indicating the face of a user. The line-of-sight change detection unit detects information about a temporal change in the line-of-sight from the facial image sequence. The presentation information display unit displays presentation information presented to the user as part of an authentication process. The spoofing determination unit determines the likelihood of the face indicated by the facial image sequence being spoofing on the basis of the information about the temporal change in the line-of-sight with respect to the presentation information.

Abstract: A method includes creating an account with an elevator system; assigning a primary user to the account; assigning a secondary user to the account; associating elevator access privileges to the secondary user, the elevator access privileges including floors of a building that the secondary user can access via the elevator system.

Abstract: Methods and apparatus to identify haptic vibrations of touchscreens are disclosed. Example apparatus disclosed herein include means for generating a haptic control signal that is to cause vibrations of a haptic display means, the vibrations to simulate a texture corresponding to visual subject matter to be displayed on the haptic display means, the vibrations of the haptic display means to produce an acoustically detectable signal. Disclosed example apparatus also include means for encoding a watermark into the haptic control signal to generate a watermarked haptic control signal, the watermark including identification information to identify at least one of the subject matter or the texture, the watermark to modify the acoustically detectable signal.

Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.

Abstract: A system may be configured to perform edge device based multi-factor authentication. In some aspects, the system may capture a plurality of video frames, detect a first face within a first video frame, detect a second face within a second video frame, generate a first signature based on the first face and a second signature based on the second face, determine that the first signature matches the second signature, determine that a third video frame corresponds to a human, and verify that the first signature and second signature correspond to a first authentication credential of a known user. Further, the system may capture audio information, verify that the audio information corresponds to a second authentication credential of the known user, and provide physical access to a controlled area.

Abstract: Provided is an analysis system including: an operation analysis unit that analyzes operation of an analysis target program that is a target program to be analyzed, by executing the analysis target program in a second execution environment that is a computing environment for analysis, the second execution environment being configured to emulate at least a partial configuration of a first execution environment that is a computing environment for real operation where the analysis target program is able to be executed; and a configuration unit that builds the second execution environment capable of emulating a specific configuration of the first execution environment, the specific configuration relevant to an operation of the analysis target program, by modifying at least a partial configuration of the second execution environment in accordance with the operation of the analysis target program analyzed by the operation analysis unit.

Abstract: Biometrics are increasingly used to provide authentication and/or verification of a user in many security and financial applications for example. However, “spoof attacks” through presentation of biometric artefacts that are “false” allow attackers to fool these biometric verification systems. Accordingly, it would be beneficial to further differentiate the acquired biometric characteristics into feature spaces relating to live and non-living biometrics to prevent non-living biometric credentials triggering biometric verification. The inventors have established a variety of “liveness” detection methodologies which can block either low complexity spoofs or more advanced spoofs. Such techniques may provide for monitoring of responses to challenges discretely or in combination with additional aspects such as the timing of user's responses, depth detection within acquired images, comparison of other images from other cameras with database data etc.

Abstract: Methods and systems provide for multi-factor authentication (MFA) of a user to a device or network in which a criteria for maintaining the authentication is based on the presence of the user before a device. After the user is authenticated and provided with access, a continuity criteria (i.e., a measure of the presence of the user before the device) must be fulfilled for that access to be maintained. When it is determined that the continuity requirement is not fulfilled, an aspect of the access is denied. A continuity criteria may be based on the location of a second computing device with respect to a first computing device. And multiple methods of determining continuity may be employed simultaneously, with access being denied when continuity is fulfilled by none of the methods.

Abstract: An electronic device having a cable includes a storage unit and a communication unit. The storage unit stores first authentication information used for an authentication communication directed to the electronic device and second authentication information used for an authentication communication directed to the cable. The communication unit is capable of responding to an authentication communication directed to the electronic device and is also capable of responding to an authentication communication directed to the cable.

Abstract: A point-of-sale system is a dual-screen stand assembly that includes a merchant terminal and a consumer terminal. The merchant terminal and the consumer terminal can be mated together in a fixed position to form a single unitary stand, or can be separated from each other in a separated position with each terminal serving as its own separate stand. The merchant terminal supports a merchant computing device and is oriented in a merchant-facing direction. The consumer terminal is detachably mated to the merchant terminal and supports a consumer computing device that is oriented in a consumer-facing direction. The point-of-sale system also includes a card reader as part of the customer terminal to perform a payment. The card reader is configured to accepting swipe cards, chip cards or contactless (EMV or NFC) payments.

Abstract: A method, apparatus, and computer program product for proactive offline authentication are provided. An example method includes determining a current offline condition of a computing device at a first time and determining a prior online condition of the computing device at a second time that is earlier than the first time at which the computing device generated second authentication credentials based upon one or more user attributes obtained from a digital identity construct database associated with a first user at the second time. The method further includes obtaining, at the first time, first authentication credentials associated with the first user and determining a discrepancy between the first and the second authentication credentials. In response to the determined discrepancy, the method includes generating an authentication token based upon the second authentication credentials for authenticating a first user device of the first user with the computing device.

Abstract: An electronic apparatus operated by a sales clerk includes a display, a camera configured to capture an image of a code displayed on a screen of a portable registration apparatus operated by a customer in a store, the code corresponding to one or more commodities to be purchased and check data indicating whether each of said one or more commodities needs to be checked by the sales clerk before being checked out, and a processor configured to, when the image of the code is captured by the camera, acquire information indicating said one or more commodities to be purchased and the check data using the code, and control the display to display a screen showing one or more commodities that need to be checked by the sales clerk based on the acquired information.

Abstract: Disclosed embodiments relate to iteratively developing profiles for network entities. Operations may include accessing a set of permissions associated with a network entity; obtaining a set of permission vectors for the network entity based on the set of permissions; evaluating each permission vector within the set of permission vectors for iteratively developing a profile for the network entity, the evaluation being based on at least: whether each permission vector within the set of permission vectors provides sufficient privileges for the network entity to perform an action, and a predefined rule; creating a new set of permission vectors for the network entity based on at least the selected group of the set of permission vectors; iterating the evaluation for the new set of permission vectors; determining whether an iteration termination condition has been met; and terminating the iteration based on the iteration termination condition being met.

Abstract: A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.

Abstract: A system, apparatus, method, and machine readable medium are described for performing advanced authentication techniques and associated applications. For example, one embodiment of a method comprises: receiving a policy identifying a set of acceptable authentication capabilities; determining a set of client authentication capabilities; and filtering the set of acceptable authentication capabilities based on the determined set of client authentication capabilities to arrive at a filtered set of one or more authentication capabilities for authenticating a user of the client.

Abstract: Aspects presented herein may enable a base station to share trained neural network from one UE to other UE(s) to improve the efficiency of a neural network training. In one aspect, a base station receives, from a first UE, one or more ML model parameters based on a first zone ID that identifies a first geographical zone, the one or more ML model parameters being associated with the first zone ID or the first geographical zone or both. The base station provides the one or more ML model parameters to a second UE based on at least one of the zone ID or the first geographical zone.

Abstract: The present disclosure relates to a method for booting a processing device, the method including: generating, by a monotonic counter and during a first boot phase, a first count value; transmitting, by the monotonic counter, the first count value to an access control circuit of a memory; reading, on the basis of the first count value, first data stored in the memory; and generating, by the monotonic counter and during a second boot phase, a second count value greater than the first count value. The access control circuit of the memory is configured so that the reading of the first data is not authorized on the basis of the second count value.

Abstract: Communication methods and apparatus are described. One communication method includes that user equipment (UE) sends an N1 message to a security anchor function (SEAF), where the N1 message carries a Diffie-Hellman (DH) public parameter or a DH public parameter index, the N1 message further carries an encrypted identifier of the UE, and the encrypted identifier is obtained by encrypting a permanent identifier of the UE and a first DH public key. The UE receives an authentication request that carries a random number and that is sent by the SEAF. The UE sends, to the SEAF, an authentication response used to respond to the authentication request, where the authentication response carries an authentication result calculated based on a root key and the random number.

Abstract: The disclosure herein describes changing a mode of operation of a computing device using signals from a pen device. The pen device obtains gesture input data from at least one sensor of the pen device and the obtained gesture input data is compared to at least one gesture pattern. Based on the gesture input data matching the at least one gesture pattern, the pen device transitions to an active state. The pen device detects, via an electrostatic communication channel, an uplink signal from the computing device and sends a signal to change a mode of operation of the computing device by at least one of a network interface or a communication channel, other than the electrostatic communication channel. Changing modes of operation of a computing device provides a flexible, stream-lined way to enhance the user experience of using a computing device with a pen device (e.g., performing an initial pairing process).

Abstract: A vehicle control apparatus may include a host including a driving application of a vehicle controller and a hardware security module that determines whether to transmit a message for allowing booting of the host to the host, according to a result of a secure boot at an n-th cycle, and determines whether to perform the secure boot at a (n+1)-th cycle, depending on whether the message is transmitted to the host.

Abstract: A method of authorizing a client device to a service includes, by a customer electronic device associated with a customer: defining an access control list that includes permissions for authorized clients of the customer, creating authorization tokens and encoding the ACL into each of the authorization tokens, and distributing the authorization tokens to the authorized clients. The method includes, by a data center that provides a service to one or more of the authorized clients: receiving a service request for the service from a requesting client that includes a submitted authorization token, decoding the submitted authorization token to identify a received ACL in the submitted authorization token, analyzing the received ACL to determine whether the requesting client is an authorized client and the permissions in the received ACL grant the requesting client permission to access the service, and if so, providing the service to the requesting client.

Abstract: The present disclosure involves systems, software, and computer implemented methods for access control for object instances. A method includes receiving, at a cloud application, a user request associated with a user. The user request corresponds to an instance of a first application artifact type. Role assignments for the user are retrieved from a cloud platform and a determination is made that the role assignments grant permission to the first application artifact type to the user. A determination is made that a first instance-based access policy exists for the first application artifact type. A determination is made regarding whether the first instance-based access policy grants permission for the user to access the instance. The user request is serviced in response to determining that the first instance-based access policy grants permission for the user to access the instance.

Abstract: The purpose of the present invention is to provide a portable terminal and an application software start-up system whereby the application software that is started up is limited depending on the state of a user, thereby providing an improved ease of use. For this purpose, an application software start-up method for an information processing device comprises: performing identity authentication based on static biological information; determining the state of the user by comparing dynamic biological information acquired from the body of the user with previously measured dynamic biological information; and limiting the application software that is started up in accordance with the determined state of the user and on the basis of a permission level that is set in advance for each application software item.

Abstract: Systems and methods of Exact Data Matching (EDM) for identifying related tokens in data content using structured signature data implemented in a cloud-based system receiving data sets and customer configuration from a customer, wherein the data sets include customer specific sensitive data from a structured data source with each token represented by a hash value and the customer configuration includes one or more primary keys for a plurality of records in the data sets; distributing the data sets and the customer configuration to a plurality of nodes in the cloud-based system; performing monitoring of content between a client of the customer and an external network; detecting a presence of a plurality of tokens associated with a record in the customer specific sensitive data based on the monitoring; and performing a policy-based action in the cloud-based system based on the detecting.

Abstract: Techniques for processing voice commands from a locked device are described. A voice command received by a locked device is stored, a prompt requesting that the device be unlocked is generated, and the voice command is processed automatically after the device is unlocked. Thus, the system processes the voice command without the user repeating the voice command. In addition, the system may process certain voice commands even when the device is locked. For example, a whitelist filter compares an intent associated with the voice command to whitelisted intents from a whitelist database before the intent is dispatched to a speechlet, and intents included in the whitelist database are processed normally. Thus, the system performs certain voice commands while the device is locked, while other voice commands may be automatically processed after the device is unlocked without the user repeating the voice command.

Abstract: A data transfer device includes: a plurality of masters each having a buffer and configured to calculate a remaining-time counter based on an amount of data in the buffer; a memory system configured to perform data transfer with the plurality of masters and having a memory access prohibition period during which access from the plurality of masters is intermittently prohibited; a bus arbiter configured to arbitrate the plurality of masters based on the remaining-time counter; and a remaining-time counter-adjusting part configured to add a remaining-time counter offset, which adjusts the remaining-time counter until the start of the memory access prohibition period, to at least one of the plurality of masters.

Abstract: A computer-implemented method of making secure computer products is described, including a computer-implemented method of configuring a computer system configured to run an operating system, wherein the method of to enable the computer system to resist the execution of unauthorised software, the method comprising: instantiating an application programming interface to enable an application running on the computer system to access the functionality of the operating system; and applying a transform to the application programming interface to modify the application programming interface.

Abstract: Described herein are systems and methods for prime and probe attack mitigation. For example, some methods include, responsive to a cache miss caused by a process, checking whether a priority level of the process satisfies a first priority requirement of a first cache block of a cache with multiple ways including cache blocks associated with respective priority requirements; responsive to the priority level satisfying the first priority requirement, loading the first cache block; and, responsive to the priority level satisfying the first priority requirement, updating the first priority requirement to be equal to the priority level of the process.

Abstract: Techniques for performing application programming interface (API)-level validation of API requests to infrastructure resources in a cloud computing environment are provided. One technique includes receiving an API request from a user to access a cloud computing service in the cloud computing environment. A determination is made as to whether at least one action indicated in the API request is allowed to be performed, based at least in part on one or more parameters of the API request. Upon determining that the at least one action is allowed to be performed, the API request is forwarded to the cloud computing service.